xref: /freebsd/crypto/openssl/CHANGES.md (revision 59c8e88e72633afbc47a4ace0d2170d00d51f7dc)
1OpenSSL CHANGES
2===============
3
4This is a high-level summary of the most important changes.
5For a full list of changes, see the [git commit log][log] and
6pick the appropriate release branch.
7
8  [log]: https://github.com/openssl/openssl/commits/
9
10OpenSSL Releases
11----------------
12
13 - [OpenSSL 3.0](#openssl-30)
14 - [OpenSSL 1.1.1](#openssl-111)
15 - [OpenSSL 1.1.0](#openssl-110)
16 - [OpenSSL 1.0.2](#openssl-102)
17 - [OpenSSL 1.0.1](#openssl-101)
18 - [OpenSSL 1.0.0](#openssl-100)
19 - [OpenSSL 0.9.x](#openssl-09x)
20
21OpenSSL 3.0
22-----------
23
24For OpenSSL 3.0 a [Migration guide][] has been added, so the CHANGES entries
25listed here are only a brief description.
26The migration guide contains more detailed information related to new features,
27breaking changes, and mappings for the large list of deprecated functions.
28
29[Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod
30
31### Changes between 3.0.12 and 3.0.13 [30 Jan 2024]
32
33 * A file in PKCS12 format can contain certificates and keys and may come from
34   an untrusted source. The PKCS12 specification allows certain fields to be
35   NULL, but OpenSSL did not correctly check for this case. A fix has been
36   applied to prevent a NULL pointer dereference that results in OpenSSL
37   crashing. If an application processes PKCS12 files from an untrusted source
38   using the OpenSSL APIs then that application will be vulnerable to this
39   issue prior to this fix.
40
41   OpenSSL APIs that were vulnerable to this are: PKCS12_parse(),
42   PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()
43   and PKCS12_newpass().
44
45   We have also fixed a similar issue in SMIME_write_PKCS7(). However since this
46   function is related to writing data we do not consider it security
47   significant.
48
49   ([CVE-2024-0727])
50
51   *Matt Caswell*
52
53 * When function EVP_PKEY_public_check() is called on RSA public keys,
54   a computation is done to confirm that the RSA modulus, n, is composite.
55   For valid RSA keys, n is a product of two or more large primes and this
56   computation completes quickly. However, if n is an overly large prime,
57   then this computation would take a long time.
58
59   An application that calls EVP_PKEY_public_check() and supplies an RSA key
60   obtained from an untrusted source could be vulnerable to a Denial of Service
61   attack.
62
63   The function EVP_PKEY_public_check() is not called from other OpenSSL
64   functions however it is called from the OpenSSL pkey command line
65   application. For that reason that application is also vulnerable if used
66   with the "-pubin" and "-check" options on untrusted data.
67
68   To resolve this issue RSA keys larger than OPENSSL_RSA_MAX_MODULUS_BITS will
69   now fail the check immediately with an RSA_R_MODULUS_TOO_LARGE error reason.
70
71   ([CVE-2023-6237])
72
73   *Tomáš Mráz*
74
75 * Restore the encoding of SM2 PrivateKeyInfo and SubjectPublicKeyInfo to
76   have the contained AlgorithmIdentifier.algorithm set to id-ecPublicKey
77   rather than SM2.
78
79   *Richard Levitte*
80
81 * The POLY1305 MAC (message authentication code) implementation in OpenSSL
82   for PowerPC CPUs saves the contents of vector registers in different
83   order than they are restored. Thus the contents of some of these vector
84   registers is corrupted when returning to the caller. The vulnerable code is
85   used only on newer PowerPC processors supporting the PowerISA 2.07
86   instructions.
87
88   The consequences of this kind of internal application state corruption can
89   be various - from no consequences, if the calling application does not
90   depend on the contents of non-volatile XMM registers at all, to the worst
91   consequences, where the attacker could get complete control of the
92   application process. However unless the compiler uses the vector registers
93   for storing pointers, the most likely consequence, if any, would be an
94   incorrect result of some application dependent calculations or a crash
95   leading to a denial of service.
96
97   ([CVE-2023-6129])
98
99   *Rohan McLure*
100
101 * Fix excessive time spent in DH check / generation with large Q parameter
102   value.
103
104   Applications that use the functions DH_generate_key() to generate an
105   X9.42 DH key may experience long delays. Likewise, applications that use
106   DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()
107   to check an X9.42 DH key or X9.42 DH parameters may experience long delays.
108   Where the key or parameters that are being checked have been obtained from
109   an untrusted source this may lead to a Denial of Service.
110
111   ([CVE-2023-5678])
112
113   *Richard Levitte*
114
115### Changes between 3.0.11 and 3.0.12 [24 Oct 2023]
116
117 * Fix incorrect key and IV resizing issues when calling EVP_EncryptInit_ex2(),
118   EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() with OSSL_PARAM parameters
119   that alter the key or IV length ([CVE-2023-5363]).
120
121   *Paul Dale*
122
123### Changes between 3.0.10 and 3.0.11 [19 Sep 2023]
124
125 * Fix POLY1305 MAC implementation corrupting XMM registers on Windows.
126
127   The POLY1305 MAC (message authentication code) implementation in OpenSSL
128   does not save the contents of non-volatile XMM registers on Windows 64
129   platform when calculating the MAC of data larger than 64 bytes. Before
130   returning to the caller all the XMM registers are set to zero rather than
131   restoring their previous content. The vulnerable code is used only on newer
132   x86_64 processors supporting the AVX512-IFMA instructions.
133
134   The consequences of this kind of internal application state corruption can
135   be various - from no consequences, if the calling application does not
136   depend on the contents of non-volatile XMM registers at all, to the worst
137   consequences, where the attacker could get complete control of the
138   application process. However given the contents of the registers are just
139   zeroized so the attacker cannot put arbitrary values inside, the most likely
140   consequence, if any, would be an incorrect result of some application
141   dependent calculations or a crash leading to a denial of service.
142
143   ([CVE-2023-4807])
144
145   *Bernd Edlinger*
146
147### Changes between 3.0.9 and 3.0.10 [1 Aug 2023]
148
149 * Fix excessive time spent checking DH q parameter value.
150
151   The function DH_check() performs various checks on DH parameters. After
152   fixing CVE-2023-3446 it was discovered that a large q parameter value can
153   also trigger an overly long computation during some of these checks.
154   A correct q value, if present, cannot be larger than the modulus p
155   parameter, thus it is unnecessary to perform these checks if q is larger
156   than p.
157
158   If DH_check() is called with such q parameter value,
159   DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally
160   intensive checks are skipped.
161
162   ([CVE-2023-3817])
163
164   *Tomáš Mráz*
165
166 * Fix DH_check() excessive time with over sized modulus.
167
168   The function DH_check() performs various checks on DH parameters. One of
169   those checks confirms that the modulus ("p" parameter) is not too large.
170   Trying to use a very large modulus is slow and OpenSSL will not normally use
171   a modulus which is over 10,000 bits in length.
172
173   However the DH_check() function checks numerous aspects of the key or
174   parameters that have been supplied. Some of those checks use the supplied
175   modulus value even if it has already been found to be too large.
176
177   A new limit has been added to DH_check of 32,768 bits. Supplying a
178   key/parameters with a modulus over this size will simply cause DH_check() to
179   fail.
180
181   ([CVE-2023-3446])
182
183   *Matt Caswell*
184
185 * Do not ignore empty associated data entries with AES-SIV.
186
187   The AES-SIV algorithm allows for authentication of multiple associated
188   data entries along with the encryption. To authenticate empty data the
189   application has to call `EVP_EncryptUpdate()` (or `EVP_CipherUpdate()`)
190   with NULL pointer as the output buffer and 0 as the input buffer length.
191   The AES-SIV implementation in OpenSSL just returns success for such call
192   instead of performing the associated data authentication operation.
193   The empty data thus will not be authenticated. ([CVE-2023-2975])
194
195   Thanks to Juerg Wullschleger (Google) for discovering the issue.
196
197   The fix changes the authentication tag value and the ciphertext for
198   applications that use empty associated data entries with AES-SIV.
199   To decrypt data encrypted with previous versions of OpenSSL the application
200   has to skip calls to `EVP_DecryptUpdate()` for empty associated data
201   entries.
202
203   *Tomáš Mráz*
204
205### Changes between 3.0.8 and 3.0.9 [30 May 2023]
206
207 * Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic
208   OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.
209
210   OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical
211   numeric text form.  For gigantic sub-identifiers, this would take a very
212   long time, the time complexity being O(n^2) where n is the size of that
213   sub-identifier.  ([CVE-2023-2650])
214
215   To mitigitate this, `OBJ_obj2txt()` will only translate an OBJECT
216   IDENTIFIER to canonical numeric text form if the size of that OBJECT
217   IDENTIFIER is 586 bytes or less, and fail otherwise.
218
219   The basis for this restriction is [RFC 2578 (STD 58), section 3.5]. OBJECT
220   IDENTIFIER values, which stipulates that OBJECT IDENTIFIERS may have at
221   most 128 sub-identifiers, and that the maximum value that each sub-
222   identifier may have is 2^32-1 (4294967295 decimal).
223
224   For each byte of every sub-identifier, only the 7 lower bits are part of
225   the value, so the maximum amount of bytes that an OBJECT IDENTIFIER with
226   these restrictions may occupy is 32 * 128 / 7, which is approximately 586
227   bytes.
228
229   *Richard Levitte*
230
231 * Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms which
232   happens if the buffer size is 4 mod 5 in 16 byte AES blocks. This can
233   trigger a crash of an application using AES-XTS decryption if the memory
234   just after the buffer being decrypted is not mapped.
235   Thanks to Anton Romanov (Amazon) for discovering the issue.
236   ([CVE-2023-1255])
237
238   *Nevine Ebeid*
239
240 * Reworked the Fix for the Timing Oracle in RSA Decryption ([CVE-2022-4304]).
241   The previous fix for this timing side channel turned out to cause
242   a severe 2-3x performance regression in the typical use case
243   compared to 3.0.7. The new fix uses existing constant time
244   code paths, and restores the previous performance level while
245   fully eliminating all existing timing side channels.
246   The fix was developed by Bernd Edlinger with testing support
247   by Hubert Kario.
248
249   *Bernd Edlinger*
250
251 * Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
252   that it does not enable policy checking. Thanks to David Benjamin for
253   discovering this issue.
254   ([CVE-2023-0466])
255
256   *Tomáš Mráz*
257
258 * Fixed an issue where invalid certificate policies in leaf certificates are
259   silently ignored by OpenSSL and other certificate policy checks are skipped
260   for that certificate. A malicious CA could use this to deliberately assert
261   invalid certificate policies in order to circumvent policy checking on the
262   certificate altogether.
263   ([CVE-2023-0465])
264
265   *Matt Caswell*
266
267 * Limited the number of nodes created in a policy tree to mitigate
268   against CVE-2023-0464.  The default limit is set to 1000 nodes, which
269   should be sufficient for most installations.  If required, the limit
270   can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build
271   time define to a desired maximum number of nodes or zero to allow
272   unlimited growth.
273   ([CVE-2023-0464])
274
275   *Paul Dale*
276
277### Changes between 3.0.7 and 3.0.8 [7 Feb 2023]
278
279 * Fixed NULL dereference during PKCS7 data verification.
280
281   A NULL pointer can be dereferenced when signatures are being
282   verified on PKCS7 signed or signedAndEnveloped data. In case the hash
283   algorithm used for the signature is known to the OpenSSL library but
284   the implementation of the hash algorithm is not available the digest
285   initialization will fail. There is a missing check for the return
286   value from the initialization function which later leads to invalid
287   usage of the digest API most likely leading to a crash.
288   ([CVE-2023-0401])
289
290   PKCS7 data is processed by the SMIME library calls and also by the
291   time stamp (TS) library calls. The TLS implementation in OpenSSL does
292   not call these functions however third party applications would be
293   affected if they call these functions to verify signatures on untrusted
294   data.
295
296   *Tomáš Mráz*
297
298 * Fixed X.400 address type confusion in X.509 GeneralName.
299
300   There is a type confusion vulnerability relating to X.400 address processing
301   inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
302   but the public structure definition for GENERAL_NAME incorrectly specified
303   the type of the x400Address field as ASN1_TYPE. This field is subsequently
304   interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather
305   than an ASN1_STRING.
306
307   When CRL checking is enabled (i.e. the application sets the
308   X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to
309   pass arbitrary pointers to a memcmp call, enabling them to read memory
310   contents or enact a denial of service.
311   ([CVE-2023-0286])
312
313   *Hugo Landau*
314
315 * Fixed NULL dereference validating DSA public key.
316
317   An invalid pointer dereference on read can be triggered when an
318   application tries to check a malformed DSA public key by the
319   EVP_PKEY_public_check() function. This will most likely lead
320   to an application crash. This function can be called on public
321   keys supplied from untrusted sources which could allow an attacker
322   to cause a denial of service attack.
323
324   The TLS implementation in OpenSSL does not call this function
325   but applications might call the function if there are additional
326   security requirements imposed by standards such as FIPS 140-3.
327   ([CVE-2023-0217])
328
329   *Shane Lontis, Tomáš Mráz*
330
331 * Fixed Invalid pointer dereference in d2i_PKCS7 functions.
332
333   An invalid pointer dereference on read can be triggered when an
334   application tries to load malformed PKCS7 data with the
335   d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions.
336
337   The result of the dereference is an application crash which could
338   lead to a denial of service attack. The TLS implementation in OpenSSL
339   does not call this function however third party applications might
340   call these functions on untrusted data.
341   ([CVE-2023-0216])
342
343   *Tomáš Mráz*
344
345 * Fixed Use-after-free following BIO_new_NDEF.
346
347   The public API function BIO_new_NDEF is a helper function used for
348   streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL
349   to support the SMIME, CMS and PKCS7 streaming capabilities, but may also
350   be called directly by end user applications.
351
352   The function receives a BIO from the caller, prepends a new BIO_f_asn1
353   filter BIO onto the front of it to form a BIO chain, and then returns
354   the new head of the BIO chain to the caller. Under certain conditions,
355   for example if a CMS recipient public key is invalid, the new filter BIO
356   is freed and the function returns a NULL result indicating a failure.
357   However, in this case, the BIO chain is not properly cleaned up and the
358   BIO passed by the caller still retains internal pointers to the previously
359   freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO
360   then a use-after-free will occur. This will most likely result in a crash.
361   ([CVE-2023-0215])
362
363   *Viktor Dukhovni, Matt Caswell*
364
365 * Fixed Double free after calling PEM_read_bio_ex.
366
367   The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
368   decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload
369   data. If the function succeeds then the "name_out", "header" and "data"
370   arguments are populated with pointers to buffers containing the relevant
371   decoded data. The caller is responsible for freeing those buffers. It is
372   possible to construct a PEM file that results in 0 bytes of payload data.
373   In this case PEM_read_bio_ex() will return a failure code but will populate
374   the header argument with a pointer to a buffer that has already been freed.
375   If the caller also frees this buffer then a double free will occur. This
376   will most likely lead to a crash.
377
378   The functions PEM_read_bio() and PEM_read() are simple wrappers around
379   PEM_read_bio_ex() and therefore these functions are also directly affected.
380
381   These functions are also called indirectly by a number of other OpenSSL
382   functions including PEM_X509_INFO_read_bio_ex() and
383   SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL
384   internal uses of these functions are not vulnerable because the caller does
385   not free the header argument if PEM_read_bio_ex() returns a failure code.
386   ([CVE-2022-4450])
387
388   *Kurt Roeckx, Matt Caswell*
389
390 * Fixed Timing Oracle in RSA Decryption.
391
392   A timing based side channel exists in the OpenSSL RSA Decryption
393   implementation which could be sufficient to recover a plaintext across
394   a network in a Bleichenbacher style attack. To achieve a successful
395   decryption an attacker would have to be able to send a very large number
396   of trial messages for decryption. The vulnerability affects all RSA padding
397   modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
398   ([CVE-2022-4304])
399
400   *Dmitry Belyavsky, Hubert Kario*
401
402 * Fixed X.509 Name Constraints Read Buffer Overflow.
403
404   A read buffer overrun can be triggered in X.509 certificate verification,
405   specifically in name constraint checking. The read buffer overrun might
406   result in a crash which could lead to a denial of service attack.
407   In a TLS client, this can be triggered by connecting to a malicious
408   server. In a TLS server, this can be triggered if the server requests
409   client authentication and a malicious client connects.
410   ([CVE-2022-4203])
411
412   *Viktor Dukhovni*
413
414 * Fixed X.509 Policy Constraints Double Locking security issue.
415
416   If an X.509 certificate contains a malformed policy constraint and
417   policy processing is enabled, then a write lock will be taken twice
418   recursively.  On some operating systems (most widely: Windows) this
419   results in a denial of service when the affected process hangs.  Policy
420   processing being enabled on a publicly facing server is not considered
421   to be a common setup.
422   ([CVE-2022-3996])
423
424   *Paul Dale*
425
426 * Our provider implementations of `OSSL_FUNC_KEYMGMT_EXPORT` and
427   `OSSL_FUNC_KEYMGMT_GET_PARAMS` for EC and SM2 keys now honor
428   `OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT` as set (and
429   default to `POINT_CONVERSION_UNCOMPRESSED`) when exporting
430   `OSSL_PKEY_PARAM_PUB_KEY`, instead of unconditionally using
431   `POINT_CONVERSION_COMPRESSED` as in previous 3.x releases.
432   For symmetry, our implementation of `EVP_PKEY_ASN1_METHOD->export_to`
433   for legacy EC and SM2 keys is also changed similarly to honor the
434   equivalent conversion format flag as specified in the underlying
435   `EC_KEY` object being exported to a provider, when this function is
436   called through `EVP_PKEY_export()`.
437
438   *Nicola Tuveri*
439
440### Changes between 3.0.6 and 3.0.7 [1 Nov 2022]
441
442 * Fixed two buffer overflows in punycode decoding functions.
443
444   A buffer overrun can be triggered in X.509 certificate verification,
445   specifically in name constraint checking. Note that this occurs after
446   certificate chain signature verification and requires either a CA to
447   have signed the malicious certificate or for the application to continue
448   certificate verification despite failure to construct a path to a trusted
449   issuer.
450
451   In a TLS client, this can be triggered by connecting to a malicious
452   server.  In a TLS server, this can be triggered if the server requests
453   client authentication and a malicious client connects.
454
455   An attacker can craft a malicious email address to overflow
456   an arbitrary number of bytes containing the `.`  character (decimal 46)
457   on the stack.  This buffer overflow could result in a crash (causing a
458   denial of service).
459   ([CVE-2022-3786])
460
461   An attacker can craft a malicious email address to overflow four
462   attacker-controlled bytes on the stack.  This buffer overflow could
463   result in a crash (causing a denial of service) or potentially remote code
464   execution depending on stack layout for any given platform/compiler.
465   ([CVE-2022-3602])
466
467   *Paul Dale*
468
469 * Removed all references to invalid OSSL_PKEY_PARAM_RSA names for CRT
470   parameters in OpenSSL code.
471   Applications should not use the names OSSL_PKEY_PARAM_RSA_FACTOR,
472   OSSL_PKEY_PARAM_RSA_EXPONENT and OSSL_PKEY_PARAM_RSA_COEFFICIENT.
473   Use the numbered names such as OSSL_PKEY_PARAM_RSA_FACTOR1 instead.
474   Using these invalid names may cause algorithms to use slower methods
475   that ignore the CRT parameters.
476
477   *Shane Lontis*
478
479 * Fixed a regression introduced in 3.0.6 version raising errors on some stack
480   operations.
481
482   *Tomáš Mráz*
483
484 * Fixed a regression introduced in 3.0.6 version not refreshing the certificate
485   data to be signed before signing the certificate.
486
487   *Gibeom Gwon*
488
489 * Added RIPEMD160 to the default provider.
490
491   *Paul Dale*
492
493 * Ensured that the key share group sent or accepted for the key exchange
494   is allowed for the protocol version.
495
496   *Matt Caswell*
497
498### Changes between 3.0.5 and 3.0.6 [11 Oct 2022]
499
500 * OpenSSL supports creating a custom cipher via the legacy
501   EVP_CIPHER_meth_new() function and associated function calls. This function
502   was deprecated in OpenSSL 3.0 and application authors are instead encouraged
503   to use the new provider mechanism in order to implement custom ciphers.
504
505   OpenSSL versions 3.0.0 to 3.0.5 incorrectly handle legacy custom ciphers
506   passed to the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and
507   EVP_CipherInit_ex2() functions (as well as other similarly named encryption
508   and decryption initialisation functions). Instead of using the custom cipher
509   directly it incorrectly tries to fetch an equivalent cipher from the
510   available providers. An equivalent cipher is found based on the NID passed to
511   EVP_CIPHER_meth_new(). This NID is supposed to represent the unique NID for a
512   given cipher. However it is possible for an application to incorrectly pass
513   NID_undef as this value in the call to EVP_CIPHER_meth_new(). When NID_undef
514   is used in this way the OpenSSL encryption/decryption initialisation function
515   will match the NULL cipher as being equivalent and will fetch this from the
516   available providers. This will succeed if the default provider has been
517   loaded (or if a third party provider has been loaded that offers this
518   cipher). Using the NULL cipher means that the plaintext is emitted as the
519   ciphertext.
520
521   Applications are only affected by this issue if they call
522   EVP_CIPHER_meth_new() using NID_undef and subsequently use it in a call to an
523   encryption/decryption initialisation function. Applications that only use
524   SSL/TLS are not impacted by this issue.
525   ([CVE-2022-3358])
526
527   *Matt Caswell*
528
529 * Fix LLVM vs Apple LLVM version numbering confusion that caused build failures
530   on MacOS 10.11
531
532   *Richard Levitte*
533
534 * Fixed the linux-mips64 Configure target which was missing the
535   SIXTY_FOUR_BIT bn_ops flag. This was causing heap corruption on that
536   platform.
537
538   *Adam Joseph*
539
540 * Fix handling of a ticket key callback that returns 0 in TLSv1.3 to not send a
541   ticket
542
543   *Matt Caswell*
544
545 * Correctly handle a retransmitted ClientHello in DTLS
546
547   *Matt Caswell*
548
549 * Fixed detection of ktls support in cross-compile environment on Linux
550
551   *Tomas Mraz*
552
553 * Fixed some regressions and test failures when running the 3.0.0 FIPS provider
554   against 3.0.x
555
556   *Paul Dale*
557
558 * Fixed SSL_pending() and SSL_has_pending() with DTLS which were failing to
559   report correct results in some cases
560
561   *Matt Caswell*
562
563 * Fix UWP builds by defining VirtualLock
564
565   *Charles Milette*
566
567 * For known safe primes use the minimum key length according to RFC 7919.
568   Longer private key sizes unnecessarily raise the cycles needed to compute the
569   shared secret without any increase of the real security. This fixes a
570   regression from 1.1.1 where these shorter keys were generated for the known
571   safe primes.
572
573   *Tomas Mraz*
574
575 * Added the loongarch64 target
576
577   *Shi Pujin*
578
579 * Fixed EC ASM flag passing. Flags for ASM implementations of EC curves were
580   only passed to the FIPS provider and not to the default or legacy provider.
581
582   *Juergen Christ*
583
584 * Fixed reported performance degradation on aarch64. Restored the
585   implementation prior to commit 2621751 ("aes/asm/aesv8-armx.pl: avoid
586   32-bit lane assignment in CTR mode") for 64bit targets only, since it is
587   reportedly 2-17% slower and the silicon errata only affects 32bit targets.
588   The new algorithm is still used for 32 bit targets.
589
590   *Bernd Edlinger*
591
592 * Added a missing header for memcmp that caused compilation failure on some
593   platforms
594
595   *Gregor Jasny*
596
597### Changes between 3.0.4 and 3.0.5 [5 Jul 2022]
598
599 * The OpenSSL 3.0.4 release introduced a serious bug in the RSA
600   implementation for X86_64 CPUs supporting the AVX512IFMA instructions.
601   This issue makes the RSA implementation with 2048 bit private keys
602   incorrect on such machines and memory corruption will happen during
603   the computation. As a consequence of the memory corruption an attacker
604   may be able to trigger a remote code execution on the machine performing
605   the computation.
606
607   SSL/TLS servers or other servers using 2048 bit RSA private keys running
608   on machines supporting AVX512IFMA instructions of the X86_64 architecture
609   are affected by this issue.
610   ([CVE-2022-2274])
611
612   *Xi Ruoyao*
613
614 * AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised
615   implementation would not encrypt the entirety of the data under some
616   circumstances.  This could reveal sixteen bytes of data that was
617   preexisting in the memory that wasn't written.  In the special case of
618   "in place" encryption, sixteen bytes of the plaintext would be revealed.
619
620   Since OpenSSL does not support OCB based cipher suites for TLS and DTLS,
621   they are both unaffected.
622   ([CVE-2022-2097])
623
624   *Alex Chernyakhovsky, David Benjamin, Alejandro Sedeño*
625
626### Changes between 3.0.3 and 3.0.4 [21 Jun 2022]
627
628 * In addition to the c_rehash shell command injection identified in
629   CVE-2022-1292, further bugs where the c_rehash script does not
630   properly sanitise shell metacharacters to prevent command injection have been
631   fixed.
632
633   When the CVE-2022-1292 was fixed it was not discovered that there
634   are other places in the script where the file names of certificates
635   being hashed were possibly passed to a command executed through the shell.
636
637   This script is distributed by some operating systems in a manner where
638   it is automatically executed.  On such operating systems, an attacker
639   could execute arbitrary commands with the privileges of the script.
640
641   Use of the c_rehash script is considered obsolete and should be replaced
642   by the OpenSSL rehash command line tool.
643   (CVE-2022-2068)
644
645   *Daniel Fiala, Tomáš Mráz*
646
647 * Case insensitive string comparison no longer uses locales.  It has instead
648   been directly implemented.
649
650   *Paul Dale*
651
652### Changes between 3.0.2 and 3.0.3 [3 May 2022]
653
654 * Case insensitive string comparison is reimplemented via new locale-agnostic
655   comparison functions OPENSSL_str[n]casecmp always using the POSIX locale for
656   comparison. The previous implementation had problems when the Turkish locale
657   was used.
658
659   *Dmitry Belyavskiy*
660
661 * Fixed a bug in the c_rehash script which was not properly sanitising shell
662   metacharacters to prevent command injection.  This script is distributed by
663   some operating systems in a manner where it is automatically executed.  On
664   such operating systems, an attacker could execute arbitrary commands with the
665   privileges of the script.
666
667   Use of the c_rehash script is considered obsolete and should be replaced
668   by the OpenSSL rehash command line tool.
669   (CVE-2022-1292)
670
671   *Tomáš Mráz*
672
673 * Fixed a bug in the function `OCSP_basic_verify` that verifies the signer
674   certificate on an OCSP response. The bug caused the function in the case
675   where the (non-default) flag OCSP_NOCHECKS is used to return a postivie
676   response (meaning a successful verification) even in the case where the
677   response signing certificate fails to verify.
678
679   It is anticipated that most users of `OCSP_basic_verify` will not use the
680   OCSP_NOCHECKS flag. In this case the `OCSP_basic_verify` function will return
681   a negative value (indicating a fatal error) in the case of a certificate
682   verification failure. The normal expected return value in this case would be
683   0.
684
685   This issue also impacts the command line OpenSSL "ocsp" application. When
686   verifying an ocsp response with the "-no_cert_checks" option the command line
687   application will report that the verification is successful even though it
688   has in fact failed. In this case the incorrect successful response will also
689   be accompanied by error messages showing the failure and contradicting the
690   apparently successful result.
691   ([CVE-2022-1343])
692
693   *Matt Caswell*
694
695 * Fixed a bug where the RC4-MD5 ciphersuite incorrectly used the
696   AAD data as the MAC key. This made the MAC key trivially predictable.
697
698   An attacker could exploit this issue by performing a man-in-the-middle attack
699   to modify data being sent from one endpoint to an OpenSSL 3.0 recipient such
700   that the modified data would still pass the MAC integrity check.
701
702   Note that data sent from an OpenSSL 3.0 endpoint to a non-OpenSSL 3.0
703   endpoint will always be rejected by the recipient and the connection will
704   fail at that point. Many application protocols require data to be sent from
705   the client to the server first. Therefore, in such a case, only an OpenSSL
706   3.0 server would be impacted when talking to a non-OpenSSL 3.0 client.
707
708   If both endpoints are OpenSSL 3.0 then the attacker could modify data being
709   sent in both directions. In this case both clients and servers could be
710   affected, regardless of the application protocol.
711
712   Note that in the absence of an attacker this bug means that an OpenSSL 3.0
713   endpoint communicating with a non-OpenSSL 3.0 endpoint will fail to complete
714   the handshake when using this ciphersuite.
715
716   The confidentiality of data is not impacted by this issue, i.e. an attacker
717   cannot decrypt data that has been encrypted using this ciphersuite - they can
718   only modify it.
719
720   In order for this attack to work both endpoints must legitimately negotiate
721   the RC4-MD5 ciphersuite. This ciphersuite is not compiled by default in
722   OpenSSL 3.0, and is not available within the default provider or the default
723   ciphersuite list. This ciphersuite will never be used if TLSv1.3 has been
724   negotiated. In order for an OpenSSL 3.0 endpoint to use this ciphersuite the
725   following must have occurred:
726
727   1) OpenSSL must have been compiled with the (non-default) compile time option
728      enable-weak-ssl-ciphers
729
730   2) OpenSSL must have had the legacy provider explicitly loaded (either
731      through application code or via configuration)
732
733   3) The ciphersuite must have been explicitly added to the ciphersuite list
734
735   4) The libssl security level must have been set to 0 (default is 1)
736
737   5) A version of SSL/TLS below TLSv1.3 must have been negotiated
738
739   6) Both endpoints must negotiate the RC4-MD5 ciphersuite in preference to any
740      others that both endpoints have in common
741   (CVE-2022-1434)
742
743   *Matt Caswell*
744
745 * Fix a bug in the OPENSSL_LH_flush() function that breaks reuse of the memory
746   occuppied by the removed hash table entries.
747
748   This function is used when decoding certificates or keys. If a long lived
749   process periodically decodes certificates or keys its memory usage will
750   expand without bounds and the process might be terminated by the operating
751   system causing a denial of service. Also traversing the empty hash table
752   entries will take increasingly more time.
753
754   Typically such long lived processes might be TLS clients or TLS servers
755   configured to accept client certificate authentication.
756   (CVE-2022-1473)
757
758   *Hugo Landau, Aliaksei Levin*
759
760 * The functions `OPENSSL_LH_stats` and `OPENSSL_LH_stats_bio` now only report
761   the `num_items`, `num_nodes` and `num_alloc_nodes` statistics. All other
762   statistics are no longer supported. For compatibility, these statistics are
763   still listed in the output but are now always reported as zero.
764
765   *Hugo Landau*
766
767### Changes between 3.0.1 and 3.0.2 [15 Mar 2022]
768
769 * Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever
770   for non-prime moduli.
771
772   Internally this function is used when parsing certificates that contain
773   elliptic curve public keys in compressed form or explicit elliptic curve
774   parameters with a base point encoded in compressed form.
775
776   It is possible to trigger the infinite loop by crafting a certificate that
777   has invalid explicit curve parameters.
778
779   Since certificate parsing happens prior to verification of the certificate
780   signature, any process that parses an externally supplied certificate may thus
781   be subject to a denial of service attack. The infinite loop can also be
782   reached when parsing crafted private keys as they can contain explicit
783   elliptic curve parameters.
784
785   Thus vulnerable situations include:
786
787    - TLS clients consuming server certificates
788    - TLS servers consuming client certificates
789    - Hosting providers taking certificates or private keys from customers
790    - Certificate authorities parsing certification requests from subscribers
791    - Anything else which parses ASN.1 elliptic curve parameters
792
793   Also any other applications that use the BN_mod_sqrt() where the attacker
794   can control the parameter values are vulnerable to this DoS issue.
795   ([CVE-2022-0778])
796
797   *Tomáš Mráz*
798
799 * Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489)
800   to the list of ciphersuites providing Perfect Forward Secrecy as
801   required by SECLEVEL >= 3.
802
803   *Dmitry Belyavskiy, Nicola Tuveri*
804
805 * Made the AES constant time code for no-asm configurations
806   optional due to the resulting 95% performance degradation.
807   The AES constant time code can be enabled, for no assembly
808   builds, with: ./config no-asm -DOPENSSL_AES_CONST_TIME
809
810   *Paul Dale*
811
812 * Fixed PEM_write_bio_PKCS8PrivateKey() to make it possible to use empty
813   passphrase strings.
814
815   *Darshan Sen*
816
817 * The negative return value handling of the certificate verification callback
818   was reverted. The replacement is to set the verification retry state with
819   the SSL_set_retry_verify() function.
820
821   *Tomáš Mráz*
822
823### Changes between 3.0.0 and 3.0.1 [14 Dec 2021]
824
825 * Fixed invalid handling of X509_verify_cert() internal errors in libssl
826   Internally libssl in OpenSSL calls X509_verify_cert() on the client side to
827   verify a certificate supplied by a server. That function may return a
828   negative return value to indicate an internal error (for example out of
829   memory). Such a negative return value is mishandled by OpenSSL and will cause
830   an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate
831   success and a subsequent call to SSL_get_error() to return the value
832   SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be
833   returned by OpenSSL if the application has previously called
834   SSL_CTX_set_cert_verify_callback(). Since most applications do not do this
835   the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be
836   totally unexpected and applications may not behave correctly as a result. The
837   exact behaviour will depend on the application but it could result in
838   crashes, infinite loops or other similar incorrect responses.
839
840   This issue is made more serious in combination with a separate bug in OpenSSL
841   3.0 that will cause X509_verify_cert() to indicate an internal error when
842   processing a certificate chain. This will occur where a certificate does not
843   include the Subject Alternative Name extension but where a Certificate
844   Authority has enforced name constraints. This issue can occur even with valid
845   chains.
846   ([CVE-2021-4044])
847
848   *Matt Caswell*
849
850 * Corrected a few file name and file reference bugs in the build,
851   installation and setup scripts, which lead to installation verification
852   failures.  Slightly enhanced the installation verification script.
853
854   *Richard Levitte*
855
856 * Fixed EVP_PKEY_eq() to make it possible to use it with strictly private
857   keys.
858
859   *Richard Levitte*
860
861 * Fixed PVK encoder to properly query for the passphrase.
862
863   *Tomáš Mráz*
864
865 * Multiple fixes in the OSSL_HTTP API functions.
866
867   *David von Oheimb*
868
869 * Allow sign extension in OSSL_PARAM_allocate_from_text() for the
870   OSSL_PARAM_INTEGER data type and return error on negative numbers
871   used with the OSSL_PARAM_UNSIGNED_INTEGER data type. Make
872   OSSL_PARAM_BLD_push_BN{,_pad}() return an error on negative numbers.
873
874   *Richard Levitte*
875
876 * Allow copying uninitialized digest contexts with EVP_MD_CTX_copy_ex.
877
878   *Tomáš Mráz*
879
880 * Fixed detection of ARMv7 and ARM64 CPU features on FreeBSD.
881
882   *Allan Jude*
883
884 * Multiple threading fixes.
885
886   *Matt Caswell*
887
888 * Added NULL digest implementation to keep compatibility with 1.1.1 version.
889
890   *Tomáš Mráz*
891
892 * Allow fetching an operation from the provider that owns an unexportable key
893   as a fallback if that is still allowed by the property query.
894
895   *Richard Levitte*
896
897### Changes between 1.1.1 and 3.0.0 [7 sep 2021]
898
899 * TLS_MAX_VERSION, DTLS_MAX_VERSION and DTLS_MIN_VERSION constants are now
900   deprecated.
901
902   *Matt Caswell*
903
904 * The `OPENSSL_s390xcap` environment variable can be used to set bits in the
905   S390X capability vector to zero. This simplifies testing of different code
906   paths on S390X architecture.
907
908   *Patrick Steuer*
909
910 * Encrypting more than 2^64 TLS records with AES-GCM is disallowed
911   as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness Requirements from
912   SP 800-38D". The communication will fail at this point.
913
914   *Paul Dale*
915
916 * The EC_GROUP_clear_free() function is deprecated as there is nothing
917   confidential in EC_GROUP data.
918
919   *Nicola Tuveri*
920
921 * The byte order mark (BOM) character is ignored if encountered at the
922   beginning of a PEM-formatted file.
923
924   *Dmitry Belyavskiy*
925
926 * Added CMS support for the Russian GOST algorithms.
927
928   *Dmitry Belyavskiy*
929
930 * Due to move of the implementation of cryptographic operations
931   to the providers, validation of various operation parameters can
932   be postponed until the actual operation is executed where previously
933   it happened immediately when an operation parameter was set.
934
935   For example when setting an unsupported curve with
936   EVP_PKEY_CTX_set_ec_paramgen_curve_nid() this function call will not
937   fail but later keygen operations with the EVP_PKEY_CTX will fail.
938
939   *OpenSSL team members and many third party contributors*
940
941 * The EVP_get_cipherbyname() function will return NULL for algorithms such as
942   "AES-128-SIV", "AES-128-CBC-CTS" and "CAMELLIA-128-CBC-CTS" which were
943   previously only accessible via low level interfaces. Use EVP_CIPHER_fetch()
944   instead to retrieve these algorithms from a provider.
945
946   *Shane Lontis*
947
948 * On build targets where the multilib postfix is set in the build
949   configuration the libdir directory was changing based on whether
950   the lib directory with the multilib postfix exists on the system
951   or not. This unpredictable behavior was removed and eventual
952   multilib postfix is now always added to the default libdir. Use
953   `--libdir=lib` to override the libdir if adding the postfix is
954   undesirable.
955
956   *Jan Lána*
957
958 * The triple DES key wrap functionality now conforms to RFC 3217 but is
959   no longer interoperable with OpenSSL 1.1.1.
960
961   *Paul Dale*
962
963 * The ERR_GET_FUNC() function was removed.  With the loss of meaningful
964   function codes, this function can only cause problems for calling
965   applications.
966
967   *Paul Dale*
968
969 * Add a configurable flag to output date formats as ISO 8601. Does not
970   change the default date format.
971
972   *William Edmisten*
973
974 * Version of MSVC earlier than 1300 could get link warnings, which could
975   be suppressed if the undocumented -DI_CAN_LIVE_WITH_LNK4049 was set.
976   Support for this flag has been removed.
977
978   *Rich Salz*
979
980 * Rework and make DEBUG macros consistent. Remove unused -DCONF_DEBUG,
981   -DBN_CTX_DEBUG, and REF_PRINT. Add a new tracing category and use it for
982   printing reference counts. Rename -DDEBUG_UNUSED to -DUNUSED_RESULT_DEBUG
983   Fix BN_DEBUG_RAND so it compiles and, when set, force DEBUG_RAND to be set
984   also. Rename engine_debug_ref to be ENGINE_REF_PRINT also for consistency.
985
986   *Rich Salz*
987
988 * The signatures of the functions to get and set options on SSL and
989   SSL_CTX objects changed from "unsigned long" to "uint64_t" type.
990   Some source code changes may be required.
991
992   *Rich Salz*
993
994 * The public definitions of conf_method_st and conf_st have been
995   deprecated. They will be made opaque in a future release.
996
997   *Rich Salz and Tomáš Mráz*
998
999 * Client-initiated renegotiation is disabled by default. To allow it, use
1000   the -client_renegotiation option, the SSL_OP_ALLOW_CLIENT_RENEGOTIATION
1001   flag, or the "ClientRenegotiation" config parameter as appropriate.
1002
1003   *Rich Salz*
1004
1005 * Add "abspath" and "includedir" pragma's to config files, to prevent,
1006   or modify relative pathname inclusion.
1007
1008   *Rich Salz*
1009
1010 * OpenSSL includes a cryptographic module that is intended to be FIPS 140-2
1011   validated. Please consult the README-FIPS and
1012   README-PROVIDERS files, as well as the migration guide.
1013
1014   *OpenSSL team members and many third party contributors*
1015
1016 * For the key types DH and DHX the allowed settable parameters are now different.
1017
1018   *Shane Lontis*
1019
1020 * The openssl commands that read keys, certificates, and CRLs now
1021   automatically detect the PEM or DER format of the input files.
1022
1023   *David von Oheimb, Richard Levitte, and Tomáš Mráz*
1024
1025 * Added enhanced PKCS#12 APIs which accept a library context.
1026
1027   *Jon Spillett*
1028
1029 * The default manual page suffix ($MANSUFFIX) has been changed to "ossl"
1030
1031   *Matt Caswell*
1032
1033 * Added support for Kernel TLS (KTLS).
1034
1035   *Boris Pismenny, John Baldwin and Andrew Gallatin*
1036
1037 * Support for RFC 5746 secure renegotiation is now required by default for
1038   SSL or TLS connections to succeed.
1039
1040   *Benjamin Kaduk*
1041
1042 * The signature of the `copy` functional parameter of the
1043   EVP_PKEY_meth_set_copy() function has changed so its `src` argument is
1044   now `const EVP_PKEY_CTX *` instead of `EVP_PKEY_CTX *`. Similarly
1045   the signature of the `pub_decode` functional parameter of the
1046   EVP_PKEY_asn1_set_public() function has changed so its `pub` argument is
1047   now `const X509_PUBKEY *` instead of `X509_PUBKEY *`.
1048
1049   *David von Oheimb*
1050
1051 * The error return values from some control calls (ctrl) have changed.
1052
1053   *Paul Dale*
1054
1055 * A public key check is now performed during EVP_PKEY_derive_set_peer().
1056
1057   *Shane Lontis*
1058
1059 * Many functions in the EVP_ namespace that are getters of values from
1060   implementations or contexts were renamed to include get or get0 in their
1061   names. Old names are provided as macro aliases for compatibility and
1062   are not deprecated.
1063
1064   *Tomáš Mráz*
1065
1066 * The EVP_PKEY_CTRL_PKCS7_ENCRYPT, EVP_PKEY_CTRL_PKCS7_DECRYPT,
1067   EVP_PKEY_CTRL_PKCS7_SIGN, EVP_PKEY_CTRL_CMS_ENCRYPT,
1068   EVP_PKEY_CTRL_CMS_DECRYPT, and EVP_PKEY_CTRL_CMS_SIGN control operations
1069   are deprecated.
1070
1071   *Tomáš Mráz*
1072
1073 * The EVP_PKEY_public_check() and EVP_PKEY_param_check() functions now work for
1074   more key types.
1075
1076 * The output from the command line applications may have minor
1077   changes.
1078
1079   *Paul Dale*
1080
1081 * The output from numerous "printing" may have minor changes.
1082
1083   *David von Oheimb*
1084
1085 * Windows thread synchronization uses read/write primitives (SRWLock) when
1086   supported by the OS, otherwise CriticalSection continues to be used.
1087
1088   *Vincent Drake*
1089
1090 * Add filter BIO BIO_f_readbuffer() that allows BIO_tell() and BIO_seek() to
1091   work on read only BIO source/sinks that do not support these functions.
1092   This allows piping or redirection of a file BIO using stdin to be buffered
1093   into memory. This is used internally in OSSL_DECODER_from_bio().
1094
1095   *Shane Lontis*
1096
1097 * OSSL_STORE_INFO_get_type() may now return an additional value. In 1.1.1
1098   this function would return one of the values OSSL_STORE_INFO_NAME,
1099   OSSL_STORE_INFO_PKEY, OSSL_STORE_INFO_PARAMS, OSSL_STORE_INFO_CERT or
1100   OSSL_STORE_INFO_CRL. Decoded public keys would previously have been reported
1101   as type OSSL_STORE_INFO_PKEY in 1.1.1. In 3.0 decoded public keys are now
1102   reported as having the new type OSSL_STORE_INFO_PUBKEY. Applications
1103   using this function should be amended to handle the changed return value.
1104
1105   *Richard Levitte*
1106
1107 * Improved adherence to Enhanced Security Services (ESS, RFC 2634 and RFC 5035)
1108   for the TSP and CMS Advanced Electronic Signatures (CAdES) implementations.
1109   As required by RFC 5035 check both ESSCertID and ESSCertIDv2 if both present.
1110   Correct the semantics of checking the validation chain in case ESSCertID{,v2}
1111   contains more than one certificate identifier: This means that all
1112   certificates referenced there MUST be part of the validation chain.
1113
1114   *David von Oheimb*
1115
1116 * The implementation of older EVP ciphers related to CAST, IDEA, SEED, RC2, RC4,
1117   RC5, DESX and DES have been moved to the legacy provider.
1118
1119   *Matt Caswell*
1120
1121 * The implementation of the EVP digests MD2, MD4, MDC2, WHIRLPOOL and
1122   RIPEMD-160 have been moved to the legacy provider.
1123
1124   *Matt Caswell*
1125
1126 * The deprecated function EVP_PKEY_get0() now returns NULL being called for a
1127   provided key.
1128
1129   *Dmitry Belyavskiy*
1130
1131 * The deprecated functions EVP_PKEY_get0_RSA(),
1132   EVP_PKEY_get0_DSA(), EVP_PKEY_get0_EC_KEY(), EVP_PKEY_get0_DH(),
1133   EVP_PKEY_get0_hmac(), EVP_PKEY_get0_poly1305() and EVP_PKEY_get0_siphash() as
1134   well as the similarly named "get1" functions behave differently in
1135   OpenSSL 3.0.
1136
1137   *Matt Caswell*
1138
1139 * A number of functions handling low-level keys or engines were deprecated
1140   including EVP_PKEY_set1_engine(), EVP_PKEY_get0_engine(), EVP_PKEY_assign(),
1141   EVP_PKEY_get0(), EVP_PKEY_get0_hmac(), EVP_PKEY_get0_poly1305() and
1142   EVP_PKEY_get0_siphash().
1143
1144   *Matt Caswell*
1145
1146 * PKCS#5 PBKDF1 key derivation has been moved from PKCS5_PBE_keyivgen() into
1147   the legacy crypto provider as an EVP_KDF. Applications requiring this KDF
1148   will need to load the legacy crypto provider. This includes these PBE
1149   algorithms which use this KDF:
1150   - NID_pbeWithMD2AndDES_CBC
1151   - NID_pbeWithMD5AndDES_CBC
1152   - NID_pbeWithSHA1AndRC2_CBC
1153   - NID_pbeWithMD2AndRC2_CBC
1154   - NID_pbeWithMD5AndRC2_CBC
1155   - NID_pbeWithSHA1AndDES_CBC
1156
1157   *Jon Spillett*
1158
1159 * Deprecated obsolete BIO_set_callback(), BIO_get_callback(), and
1160   BIO_debug_callback() functions.
1161
1162   *Tomáš Mráz*
1163
1164 * Deprecated obsolete EVP_PKEY_CTX_get0_dh_kdf_ukm() and
1165   EVP_PKEY_CTX_get0_ecdh_kdf_ukm() functions.
1166
1167   *Tomáš Mráz*
1168
1169 * The RAND_METHOD APIs have been deprecated.
1170
1171   *Paul Dale*
1172
1173 * The SRP APIs have been deprecated.
1174
1175   *Matt Caswell*
1176
1177 * Add a compile time option to prevent the caching of provider fetched
1178   algorithms.  This is enabled by including the no-cached-fetch option
1179   at configuration time.
1180
1181   *Paul Dale*
1182
1183 * pkcs12 now uses defaults of PBKDF2, AES and SHA-256, with a MAC iteration
1184   count of PKCS12_DEFAULT_ITER.
1185
1186   *Tomáš Mráz and Sahana Prasad*
1187
1188 * The openssl speed command does not use low-level API calls anymore.
1189
1190   *Tomáš Mráz*
1191
1192 * Parallel dual-prime 1024-bit modular exponentiation for AVX512_IFMA
1193   capable processors.
1194
1195   *Ilya Albrekht, Sergey Kirillov, Andrey Matyukov (Intel Corp)*
1196
1197 * Combining the Configure options no-ec and no-dh no longer disables TLSv1.3.
1198
1199   *Matt Caswell*
1200
1201 * Implemented support for fully "pluggable" TLSv1.3 groups. This means that
1202   providers may supply their own group implementations (using either the "key
1203   exchange" or the "key encapsulation" methods) which will automatically be
1204   detected and used by libssl.
1205
1206   *Matt Caswell, Nicola Tuveri*
1207
1208 * The undocumented function X509_certificate_type() has been deprecated;
1209
1210   *Rich Salz*
1211
1212 * Deprecated the obsolete BN_pseudo_rand() and BN_pseudo_rand_range().
1213
1214   *Tomáš Mráz*
1215
1216 * Removed RSA padding mode for SSLv23 (which was only used for
1217   SSLv2). This includes the functions RSA_padding_check_SSLv23() and
1218   RSA_padding_add_SSLv23() and the `-ssl` option in the deprecated
1219   `rsautl` command.
1220
1221   *Rich Salz*
1222
1223 * Deprecated the obsolete X9.31 RSA key generation related functions.
1224
1225 * While a callback function set via `SSL_CTX_set_cert_verify_callback()`
1226   is not allowed to return a value > 1, this is no more taken as failure.
1227
1228   *Viktor Dukhovni and David von Oheimb*
1229
1230 * Deprecated the obsolete X9.31 RSA key generation related functions
1231   BN_X931_generate_Xpq(), BN_X931_derive_prime_ex(), and
1232   BN_X931_generate_prime_ex().
1233
1234   *Tomáš Mráz*
1235
1236 * The default key generation method for the regular 2-prime RSA keys was
1237   changed to the FIPS 186-4 B.3.6 method.
1238
1239   *Shane Lontis*
1240
1241 * Deprecated the BN_is_prime_ex() and BN_is_prime_fasttest_ex() functions.
1242
1243   *Kurt Roeckx*
1244
1245 * Deprecated EVP_MD_CTX_set_update_fn() and EVP_MD_CTX_update_fn().
1246
1247   *Rich Salz*
1248
1249 * Deprecated the type OCSP_REQ_CTX and the functions OCSP_REQ_CTX_*() and
1250   replaced with OSSL_HTTP_REQ_CTX and the functions OSSL_HTTP_REQ_CTX_*().
1251
1252   *Rich Salz, Richard Levitte, and David von Oheimb*
1253
1254 * Deprecated `X509_http_nbio()` and `X509_CRL_http_nbio()`.
1255
1256   *David von Oheimb*
1257
1258 * Deprecated `OCSP_parse_url()`.
1259
1260   *David von Oheimb*
1261
1262 * Validation of SM2 keys has been separated from the validation of regular EC
1263   keys.
1264
1265   *Nicola Tuveri*
1266
1267 * Behavior of the `pkey` app is changed, when using the `-check` or `-pubcheck`
1268   switches: a validation failure triggers an early exit, returning a failure
1269   exit status to the parent process.
1270
1271   *Nicola Tuveri*
1272
1273 * Changed behavior of SSL_CTX_set_ciphersuites() and SSL_set_ciphersuites()
1274   to ignore unknown ciphers.
1275
1276   *Otto Hollmann*
1277
1278 * The `-cipher-commands` and `-digest-commands` options
1279   of the command line utility `list` have been deprecated.
1280   Instead use the `-cipher-algorithms` and `-digest-algorithms` options.
1281
1282   *Dmitry Belyavskiy*
1283
1284 * Added convenience functions for generating asymmetric key pairs:
1285   The 'quick' one-shot (yet somewhat limited) function L<EVP_PKEY_Q_keygen(3)>
1286   and macros for the most common cases: <EVP_RSA_gen(3)> and L<EVP_EC_gen(3)>.
1287
1288   *David von Oheimb*
1289
1290 * All of the low level EC_KEY functions have been deprecated.
1291
1292   *Shane Lontis, Paul Dale, Richard Levitte, and Tomáš Mráz*
1293
1294 * Deprecated all the libcrypto and libssl error string loading
1295   functions.
1296
1297   *Richard Levitte*
1298
1299 * The functions SSL_CTX_set_tmp_dh_callback and SSL_set_tmp_dh_callback, as
1300   well as the macros SSL_CTX_set_tmp_dh() and SSL_set_tmp_dh() have been
1301   deprecated.
1302
1303   *Matt Caswell*
1304
1305 * The `-crypt` option to the `passwd` command line tool has been removed.
1306
1307   *Paul Dale*
1308
1309 * The -C option to the `x509`, `dhparam`, `dsaparam`, and `ecparam` commands
1310   were removed.
1311
1312   *Rich Salz*
1313
1314 * Add support for AES Key Wrap inverse ciphers to the EVP layer.
1315
1316   *Shane Lontis*
1317
1318 * Deprecated EVP_PKEY_set1_tls_encodedpoint() and
1319   EVP_PKEY_get1_tls_encodedpoint().
1320
1321   *Matt Caswell*
1322
1323 * The security callback, which can be customised by application code, supports
1324   the security operation SSL_SECOP_TMP_DH. One location of the "other" parameter
1325   was incorrectly passing a DH object. It now passed an EVP_PKEY in all cases.
1326
1327   *Matt Caswell*
1328
1329 * Add PKCS7_get_octet_string() and PKCS7_type_is_other() to the public
1330   interface. Their functionality remains unchanged.
1331
1332   *Jordan Montgomery*
1333
1334 * Added new option for 'openssl list', '-providers', which will display the
1335   list of loaded providers, their names, version and status.  It optionally
1336   displays their gettable parameters.
1337
1338   *Paul Dale*
1339
1340 * Removed EVP_PKEY_set_alias_type().
1341
1342   *Richard Levitte*
1343
1344 * Deprecated `EVP_PKEY_CTX_set_rsa_keygen_pubexp()` and introduced
1345   `EVP_PKEY_CTX_set1_rsa_keygen_pubexp()`, which is now preferred.
1346
1347   *Jeremy Walch*
1348
1349 * Changed all "STACK" functions to be macros instead of inline functions. Macro
1350   parameters are still checked for type safety at compile time via helper
1351   inline functions.
1352
1353   *Matt Caswell*
1354
1355 * Remove the RAND_DRBG API
1356
1357   *Paul Dale and Matthias St. Pierre*
1358
1359 * Allow `SSL_set1_host()` and `SSL_add1_host()` to take IP literal addresses
1360   as well as actual hostnames.
1361
1362   *David Woodhouse*
1363
1364 * The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
1365   ignore TLS protocol version bounds when configuring DTLS-based contexts, and
1366   conversely, silently ignore DTLS protocol version bounds when configuring
1367   TLS-based contexts.  The commands can be repeated to set bounds of both
1368   types.  The same applies with the corresponding "min_protocol" and
1369   "max_protocol" command-line switches, in case some application uses both TLS
1370   and DTLS.
1371
1372   SSL_CTX instances that are created for a fixed protocol version (e.g.
1373   `TLSv1_server_method()`) also silently ignore version bounds.  Previously
1374   attempts to apply bounds to these protocol versions would result in an
1375   error.  Now only the "version-flexible" SSL_CTX instances are subject to
1376   limits in configuration files in command-line options.
1377
1378   *Viktor Dukhovni*
1379
1380 * Deprecated the `ENGINE` API.  Engines should be replaced with providers
1381   going forward.
1382
1383   *Paul Dale*
1384
1385 * Reworked the recorded ERR codes to make better space for system errors.
1386   To distinguish them, the macro `ERR_SYSTEM_ERROR()` indicates if the
1387   given code is a system error (true) or an OpenSSL error (false).
1388
1389   *Richard Levitte*
1390
1391 * Reworked the test perl framework to better allow parallel testing.
1392
1393   *Nicola Tuveri and David von Oheimb*
1394
1395 * Added ciphertext stealing algorithms AES-128-CBC-CTS, AES-192-CBC-CTS and
1396   AES-256-CBC-CTS to the providers. CS1, CS2 and CS3 variants are supported.
1397
1398   *Shane Lontis*
1399
1400 * 'Configure' has been changed to figure out the configuration target if
1401   none is given on the command line.  Consequently, the 'config' script is
1402   now only a mere wrapper.  All documentation is changed to only mention
1403   'Configure'.
1404
1405   *Rich Salz and Richard Levitte*
1406
1407 * Added a library context `OSSL_LIB_CTX` that applications as well as
1408   other libraries can use to form a separate context within which
1409   libcrypto operations are performed.
1410
1411   *Richard Levitte*
1412
1413 * Added various `_ex` functions to the OpenSSL API that support using
1414   a non-default `OSSL_LIB_CTX`.
1415
1416   *OpenSSL team*
1417
1418 * Handshake now fails if Extended Master Secret extension is dropped
1419   on renegotiation.
1420
1421   *Tomáš Mráz*
1422
1423 * Dropped interactive mode from the `openssl` program.
1424
1425   *Richard Levitte*
1426
1427 * Deprecated `EVP_PKEY_cmp()` and `EVP_PKEY_cmp_parameters()`.
1428
1429   *David von Oheimb and Shane Lontis*
1430
1431 * Deprecated `EC_METHOD_get_field_type()`.
1432
1433   *Billy Bob Brumley*
1434
1435 * Deprecated EC_GFp_simple_method(), EC_GFp_mont_method(),
1436   EC_GF2m_simple_method(), EC_GFp_nist_method(), EC_GFp_nistp224_method()
1437   EC_GFp_nistp256_method(), and EC_GFp_nistp521_method().
1438
1439   *Billy Bob Brumley*
1440
1441 * Deprecated EC_GROUP_new(), EC_GROUP_method_of(), and EC_POINT_method_of().
1442
1443   *Billy Bob Brumley*
1444
1445 * Add CAdES-BES signature verification support, mostly derived
1446   from ESSCertIDv2 TS (RFC 5816) contribution by Marek Klein.
1447
1448   *Filipe Raimundo da Silva*
1449
1450 * Add CAdES-BES signature scheme and attributes support (RFC 5126) to CMS API.
1451
1452   *Antonio Iacono*
1453
1454 * Added the AuthEnvelopedData content type structure (RFC 5083) with AES-GCM
1455   parameter (RFC 5084) for the Cryptographic Message Syntax (CMS).
1456
1457   *Jakub Zelenka*
1458
1459 * Deprecated EC_POINT_make_affine() and EC_POINTs_make_affine().
1460
1461   *Billy Bob Brumley*
1462
1463 * Deprecated EC_GROUP_precompute_mult(), EC_GROUP_have_precompute_mult(), and
1464   EC_KEY_precompute_mult().
1465
1466   *Billy Bob Brumley*
1467
1468 * Deprecated EC_POINTs_mul().
1469
1470   *Billy Bob Brumley*
1471
1472 * Removed FIPS_mode() and FIPS_mode_set().
1473
1474   *Shane Lontis*
1475
1476 * The SSL option SSL_OP_IGNORE_UNEXPECTED_EOF is introduced.
1477
1478   *Dmitry Belyavskiy*
1479
1480 * Deprecated EC_POINT_set_Jprojective_coordinates_GFp() and
1481   EC_POINT_get_Jprojective_coordinates_GFp().
1482
1483   *Billy Bob Brumley*
1484
1485 * Added OSSL_PARAM_BLD to the public interface.  This allows OSSL_PARAM
1486   arrays to be more easily constructed via a series of utility functions.
1487   Create a parameter builder using OSSL_PARAM_BLD_new(), add parameters using
1488   the various push functions and finally convert to a passable OSSL_PARAM
1489   array using OSSL_PARAM_BLD_to_param().
1490
1491   *Paul Dale*
1492
1493 * The security strength of SHA1 and MD5 based signatures in TLS has been
1494   reduced.
1495
1496   *Kurt Roeckx*
1497
1498 * Added EVP_PKEY_set_type_by_keymgmt(), to initialise an EVP_PKEY to
1499   contain a provider side internal key.
1500
1501   *Richard Levitte*
1502
1503 * ASN1_verify(), ASN1_digest() and ASN1_sign() have been deprecated.
1504
1505   *Richard Levitte*
1506
1507 * Project text documents not yet having a proper file name extension
1508   (`HACKING`, `LICENSE`, `NOTES*`, `README*`, `VERSION`) have been renamed to
1509   `*.md` as far as reasonable, else `*.txt`, for better use with file managers.
1510
1511   *David von Oheimb*
1512
1513 * The main project documents (README, NEWS, CHANGES, INSTALL, SUPPORT)
1514   have been converted to Markdown with the goal to produce documents
1515   which not only look pretty when viewed online in the browser, but
1516   remain well readable inside a plain text editor.
1517
1518   To achieve this goal, a 'minimalistic' Markdown style has been applied
1519   which avoids formatting elements that interfere too much with the
1520   reading flow in the text file. For example, it
1521
1522   * avoids [ATX headings][] and uses [setext headings][] instead
1523     (which works for `<h1>` and `<h2>` headings only).
1524   * avoids [inline links][] and uses [reference links][] instead.
1525   * avoids [fenced code blocks][] and uses [indented code blocks][] instead.
1526
1527     [ATX headings]:         https://github.github.com/gfm/#atx-headings
1528     [setext headings]:      https://github.github.com/gfm/#setext-headings
1529     [inline links]:         https://github.github.com/gfm/#inline-link
1530     [reference links]:      https://github.github.com/gfm/#reference-link
1531     [fenced code blocks]:   https://github.github.com/gfm/#fenced-code-blocks
1532     [indented code blocks]: https://github.github.com/gfm/#indented-code-blocks
1533
1534   *Matthias St. Pierre*
1535
1536 * The test suite is changed to preserve results of each test recipe.
1537   A new directory test-runs/ with subdirectories named like the
1538   test recipes are created in the build tree for this purpose.
1539
1540   *Richard Levitte*
1541
1542 * Added an implementation of CMP and CRMF (RFC 4210, RFC 4211 RFC 6712).
1543   This adds `crypto/cmp/`, `crpyto/crmf/`, `apps/cmp.c`, and `test/cmp_*`.
1544   See L<openssl-cmp(1)> and L<OSSL_CMP_exec_IR_ses(3)> as starting points.
1545
1546   *David von Oheimb, Martin Peylo*
1547
1548 * Generalized the HTTP client code from `crypto/ocsp/` into `crpyto/http/`.
1549   It supports arbitrary request and response content types, GET redirection,
1550   TLS, connections via HTTP(S) proxies, connections and exchange via
1551   user-defined BIOs (allowing implicit connections), persistent connections,
1552   and timeout checks.  See L<OSSL_HTTP_transfer(3)> etc. for details.
1553   The legacy OCSP-focused (and only partly documented) API
1554   is retained for backward compatibility, while most of it is deprecated.
1555
1556   *David von Oheimb*
1557
1558 * Added `util/check-format.pl`, a tool for checking adherence to the
1559   OpenSSL coding style <https://www.openssl.org/policies/codingstyle.html>.
1560   The checks performed are incomplete and yield some false positives.
1561   Still the tool should be useful for detecting most typical glitches.
1562
1563   *David von Oheimb*
1564
1565 * `BIO_do_connect()` and `BIO_do_handshake()` have been extended:
1566   If domain name resolution yields multiple IP addresses all of them are tried
1567   after `connect()` failures.
1568
1569   *David von Oheimb*
1570
1571 * All of the low level RSA functions have been deprecated.
1572
1573   *Paul Dale*
1574
1575 * X509 certificates signed using SHA1 are no longer allowed at security
1576   level 1 and above.
1577
1578   *Kurt Roeckx*
1579
1580 * The command line utilities dhparam, dsa, gendsa and dsaparam have been
1581   modified to use PKEY APIs.  These commands are now in maintenance mode
1582   and no new features will be added to them.
1583
1584   *Paul Dale*
1585
1586 * The command line utility rsautl has been deprecated.
1587
1588   *Paul Dale*
1589
1590 * The command line utilities genrsa and rsa have been modified to use PKEY
1591   APIs. They now write PKCS#8 keys by default. These commands are now in
1592   maintenance mode and no new features will be added to them.
1593
1594   *Paul Dale*
1595
1596 * All of the low level DH functions have been deprecated.
1597
1598   *Paul Dale and Matt Caswell*
1599
1600 * All of the low level DSA functions have been deprecated.
1601
1602   *Paul Dale*
1603
1604 * Reworked the treatment of EC EVP_PKEYs with the SM2 curve to
1605   automatically become EVP_PKEY_SM2 rather than EVP_PKEY_EC.
1606
1607   *Richard Levitte*
1608
1609 * Deprecated low level ECDH and ECDSA functions.
1610
1611   *Paul Dale*
1612
1613 * Deprecated EVP_PKEY_decrypt_old() and EVP_PKEY_encrypt_old().
1614
1615   *Richard Levitte*
1616
1617 * Enhanced the documentation of EVP_PKEY_get_size(), EVP_PKEY_get_bits()
1618   and EVP_PKEY_get_security_bits().  Especially EVP_PKEY_get_size() needed
1619   a new formulation to include all the things it can be used for,
1620   as well as words of caution.
1621
1622   *Richard Levitte*
1623
1624 * The SSL_CTX_set_tlsext_ticket_key_cb(3) function has been deprecated.
1625
1626   *Paul Dale*
1627
1628 * All of the low level HMAC functions have been deprecated.
1629
1630   *Paul Dale and David von Oheimb*
1631
1632 * Over two thousand fixes were made to the documentation, including:
1633   - Common options (such as -rand/-writerand, TLS version control, etc)
1634     were refactored and point to newly-enhanced descriptions in openssl.pod.
1635   - Added style conformance for all options (with help from Richard Levitte),
1636     documented all reported missing options, added a CI build to check
1637     that all options are documented and that no unimplemented options
1638     are documented.
1639   - Documented some internals, such as all use of environment variables.
1640   - Addressed all internal broken L<> references.
1641
1642   *Rich Salz*
1643
1644 * All of the low level CMAC functions have been deprecated.
1645
1646   *Paul Dale*
1647
1648 * The low-level MD2, MD4, MD5, MDC2, RIPEMD160 and Whirlpool digest
1649   functions have been deprecated.
1650
1651   *Paul Dale and David von Oheimb*
1652
1653 * Corrected the documentation of the return values from the `EVP_DigestSign*`
1654   set of functions.  The documentation mentioned negative values for some
1655   errors, but this was never the case, so the mention of negative values
1656   was removed.
1657
1658   Code that followed the documentation and thereby check with something
1659   like `EVP_DigestSignInit(...) <= 0` will continue to work undisturbed.
1660
1661   *Richard Levitte*
1662
1663 * All of the low level cipher functions have been deprecated.
1664
1665   *Matt Caswell and Paul Dale*
1666
1667 * Removed include/openssl/opensslconf.h.in and replaced it with
1668   include/openssl/configuration.h.in, which differs in not including
1669   <openssl/macros.h>.  A short header include/openssl/opensslconf.h
1670   was added to include both.
1671
1672   This allows internal hacks where one might need to modify the set
1673   of configured macros, for example this if deprecated symbols are
1674   still supposed to be available internally:
1675
1676       #include <openssl/configuration.h>
1677
1678       #undef OPENSSL_NO_DEPRECATED
1679       #define OPENSSL_SUPPRESS_DEPRECATED
1680
1681       #include <openssl/macros.h>
1682
1683   This should not be used by applications that use the exported
1684   symbols, as that will lead to linking errors.
1685
1686   *Richard Levitte*
1687
1688 * Fixed an overflow bug in the x64_64 Montgomery squaring procedure
1689   used in exponentiation with 512-bit moduli. No EC algorithms are
1690   affected. Analysis suggests that attacks against 2-prime RSA1024,
1691   3-prime RSA1536, and DSA1024 as a result of this defect would be very
1692   difficult to perform and are not believed likely. Attacks against DH512
1693   are considered just feasible. However, for an attack the target would
1694   have to re-use the DH512 private key, which is not recommended anyway.
1695   Also applications directly using the low-level API BN_mod_exp may be
1696   affected if they use BN_FLG_CONSTTIME.
1697   ([CVE-2019-1551])
1698
1699   *Andy Polyakov*
1700
1701 * Most memory-debug features have been deprecated, and the functionality
1702   replaced with no-ops.
1703
1704   *Rich Salz*
1705
1706 * Added documentation for the STACK API.
1707
1708   *Rich Salz*
1709
1710 * Introduced a new method type and API, OSSL_ENCODER, to represent
1711   generic encoders.  These do the same sort of job that PEM writers
1712   and d2i functions do, but with support for methods supplied by
1713   providers, and the possibility for providers to support other
1714   formats as well.
1715
1716   *Richard Levitte*
1717
1718 * Introduced a new method type and API, OSSL_DECODER, to represent
1719   generic decoders.  These do the same sort of job that PEM readers
1720   and i2d functions do, but with support for methods supplied by
1721   providers, and the possibility for providers to support other
1722   formats as well.
1723
1724   *Richard Levitte*
1725
1726 * Added a .pragma directive to the syntax of configuration files, to
1727   allow varying behavior in a supported and predictable manner.
1728   Currently added pragma:
1729
1730           .pragma dollarid:on
1731
1732   This allows dollar signs to be a keyword character unless it's
1733   followed by a opening brace or parenthesis.  This is useful for
1734   platforms where dollar signs are commonly used in names, such as
1735   volume names and system directory names on VMS.
1736
1737   *Richard Levitte*
1738
1739 * Added functionality to create an EVP_PKEY from user data.
1740
1741   *Richard Levitte*
1742
1743 * Change the interpretation of the '--api' configuration option to
1744   mean that this is a desired API compatibility level with no
1745   further meaning.  The previous interpretation, that this would
1746   also mean to remove all deprecated symbols up to and including
1747   the given version, no requires that 'no-deprecated' is also used
1748   in the configuration.
1749
1750   When building applications, the desired API compatibility level
1751   can be set with the OPENSSL_API_COMPAT macro like before.  For
1752   API compatibility version below 3.0, the old style numerical
1753   value is valid as before, such as -DOPENSSL_API_COMPAT=0x10100000L.
1754   For version 3.0 and on, the value is expected to be the decimal
1755   value calculated from the major and minor version like this:
1756
1757           MAJOR * 10000 + MINOR * 100
1758
1759   Examples:
1760
1761           -DOPENSSL_API_COMPAT=30000             For 3.0
1762           -DOPENSSL_API_COMPAT=30200             For 3.2
1763
1764   To hide declarations that are deprecated up to and including the
1765   given API compatibility level, -DOPENSSL_NO_DEPRECATED must be
1766   given when building the application as well.
1767
1768   *Richard Levitte*
1769
1770 * Added the X509_LOOKUP_METHOD called X509_LOOKUP_store, to allow
1771   access to certificate and CRL stores via URIs and OSSL_STORE
1772   loaders.
1773
1774   This adds the following functions:
1775
1776   - X509_LOOKUP_store()
1777   - X509_STORE_load_file()
1778   - X509_STORE_load_path()
1779   - X509_STORE_load_store()
1780   - SSL_add_store_cert_subjects_to_stack()
1781   - SSL_CTX_set_default_verify_store()
1782   - SSL_CTX_load_verify_file()
1783   - SSL_CTX_load_verify_dir()
1784   - SSL_CTX_load_verify_store()
1785
1786   *Richard Levitte*
1787
1788 * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY.
1789   The presence of this system service is determined at run-time.
1790
1791   *Richard Levitte*
1792
1793 * Added functionality to create an EVP_PKEY context based on data
1794   for methods from providers.  This takes an algorithm name and a
1795   property query string and simply stores them, with the intent
1796   that any operation that uses this context will use those strings
1797   to fetch the needed methods implicitly, thereby making the port
1798   of application written for pre-3.0 OpenSSL easier.
1799
1800   *Richard Levitte*
1801
1802 * The undocumented function NCONF_WIN32() has been deprecated; for
1803   conversion details see the HISTORY section of doc/man5/config.pod
1804
1805   *Rich Salz*
1806
1807 * Introduced the new functions EVP_DigestSignInit_ex() and
1808   EVP_DigestVerifyInit_ex(). The macros EVP_DigestSignUpdate() and
1809   EVP_DigestVerifyUpdate() have been converted to functions. See the man
1810   pages for further details.
1811
1812   *Matt Caswell*
1813
1814 * Over two thousand fixes were made to the documentation, including:
1815   adding missing command flags, better style conformance, documentation
1816   of internals, etc.
1817
1818   *Rich Salz, Richard Levitte*
1819
1820 * s390x assembly pack: add hardware-support for P-256, P-384, P-521,
1821   X25519, X448, Ed25519 and Ed448.
1822
1823   *Patrick Steuer*
1824
1825 * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just
1826   the first value.
1827
1828   *Jon Spillett*
1829
1830 * Deprecated the public definition of `ERR_STATE` as well as the function
1831   `ERR_get_state()`.  This is done in preparation of making `ERR_STATE` an
1832   opaque type.
1833
1834   *Richard Levitte*
1835
1836 * Added ERR functionality to give callers access to the stored function
1837   names that have replaced the older function code based functions.
1838
1839   New functions are ERR_peek_error_func(), ERR_peek_last_error_func(),
1840   ERR_peek_error_data(), ERR_peek_last_error_data(), ERR_get_error_all(),
1841   ERR_peek_error_all() and ERR_peek_last_error_all().
1842
1843   Deprecate ERR functions ERR_get_error_line(), ERR_get_error_line_data(),
1844   ERR_peek_error_line_data(), ERR_peek_last_error_line_data() and
1845   ERR_func_error_string().
1846
1847   *Richard Levitte*
1848
1849 * Extended testing to be verbose for failing tests only.  The make variables
1850   VERBOSE_FAILURE or VF can be used to enable this:
1851
1852           $ make VF=1 test                           # Unix
1853           $ mms /macro=(VF=1) test                   ! OpenVMS
1854           $ nmake VF=1 test                          # Windows
1855
1856   *Richard Levitte*
1857
1858 * Added the `-copy_extensions` option to the `x509` command for use with
1859   `-req` and `-x509toreq`. When given with the `copy` or `copyall` argument,
1860   all extensions in the request are copied to the certificate or vice versa.
1861
1862   *David von Oheimb*, *Kirill Stefanenkov <kirill_stefanenkov@rambler.ru>*
1863
1864 * Added the `-copy_extensions` option to the `req` command for use with
1865   `-x509`. When given with the `copy` or `copyall` argument,
1866   all extensions in the certification request are copied to the certificate.
1867
1868   *David von Oheimb*
1869
1870 * The `x509`, `req`, and `ca` commands now make sure that X.509v3 certificates
1871   they generate are by default RFC 5280 compliant in the following sense:
1872   There is a subjectKeyIdentifier extension with a hash value of the public key
1873   and for not self-signed certs there is an authorityKeyIdentifier extension
1874   with a keyIdentifier field or issuer information identifying the signing key.
1875   This is done unless some configuration overrides the new default behavior,
1876   such as `subjectKeyIdentifier = none` and `authorityKeyIdentifier = none`.
1877
1878   *David von Oheimb*
1879
1880 * Added several checks to `X509_verify_cert()` according to requirements in
1881   RFC 5280 in case `X509_V_FLAG_X509_STRICT` is set
1882   (which may be done by using the CLI option `-x509_strict`):
1883   * The basicConstraints of CA certificates must be marked critical.
1884   * CA certificates must explicitly include the keyUsage extension.
1885   * If a pathlenConstraint is given the key usage keyCertSign must be allowed.
1886   * The issuer name of any certificate must not be empty.
1887   * The subject name of CA certs, certs with keyUsage crlSign,
1888     and certs without subjectAlternativeName must not be empty.
1889   * If a subjectAlternativeName extension is given it must not be empty.
1890   * The signatureAlgorithm field and the cert signature must be consistent.
1891   * Any given authorityKeyIdentifier and any given subjectKeyIdentifier
1892     must not be marked critical.
1893   * The authorityKeyIdentifier must be given for X.509v3 certs
1894     unless they are self-signed.
1895   * The subjectKeyIdentifier must be given for all X.509v3 CA certs.
1896
1897   *David von Oheimb*
1898
1899 * Certificate verification using `X509_verify_cert()` meanwhile rejects EC keys
1900   with explicit curve parameters (specifiedCurve) as required by RFC 5480.
1901
1902   *Tomáš Mráz*
1903
1904 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
1905   used even when parsing explicit parameters, when loading a encoded key
1906   or calling `EC_GROUP_new_from_ecpkparameters()`/
1907   `EC_GROUP_new_from_ecparameters()`.
1908   This prevents bypass of security hardening and performance gains,
1909   especially for curves with specialized EC_METHODs.
1910   By default, if a key encoded with explicit parameters is loaded and later
1911   encoded, the output is still encoded with explicit parameters, even if
1912   internally a "named" EC_GROUP is used for computation.
1913
1914   *Nicola Tuveri*
1915
1916 * Compute ECC cofactors if not provided during EC_GROUP construction. Before
1917   this change, EC_GROUP_set_generator would accept order and/or cofactor as
1918   NULL. After this change, only the cofactor parameter can be NULL. It also
1919   does some minimal sanity checks on the passed order.
1920   ([CVE-2019-1547])
1921
1922   *Billy Bob Brumley*
1923
1924 * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
1925   An attack is simple, if the first CMS_recipientInfo is valid but the
1926   second CMS_recipientInfo is chosen ciphertext. If the second
1927   recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
1928   encryption key will be replaced by garbage, and the message cannot be
1929   decoded, but if the RSA decryption fails, the correct encryption key is
1930   used and the recipient will not notice the attack.
1931   As a work around for this potential attack the length of the decrypted
1932   key must be equal to the cipher default key length, in case the
1933   certifiate is not given and all recipientInfo are tried out.
1934   The old behaviour can be re-enabled in the CMS code by setting the
1935   CMS_DEBUG_DECRYPT flag.
1936
1937   *Bernd Edlinger*
1938
1939 * Early start up entropy quality from the DEVRANDOM seed source has been
1940   improved for older Linux systems.  The RAND subsystem will wait for
1941   /dev/random to be producing output before seeding from /dev/urandom.
1942   The seeded state is stored for future library initialisations using
1943   a system global shared memory segment.  The shared memory identifier
1944   can be configured by defining OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID to
1945   the desired value.  The default identifier is 114.
1946
1947   *Paul Dale*
1948
1949 * Revised BN_generate_prime_ex to not avoid factors 2..17863 in p-1
1950   when primes for RSA keys are computed.
1951   Since we previously always generated primes == 2 (mod 3) for RSA keys,
1952   the 2-prime and 3-prime RSA modules were easy to distinguish, since
1953   `N = p*q = 1 (mod 3)`, but `N = p*q*r = 2 (mod 3)`. Therefore fingerprinting
1954   2-prime vs. 3-prime RSA keys was possible by computing N mod 3.
1955   This avoids possible fingerprinting of newly generated RSA modules.
1956
1957   *Bernd Edlinger*
1958
1959 * Correct the extended master secret constant on EBCDIC systems. Without this
1960   fix TLS connections between an EBCDIC system and a non-EBCDIC system that
1961   negotiate EMS will fail. Unfortunately this also means that TLS connections
1962   between EBCDIC systems with this fix, and EBCDIC systems without this
1963   fix will fail if they negotiate EMS.
1964
1965   *Matt Caswell*
1966
1967 * Changed the library initialisation so that the config file is now loaded
1968   by default. This was already the case for libssl. It now occurs for both
1969   libcrypto and libssl. Use the OPENSSL_INIT_NO_LOAD_CONFIG option to
1970   `OPENSSL_init_crypto()` to suppress automatic loading of a config file.
1971
1972   *Matt Caswell*
1973
1974 * Introduced new error raising macros, `ERR_raise()` and `ERR_raise_data()`,
1975   where the former acts as a replacement for `ERR_put_error()`, and the
1976   latter replaces the combination `ERR_put_error()` + `ERR_add_error_data()`.
1977   `ERR_raise_data()` adds more flexibility by taking a format string and
1978   an arbitrary number of arguments following it, to be processed with
1979   `BIO_snprintf()`.
1980
1981   *Richard Levitte*
1982
1983 * Introduced a new function, `OSSL_PROVIDER_available()`, which can be used
1984   to check if a named provider is loaded and available.  When called, it
1985   will also activate all fallback providers if such are still present.
1986
1987   *Richard Levitte*
1988
1989 * Enforce a minimum DH modulus size of 512 bits.
1990
1991   *Bernd Edlinger*
1992
1993 * Changed DH parameters to generate the order q subgroup instead of 2q.
1994   Previously generated DH parameters are still accepted by DH_check
1995   but DH_generate_key works around that by clearing bit 0 of the
1996   private key for those. This avoids leaking bit 0 of the private key.
1997
1998   *Bernd Edlinger*
1999
2000 * Significantly reduce secure memory usage by the randomness pools.
2001
2002   *Paul Dale*
2003
2004 * `{CRYPTO,OPENSSL}_mem_debug_{push,pop}` are now no-ops and have been
2005   deprecated.
2006
2007   *Rich Salz*
2008
2009 * A new type, EVP_KEYEXCH, has been introduced to represent key exchange
2010   algorithms. An implementation of a key exchange algorithm can be obtained
2011   by using the function EVP_KEYEXCH_fetch(). An EVP_KEYEXCH algorithm can be
2012   used in a call to EVP_PKEY_derive_init_ex() which works in a similar way to
2013   the older EVP_PKEY_derive_init() function. See the man pages for the new
2014   functions for further details.
2015
2016   *Matt Caswell*
2017
2018 * The EVP_PKEY_CTX_set_dh_pad() macro has now been converted to a function.
2019
2020   *Matt Caswell*
2021
2022 * Removed the function names from error messages and deprecated the
2023   xxx_F_xxx define's.
2024
2025   *Richard Levitte*
2026
2027 * Removed NextStep support and the macro OPENSSL_UNISTD
2028
2029   *Rich Salz*
2030
2031 * Removed DES_check_key.  Also removed OPENSSL_IMPLEMENT_GLOBAL,
2032   OPENSSL_GLOBAL_REF, OPENSSL_DECLARE_GLOBAL.
2033   Also removed "export var as function" capability; we do not export
2034   variables, only functions.
2035
2036   *Rich Salz*
2037
2038 * RC5_32_set_key has been changed to return an int type, with 0 indicating
2039   an error and 1 indicating success. In previous versions of OpenSSL this
2040   was a void type. If a key was set longer than the maximum possible this
2041   would crash.
2042
2043   *Matt Caswell*
2044
2045 * Support SM2 signing and verification schemes with X509 certificate.
2046
2047   *Paul Yang*
2048
2049 * Use SHA256 as the default digest for TS query in the `ts` app.
2050
2051   *Tomáš Mráz*
2052
2053 * Change PBKDF2 to conform to SP800-132 instead of the older PKCS5 RFC2898.
2054
2055   *Shane Lontis*
2056
2057 * Default cipher lists/suites are now available via a function, the
2058   #defines are deprecated.
2059
2060   *Todd Short*
2061
2062 * Add target VC-WIN32-UWP, VC-WIN64A-UWP, VC-WIN32-ARM-UWP and
2063   VC-WIN64-ARM-UWP in Windows OneCore target for making building libraries
2064   for Windows Store apps easier. Also, the "no-uplink" option has been added.
2065
2066   *Kenji Mouri*
2067
2068 * Join the directories crypto/x509 and crypto/x509v3
2069
2070   *Richard Levitte*
2071
2072 * Added command 'openssl kdf' that uses the EVP_KDF API.
2073
2074   *Shane Lontis*
2075
2076 * Added command 'openssl mac' that uses the EVP_MAC API.
2077
2078   *Shane Lontis*
2079
2080 * Added OPENSSL_info() to get diverse built-in OpenSSL data, such
2081   as default directories.  Also added the command 'openssl info'
2082   for scripting purposes.
2083
2084   *Richard Levitte*
2085
2086 * The functions AES_ige_encrypt() and AES_bi_ige_encrypt() have been
2087   deprecated.
2088
2089   *Matt Caswell*
2090
2091 * Add prediction resistance to the DRBG reseeding process.
2092
2093   *Paul Dale*
2094
2095 * Limit the number of blocks in a data unit for AES-XTS to 2^20 as
2096   mandated by IEEE Std 1619-2018.
2097
2098   *Paul Dale*
2099
2100 * Added newline escaping functionality to a filename when using openssl dgst.
2101   This output format is to replicate the output format found in the `*sum`
2102   checksum programs. This aims to preserve backward compatibility.
2103
2104   *Matt Eaton, Richard Levitte, and Paul Dale*
2105
2106 * Removed the heartbeat message in DTLS feature, as it has very
2107   little usage and doesn't seem to fulfill a valuable purpose.
2108   The configuration option is now deprecated.
2109
2110   *Richard Levitte*
2111
2112 * Changed the output of 'openssl {digestname} < file' to display the
2113   digest name in its output.
2114
2115   *Richard Levitte*
2116
2117 * Added a new generic trace API which provides support for enabling
2118   instrumentation through trace output.
2119
2120   *Richard Levitte & Matthias St. Pierre*
2121
2122 * Added build tests for C++.  These are generated files that only do one
2123   thing, to include one public OpenSSL head file each.  This tests that
2124   the public header files can be usefully included in a C++ application.
2125
2126   This test isn't enabled by default.  It can be enabled with the option
2127   'enable-buildtest-c++'.
2128
2129   *Richard Levitte*
2130
2131 * Added KB KDF (EVP_KDF_KB) to EVP_KDF.
2132
2133   *Robbie Harwood*
2134
2135 * Added SSH KDF (EVP_KDF_SSHKDF) and KRB5 KDF (EVP_KDF_KRB5KDF) to EVP_KDF.
2136
2137   *Simo Sorce*
2138
2139 * Added Single Step KDF (EVP_KDF_SS), X963 KDF, and X942 KDF to EVP_KDF.
2140
2141   *Shane Lontis*
2142
2143 * Added KMAC to EVP_MAC.
2144
2145   *Shane Lontis*
2146
2147 * Added property based algorithm implementation selection framework to
2148   the core.
2149
2150   *Paul Dale*
2151
2152 * Added SCA hardening for modular field inversion in EC_GROUP through
2153   a new dedicated field_inv() pointer in EC_METHOD.
2154   This also addresses a leakage affecting conversions from projective
2155   to affine coordinates.
2156
2157   *Billy Bob Brumley, Nicola Tuveri*
2158
2159 * Added EVP_KDF, an EVP layer KDF API, to simplify adding KDF and PRF
2160   implementations.  This includes an EVP_PKEY to EVP_KDF bridge for
2161   those algorithms that were already supported through the EVP_PKEY API
2162   (scrypt, TLS1 PRF and HKDF).  The low-level KDF functions for PBKDF2
2163   and scrypt are now wrappers that call EVP_KDF.
2164
2165   *David Makepeace*
2166
2167 * Build devcrypto engine as a dynamic engine.
2168
2169   *Eneas U de Queiroz*
2170
2171 * Add keyed BLAKE2 to EVP_MAC.
2172
2173   *Antoine Salon*
2174
2175 * Fix a bug in the computation of the endpoint-pair shared secret used
2176   by DTLS over SCTP. This breaks interoperability with older versions
2177   of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2. There is a runtime
2178   switch SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG (off by default) enabling
2179   interoperability with such broken implementations. However, enabling
2180   this switch breaks interoperability with correct implementations.
2181
2182 * Fix a use after free bug in d2i_X509_PUBKEY when overwriting a
2183   re-used X509_PUBKEY object if the second PUBKEY is malformed.
2184
2185   *Bernd Edlinger*
2186
2187 * Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().
2188
2189   *Richard Levitte*
2190
2191 * Changed the license to the Apache License v2.0.
2192
2193   *Richard Levitte*
2194
2195 * Switch to a new version scheme using three numbers MAJOR.MINOR.PATCH.
2196
2197   - Major releases (indicated by incrementing the MAJOR release number)
2198     may introduce incompatible API/ABI changes.
2199   - Minor releases (indicated by incrementing the MINOR release number)
2200     may introduce new features but retain API/ABI compatibility.
2201   - Patch releases (indicated by incrementing the PATCH number)
2202     are intended for bug fixes and other improvements of existing
2203     features only (like improving performance or adding documentation)
2204     and retain API/ABI compatibility.
2205
2206   *Richard Levitte*
2207
2208 * Add support for RFC5297 SIV mode (siv128), including AES-SIV.
2209
2210   *Todd Short*
2211
2212 * Remove the 'dist' target and add a tarball building script.  The
2213   'dist' target has fallen out of use, and it shouldn't be
2214   necessary to configure just to create a source distribution.
2215
2216   *Richard Levitte*
2217
2218 * Recreate the OS390-Unix config target.  It no longer relies on a
2219   special script like it did for OpenSSL pre-1.1.0.
2220
2221   *Richard Levitte*
2222
2223 * Instead of having the source directories listed in Configure, add
2224   a 'build.info' keyword SUBDIRS to indicate what sub-directories to
2225   look into.
2226
2227   *Richard Levitte*
2228
2229 * Add GMAC to EVP_MAC.
2230
2231   *Paul Dale*
2232
2233 * Ported the HMAC, CMAC and SipHash EVP_PKEY_METHODs to EVP_MAC.
2234
2235   *Richard Levitte*
2236
2237 * Added EVP_MAC, an EVP layer MAC API, to simplify adding MAC
2238   implementations.  This includes a generic EVP_PKEY to EVP_MAC bridge,
2239   to facilitate the continued use of MACs through raw private keys in
2240   functionality such as `EVP_DigestSign*` and `EVP_DigestVerify*`.
2241
2242   *Richard Levitte*
2243
2244 * Deprecate ECDH_KDF_X9_62().
2245
2246   *Antoine Salon*
2247
2248 * Added EVP_PKEY_ECDH_KDF_X9_63 and ecdh_KDF_X9_63() as replacements for
2249   the EVP_PKEY_ECDH_KDF_X9_62 KDF type and ECDH_KDF_X9_62(). The old names
2250   are retained for backwards compatibility.
2251
2252   *Antoine Salon*
2253
2254 * AES-XTS mode now enforces that its two keys are different to mitigate
2255   the attacked described in "Efficient Instantiations of Tweakable
2256   Blockciphers and Refinements to Modes OCB and PMAC" by Phillip Rogaway.
2257   Details of this attack can be obtained from:
2258   <http://web.cs.ucdavis.edu/%7Erogaway/papers/offsets.pdf>
2259
2260   *Paul Dale*
2261
2262 * Rename the object files, i.e. give them other names than in previous
2263   versions.  Their names now include the name of the final product, as
2264   well as its type mnemonic (bin, lib, shlib).
2265
2266   *Richard Levitte*
2267
2268 * Added new option for 'openssl list', '-objects', which will display the
2269   list of built in objects, i.e. OIDs with names.
2270
2271   *Richard Levitte*
2272
2273 * Added the options `-crl_lastupdate` and `-crl_nextupdate` to `openssl ca`,
2274   allowing the `lastUpdate` and `nextUpdate` fields in the generated CRL to
2275   be set explicitly.
2276
2277   *Chris Novakovic*
2278
2279 * Added support for Linux Kernel TLS data-path. The Linux Kernel data-path
2280   improves application performance by removing data copies and providing
2281   applications with zero-copy system calls such as sendfile and splice.
2282
2283   *Boris Pismenny*
2284
2285 * The SSL option SSL_OP_CLEANSE_PLAINTEXT is introduced.
2286
2287   *Martin Elshuber*
2288
2289 * `PKCS12_parse` now maintains the order of the parsed certificates
2290   when outputting them via `*ca` (rather than reversing it).
2291
2292   *David von Oheimb*
2293
2294 * Deprecated pthread fork support methods.
2295
2296   *Randall S. Becker*
2297
2298 * Added support for FFDHE key exchange in TLS 1.3.
2299
2300   *Raja Ashok*
2301
2302 * Added a new concept for OpenSSL plugability: providers.  This
2303   functionality is designed to replace the ENGINE API and ENGINE
2304   implementations, and to be much more dynamic, allowing provider
2305   authors to introduce new algorithms among other things, as long as
2306   there's an API that supports the algorithm type.
2307
2308   With this concept comes a new core API for interaction between
2309   libcrypto and provider implementations.  Public libcrypto functions
2310   that want to use providers do so through this core API.
2311
2312   The main documentation for this core API is found in
2313   doc/man7/provider.pod, doc/man7/provider-base.pod, and they in turn
2314   refer to other manuals describing the API specific for supported
2315   algorithm types (also called operations).
2316
2317   *The OpenSSL team*
2318
2319OpenSSL 1.1.1
2320-------------
2321
2322### Changes between 1.1.1l and 1.1.1m [xx XXX xxxx]
2323
2324 * Avoid loading of a dynamic engine twice.
2325
2326   *Bernd Edlinger*
2327
2328 * Prioritise DANE TLSA issuer certs over peer certs
2329
2330   *Viktor Dukhovni*
2331
2332 * Fixed random API for MacOS prior to 10.12
2333
2334   These MacOS versions don't support the CommonCrypto APIs
2335
2336   *Lenny Primak*
2337
2338### Changes between 1.1.1k and 1.1.1l [24 Aug 2021]
2339
2340 * Fixed an SM2 Decryption Buffer Overflow.
2341
2342   In order to decrypt SM2 encrypted data an application is expected to
2343   call the API function EVP_PKEY_decrypt(). Typically an application will
2344   call this function twice. The first time, on entry, the "out" parameter
2345   can be NULL and, on exit, the "outlen" parameter is populated with the
2346   buffer size required to hold the decrypted plaintext. The application
2347   can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt()
2348   again, but this time passing a non-NULL value for the "out" parameter.
2349
2350   A bug in the implementation of the SM2 decryption code means that the
2351   calculation of the buffer size required to hold the plaintext returned
2352   by the first call to EVP_PKEY_decrypt() can be smaller than the actual
2353   size required by the second call. This can lead to a buffer overflow
2354   when EVP_PKEY_decrypt() is called by the application a second time with
2355   a buffer that is too small.
2356
2357   A malicious attacker who is able present SM2 content for decryption to
2358   an application could cause attacker chosen data to overflow the buffer
2359   by up to a maximum of 62 bytes altering the contents of other data held
2360   after the buffer, possibly changing application behaviour or causing
2361   the application to crash. The location of the buffer is application
2362   dependent but is typically heap allocated.
2363   ([CVE-2021-3711])
2364
2365   *Matt Caswell*
2366
2367 * Fixed various read buffer overruns processing ASN.1 strings
2368
2369   ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING
2370   structure which contains a buffer holding the string data and a field
2371   holding the buffer length. This contrasts with normal C strings which
2372   are repesented as a buffer for the string data which is terminated
2373   with a NUL (0) byte.
2374
2375   Although not a strict requirement, ASN.1 strings that are parsed using
2376   OpenSSL's own "d2i" functions (and other similar parsing functions) as
2377   well as any string whose value has been set with the ASN1_STRING_set()
2378   function will additionally NUL terminate the byte array in the
2379   ASN1_STRING structure.
2380
2381   However, it is possible for applications to directly construct valid
2382   ASN1_STRING structures which do not NUL terminate the byte array by
2383   directly setting the "data" and "length" fields in the ASN1_STRING
2384   array. This can also happen by using the ASN1_STRING_set0() function.
2385
2386   Numerous OpenSSL functions that print ASN.1 data have been found to
2387   assume that the ASN1_STRING byte array will be NUL terminated, even
2388   though this is not guaranteed for strings that have been directly
2389   constructed. Where an application requests an ASN.1 structure to be
2390   printed, and where that ASN.1 structure contains ASN1_STRINGs that have
2391   been directly constructed by the application without NUL terminating
2392   the "data" field, then a read buffer overrun can occur.
2393
2394   The same thing can also occur during name constraints processing
2395   of certificates (for example if a certificate has been directly
2396   constructed by the application instead of loading it via the OpenSSL
2397   parsing functions, and the certificate contains non NUL terminated
2398   ASN1_STRING structures). It can also occur in the X509_get1_email(),
2399   X509_REQ_get1_email() and X509_get1_ocsp() functions.
2400
2401   If a malicious actor can cause an application to directly construct an
2402   ASN1_STRING and then process it through one of the affected OpenSSL
2403   functions then this issue could be hit. This might result in a crash
2404   (causing a Denial of Service attack). It could also result in the
2405   disclosure of private memory contents (such as private keys, or
2406   sensitive plaintext).
2407   ([CVE-2021-3712])
2408
2409   *Matt Caswell*
2410
2411### Changes between 1.1.1j and 1.1.1k [25 Mar 2021]
2412
2413 * Fixed a problem with verifying a certificate chain when using the
2414   X509_V_FLAG_X509_STRICT flag. This flag enables additional security checks of
2415   the certificates present in a certificate chain. It is not set by default.
2416
2417   Starting from OpenSSL version 1.1.1h a check to disallow certificates in
2418   the chain that have explicitly encoded elliptic curve parameters was added
2419   as an additional strict check.
2420
2421   An error in the implementation of this check meant that the result of a
2422   previous check to confirm that certificates in the chain are valid CA
2423   certificates was overwritten. This effectively bypasses the check
2424   that non-CA certificates must not be able to issue other certificates.
2425
2426   If a "purpose" has been configured then there is a subsequent opportunity
2427   for checks that the certificate is a valid CA.  All of the named "purpose"
2428   values implemented in libcrypto perform this check.  Therefore, where
2429   a purpose is set the certificate chain will still be rejected even when the
2430   strict flag has been used. A purpose is set by default in libssl client and
2431   server certificate verification routines, but it can be overridden or
2432   removed by an application.
2433
2434   In order to be affected, an application must explicitly set the
2435   X509_V_FLAG_X509_STRICT verification flag and either not set a purpose
2436   for the certificate verification or, in the case of TLS client or server
2437   applications, override the default purpose.
2438   ([CVE-2021-3450])
2439
2440   *Tomáš Mráz*
2441
2442 * Fixed an issue where an OpenSSL TLS server may crash if sent a maliciously
2443   crafted renegotiation ClientHello message from a client. If a TLSv1.2
2444   renegotiation ClientHello omits the signature_algorithms extension (where it
2445   was present in the initial ClientHello), but includes a
2446   signature_algorithms_cert extension then a NULL pointer dereference will
2447   result, leading to a crash and a denial of service attack.
2448
2449   A server is only vulnerable if it has TLSv1.2 and renegotiation enabled
2450   (which is the default configuration). OpenSSL TLS clients are not impacted by
2451   this issue.
2452   ([CVE-2021-3449])
2453
2454   *Peter Kästle and Samuel Sapalski*
2455
2456### Changes between 1.1.1i and 1.1.1j [16 Feb 2021]
2457
2458 * Fixed the X509_issuer_and_serial_hash() function. It attempts to
2459   create a unique hash value based on the issuer and serial number data
2460   contained within an X509 certificate. However it was failing to correctly
2461   handle any errors that may occur while parsing the issuer field (which might
2462   occur if the issuer field is maliciously constructed). This may subsequently
2463   result in a NULL pointer deref and a crash leading to a potential denial of
2464   service attack.
2465   ([CVE-2021-23841])
2466
2467   *Matt Caswell*
2468
2469 * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING
2470   padding mode to correctly check for rollback attacks. This is considered a
2471   bug in OpenSSL 1.1.1 because it does not support SSLv2. In 1.0.2 this is
2472   CVE-2021-23839.
2473
2474   *Matt Caswell*
2475
2476   Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate
2477   functions. Previously they could overflow the output length argument in some
2478   cases where the input length is close to the maximum permissable length for
2479   an integer on the platform. In such cases the return value from the function
2480   call would be 1 (indicating success), but the output length value would be
2481   negative. This could cause applications to behave incorrectly or crash.
2482   ([CVE-2021-23840])
2483
2484   *Matt Caswell*
2485
2486 * Fixed SRP_Calc_client_key so that it runs in constant time. The previous
2487   implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This
2488   could be exploited in a side channel attack to recover the password. Since
2489   the attack is local host only this is outside of the current OpenSSL
2490   threat model and therefore no CVE is assigned.
2491
2492   Thanks to Mohammed Sabt and Daniel De Almeida Braga for reporting this
2493   issue.
2494
2495   *Matt Caswell*
2496
2497### Changes between 1.1.1h and 1.1.1i [8 Dec 2020]
2498
2499 * Fixed NULL pointer deref in the GENERAL_NAME_cmp function
2500   This function could crash if both GENERAL_NAMEs contain an EDIPARTYNAME.
2501    If an attacker can control both items being compared  then this could lead
2502    to a possible denial of service attack. OpenSSL itself uses the
2503    GENERAL_NAME_cmp function for two purposes:
2504    1) Comparing CRL distribution point names between an available CRL and a
2505       CRL distribution point embedded in an X509 certificate
2506    2) When verifying that a timestamp response token signer matches the
2507       timestamp authority name (exposed via the API functions
2508       TS_RESP_verify_response and TS_RESP_verify_token)
2509   ([CVE-2020-1971])
2510
2511   *Matt Caswell*
2512
2513### Changes between 1.1.1g and 1.1.1h [22 Sep 2020]
2514
2515 * Certificates with explicit curve parameters are now disallowed in
2516   verification chains if the X509_V_FLAG_X509_STRICT flag is used.
2517
2518   *Tomáš Mráz*
2519
2520 * The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
2521   ignore TLS protocol version bounds when configuring DTLS-based contexts, and
2522   conversely, silently ignore DTLS protocol version bounds when configuring
2523   TLS-based contexts.  The commands can be repeated to set bounds of both
2524   types.  The same applies with the corresponding "min_protocol" and
2525   "max_protocol" command-line switches, in case some application uses both TLS
2526   and DTLS.
2527
2528   SSL_CTX instances that are created for a fixed protocol version (e.g.
2529   TLSv1_server_method()) also silently ignore version bounds.  Previously
2530   attempts to apply bounds to these protocol versions would result in an
2531   error.  Now only the "version-flexible" SSL_CTX instances are subject to
2532   limits in configuration files in command-line options.
2533
2534   *Viktor Dukhovni*
2535
2536 * Handshake now fails if Extended Master Secret extension is dropped
2537   on renegotiation.
2538
2539   *Tomáš Mráz*
2540
2541 * The Oracle Developer Studio compiler will start reporting deprecated APIs
2542
2543### Changes between 1.1.1f and 1.1.1g [21 Apr 2020]
2544
2545 * Fixed segmentation fault in SSL_check_chain()
2546   Server or client applications that call the SSL_check_chain() function
2547   during or after a TLS 1.3 handshake may crash due to a NULL pointer
2548   dereference as a result of incorrect handling of the
2549   "signature_algorithms_cert" TLS extension. The crash occurs if an invalid
2550   or unrecognised signature algorithm is received from the peer. This could
2551   be exploited by a malicious peer in a Denial of Service attack.
2552   ([CVE-2020-1967])
2553
2554   *Benjamin Kaduk*
2555
2556 * Added AES consttime code for no-asm configurations
2557   an optional constant time support for AES was added
2558   when building openssl for no-asm.
2559   Enable with: ./config no-asm -DOPENSSL_AES_CONST_TIME
2560   Disable with: ./config no-asm -DOPENSSL_NO_AES_CONST_TIME
2561   At this time this feature is by default disabled.
2562   It will be enabled by default in 3.0.
2563
2564   *Bernd Edlinger*
2565
2566### Changes between 1.1.1e and 1.1.1f [31 Mar 2020]
2567
2568 * Revert the change of EOF detection while reading in libssl to avoid
2569   regressions in applications depending on the current way of reporting
2570   the EOF. As the existing method is not fully accurate the change to
2571   reporting the EOF via SSL_ERROR_SSL is kept on the current development
2572   branch and will be present in the 3.0 release.
2573
2574   *Tomáš Mráz*
2575
2576 * Revised BN_generate_prime_ex to not avoid factors 3..17863 in p-1
2577   when primes for RSA keys are computed.
2578   Since we previously always generated primes == 2 (mod 3) for RSA keys,
2579   the 2-prime and 3-prime RSA modules were easy to distinguish, since
2580   N = p*q = 1 (mod 3), but N = p*q*r = 2 (mod 3). Therefore fingerprinting
2581   2-prime vs. 3-prime RSA keys was possible by computing N mod 3.
2582   This avoids possible fingerprinting of newly generated RSA modules.
2583
2584   *Bernd Edlinger*
2585
2586### Changes between 1.1.1d and 1.1.1e [17 Mar 2020]
2587
2588 * Properly detect EOF while reading in libssl. Previously if we hit an EOF
2589   while reading in libssl then we would report an error back to the
2590   application (SSL_ERROR_SYSCALL) but errno would be 0. We now add
2591   an error to the stack (which means we instead return SSL_ERROR_SSL) and
2592   therefore give a hint as to what went wrong.
2593
2594   *Matt Caswell*
2595
2596 * Check that ed25519 and ed448 are allowed by the security level. Previously
2597   signature algorithms not using an MD were not being checked that they were
2598   allowed by the security level.
2599
2600   *Kurt Roeckx*
2601
2602 * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername()
2603   was not quite right. The behaviour was not consistent between resumption
2604   and normal handshakes, and also not quite consistent with historical
2605   behaviour. The behaviour in various scenarios has been clarified and
2606   it has been updated to make it match historical behaviour as closely as
2607   possible.
2608
2609   *Matt Caswell*
2610
2611 * *[VMS only]* The header files that the VMS compilers include automatically,
2612   `__DECC_INCLUDE_PROLOGUE.H` and `__DECC_INCLUDE_EPILOGUE.H`, use pragmas
2613   that the C++ compiler doesn't understand.  This is a shortcoming in the
2614   compiler, but can be worked around with `__cplusplus` guards.
2615
2616   C++ applications that use OpenSSL libraries must be compiled using the
2617   qualifier `/NAMES=(AS_IS,SHORTENED)` to be able to use all the OpenSSL
2618   functions.  Otherwise, only functions with symbols of less than 31
2619   characters can be used, as the linker will not be able to successfully
2620   resolve symbols with longer names.
2621
2622   *Richard Levitte*
2623
2624 * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY.
2625   The presence of this system service is determined at run-time.
2626
2627   *Richard Levitte*
2628
2629 * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just
2630   the first value.
2631
2632   *Jon Spillett*
2633
2634### Changes between 1.1.1c and 1.1.1d [10 Sep 2019]
2635
2636 * Fixed a fork protection issue. OpenSSL 1.1.1 introduced a rewritten random
2637   number generator (RNG). This was intended to include protection in the
2638   event of a fork() system call in order to ensure that the parent and child
2639   processes did not share the same RNG state. However this protection was not
2640   being used in the default case.
2641
2642   A partial mitigation for this issue is that the output from a high
2643   precision timer is mixed into the RNG state so the likelihood of a parent
2644   and child process sharing state is significantly reduced.
2645
2646   If an application already calls OPENSSL_init_crypto() explicitly using
2647   OPENSSL_INIT_ATFORK then this problem does not occur at all.
2648   ([CVE-2019-1549])
2649
2650   *Matthias St. Pierre*
2651
2652 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
2653   used even when parsing explicit parameters, when loading a encoded key
2654   or calling `EC_GROUP_new_from_ecpkparameters()`/
2655   `EC_GROUP_new_from_ecparameters()`.
2656   This prevents bypass of security hardening and performance gains,
2657   especially for curves with specialized EC_METHODs.
2658   By default, if a key encoded with explicit parameters is loaded and later
2659   encoded, the output is still encoded with explicit parameters, even if
2660   internally a "named" EC_GROUP is used for computation.
2661
2662   *Nicola Tuveri*
2663
2664 * Compute ECC cofactors if not provided during EC_GROUP construction. Before
2665   this change, EC_GROUP_set_generator would accept order and/or cofactor as
2666   NULL. After this change, only the cofactor parameter can be NULL. It also
2667   does some minimal sanity checks on the passed order.
2668   ([CVE-2019-1547])
2669
2670   *Billy Bob Brumley*
2671
2672 * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
2673   An attack is simple, if the first CMS_recipientInfo is valid but the
2674   second CMS_recipientInfo is chosen ciphertext. If the second
2675   recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
2676   encryption key will be replaced by garbage, and the message cannot be
2677   decoded, but if the RSA decryption fails, the correct encryption key is
2678   used and the recipient will not notice the attack.
2679   As a work around for this potential attack the length of the decrypted
2680   key must be equal to the cipher default key length, in case the
2681   certifiate is not given and all recipientInfo are tried out.
2682   The old behaviour can be re-enabled in the CMS code by setting the
2683   CMS_DEBUG_DECRYPT flag.
2684   ([CVE-2019-1563])
2685
2686   *Bernd Edlinger*
2687
2688 * Early start up entropy quality from the DEVRANDOM seed source has been
2689   improved for older Linux systems.  The RAND subsystem will wait for
2690   /dev/random to be producing output before seeding from /dev/urandom.
2691   The seeded state is stored for future library initialisations using
2692   a system global shared memory segment.  The shared memory identifier
2693   can be configured by defining OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID to
2694   the desired value.  The default identifier is 114.
2695
2696   *Paul Dale*
2697
2698 * Correct the extended master secret constant on EBCDIC systems. Without this
2699   fix TLS connections between an EBCDIC system and a non-EBCDIC system that
2700   negotiate EMS will fail. Unfortunately this also means that TLS connections
2701   between EBCDIC systems with this fix, and EBCDIC systems without this
2702   fix will fail if they negotiate EMS.
2703
2704   *Matt Caswell*
2705
2706 * Use Windows installation paths in the mingw builds
2707
2708   Mingw isn't a POSIX environment per se, which means that Windows
2709   paths should be used for installation.
2710   ([CVE-2019-1552])
2711
2712   *Richard Levitte*
2713
2714 * Changed DH_check to accept parameters with order q and 2q subgroups.
2715   With order 2q subgroups the bit 0 of the private key is not secret
2716   but DH_generate_key works around that by clearing bit 0 of the
2717   private key for those. This avoids leaking bit 0 of the private key.
2718
2719   *Bernd Edlinger*
2720
2721 * Significantly reduce secure memory usage by the randomness pools.
2722
2723   *Paul Dale*
2724
2725 * Revert the DEVRANDOM_WAIT feature for Linux systems
2726
2727   The DEVRANDOM_WAIT feature added a select() call to wait for the
2728   /dev/random device to become readable before reading from the
2729   /dev/urandom device.
2730
2731   It turned out that this change had negative side effects on
2732   performance which were not acceptable. After some discussion it
2733   was decided to revert this feature and leave it up to the OS
2734   resp. the platform maintainer to ensure a proper initialization
2735   during early boot time.
2736
2737   *Matthias St. Pierre*
2738
2739### Changes between 1.1.1b and 1.1.1c [28 May 2019]
2740
2741 * Add build tests for C++.  These are generated files that only do one
2742   thing, to include one public OpenSSL head file each.  This tests that
2743   the public header files can be usefully included in a C++ application.
2744
2745   This test isn't enabled by default.  It can be enabled with the option
2746   'enable-buildtest-c++'.
2747
2748   *Richard Levitte*
2749
2750 * Enable SHA3 pre-hashing for ECDSA and DSA.
2751
2752   *Patrick Steuer*
2753
2754 * Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
2755   This changes the size when using the `genpkey` command when no size is given.
2756   It fixes an omission in earlier changes that changed all RSA, DSA and DH
2757   generation commands to use 2048 bits by default.
2758
2759   *Kurt Roeckx*
2760
2761 * Reorganize the manual pages to consistently have RETURN VALUES,
2762   EXAMPLES, SEE ALSO and HISTORY come in that order, and adjust
2763   util/fix-doc-nits accordingly.
2764
2765   *Paul Yang, Joshua Lock*
2766
2767 * Add the missing accessor EVP_PKEY_get0_engine()
2768
2769   *Matt Caswell*
2770
2771 * Have commands like `s_client` and `s_server` output the signature scheme
2772   along with other cipher suite parameters when debugging.
2773
2774   *Lorinczy Zsigmond*
2775
2776 * Make OPENSSL_config() error agnostic again.
2777
2778   *Richard Levitte*
2779
2780 * Do the error handling in RSA decryption constant time.
2781
2782   *Bernd Edlinger*
2783
2784 * Prevent over long nonces in ChaCha20-Poly1305.
2785
2786   ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
2787   for every encryption operation. RFC 7539 specifies that the nonce value
2788   (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length
2789   and front pads the nonce with 0 bytes if it is less than 12
2790   bytes. However it also incorrectly allows a nonce to be set of up to 16
2791   bytes. In this case only the last 12 bytes are significant and any
2792   additional leading bytes are ignored.
2793
2794   It is a requirement of using this cipher that nonce values are
2795   unique. Messages encrypted using a reused nonce value are susceptible to
2796   serious confidentiality and integrity attacks. If an application changes
2797   the default nonce length to be longer than 12 bytes and then makes a
2798   change to the leading bytes of the nonce expecting the new value to be a
2799   new unique nonce then such an application could inadvertently encrypt
2800   messages with a reused nonce.
2801
2802   Additionally the ignored bytes in a long nonce are not covered by the
2803   integrity guarantee of this cipher. Any application that relies on the
2804   integrity of these ignored leading bytes of a long nonce may be further
2805   affected. Any OpenSSL internal use of this cipher, including in SSL/TLS,
2806   is safe because no such use sets such a long nonce value. However user
2807   applications that use this cipher directly and set a non-default nonce
2808   length to be longer than 12 bytes may be vulnerable.
2809
2810   This issue was reported to OpenSSL on 16th of March 2019 by Joran Dirk
2811   Greef of Ronomon.
2812   ([CVE-2019-1543])
2813
2814   *Matt Caswell*
2815
2816 * Add DEVRANDOM_WAIT feature for Linux systems
2817
2818   On older Linux systems where the getrandom() system call is not available,
2819   OpenSSL normally uses the /dev/urandom device for seeding its CSPRNG.
2820   Contrary to getrandom(), the /dev/urandom device will not block during
2821   early boot when the kernel CSPRNG has not been seeded yet.
2822
2823   To mitigate this known weakness, use select() to wait for /dev/random to
2824   become readable before reading from /dev/urandom.
2825
2826 * Ensure that SM2 only uses SM3 as digest algorithm
2827
2828   *Paul Yang*
2829
2830### Changes between 1.1.1a and 1.1.1b [26 Feb 2019]
2831
2832 * Change the info callback signals for the start and end of a post-handshake
2833   message exchange in TLSv1.3. In 1.1.1/1.1.1a we used SSL_CB_HANDSHAKE_START
2834   and SSL_CB_HANDSHAKE_DONE. Experience has shown that many applications get
2835   confused by this and assume that a TLSv1.2 renegotiation has started. This
2836   can break KeyUpdate handling. Instead we no longer signal the start and end
2837   of a post handshake message exchange (although the messages themselves are
2838   still signalled). This could break some applications that were expecting
2839   the old signals. However without this KeyUpdate is not usable for many
2840   applications.
2841
2842   *Matt Caswell*
2843
2844### Changes between 1.1.1 and 1.1.1a [20 Nov 2018]
2845
2846 * Timing vulnerability in DSA signature generation
2847
2848   The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
2849   timing side channel attack. An attacker could use variations in the signing
2850   algorithm to recover the private key.
2851
2852   This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
2853   ([CVE-2018-0734])
2854
2855   *Paul Dale*
2856
2857 * Timing vulnerability in ECDSA signature generation
2858
2859   The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a
2860   timing side channel attack. An attacker could use variations in the signing
2861   algorithm to recover the private key.
2862
2863   This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser.
2864   ([CVE-2018-0735])
2865
2866   *Paul Dale*
2867
2868 * Fixed the issue that RAND_add()/RAND_seed() silently discards random input
2869   if its length exceeds 4096 bytes. The limit has been raised to a buffer size
2870   of two gigabytes and the error handling improved.
2871
2872   This issue was reported to OpenSSL by Dr. Falko Strenzke. It has been
2873   categorized as a normal bug, not a security issue, because the DRBG reseeds
2874   automatically and is fully functional even without additional randomness
2875   provided by the application.
2876
2877### Changes between 1.1.0i and 1.1.1 [11 Sep 2018]
2878
2879 * Add a new ClientHello callback. Provides a callback interface that gives
2880   the application the ability to adjust the nascent SSL object at the
2881   earliest stage of ClientHello processing, immediately after extensions have
2882   been collected but before they have been processed. In particular, this
2883   callback can adjust the supported TLS versions in response to the contents
2884   of the ClientHello
2885
2886   *Benjamin Kaduk*
2887
2888 * Add SM2 base algorithm support.
2889
2890   *Jack Lloyd*
2891
2892 * s390x assembly pack: add (improved) hardware-support for the following
2893   cryptographic primitives: sha3, shake, aes-gcm, aes-ccm, aes-ctr, aes-ofb,
2894   aes-cfb/cfb8, aes-ecb.
2895
2896   *Patrick Steuer*
2897
2898 * Make EVP_PKEY_asn1_new() a bit stricter about its input.  A NULL pem_str
2899   parameter is no longer accepted, as it leads to a corrupt table.  NULL
2900   pem_str is reserved for alias entries only.
2901
2902   *Richard Levitte*
2903
2904 * Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder
2905   step for prime curves. The new implementation is based on formulae from
2906   differential addition-and-doubling in homogeneous projective coordinates
2907   from Izu-Takagi "A fast parallel elliptic curve multiplication resistant
2908   against side channel attacks" and Brier-Joye "Weierstrass Elliptic Curves
2909   and Side-Channel Attacks" Eq. (8) for y-coordinate recovery, modified
2910   to work in projective coordinates.
2911
2912   *Billy Bob Brumley, Nicola Tuveri*
2913
2914 * Change generating and checking of primes so that the error rate of not
2915   being prime depends on the intended use based on the size of the input.
2916   For larger primes this will result in more rounds of Miller-Rabin.
2917   The maximal error rate for primes with more than 1080 bits is lowered
2918   to 2^-128.
2919
2920   *Kurt Roeckx, Annie Yousar*
2921
2922 * Increase the number of Miller-Rabin rounds for DSA key generating to 64.
2923
2924   *Kurt Roeckx*
2925
2926 * The 'tsget' script is renamed to 'tsget.pl', to avoid confusion when
2927   moving between systems, and to avoid confusion when a Windows build is
2928   done with mingw vs with MSVC.  For POSIX installs, there's still a
2929   symlink or copy named 'tsget' to avoid that confusion as well.
2930
2931   *Richard Levitte*
2932
2933 * Revert blinding in ECDSA sign and instead make problematic addition
2934   length-invariant. Switch even to fixed-length Montgomery multiplication.
2935
2936   *Andy Polyakov*
2937
2938 * Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder
2939   step for binary curves. The new implementation is based on formulae from
2940   differential addition-and-doubling in mixed Lopez-Dahab projective
2941   coordinates, modified to independently blind the operands.
2942
2943   *Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri*
2944
2945 * Add a scaffold to optionally enhance the Montgomery ladder implementation
2946   for `ec_scalar_mul_ladder` (formerly `ec_mul_consttime`) allowing
2947   EC_METHODs to implement their own specialized "ladder step", to take
2948   advantage of more favorable coordinate systems or more efficient
2949   differential addition-and-doubling algorithms.
2950
2951   *Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri*
2952
2953 * Modified the random device based seed sources to keep the relevant
2954   file descriptors open rather than reopening them on each access.
2955   This allows such sources to operate in a chroot() jail without
2956   the associated device nodes being available. This behaviour can be
2957   controlled using RAND_keep_random_devices_open().
2958
2959   *Paul Dale*
2960
2961 * Numerous side-channel attack mitigations have been applied. This may have
2962   performance impacts for some algorithms for the benefit of improved
2963   security. Specific changes are noted in this change log by their respective
2964   authors.
2965
2966   *Matt Caswell*
2967
2968 * AIX shared library support overhaul. Switch to AIX "natural" way of
2969   handling shared libraries, which means collecting shared objects of
2970   different versions and bitnesses in one common archive. This allows to
2971   mitigate conflict between 1.0 and 1.1 side-by-side installations. It
2972   doesn't affect the way 3rd party applications are linked, only how
2973   multi-version installation is managed.
2974
2975   *Andy Polyakov*
2976
2977 * Make ec_group_do_inverse_ord() more robust and available to other
2978   EC cryptosystems, so that irrespective of BN_FLG_CONSTTIME, SCA
2979   mitigations are applied to the fallback BN_mod_inverse().
2980   When using this function rather than BN_mod_inverse() directly, new
2981   EC cryptosystem implementations are then safer-by-default.
2982
2983   *Billy Bob Brumley*
2984
2985 * Add coordinate blinding for EC_POINT and implement projective
2986   coordinate blinding for generic prime curves as a countermeasure to
2987   chosen point SCA attacks.
2988
2989   *Sohaib ul Hassan, Nicola Tuveri, Billy Bob Brumley*
2990
2991 * Add blinding to ECDSA and DSA signatures to protect against side channel
2992   attacks discovered by Keegan Ryan (NCC Group).
2993
2994   *Matt Caswell*
2995
2996 * Enforce checking in the `pkeyutl` command to ensure that the input
2997   length does not exceed the maximum supported digest length when performing
2998   a sign, verify or verifyrecover operation.
2999
3000   *Matt Caswell*
3001
3002 * SSL_MODE_AUTO_RETRY is enabled by default. Applications that use blocking
3003   I/O in combination with something like select() or poll() will hang. This
3004   can be turned off again using SSL_CTX_clear_mode().
3005   Many applications do not properly handle non-application data records, and
3006   TLS 1.3 sends more of such records. Setting SSL_MODE_AUTO_RETRY works
3007   around the problems in those applications, but can also break some.
3008   It's recommended to read the manpages about SSL_read(), SSL_write(),
3009   SSL_get_error(), SSL_shutdown(), SSL_CTX_set_mode() and
3010   SSL_CTX_set_read_ahead() again.
3011
3012   *Kurt Roeckx*
3013
3014 * When unlocking a pass phrase protected PEM file or PKCS#8 container, we
3015   now allow empty (zero character) pass phrases.
3016
3017   *Richard Levitte*
3018
3019 * Apply blinding to binary field modular inversion and remove patent
3020   pending (OPENSSL_SUN_GF2M_DIV) BN_GF2m_mod_div implementation.
3021
3022   *Billy Bob Brumley*
3023
3024 * Deprecate ec2_mult.c and unify scalar multiplication code paths for
3025   binary and prime elliptic curves.
3026
3027   *Billy Bob Brumley*
3028
3029 * Remove ECDSA nonce padding: EC_POINT_mul is now responsible for
3030   constant time fixed point multiplication.
3031
3032   *Billy Bob Brumley*
3033
3034 * Revise elliptic curve scalar multiplication with timing attack
3035   defenses: ec_wNAF_mul redirects to a constant time implementation
3036   when computing fixed point and variable point multiplication (which
3037   in OpenSSL are mostly used with secret scalars in keygen, sign,
3038   ECDH derive operations).
3039   *Billy Bob Brumley, Nicola Tuveri, Cesar Pereida García,
3040    Sohaib ul Hassan*
3041
3042 * Updated CONTRIBUTING
3043
3044   *Rich Salz*
3045
3046 * Updated DRBG / RAND to request nonce and additional low entropy
3047   randomness from the system.
3048
3049   *Matthias St. Pierre*
3050
3051 * Updated 'openssl rehash' to use OpenSSL consistent default.
3052
3053   *Richard Levitte*
3054
3055 * Moved the load of the ssl_conf module to libcrypto, which helps
3056   loading engines that libssl uses before libssl is initialised.
3057
3058   *Matt Caswell*
3059
3060 * Added EVP_PKEY_sign() and EVP_PKEY_verify() for EdDSA
3061
3062   *Matt Caswell*
3063
3064 * Fixed X509_NAME_ENTRY_set to get multi-valued RDNs right in all cases.
3065
3066   *Ingo Schwarze, Rich Salz*
3067
3068 * Added output of accepting IP address and port for 'openssl s_server'
3069
3070   *Richard Levitte*
3071
3072 * Added a new API for TLSv1.3 ciphersuites:
3073      SSL_CTX_set_ciphersuites()
3074      SSL_set_ciphersuites()
3075
3076   *Matt Caswell*
3077
3078 * Memory allocation failures consistently add an error to the error
3079   stack.
3080
3081   *Rich Salz*
3082
3083 * Don't use OPENSSL_ENGINES and OPENSSL_CONF environment values
3084   in libcrypto when run as setuid/setgid.
3085
3086   *Bernd Edlinger*
3087
3088 * Load any config file by default when libssl is used.
3089
3090   *Matt Caswell*
3091
3092 * Added new public header file <openssl/rand_drbg.h> and documentation
3093   for the RAND_DRBG API. See manual page RAND_DRBG(7) for an overview.
3094
3095   *Matthias St. Pierre*
3096
3097 * QNX support removed (cannot find contributors to get their approval
3098   for the license change).
3099
3100   *Rich Salz*
3101
3102 * TLSv1.3 replay protection for early data has been implemented. See the
3103   SSL_read_early_data() man page for further details.
3104
3105   *Matt Caswell*
3106
3107 * Separated TLSv1.3 ciphersuite configuration out from TLSv1.2 ciphersuite
3108   configuration. TLSv1.3 ciphersuites are not compatible with TLSv1.2 and
3109   below. Similarly TLSv1.2 ciphersuites are not compatible with TLSv1.3.
3110   In order to avoid issues where legacy TLSv1.2 ciphersuite configuration
3111   would otherwise inadvertently disable all TLSv1.3 ciphersuites the
3112   configuration has been separated out. See the ciphers man page or the
3113   SSL_CTX_set_ciphersuites() man page for more information.
3114
3115   *Matt Caswell*
3116
3117 * On POSIX (BSD, Linux, ...) systems the ocsp(1) command running
3118   in responder mode now supports the new "-multi" option, which
3119   spawns the specified number of child processes to handle OCSP
3120   requests.  The "-timeout" option now also limits the OCSP
3121   responder's patience to wait to receive the full client request
3122   on a newly accepted connection. Child processes are respawned
3123   as needed, and the CA index file is automatically reloaded
3124   when changed.  This makes it possible to run the "ocsp" responder
3125   as a long-running service, making the OpenSSL CA somewhat more
3126   feature-complete.  In this mode, most diagnostic messages logged
3127   after entering the event loop are logged via syslog(3) rather than
3128   written to stderr.
3129
3130   *Viktor Dukhovni*
3131
3132 * Added support for X448 and Ed448. Heavily based on original work by
3133   Mike Hamburg.
3134
3135   *Matt Caswell*
3136
3137 * Extend OSSL_STORE with capabilities to search and to narrow the set of
3138   objects loaded.  This adds the functions OSSL_STORE_expect() and
3139   OSSL_STORE_find() as well as needed tools to construct searches and
3140   get the search data out of them.
3141
3142   *Richard Levitte*
3143
3144 * Support for TLSv1.3 added. Note that users upgrading from an earlier
3145   version of OpenSSL should review their configuration settings to ensure
3146   that they are still appropriate for TLSv1.3. For further information see:
3147   <https://wiki.openssl.org/index.php/TLS1.3>
3148
3149   *Matt Caswell*
3150
3151 * Grand redesign of the OpenSSL random generator
3152
3153   The default RAND method now utilizes an AES-CTR DRBG according to
3154   NIST standard SP 800-90Ar1. The new random generator is essentially
3155   a port of the default random generator from the OpenSSL FIPS 2.0
3156   object module. It is a hybrid deterministic random bit generator
3157   using an AES-CTR bit stream and which seeds and reseeds itself
3158   automatically using trusted system entropy sources.
3159
3160   Some of its new features are:
3161    - Support for multiple DRBG instances with seed chaining.
3162    - The default RAND method makes use of a DRBG.
3163    - There is a public and private DRBG instance.
3164    - The DRBG instances are fork-safe.
3165    - Keep all global DRBG instances on the secure heap if it is enabled.
3166    - The public and private DRBG instance are per thread for lock free
3167      operation
3168
3169   *Paul Dale, Benjamin Kaduk, Kurt Roeckx, Rich Salz, Matthias St. Pierre*
3170
3171 * Changed Configure so it only says what it does and doesn't dump
3172   so much data.  Instead, ./configdata.pm should be used as a script
3173   to display all sorts of configuration data.
3174
3175   *Richard Levitte*
3176
3177 * Added processing of "make variables" to Configure.
3178
3179   *Richard Levitte*
3180
3181 * Added SHA512/224 and SHA512/256 algorithm support.
3182
3183   *Paul Dale*
3184
3185 * The last traces of Netware support, first removed in 1.1.0, have
3186   now been removed.
3187
3188   *Rich Salz*
3189
3190 * Get rid of Makefile.shared, and in the process, make the processing
3191   of certain files (rc.obj, or the .def/.map/.opt files produced from
3192   the ordinal files) more visible and hopefully easier to trace and
3193   debug (or make silent).
3194
3195   *Richard Levitte*
3196
3197 * Make it possible to have environment variable assignments as
3198   arguments to config / Configure.
3199
3200   *Richard Levitte*
3201
3202 * Add multi-prime RSA (RFC 8017) support.
3203
3204   *Paul Yang*
3205
3206 * Add SM3 implemented according to GB/T 32905-2016
3207   *Jack Lloyd <jack.lloyd@ribose.com>,*
3208   *Ronald Tse <ronald.tse@ribose.com>,*
3209   *Erick Borsboom <erick.borsboom@ribose.com>*
3210
3211 * Add 'Maximum Fragment Length' TLS extension negotiation and support
3212   as documented in RFC6066.
3213   Based on a patch from Tomasz Moń
3214
3215   *Filipe Raimundo da Silva*
3216
3217 * Add SM4 implemented according to GB/T 32907-2016.
3218   *Jack Lloyd <jack.lloyd@ribose.com>,*
3219   *Ronald Tse <ronald.tse@ribose.com>,*
3220   *Erick Borsboom <erick.borsboom@ribose.com>*
3221
3222 * Reimplement -newreq-nodes and ERR_error_string_n; the
3223   original author does not agree with the license change.
3224
3225   *Rich Salz*
3226
3227 * Add ARIA AEAD TLS support.
3228
3229   *Jon Spillett*
3230
3231 * Some macro definitions to support VS6 have been removed.  Visual
3232   Studio 6 has not worked since 1.1.0
3233
3234   *Rich Salz*
3235
3236 * Add ERR_clear_last_mark(), to allow callers to clear the last mark
3237   without clearing the errors.
3238
3239   *Richard Levitte*
3240
3241 * Add "atfork" functions.  If building on a system that without
3242   pthreads, see doc/man3/OPENSSL_fork_prepare.pod for application
3243   requirements.  The RAND facility now uses/requires this.
3244
3245   *Rich Salz*
3246
3247 * Add SHA3.
3248
3249   *Andy Polyakov*
3250
3251 * The UI API becomes a permanent and integral part of libcrypto, i.e.
3252   not possible to disable entirely.  However, it's still possible to
3253   disable the console reading UI method, UI_OpenSSL() (use UI_null()
3254   as a fallback).
3255
3256   To disable, configure with 'no-ui-console'.  'no-ui' is still
3257   possible to use as an alias.  Check at compile time with the
3258   macro OPENSSL_NO_UI_CONSOLE.  The macro OPENSSL_NO_UI is still
3259   possible to check and is an alias for OPENSSL_NO_UI_CONSOLE.
3260
3261   *Richard Levitte*
3262
3263 * Add a STORE module, which implements a uniform and URI based reader of
3264   stores that can contain keys, certificates, CRLs and numerous other
3265   objects.  The main API is loosely based on a few stdio functions,
3266   and includes OSSL_STORE_open, OSSL_STORE_load, OSSL_STORE_eof,
3267   OSSL_STORE_error and OSSL_STORE_close.
3268   The implementation uses backends called "loaders" to implement arbitrary
3269   URI schemes.  There is one built in "loader" for the 'file' scheme.
3270
3271   *Richard Levitte*
3272
3273 * Add devcrypto engine.  This has been implemented against cryptodev-linux,
3274   then adjusted to work on FreeBSD 8.4 as well.
3275   Enable by configuring with 'enable-devcryptoeng'.  This is done by default
3276   on BSD implementations, as cryptodev.h is assumed to exist on all of them.
3277
3278   *Richard Levitte*
3279
3280 * Module names can prefixed with OSSL_ or OPENSSL_.  This affects
3281   util/mkerr.pl, which is adapted to allow those prefixes, leading to
3282   error code calls like this:
3283
3284           OSSL_FOOerr(OSSL_FOO_F_SOMETHING, OSSL_FOO_R_WHATEVER);
3285
3286   With this change, we claim the namespaces OSSL and OPENSSL in a manner
3287   that can be encoded in C.  For the foreseeable future, this will only
3288   affect new modules.
3289
3290   *Richard Levitte and Tim Hudson*
3291
3292 * Removed BSD cryptodev engine.
3293
3294   *Rich Salz*
3295
3296 * Add a build target 'build_all_generated', to build all generated files
3297   and only that.  This can be used to prepare everything that requires
3298   things like perl for a system that lacks perl and then move everything
3299   to that system and do the rest of the build there.
3300
3301   *Richard Levitte*
3302
3303 * In the UI interface, make it possible to duplicate the user data.  This
3304   can be used by engines that need to retain the data for a longer time
3305   than just the call where this user data is passed.
3306
3307   *Richard Levitte*
3308
3309 * Ignore the '-named_curve auto' value for compatibility of applications
3310   with OpenSSL 1.0.2.
3311
3312   *Tomáš Mráz <tmraz@fedoraproject.org>*
3313
3314 * Fragmented SSL/TLS alerts are no longer accepted. An alert message is 2
3315   bytes long. In theory it is permissible in SSLv3 - TLSv1.2 to fragment such
3316   alerts across multiple records (some of which could be empty). In practice
3317   it make no sense to send an empty alert record, or to fragment one. TLSv1.3
3318   prohibits this altogether and other libraries (BoringSSL, NSS) do not
3319   support this at all. Supporting it adds significant complexity to the
3320   record layer, and its removal is unlikely to cause interoperability
3321   issues.
3322
3323   *Matt Caswell*
3324
3325 * Add the ASN.1 types INT32, UINT32, INT64, UINT64 and variants prefixed
3326   with Z.  These are meant to replace LONG and ZLONG and to be size safe.
3327   The use of LONG and ZLONG is discouraged and scheduled for deprecation
3328   in OpenSSL 1.2.0.
3329
3330   *Richard Levitte*
3331
3332 * Add the 'z' and 'j' modifiers to BIO_printf() et al formatting string,
3333   'z' is to be used for [s]size_t, and 'j' - with [u]int64_t.
3334
3335   *Richard Levitte, Andy Polyakov*
3336
3337 * Add EC_KEY_get0_engine(), which does for EC_KEY what RSA_get0_engine()
3338   does for RSA, etc.
3339
3340   *Richard Levitte*
3341
3342 * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
3343   platform rather than 'mingw'.
3344
3345   *Richard Levitte*
3346
3347 * The functions X509_STORE_add_cert and X509_STORE_add_crl return
3348   success if they are asked to add an object which already exists
3349   in the store. This change cascades to other functions which load
3350   certificates and CRLs.
3351
3352   *Paul Dale*
3353
3354 * x86_64 assembly pack: annotate code with DWARF CFI directives to
3355   facilitate stack unwinding even from assembly subroutines.
3356
3357   *Andy Polyakov*
3358
3359 * Remove VAX C specific definitions of OPENSSL_EXPORT, OPENSSL_EXTERN.
3360   Also remove OPENSSL_GLOBAL entirely, as it became a no-op.
3361
3362   *Richard Levitte*
3363
3364 * Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c.
3365   VMS C's RTL has a fully up to date gmtime() and gmtime_r() since V7.1,
3366   which is the minimum version we support.
3367
3368   *Richard Levitte*
3369
3370 * Certificate time validation (X509_cmp_time) enforces stricter
3371   compliance with RFC 5280. Fractional seconds and timezone offsets
3372   are no longer allowed.
3373
3374   *Emilia Käsper*
3375
3376 * Add support for ARIA
3377
3378   *Paul Dale*
3379
3380 * s_client will now send the Server Name Indication (SNI) extension by
3381   default unless the new "-noservername" option is used. The server name is
3382   based on the host provided to the "-connect" option unless overridden by
3383   using "-servername".
3384
3385   *Matt Caswell*
3386
3387 * Add support for SipHash
3388
3389   *Todd Short*
3390
3391 * OpenSSL now fails if it receives an unrecognised record type in TLS1.0
3392   or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to
3393   prevent issues where no progress is being made and the peer continually
3394   sends unrecognised record types, using up resources processing them.
3395
3396   *Matt Caswell*
3397
3398 * 'openssl passwd' can now produce SHA256 and SHA512 based output,
3399   using the algorithm defined in
3400   <https://www.akkadia.org/drepper/SHA-crypt.txt>
3401
3402   *Richard Levitte*
3403
3404 * Heartbeat support has been removed; the ABI is changed for now.
3405
3406   *Richard Levitte, Rich Salz*
3407
3408 * Support for SSL_OP_NO_ENCRYPT_THEN_MAC in SSL_CONF_cmd.
3409
3410   *Emilia Käsper*
3411
3412 * The RSA "null" method, which was partially supported to avoid patent
3413   issues, has been replaced to always returns NULL.
3414
3415   *Rich Salz*
3416
3417OpenSSL 1.1.0
3418-------------
3419
3420### Changes between 1.1.0k and 1.1.0l [10 Sep 2019]
3421
3422 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
3423   used even when parsing explicit parameters, when loading a encoded key
3424   or calling `EC_GROUP_new_from_ecpkparameters()`/
3425   `EC_GROUP_new_from_ecparameters()`.
3426   This prevents bypass of security hardening and performance gains,
3427   especially for curves with specialized EC_METHODs.
3428   By default, if a key encoded with explicit parameters is loaded and later
3429   encoded, the output is still encoded with explicit parameters, even if
3430   internally a "named" EC_GROUP is used for computation.
3431
3432   *Nicola Tuveri*
3433
3434 * Compute ECC cofactors if not provided during EC_GROUP construction. Before
3435   this change, EC_GROUP_set_generator would accept order and/or cofactor as
3436   NULL. After this change, only the cofactor parameter can be NULL. It also
3437   does some minimal sanity checks on the passed order.
3438   ([CVE-2019-1547])
3439
3440   *Billy Bob Brumley*
3441
3442 * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
3443   An attack is simple, if the first CMS_recipientInfo is valid but the
3444   second CMS_recipientInfo is chosen ciphertext. If the second
3445   recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
3446   encryption key will be replaced by garbage, and the message cannot be
3447   decoded, but if the RSA decryption fails, the correct encryption key is
3448   used and the recipient will not notice the attack.
3449   As a work around for this potential attack the length of the decrypted
3450   key must be equal to the cipher default key length, in case the
3451   certifiate is not given and all recipientInfo are tried out.
3452   The old behaviour can be re-enabled in the CMS code by setting the
3453   CMS_DEBUG_DECRYPT flag.
3454   ([CVE-2019-1563])
3455
3456   *Bernd Edlinger*
3457
3458 * Use Windows installation paths in the mingw builds
3459
3460   Mingw isn't a POSIX environment per se, which means that Windows
3461   paths should be used for installation.
3462   ([CVE-2019-1552])
3463
3464   *Richard Levitte*
3465
3466### Changes between 1.1.0j and 1.1.0k [28 May 2019]
3467
3468 * Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
3469   This changes the size when using the `genpkey` command when no size is given.
3470   It fixes an omission in earlier changes that changed all RSA, DSA and DH
3471   generation commands to use 2048 bits by default.
3472
3473   *Kurt Roeckx*
3474
3475 * Prevent over long nonces in ChaCha20-Poly1305.
3476
3477   ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
3478   for every encryption operation. RFC 7539 specifies that the nonce value
3479   (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length
3480   and front pads the nonce with 0 bytes if it is less than 12
3481   bytes. However it also incorrectly allows a nonce to be set of up to 16
3482   bytes. In this case only the last 12 bytes are significant and any
3483   additional leading bytes are ignored.
3484
3485   It is a requirement of using this cipher that nonce values are
3486   unique. Messages encrypted using a reused nonce value are susceptible to
3487   serious confidentiality and integrity attacks. If an application changes
3488   the default nonce length to be longer than 12 bytes and then makes a
3489   change to the leading bytes of the nonce expecting the new value to be a
3490   new unique nonce then such an application could inadvertently encrypt
3491   messages with a reused nonce.
3492
3493   Additionally the ignored bytes in a long nonce are not covered by the
3494   integrity guarantee of this cipher. Any application that relies on the
3495   integrity of these ignored leading bytes of a long nonce may be further
3496   affected. Any OpenSSL internal use of this cipher, including in SSL/TLS,
3497   is safe because no such use sets such a long nonce value. However user
3498   applications that use this cipher directly and set a non-default nonce
3499   length to be longer than 12 bytes may be vulnerable.
3500
3501   This issue was reported to OpenSSL on 16th of March 2019 by Joran Dirk
3502   Greef of Ronomon.
3503   ([CVE-2019-1543])
3504
3505   *Matt Caswell*
3506
3507 * Added SCA hardening for modular field inversion in EC_GROUP through
3508   a new dedicated field_inv() pointer in EC_METHOD.
3509   This also addresses a leakage affecting conversions from projective
3510   to affine coordinates.
3511
3512   *Billy Bob Brumley, Nicola Tuveri*
3513
3514 * Fix a use after free bug in d2i_X509_PUBKEY when overwriting a
3515   re-used X509_PUBKEY object if the second PUBKEY is malformed.
3516
3517   *Bernd Edlinger*
3518
3519 * Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().
3520
3521   *Richard Levitte*
3522
3523 * Remove the 'dist' target and add a tarball building script.  The
3524   'dist' target has fallen out of use, and it shouldn't be
3525   necessary to configure just to create a source distribution.
3526
3527   *Richard Levitte*
3528
3529### Changes between 1.1.0i and 1.1.0j [20 Nov 2018]
3530
3531 * Timing vulnerability in DSA signature generation
3532
3533   The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
3534   timing side channel attack. An attacker could use variations in the signing
3535   algorithm to recover the private key.
3536
3537   This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
3538   ([CVE-2018-0734])
3539
3540   *Paul Dale*
3541
3542 * Timing vulnerability in ECDSA signature generation
3543
3544   The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a
3545   timing side channel attack. An attacker could use variations in the signing
3546   algorithm to recover the private key.
3547
3548   This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser.
3549   ([CVE-2018-0735])
3550
3551   *Paul Dale*
3552
3553 * Add coordinate blinding for EC_POINT and implement projective
3554   coordinate blinding for generic prime curves as a countermeasure to
3555   chosen point SCA attacks.
3556
3557   *Sohaib ul Hassan, Nicola Tuveri, Billy Bob Brumley*
3558
3559### Changes between 1.1.0h and 1.1.0i [14 Aug 2018]
3560
3561 * Client DoS due to large DH parameter
3562
3563   During key agreement in a TLS handshake using a DH(E) based ciphersuite a
3564   malicious server can send a very large prime value to the client. This will
3565   cause the client to spend an unreasonably long period of time generating a
3566   key for this prime resulting in a hang until the client has finished. This
3567   could be exploited in a Denial Of Service attack.
3568
3569   This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken
3570   ([CVE-2018-0732])
3571
3572   *Guido Vranken*
3573
3574 * Cache timing vulnerability in RSA Key Generation
3575
3576   The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to
3577   a cache timing side channel attack. An attacker with sufficient access to
3578   mount cache timing attacks during the RSA key generation process could
3579   recover the private key.
3580
3581   This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera
3582   Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
3583   ([CVE-2018-0737])
3584
3585   *Billy Brumley*
3586
3587 * Make EVP_PKEY_asn1_new() a bit stricter about its input.  A NULL pem_str
3588   parameter is no longer accepted, as it leads to a corrupt table.  NULL
3589   pem_str is reserved for alias entries only.
3590
3591   *Richard Levitte*
3592
3593 * Revert blinding in ECDSA sign and instead make problematic addition
3594   length-invariant. Switch even to fixed-length Montgomery multiplication.
3595
3596   *Andy Polyakov*
3597
3598 * Change generating and checking of primes so that the error rate of not
3599   being prime depends on the intended use based on the size of the input.
3600   For larger primes this will result in more rounds of Miller-Rabin.
3601   The maximal error rate for primes with more than 1080 bits is lowered
3602   to 2^-128.
3603
3604   *Kurt Roeckx, Annie Yousar*
3605
3606 * Increase the number of Miller-Rabin rounds for DSA key generating to 64.
3607
3608   *Kurt Roeckx*
3609
3610 * Add blinding to ECDSA and DSA signatures to protect against side channel
3611   attacks discovered by Keegan Ryan (NCC Group).
3612
3613   *Matt Caswell*
3614
3615 * When unlocking a pass phrase protected PEM file or PKCS#8 container, we
3616   now allow empty (zero character) pass phrases.
3617
3618   *Richard Levitte*
3619
3620 * Certificate time validation (X509_cmp_time) enforces stricter
3621   compliance with RFC 5280. Fractional seconds and timezone offsets
3622   are no longer allowed.
3623
3624   *Emilia Käsper*
3625
3626 * Fixed a text canonicalisation bug in CMS
3627
3628   Where a CMS detached signature is used with text content the text goes
3629   through a canonicalisation process first prior to signing or verifying a
3630   signature. This process strips trailing space at the end of lines, converts
3631   line terminators to CRLF and removes additional trailing line terminators
3632   at the end of a file. A bug in the canonicalisation process meant that
3633   some characters, such as form-feed, were incorrectly treated as whitespace
3634   and removed. This is contrary to the specification (RFC5485). This fix
3635   could mean that detached text data signed with an earlier version of
3636   OpenSSL 1.1.0 may fail to verify using the fixed version, or text data
3637   signed with a fixed OpenSSL may fail to verify with an earlier version of
3638   OpenSSL 1.1.0. A workaround is to only verify the canonicalised text data
3639   and use the "-binary" flag (for the "cms" command line application) or set
3640   the SMIME_BINARY/PKCS7_BINARY/CMS_BINARY flags (if using CMS_verify()).
3641
3642   *Matt Caswell*
3643
3644### Changes between 1.1.0g and 1.1.0h [27 Mar 2018]
3645
3646 * Constructed ASN.1 types with a recursive definition could exceed the stack
3647
3648   Constructed ASN.1 types with a recursive definition (such as can be found
3649   in PKCS7) could eventually exceed the stack given malicious input with
3650   excessive recursion. This could result in a Denial Of Service attack. There
3651   are no such structures used within SSL/TLS that come from untrusted sources
3652   so this is considered safe.
3653
3654   This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz
3655   project.
3656   ([CVE-2018-0739])
3657
3658   *Matt Caswell*
3659
3660 * Incorrect CRYPTO_memcmp on HP-UX PA-RISC
3661
3662   Because of an implementation bug the PA-RISC CRYPTO_memcmp function is
3663   effectively reduced to only comparing the least significant bit of each
3664   byte. This allows an attacker to forge messages that would be considered as
3665   authenticated in an amount of tries lower than that guaranteed by the
3666   security claims of the scheme. The module can only be compiled by the
3667   HP-UX assembler, so that only HP-UX PA-RISC targets are affected.
3668
3669   This issue was reported to OpenSSL on 2nd March 2018 by Peter Waltenberg
3670   (IBM).
3671   ([CVE-2018-0733])
3672
3673   *Andy Polyakov*
3674
3675 * Add a build target 'build_all_generated', to build all generated files
3676   and only that.  This can be used to prepare everything that requires
3677   things like perl for a system that lacks perl and then move everything
3678   to that system and do the rest of the build there.
3679
3680   *Richard Levitte*
3681
3682 * Backport SSL_OP_NO_RENGOTIATION
3683
3684   OpenSSL 1.0.2 and below had the ability to disable renegotiation using the
3685   (undocumented) SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag. Due to the opacity
3686   changes this is no longer possible in 1.1.0. Therefore the new
3687   SSL_OP_NO_RENEGOTIATION option from 1.1.1-dev has been backported to
3688   1.1.0 to provide equivalent functionality.
3689
3690   Note that if an application built against 1.1.0h headers (or above) is run
3691   using an older version of 1.1.0 (prior to 1.1.0h) then the option will be
3692   accepted but nothing will happen, i.e. renegotiation will not be prevented.
3693
3694   *Matt Caswell*
3695
3696 * Removed the OS390-Unix config target.  It relied on a script that doesn't
3697   exist.
3698
3699   *Rich Salz*
3700
3701 * rsaz_1024_mul_avx2 overflow bug on x86_64
3702
3703   There is an overflow bug in the AVX2 Montgomery multiplication procedure
3704   used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
3705   Analysis suggests that attacks against RSA and DSA as a result of this
3706   defect would be very difficult to perform and are not believed likely.
3707   Attacks against DH1024 are considered just feasible, because most of the
3708   work necessary to deduce information about a private key may be performed
3709   offline. The amount of resources required for such an attack would be
3710   significant. However, for an attack on TLS to be meaningful, the server
3711   would have to share the DH1024 private key among multiple clients, which is
3712   no longer an option since CVE-2016-0701.
3713
3714   This only affects processors that support the AVX2 but not ADX extensions
3715   like Intel Haswell (4th generation).
3716
3717   This issue was reported to OpenSSL by David Benjamin (Google). The issue
3718   was originally found via the OSS-Fuzz project.
3719   ([CVE-2017-3738])
3720
3721   *Andy Polyakov*
3722
3723### Changes between 1.1.0f and 1.1.0g [2 Nov 2017]
3724
3725 * bn_sqrx8x_internal carry bug on x86_64
3726
3727   There is a carry propagating bug in the x86_64 Montgomery squaring
3728   procedure. No EC algorithms are affected. Analysis suggests that attacks
3729   against RSA and DSA as a result of this defect would be very difficult to
3730   perform and are not believed likely. Attacks against DH are considered just
3731   feasible (although very difficult) because most of the work necessary to
3732   deduce information about a private key may be performed offline. The amount
3733   of resources required for such an attack would be very significant and
3734   likely only accessible to a limited number of attackers. An attacker would
3735   additionally need online access to an unpatched system using the target
3736   private key in a scenario with persistent DH parameters and a private
3737   key that is shared between multiple clients.
3738
3739   This only affects processors that support the BMI1, BMI2 and ADX extensions
3740   like Intel Broadwell (5th generation) and later or AMD Ryzen.
3741
3742   This issue was reported to OpenSSL by the OSS-Fuzz project.
3743   ([CVE-2017-3736])
3744
3745   *Andy Polyakov*
3746
3747 * Malformed X.509 IPAddressFamily could cause OOB read
3748
3749   If an X.509 certificate has a malformed IPAddressFamily extension,
3750   OpenSSL could do a one-byte buffer overread. The most likely result
3751   would be an erroneous display of the certificate in text format.
3752
3753   This issue was reported to OpenSSL by the OSS-Fuzz project.
3754   ([CVE-2017-3735])
3755
3756   *Rich Salz*
3757
3758### Changes between 1.1.0e and 1.1.0f [25 May 2017]
3759
3760 * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
3761   platform rather than 'mingw'.
3762
3763   *Richard Levitte*
3764
3765 * Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c.
3766   VMS C's RTL has a fully up to date gmtime() and gmtime_r() since V7.1,
3767   which is the minimum version we support.
3768
3769   *Richard Levitte*
3770
3771### Changes between 1.1.0d and 1.1.0e [16 Feb 2017]
3772
3773 * Encrypt-Then-Mac renegotiation crash
3774
3775   During a renegotiation handshake if the Encrypt-Then-Mac extension is
3776   negotiated where it was not in the original handshake (or vice-versa) then
3777   this can cause OpenSSL to crash (dependant on ciphersuite). Both clients
3778   and servers are affected.
3779
3780   This issue was reported to OpenSSL by Joe Orton (Red Hat).
3781   ([CVE-2017-3733])
3782
3783   *Matt Caswell*
3784
3785### Changes between 1.1.0c and 1.1.0d [26 Jan 2017]
3786
3787 * Truncated packet could crash via OOB read
3788
3789   If one side of an SSL/TLS path is running on a 32-bit host and a specific
3790   cipher is being used, then a truncated packet can cause that host to
3791   perform an out-of-bounds read, usually resulting in a crash.
3792
3793   This issue was reported to OpenSSL by Robert Święcki of Google.
3794   ([CVE-2017-3731])
3795
3796   *Andy Polyakov*
3797
3798 * Bad (EC)DHE parameters cause a client crash
3799
3800   If a malicious server supplies bad parameters for a DHE or ECDHE key
3801   exchange then this can result in the client attempting to dereference a
3802   NULL pointer leading to a client crash. This could be exploited in a Denial
3803   of Service attack.
3804
3805   This issue was reported to OpenSSL by Guido Vranken.
3806   ([CVE-2017-3730])
3807
3808   *Matt Caswell*
3809
3810 * BN_mod_exp may produce incorrect results on x86_64
3811
3812   There is a carry propagating bug in the x86_64 Montgomery squaring
3813   procedure. No EC algorithms are affected. Analysis suggests that attacks
3814   against RSA and DSA as a result of this defect would be very difficult to
3815   perform and are not believed likely. Attacks against DH are considered just
3816   feasible (although very difficult) because most of the work necessary to
3817   deduce information about a private key may be performed offline. The amount
3818   of resources required for such an attack would be very significant and
3819   likely only accessible to a limited number of attackers. An attacker would
3820   additionally need online access to an unpatched system using the target
3821   private key in a scenario with persistent DH parameters and a private
3822   key that is shared between multiple clients. For example this can occur by
3823   default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very
3824   similar to CVE-2015-3193 but must be treated as a separate problem.
3825
3826   This issue was reported to OpenSSL by the OSS-Fuzz project.
3827   ([CVE-2017-3732])
3828
3829   *Andy Polyakov*
3830
3831### Changes between 1.1.0b and 1.1.0c [10 Nov 2016]
3832
3833 * ChaCha20/Poly1305 heap-buffer-overflow
3834
3835   TLS connections using `*-CHACHA20-POLY1305` ciphersuites are susceptible to
3836   a DoS attack by corrupting larger payloads. This can result in an OpenSSL
3837   crash. This issue is not considered to be exploitable beyond a DoS.
3838
3839   This issue was reported to OpenSSL by Robert Święcki (Google Security Team)
3840   ([CVE-2016-7054])
3841
3842   *Richard Levitte*
3843
3844 * CMS Null dereference
3845
3846   Applications parsing invalid CMS structures can crash with a NULL pointer
3847   dereference. This is caused by a bug in the handling of the ASN.1 CHOICE
3848   type in OpenSSL 1.1.0 which can result in a NULL value being passed to the
3849   structure callback if an attempt is made to free certain invalid encodings.
3850   Only CHOICE structures using a callback which do not handle NULL value are
3851   affected.
3852
3853   This issue was reported to OpenSSL by Tyler Nighswander of ForAllSecure.
3854   ([CVE-2016-7053])
3855
3856   *Stephen Henson*
3857
3858 * Montgomery multiplication may produce incorrect results
3859
3860   There is a carry propagating bug in the Broadwell-specific Montgomery
3861   multiplication procedure that handles input lengths divisible by, but
3862   longer than 256 bits. Analysis suggests that attacks against RSA, DSA
3863   and DH private keys are impossible. This is because the subroutine in
3864   question is not used in operations with the private key itself and an input
3865   of the attacker's direct choice. Otherwise the bug can manifest itself as
3866   transient authentication and key negotiation failures or reproducible
3867   erroneous outcome of public-key operations with specially crafted input.
3868   Among EC algorithms only Brainpool P-512 curves are affected and one
3869   presumably can attack ECDH key negotiation. Impact was not analyzed in
3870   detail, because pre-requisites for attack are considered unlikely. Namely
3871   multiple clients have to choose the curve in question and the server has to
3872   share the private key among them, neither of which is default behaviour.
3873   Even then only clients that chose the curve will be affected.
3874
3875   This issue was publicly reported as transient failures and was not
3876   initially recognized as a security issue. Thanks to Richard Morgan for
3877   providing reproducible case.
3878   ([CVE-2016-7055])
3879
3880   *Andy Polyakov*
3881
3882 * Removed automatic addition of RPATH in shared libraries and executables,
3883   as this was a remainder from OpenSSL 1.0.x and isn't needed any more.
3884
3885   *Richard Levitte*
3886
3887### Changes between 1.1.0a and 1.1.0b [26 Sep 2016]
3888
3889 * Fix Use After Free for large message sizes
3890
3891   The patch applied to address CVE-2016-6307 resulted in an issue where if a
3892   message larger than approx 16k is received then the underlying buffer to
3893   store the incoming message is reallocated and moved. Unfortunately a
3894   dangling pointer to the old location is left which results in an attempt to
3895   write to the previously freed location. This is likely to result in a
3896   crash, however it could potentially lead to execution of arbitrary code.
3897
3898   This issue only affects OpenSSL 1.1.0a.
3899
3900   This issue was reported to OpenSSL by Robert Święcki.
3901   ([CVE-2016-6309])
3902
3903   *Matt Caswell*
3904
3905### Changes between 1.1.0 and 1.1.0a [22 Sep 2016]
3906
3907 * OCSP Status Request extension unbounded memory growth
3908
3909   A malicious client can send an excessively large OCSP Status Request
3910   extension. If that client continually requests renegotiation, sending a
3911   large OCSP Status Request extension each time, then there will be unbounded
3912   memory growth on the server. This will eventually lead to a Denial Of
3913   Service attack through memory exhaustion. Servers with a default
3914   configuration are vulnerable even if they do not support OCSP. Builds using
3915   the "no-ocsp" build time option are not affected.
3916
3917   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
3918   ([CVE-2016-6304])
3919
3920   *Matt Caswell*
3921
3922 * SSL_peek() hang on empty record
3923
3924   OpenSSL 1.1.0 SSL/TLS will hang during a call to SSL_peek() if the peer
3925   sends an empty record. This could be exploited by a malicious peer in a
3926   Denial Of Service attack.
3927
3928   This issue was reported to OpenSSL by Alex Gaynor.
3929   ([CVE-2016-6305])
3930
3931   *Matt Caswell*
3932
3933 * Excessive allocation of memory in tls_get_message_header() and
3934   dtls1_preprocess_fragment()
3935
3936   A (D)TLS message includes 3 bytes for its length in the header for the
3937   message. This would allow for messages up to 16Mb in length. Messages of
3938   this length are excessive and OpenSSL includes a check to ensure that a
3939   peer is sending reasonably sized messages in order to avoid too much memory
3940   being consumed to service a connection. A flaw in the logic of version
3941   1.1.0 means that memory for the message is allocated too early, prior to
3942   the excessive message length check. Due to way memory is allocated in
3943   OpenSSL this could mean an attacker could force up to 21Mb to be allocated
3944   to service a connection. This could lead to a Denial of Service through
3945   memory exhaustion. However, the excessive message length check still takes
3946   place, and this would cause the connection to immediately fail. Assuming
3947   that the application calls SSL_free() on the failed connection in a timely
3948   manner then the 21Mb of allocated memory will then be immediately freed
3949   again. Therefore the excessive memory allocation will be transitory in
3950   nature. This then means that there is only a security impact if:
3951
3952   1) The application does not call SSL_free() in a timely manner in the event
3953   that the connection fails
3954   or
3955   2) The application is working in a constrained environment where there is
3956   very little free memory
3957   or
3958   3) The attacker initiates multiple connection attempts such that there are
3959   multiple connections in a state where memory has been allocated for the
3960   connection; SSL_free() has not yet been called; and there is insufficient
3961   memory to service the multiple requests.
3962
3963   Except in the instance of (1) above any Denial Of Service is likely to be
3964   transitory because as soon as the connection fails the memory is
3965   subsequently freed again in the SSL_free() call. However there is an
3966   increased risk during this period of application crashes due to the lack of
3967   memory - which would then mean a more serious Denial of Service.
3968
3969   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
3970   (CVE-2016-6307 and CVE-2016-6308)
3971
3972   *Matt Caswell*
3973
3974 * solaris-x86-cc, i.e. 32-bit configuration with vendor compiler,
3975   had to be removed. Primary reason is that vendor assembler can't
3976   assemble our modules with -KPIC flag. As result it, assembly
3977   support, was not even available as option. But its lack means
3978   lack of side-channel resistant code, which is incompatible with
3979   security by todays standards. Fortunately gcc is readily available
3980   prepackaged option, which we firmly point at...
3981
3982   *Andy Polyakov*
3983
3984### Changes between 1.0.2h and 1.1.0  [25 Aug 2016]
3985
3986 * Windows command-line tool supports UTF-8 opt-in option for arguments
3987   and console input. Setting OPENSSL_WIN32_UTF8 environment variable
3988   (to any value) allows Windows user to access PKCS#12 file generated
3989   with Windows CryptoAPI and protected with non-ASCII password, as well
3990   as files generated under UTF-8 locale on Linux also protected with
3991   non-ASCII password.
3992
3993   *Andy Polyakov*
3994
3995 * To mitigate the SWEET32 attack ([CVE-2016-2183]), 3DES cipher suites
3996   have been disabled by default and removed from DEFAULT, just like RC4.
3997   See the RC4 item below to re-enable both.
3998
3999   *Rich Salz*
4000
4001 * The method for finding the storage location for the Windows RAND seed file
4002   has changed. First we check %RANDFILE%. If that is not set then we check
4003   the directories %HOME%, %USERPROFILE% and %SYSTEMROOT% in that order. If
4004   all else fails we fall back to C:\.
4005
4006   *Matt Caswell*
4007
4008 * The EVP_EncryptUpdate() function has had its return type changed from void
4009   to int. A return of 0 indicates and error while a return of 1 indicates
4010   success.
4011
4012   *Matt Caswell*
4013
4014 * The flags RSA_FLAG_NO_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME and
4015   DH_FLAG_NO_EXP_CONSTTIME which previously provided the ability to switch
4016   off the constant time implementation for RSA, DSA and DH have been made
4017   no-ops and deprecated.
4018
4019   *Matt Caswell*
4020
4021 * Windows RAND implementation was simplified to only get entropy by
4022   calling CryptGenRandom(). Various other RAND-related tickets
4023   were also closed.
4024
4025   *Joseph Wylie Yandle, Rich Salz*
4026
4027 * The stack and lhash API's were renamed to start with `OPENSSL_SK_`
4028   and `OPENSSL_LH_`, respectively.  The old names are available
4029   with API compatibility.  They new names are now completely documented.
4030
4031   *Rich Salz*
4032
4033 * Unify TYPE_up_ref(obj) methods signature.
4034   SSL_CTX_up_ref(), SSL_up_ref(), X509_up_ref(), EVP_PKEY_up_ref(),
4035   X509_CRL_up_ref(), X509_OBJECT_up_ref_count() methods are now returning an
4036   int (instead of void) like all others TYPE_up_ref() methods.
4037   So now these methods also check the return value of CRYPTO_atomic_add(),
4038   and the validity of object reference counter.
4039
4040   *fdasilvayy@gmail.com*
4041
4042 * With Windows Visual Studio builds, the .pdb files are installed
4043   alongside the installed libraries and executables.  For a static
4044   library installation, ossl_static.pdb is the associate compiler
4045   generated .pdb file to be used when linking programs.
4046
4047   *Richard Levitte*
4048
4049 * Remove openssl.spec.  Packaging files belong with the packagers.
4050
4051   *Richard Levitte*
4052
4053 * Automatic Darwin/OSX configuration has had a refresh, it will now
4054   recognise x86_64 architectures automatically.  You can still decide
4055   to build for a different bitness with the environment variable
4056   KERNEL_BITS (can be 32 or 64), for example:
4057
4058           KERNEL_BITS=32 ./config
4059
4060   *Richard Levitte*
4061
4062 * Change default algorithms in pkcs8 utility to use PKCS#5 v2.0,
4063   256 bit AES and HMAC with SHA256.
4064
4065   *Steve Henson*
4066
4067 * Remove support for MIPS o32 ABI on IRIX (and IRIX only).
4068
4069   *Andy Polyakov*
4070
4071 * Triple-DES ciphers have been moved from HIGH to MEDIUM.
4072
4073   *Rich Salz*
4074
4075 * To enable users to have their own config files and build file templates,
4076   Configure looks in the directory indicated by the environment variable
4077   OPENSSL_LOCAL_CONFIG_DIR as well as the in-source Configurations/
4078   directory.  On VMS, OPENSSL_LOCAL_CONFIG_DIR is expected to be a logical
4079   name and is used as is.
4080
4081   *Richard Levitte*
4082
4083 * The following datatypes were made opaque: X509_OBJECT, X509_STORE_CTX,
4084   X509_STORE, X509_LOOKUP, and X509_LOOKUP_METHOD.  The unused type
4085   X509_CERT_FILE_CTX was removed.
4086
4087   *Rich Salz*
4088
4089 * "shared" builds are now the default. To create only static libraries use
4090   the "no-shared" Configure option.
4091
4092   *Matt Caswell*
4093
4094 * Remove the no-aes, no-hmac, no-rsa, no-sha and no-md5 Configure options.
4095   All of these option have not worked for some while and are fundamental
4096   algorithms.
4097
4098   *Matt Caswell*
4099
4100 * Make various cleanup routines no-ops and mark them as deprecated. Most
4101   global cleanup functions are no longer required because they are handled
4102   via auto-deinit (see OPENSSL_init_crypto and OPENSSL_init_ssl man pages).
4103   Explicitly de-initing can cause problems (e.g. where a library that uses
4104   OpenSSL de-inits, but an application is still using it). The affected
4105   functions are CONF_modules_free(), ENGINE_cleanup(), OBJ_cleanup(),
4106   EVP_cleanup(), BIO_sock_cleanup(), CRYPTO_cleanup_all_ex_data(),
4107   RAND_cleanup(), SSL_COMP_free_compression_methods(), ERR_free_strings() and
4108   COMP_zlib_cleanup().
4109
4110   *Matt Caswell*
4111
4112 * --strict-warnings no longer enables runtime debugging options
4113   such as REF_DEBUG. Instead, debug options are automatically
4114   enabled with '--debug' builds.
4115
4116   *Andy Polyakov, Emilia Käsper*
4117
4118 * Made DH and DH_METHOD opaque. The structures for managing DH objects
4119   have been moved out of the public header files. New functions for managing
4120   these have been added.
4121
4122   *Matt Caswell*
4123
4124 * Made RSA and RSA_METHOD opaque. The structures for managing RSA
4125   objects have been moved out of the public header files. New
4126   functions for managing these have been added.
4127
4128   *Richard Levitte*
4129
4130 * Made DSA and DSA_METHOD opaque. The structures for managing DSA objects
4131   have been moved out of the public header files. New functions for managing
4132   these have been added.
4133
4134   *Matt Caswell*
4135
4136 * Made BIO and BIO_METHOD opaque. The structures for managing BIOs have been
4137   moved out of the public header files. New functions for managing these
4138   have been added.
4139
4140   *Matt Caswell*
4141
4142 * Removed no-rijndael as a config option. Rijndael is an old name for AES.
4143
4144   *Matt Caswell*
4145
4146 * Removed the mk1mf build scripts.
4147
4148   *Richard Levitte*
4149
4150 * Headers are now wrapped, if necessary, with OPENSSL_NO_xxx, so
4151   it is always safe to #include a header now.
4152
4153   *Rich Salz*
4154
4155 * Removed the aged BC-32 config and all its supporting scripts
4156
4157   *Richard Levitte*
4158
4159 * Removed support for Ultrix, Netware, and OS/2.
4160
4161   *Rich Salz*
4162
4163 * Add support for HKDF.
4164
4165   *Alessandro Ghedini*
4166
4167 * Add support for blake2b and blake2s
4168
4169   *Bill Cox*
4170
4171 * Added support for "pipelining". Ciphers that have the
4172   EVP_CIPH_FLAG_PIPELINE flag set have a capability to process multiple
4173   encryptions/decryptions simultaneously. There are currently no built-in
4174   ciphers with this property but the expectation is that engines will be able
4175   to offer it to significantly improve throughput. Support has been extended
4176   into libssl so that multiple records for a single connection can be
4177   processed in one go (for >=TLS 1.1).
4178
4179   *Matt Caswell*
4180
4181 * Added the AFALG engine. This is an async capable engine which is able to
4182   offload work to the Linux kernel. In this initial version it only supports
4183   AES128-CBC. The kernel must be version 4.1.0 or greater.
4184
4185   *Catriona Lucey*
4186
4187 * OpenSSL now uses a new threading API. It is no longer necessary to
4188   set locking callbacks to use OpenSSL in a multi-threaded environment. There
4189   are two supported threading models: pthreads and windows threads. It is
4190   also possible to configure OpenSSL at compile time for "no-threads". The
4191   old threading API should no longer be used. The functions have been
4192   replaced with "no-op" compatibility macros.
4193
4194   *Alessandro Ghedini, Matt Caswell*
4195
4196 * Modify behavior of ALPN to invoke callback after SNI/servername
4197   callback, such that updates to the SSL_CTX affect ALPN.
4198
4199   *Todd Short*
4200
4201 * Add SSL_CIPHER queries for authentication and key-exchange.
4202
4203   *Todd Short*
4204
4205 * Changes to the DEFAULT cipherlist:
4206   - Prefer (EC)DHE handshakes over plain RSA.
4207   - Prefer AEAD ciphers over legacy ciphers.
4208   - Prefer ECDSA over RSA when both certificates are available.
4209   - Prefer TLSv1.2 ciphers/PRF.
4210   - Remove DSS, SEED, IDEA, CAMELLIA, and AES-CCM from the
4211     default cipherlist.
4212
4213   *Emilia Käsper*
4214
4215 * Change the ECC default curve list to be this, in order: x25519,
4216   secp256r1, secp521r1, secp384r1.
4217
4218   *Rich Salz*
4219
4220 * RC4 based libssl ciphersuites are now classed as "weak" ciphers and are
4221   disabled by default. They can be re-enabled using the
4222   enable-weak-ssl-ciphers option to Configure.
4223
4224   *Matt Caswell*
4225
4226 * If the server has ALPN configured, but supports no protocols that the
4227   client advertises, send a fatal "no_application_protocol" alert.
4228   This behaviour is SHALL in RFC 7301, though it isn't universally
4229   implemented by other servers.
4230
4231   *Emilia Käsper*
4232
4233 * Add X25519 support.
4234   Add ASN.1 and EVP_PKEY methods for X25519. This includes support
4235   for public and private key encoding using the format documented in
4236   draft-ietf-curdle-pkix-02. The corresponding EVP_PKEY method supports
4237   key generation and key derivation.
4238
4239   TLS support complies with draft-ietf-tls-rfc4492bis-08 and uses
4240   X25519(29).
4241
4242   *Steve Henson*
4243
4244 * Deprecate SRP_VBASE_get_by_user.
4245   SRP_VBASE_get_by_user had inconsistent memory management behaviour.
4246   In order to fix an unavoidable memory leak ([CVE-2016-0798]),
4247   SRP_VBASE_get_by_user was changed to ignore the "fake user" SRP
4248   seed, even if the seed is configured.
4249
4250   Users should use SRP_VBASE_get1_by_user instead. Note that in
4251   SRP_VBASE_get1_by_user, caller must free the returned value. Note
4252   also that even though configuring the SRP seed attempts to hide
4253   invalid usernames by continuing the handshake with fake
4254   credentials, this behaviour is not constant time and no strong
4255   guarantees are made that the handshake is indistinguishable from
4256   that of a valid user.
4257
4258   *Emilia Käsper*
4259
4260 * Configuration change; it's now possible to build dynamic engines
4261   without having to build shared libraries and vice versa.  This
4262   only applies to the engines in `engines/`, those in `crypto/engine/`
4263   will always be built into libcrypto (i.e. "static").
4264
4265   Building dynamic engines is enabled by default; to disable, use
4266   the configuration option "disable-dynamic-engine".
4267
4268   The only requirements for building dynamic engines are the
4269   presence of the DSO module and building with position independent
4270   code, so they will also automatically be disabled if configuring
4271   with "disable-dso" or "disable-pic".
4272
4273   The macros OPENSSL_NO_STATIC_ENGINE and OPENSSL_NO_DYNAMIC_ENGINE
4274   are also taken away from openssl/opensslconf.h, as they are
4275   irrelevant.
4276
4277   *Richard Levitte*
4278
4279 * Configuration change; if there is a known flag to compile
4280   position independent code, it will always be applied on the
4281   libcrypto and libssl object files, and never on the application
4282   object files.  This means other libraries that use routines from
4283   libcrypto / libssl can be made into shared libraries regardless
4284   of how OpenSSL was configured.
4285
4286   If this isn't desirable, the configuration options "disable-pic"
4287   or "no-pic" can be used to disable the use of PIC.  This will
4288   also disable building shared libraries and dynamic engines.
4289
4290   *Richard Levitte*
4291
4292 * Removed JPAKE code.  It was experimental and has no wide use.
4293
4294   *Rich Salz*
4295
4296 * The INSTALL_PREFIX Makefile variable has been renamed to
4297   DESTDIR.  That makes for less confusion on what this variable
4298   is for.  Also, the configuration option --install_prefix is
4299   removed.
4300
4301   *Richard Levitte*
4302
4303 * Heartbeat for TLS has been removed and is disabled by default
4304   for DTLS; configure with enable-heartbeats.  Code that uses the
4305   old #define's might need to be updated.
4306
4307   *Emilia Käsper, Rich Salz*
4308
4309 * Rename REF_CHECK to REF_DEBUG.
4310
4311   *Rich Salz*
4312
4313 * New "unified" build system
4314
4315   The "unified" build system is aimed to be a common system for all
4316   platforms we support.  With it comes new support for VMS.
4317
4318   This system builds supports building in a different directory tree
4319   than the source tree.  It produces one Makefile (for unix family
4320   or lookalikes), or one descrip.mms (for VMS).
4321
4322   The source of information to make the Makefile / descrip.mms is
4323   small files called 'build.info', holding the necessary
4324   information for each directory with source to compile, and a
4325   template in Configurations, like unix-Makefile.tmpl or
4326   descrip.mms.tmpl.
4327
4328   With this change, the library names were also renamed on Windows
4329   and on VMS.  They now have names that are closer to the standard
4330   on Unix, and include the major version number, and in certain
4331   cases, the architecture they are built for.  See "Notes on shared
4332   libraries" in INSTALL.
4333
4334   We rely heavily on the perl module Text::Template.
4335
4336   *Richard Levitte*
4337
4338 * Added support for auto-initialisation and de-initialisation of the library.
4339   OpenSSL no longer requires explicit init or deinit routines to be called,
4340   except in certain circumstances. See the OPENSSL_init_crypto() and
4341   OPENSSL_init_ssl() man pages for further information.
4342
4343   *Matt Caswell*
4344
4345 * The arguments to the DTLSv1_listen function have changed. Specifically the
4346   "peer" argument is now expected to be a BIO_ADDR object.
4347
4348 * Rewrite of BIO networking library. The BIO library lacked consistent
4349   support of IPv6, and adding it required some more extensive
4350   modifications.  This introduces the BIO_ADDR and BIO_ADDRINFO types,
4351   which hold all types of addresses and chains of address information.
4352   It also introduces a new API, with functions like BIO_socket,
4353   BIO_connect, BIO_listen, BIO_lookup and a rewrite of BIO_accept.
4354   The source/sink BIOs BIO_s_connect, BIO_s_accept and BIO_s_datagram
4355   have been adapted accordingly.
4356
4357   *Richard Levitte*
4358
4359 * RSA_padding_check_PKCS1_type_1 now accepts inputs with and without
4360   the leading 0-byte.
4361
4362   *Emilia Käsper*
4363
4364 * CRIME protection: disable compression by default, even if OpenSSL is
4365   compiled with zlib enabled. Applications can still enable compression
4366   by calling SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION), or by
4367   using the SSL_CONF library to configure compression.
4368
4369   *Emilia Käsper*
4370
4371 * The signature of the session callback configured with
4372   SSL_CTX_sess_set_get_cb was changed. The read-only input buffer
4373   was explicitly marked as `const unsigned char*` instead of
4374   `unsigned char*`.
4375
4376   *Emilia Käsper*
4377
4378 * Always DPURIFY. Remove the use of uninitialized memory in the
4379   RNG, and other conditional uses of DPURIFY. This makes -DPURIFY a no-op.
4380
4381   *Emilia Käsper*
4382
4383 * Removed many obsolete configuration items, including
4384      DES_PTR, DES_RISC1, DES_RISC2, DES_INT
4385      MD2_CHAR, MD2_INT, MD2_LONG
4386      BF_PTR, BF_PTR2
4387      IDEA_SHORT, IDEA_LONG
4388      RC2_SHORT, RC2_LONG, RC4_LONG, RC4_CHUNK, RC4_INDEX
4389
4390   *Rich Salz, with advice from Andy Polyakov*
4391
4392 * Many BN internals have been moved to an internal header file.
4393
4394   *Rich Salz with help from Andy Polyakov*
4395
4396 * Configuration and writing out the results from it has changed.
4397   Files such as Makefile include/openssl/opensslconf.h and are now
4398   produced through general templates, such as Makefile.in and
4399   crypto/opensslconf.h.in and some help from the perl module
4400   Text::Template.
4401
4402   Also, the center of configuration information is no longer
4403   Makefile.  Instead, Configure produces a perl module in
4404   configdata.pm which holds most of the config data (in the hash
4405   table %config), the target data that comes from the target
4406   configuration in one of the `Configurations/*.conf` files (in
4407   %target).
4408
4409   *Richard Levitte*
4410
4411 * To clarify their intended purposes, the Configure options
4412   --prefix and --openssldir change their semantics, and become more
4413   straightforward and less interdependent.
4414
4415   --prefix shall be used exclusively to give the location INSTALLTOP
4416   where programs, scripts, libraries, include files and manuals are
4417   going to be installed.  The default is now /usr/local.
4418
4419   --openssldir shall be used exclusively to give the default
4420   location OPENSSLDIR where certificates, private keys, CRLs are
4421   managed.  This is also where the default openssl.cnf gets
4422   installed.
4423   If the directory given with this option is a relative path, the
4424   values of both the --prefix value and the --openssldir value will
4425   be combined to become OPENSSLDIR.
4426   The default for --openssldir is INSTALLTOP/ssl.
4427
4428   Anyone who uses --openssldir to specify where OpenSSL is to be
4429   installed MUST change to use --prefix instead.
4430
4431   *Richard Levitte*
4432
4433 * The GOST engine was out of date and therefore it has been removed. An up
4434   to date GOST engine is now being maintained in an external repository.
4435   See: <https://wiki.openssl.org/index.php/Binaries>. Libssl still retains
4436   support for GOST ciphersuites (these are only activated if a GOST engine
4437   is present).
4438
4439   *Matt Caswell*
4440
4441 * EGD is no longer supported by default; use enable-egd when
4442   configuring.
4443
4444   *Ben Kaduk and Rich Salz*
4445
4446 * The distribution now has Makefile.in files, which are used to
4447   create Makefile's when Configure is run.  *Configure must be run
4448   before trying to build now.*
4449
4450   *Rich Salz*
4451
4452 * The return value for SSL_CIPHER_description() for error conditions
4453   has changed.
4454
4455   *Rich Salz*
4456
4457 * Support for RFC6698/RFC7671 DANE TLSA peer authentication.
4458
4459   Obtaining and performing DNSSEC validation of TLSA records is
4460   the application's responsibility.  The application provides
4461   the TLSA records of its choice to OpenSSL, and these are then
4462   used to authenticate the peer.
4463
4464   The TLSA records need not even come from DNS.  They can, for
4465   example, be used to implement local end-entity certificate or
4466   trust-anchor "pinning", where the "pin" data takes the form
4467   of TLSA records, which can augment or replace verification
4468   based on the usual WebPKI public certification authorities.
4469
4470   *Viktor Dukhovni*
4471
4472 * Revert default OPENSSL_NO_DEPRECATED setting.  Instead OpenSSL
4473   continues to support deprecated interfaces in default builds.
4474   However, applications are strongly advised to compile their
4475   source files with -DOPENSSL_API_COMPAT=0x10100000L, which hides
4476   the declarations of all interfaces deprecated in 0.9.8, 1.0.0
4477   or the 1.1.0 releases.
4478
4479   In environments in which all applications have been ported to
4480   not use any deprecated interfaces OpenSSL's Configure script
4481   should be used with the --api=1.1.0 option to entirely remove
4482   support for the deprecated features from the library and
4483   unconditionally disable them in the installed headers.
4484   Essentially the same effect can be achieved with the "no-deprecated"
4485   argument to Configure, except that this will always restrict
4486   the build to just the latest API, rather than a fixed API
4487   version.
4488
4489   As applications are ported to future revisions of the API,
4490   they should update their compile-time OPENSSL_API_COMPAT define
4491   accordingly, but in most cases should be able to continue to
4492   compile with later releases.
4493
4494   The OPENSSL_API_COMPAT versions for 1.0.0, and 0.9.8 are
4495   0x10000000L and 0x00908000L, respectively.  However those
4496   versions did not support the OPENSSL_API_COMPAT feature, and
4497   so applications are not typically tested for explicit support
4498   of just the undeprecated features of either release.
4499
4500   *Viktor Dukhovni*
4501
4502 * Add support for setting the minimum and maximum supported protocol.
4503   It can bet set via the SSL_set_min_proto_version() and
4504   SSL_set_max_proto_version(), or via the SSL_CONF's MinProtocol and
4505   MaxProtocol.  It's recommended to use the new APIs to disable
4506   protocols instead of disabling individual protocols using
4507   SSL_set_options() or SSL_CONF's Protocol.  This change also
4508   removes support for disabling TLS 1.2 in the OpenSSL TLS
4509   client at compile time by defining OPENSSL_NO_TLS1_2_CLIENT.
4510
4511   *Kurt Roeckx*
4512
4513 * Support for ChaCha20 and Poly1305 added to libcrypto and libssl.
4514
4515   *Andy Polyakov*
4516
4517 * New EC_KEY_METHOD, this replaces the older ECDSA_METHOD and ECDH_METHOD
4518   and integrates ECDSA and ECDH functionality into EC. Implementations can
4519   now redirect key generation and no longer need to convert to or from
4520   ECDSA_SIG format.
4521
4522   Note: the ecdsa.h and ecdh.h headers are now no longer needed and just
4523   include the ec.h header file instead.
4524
4525   *Steve Henson*
4526
4527 * Remove support for all 40 and 56 bit ciphers.  This includes all the export
4528   ciphers who are no longer supported and drops support the ephemeral RSA key
4529   exchange. The LOW ciphers currently doesn't have any ciphers in it.
4530
4531   *Kurt Roeckx*
4532
4533 * Made EVP_MD_CTX, EVP_MD, EVP_CIPHER_CTX, EVP_CIPHER and HMAC_CTX
4534   opaque.  For HMAC_CTX, the following constructors and destructors
4535   were added:
4536
4537       HMAC_CTX *HMAC_CTX_new(void);
4538       void HMAC_CTX_free(HMAC_CTX *ctx);
4539
4540   For EVP_MD and EVP_CIPHER, complete APIs to create, fill and
4541   destroy such methods has been added.  See EVP_MD_meth_new(3) and
4542   EVP_CIPHER_meth_new(3) for documentation.
4543
4544   Additional changes:
4545   1) `EVP_MD_CTX_cleanup()`, `EVP_CIPHER_CTX_cleanup()` and
4546      `HMAC_CTX_cleanup()` were removed. `HMAC_CTX_reset()` and
4547      `EVP_MD_CTX_reset()` should be called instead to reinitialise
4548      an already created structure.
4549   2) For consistency with the majority of our object creators and
4550      destructors, `EVP_MD_CTX_(create|destroy)` were renamed to
4551      `EVP_MD_CTX_(new|free)`.  The old names are retained as macros
4552      for deprecated builds.
4553
4554   *Richard Levitte*
4555
4556 * Added ASYNC support. Libcrypto now includes the async sub-library to enable
4557   cryptographic operations to be performed asynchronously as long as an
4558   asynchronous capable engine is used. See the ASYNC_start_job() man page for
4559   further details. Libssl has also had this capability integrated with the
4560   introduction of the new mode SSL_MODE_ASYNC and associated error
4561   SSL_ERROR_WANT_ASYNC. See the SSL_CTX_set_mode() and SSL_get_error() man
4562   pages. This work was developed in partnership with Intel Corp.
4563
4564   *Matt Caswell*
4565
4566 * SSL_{CTX_}set_ecdh_auto() has been removed and ECDH is support is
4567   always enabled now.  If you want to disable the support you should
4568   exclude it using the list of supported ciphers. This also means that the
4569   "-no_ecdhe" option has been removed from s_server.
4570
4571   *Kurt Roeckx*
4572
4573 * SSL_{CTX}_set_tmp_ecdh() which can set 1 EC curve now internally calls
4574   SSL_{CTX_}set1_curves() which can set a list.
4575
4576   *Kurt Roeckx*
4577
4578 * Remove support for SSL_{CTX_}set_tmp_ecdh_callback().  You should set the
4579   curve you want to support using SSL_{CTX_}set1_curves().
4580
4581   *Kurt Roeckx*
4582
4583 * State machine rewrite. The state machine code has been significantly
4584   refactored in order to remove much duplication of code and solve issues
4585   with the old code (see [ssl/statem/README.md](ssl/statem/README.md) for
4586   further details). This change does have some associated API changes.
4587   Notably the SSL_state() function has been removed and replaced by
4588   SSL_get_state which now returns an "OSSL_HANDSHAKE_STATE" instead of an int.
4589   SSL_set_state() has been removed altogether. The previous handshake states
4590   defined in ssl.h and ssl3.h have also been removed.
4591
4592   *Matt Caswell*
4593
4594 * All instances of the string "ssleay" in the public API were replaced
4595   with OpenSSL (case-matching; e.g., OPENSSL_VERSION for #define's)
4596   Some error codes related to internal RSA_eay API's were renamed.
4597
4598   *Rich Salz*
4599
4600 * The demo files in crypto/threads were moved to demo/threads.
4601
4602   *Rich Salz*
4603
4604 * Removed obsolete engines: 4758cca, aep, atalla, cswift, nuron, gmp,
4605   sureware and ubsec.
4606
4607   *Matt Caswell, Rich Salz*
4608
4609 * New ASN.1 embed macro.
4610
4611   New ASN.1 macro ASN1_EMBED. This is the same as ASN1_SIMPLE except the
4612   structure is not allocated: it is part of the parent. That is instead of
4613
4614           FOO *x;
4615
4616   it must be:
4617
4618           FOO x;
4619
4620   This reduces memory fragmentation and make it impossible to accidentally
4621   set a mandatory field to NULL.
4622
4623   This currently only works for some fields specifically a SEQUENCE, CHOICE,
4624   or ASN1_STRING type which is part of a parent SEQUENCE. Since it is
4625   equivalent to ASN1_SIMPLE it cannot be tagged, OPTIONAL, SET OF or
4626   SEQUENCE OF.
4627
4628   *Steve Henson*
4629
4630 * Remove EVP_CHECK_DES_KEY, a compile-time option that never compiled.
4631
4632   *Emilia Käsper*
4633
4634 * Removed DES and RC4 ciphersuites from DEFAULT. Also removed RC2 although
4635   in 1.0.2 EXPORT was already removed and the only RC2 ciphersuite is also
4636   an EXPORT one. COMPLEMENTOFDEFAULT has been updated accordingly to add
4637   DES and RC4 ciphersuites.
4638
4639   *Matt Caswell*
4640
4641 * Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs.
4642   This changes the decoding behaviour for some invalid messages,
4643   though the change is mostly in the more lenient direction, and
4644   legacy behaviour is preserved as much as possible.
4645
4646   *Emilia Käsper*
4647
4648 * Fix no-stdio build.
4649   *David Woodhouse <David.Woodhouse@intel.com> and also*
4650   *Ivan Nestlerode <ivan.nestlerode@sonos.com>*
4651
4652 * New testing framework
4653   The testing framework has been largely rewritten and is now using
4654   perl and the perl modules Test::Harness and an extended variant of
4655   Test::More called OpenSSL::Test to do its work.  All test scripts in
4656   test/ have been rewritten into test recipes, and all direct calls to
4657   executables in test/Makefile have become individual recipes using the
4658   simplified testing OpenSSL::Test::Simple.
4659
4660   For documentation on our testing modules, do:
4661
4662           perldoc test/testlib/OpenSSL/Test/Simple.pm
4663           perldoc test/testlib/OpenSSL/Test.pm
4664
4665   *Richard Levitte*
4666
4667 * Revamped memory debug; only -DCRYPTO_MDEBUG and -DCRYPTO_MDEBUG_ABORT
4668   are used; the latter aborts on memory leaks (usually checked on exit).
4669   Some undocumented "set malloc, etc., hooks" functions were removed
4670   and others were changed.  All are now documented.
4671
4672   *Rich Salz*
4673
4674 * In DSA_generate_parameters_ex, if the provided seed is too short,
4675   return an error
4676
4677   *Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>*
4678
4679 * Rewrite PSK to support ECDHE_PSK, DHE_PSK and RSA_PSK. Add ciphersuites
4680   from RFC4279, RFC4785, RFC5487, RFC5489.
4681
4682   Thanks to Christian J. Dietrich and Giuseppe D'Angelo for the
4683   original RSA_PSK patch.
4684
4685   *Steve Henson*
4686
4687 * Dropped support for the SSL3_FLAGS_DELAY_CLIENT_FINISHED flag. This SSLeay
4688   era flag was never set throughout the codebase (only read). Also removed
4689   SSL3_FLAGS_POP_BUFFER which was only used if
4690   SSL3_FLAGS_DELAY_CLIENT_FINISHED was also set.
4691
4692   *Matt Caswell*
4693
4694 * Changed the default name options in the "ca", "crl", "req" and "x509"
4695   to be "oneline" instead of "compat".
4696
4697   *Richard Levitte*
4698
4699 * Remove SSL_OP_TLS_BLOCK_PADDING_BUG. This is SSLeay legacy, we're
4700   not aware of clients that still exhibit this bug, and the workaround
4701   hasn't been working properly for a while.
4702
4703   *Emilia Käsper*
4704
4705 * The return type of BIO_number_read() and BIO_number_written() as well as
4706   the corresponding num_read and num_write members in the BIO structure has
4707   changed from unsigned long to uint64_t. On platforms where an unsigned
4708   long is 32 bits (e.g. Windows) these counters could overflow if >4Gb is
4709   transferred.
4710
4711   *Matt Caswell*
4712
4713 * Given the pervasive nature of TLS extensions it is inadvisable to run
4714   OpenSSL without support for them. It also means that maintaining
4715   the OPENSSL_NO_TLSEXT option within the code is very invasive (and probably
4716   not well tested). Therefore the OPENSSL_NO_TLSEXT option has been removed.
4717
4718   *Matt Caswell*
4719
4720 * Removed support for the two export grade static DH ciphersuites
4721   EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites
4722   were newly added (along with a number of other static DH ciphersuites) to
4723   1.0.2. However the two export ones have *never* worked since they were
4724   introduced. It seems strange in any case to be adding new export
4725   ciphersuites, and given "logjam" it also does not seem correct to fix them.
4726
4727   *Matt Caswell*
4728
4729 * Version negotiation has been rewritten. In particular SSLv23_method(),
4730   SSLv23_client_method() and SSLv23_server_method() have been deprecated,
4731   and turned into macros which simply call the new preferred function names
4732   TLS_method(), TLS_client_method() and TLS_server_method(). All new code
4733   should use the new names instead. Also as part of this change the ssl23.h
4734   header file has been removed.
4735
4736   *Matt Caswell*
4737
4738 * Support for Kerberos ciphersuites in TLS (RFC2712) has been removed. This
4739   code and the associated standard is no longer considered fit-for-purpose.
4740
4741   *Matt Caswell*
4742
4743 * RT2547 was closed.  When generating a private key, try to make the
4744   output file readable only by the owner.  This behavior change might
4745   be noticeable when interacting with other software.
4746
4747 * Documented all exdata functions.  Added CRYPTO_free_ex_index.
4748   Added a test.
4749
4750   *Rich Salz*
4751
4752 * Added HTTP GET support to the ocsp command.
4753
4754   *Rich Salz*
4755
4756 * Changed default digest for the dgst and enc commands from MD5 to
4757   sha256
4758
4759   *Rich Salz*
4760
4761 * RAND_pseudo_bytes has been deprecated. Users should use RAND_bytes instead.
4762
4763   *Matt Caswell*
4764
4765 * Added support for TLS extended master secret from
4766   draft-ietf-tls-session-hash-03.txt. Thanks for Alfredo Pironti for an
4767   initial patch which was a great help during development.
4768
4769   *Steve Henson*
4770
4771 * All libssl internal structures have been removed from the public header
4772   files, and the OPENSSL_NO_SSL_INTERN option has been removed (since it is
4773   now redundant). Users should not attempt to access internal structures
4774   directly. Instead they should use the provided API functions.
4775
4776   *Matt Caswell*
4777
4778 * config has been changed so that by default OPENSSL_NO_DEPRECATED is used.
4779   Access to deprecated functions can be re-enabled by running config with
4780   "enable-deprecated". In addition applications wishing to use deprecated
4781   functions must define OPENSSL_USE_DEPRECATED. Note that this new behaviour
4782   will, by default, disable some transitive includes that previously existed
4783   in the header files (e.g. ec.h will no longer, by default, include bn.h)
4784
4785   *Matt Caswell*
4786
4787 * Added support for OCB mode. OpenSSL has been granted a patent license
4788   compatible with the OpenSSL license for use of OCB. Details are available
4789   at <https://www.openssl.org/source/OCB-patent-grant-OpenSSL.pdf>. Support
4790   for OCB can be removed by calling config with no-ocb.
4791
4792   *Matt Caswell*
4793
4794 * SSLv2 support has been removed.  It still supports receiving a SSLv2
4795   compatible client hello.
4796
4797   *Kurt Roeckx*
4798
4799 * Increased the minimal RSA keysize from 256 to 512 bits [Rich Salz],
4800   done while fixing the error code for the key-too-small case.
4801
4802   *Annie Yousar <a.yousar@informatik.hu-berlin.de>*
4803
4804 * CA.sh has been removed; use CA.pl instead.
4805
4806   *Rich Salz*
4807
4808 * Removed old DES API.
4809
4810   *Rich Salz*
4811
4812 * Remove various unsupported platforms:
4813      Sony NEWS4
4814      BEOS and BEOS_R5
4815      NeXT
4816      SUNOS
4817      MPE/iX
4818      Sinix/ReliantUNIX RM400
4819      DGUX
4820      NCR
4821      Tandem
4822      Cray
4823      16-bit platforms such as WIN16
4824
4825   *Rich Salz*
4826
4827 * Clean up OPENSSL_NO_xxx #define's
4828   - Use setbuf() and remove OPENSSL_NO_SETVBUF_IONBF
4829   - Rename OPENSSL_SYSNAME_xxx to OPENSSL_SYS_xxx
4830   - OPENSSL_NO_EC{DH,DSA} merged into OPENSSL_NO_EC
4831   - OPENSSL_NO_RIPEMD160, OPENSSL_NO_RIPEMD merged into OPENSSL_NO_RMD160
4832   - OPENSSL_NO_FP_API merged into OPENSSL_NO_STDIO
4833   - Remove OPENSSL_NO_BIO OPENSSL_NO_BUFFER OPENSSL_NO_CHAIN_VERIFY
4834     OPENSSL_NO_EVP OPENSSL_NO_FIPS_ERR OPENSSL_NO_HASH_COMP
4835     OPENSSL_NO_LHASH OPENSSL_NO_OBJECT OPENSSL_NO_SPEED OPENSSL_NO_STACK
4836     OPENSSL_NO_X509 OPENSSL_NO_X509_VERIFY
4837   - Remove MS_STATIC; it's a relic from platforms <32 bits.
4838
4839   *Rich Salz*
4840
4841 * Cleaned up dead code
4842     Remove all but one '#ifdef undef' which is to be looked at.
4843
4844   *Rich Salz*
4845
4846 * Clean up calling of xxx_free routines.
4847      Just like free(), fix most of the xxx_free routines to accept
4848      NULL.  Remove the non-null checks from callers.  Save much code.
4849
4850   *Rich Salz*
4851
4852 * Add secure heap for storage of private keys (when possible).
4853   Add BIO_s_secmem(), CBIGNUM, etc.
4854   Contributed by Akamai Technologies under our Corporate CLA.
4855
4856   *Rich Salz*
4857
4858 * Experimental support for a new, fast, unbiased prime candidate generator,
4859   bn_probable_prime_dh_coprime(). Not currently used by any prime generator.
4860
4861   *Felix Laurie von Massenbach <felix@erbridge.co.uk>*
4862
4863 * New output format NSS in the sess_id command line tool. This allows
4864   exporting the session id and the master key in NSS keylog format.
4865
4866   *Martin Kaiser <martin@kaiser.cx>*
4867
4868 * Harmonize version and its documentation. -f flag is used to display
4869   compilation flags.
4870
4871   *mancha <mancha1@zoho.com>*
4872
4873 * Fix eckey_priv_encode so it immediately returns an error upon a failure
4874   in i2d_ECPrivateKey.  Thanks to Ted Unangst for feedback on this issue.
4875
4876   *mancha <mancha1@zoho.com>*
4877
4878 * Fix some double frees. These are not thought to be exploitable.
4879
4880   *mancha <mancha1@zoho.com>*
4881
4882 * A missing bounds check in the handling of the TLS heartbeat extension
4883   can be used to reveal up to 64k of memory to a connected client or
4884   server.
4885
4886   Thanks for Neel Mehta of Google Security for discovering this bug and to
4887   Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
4888   preparing the fix ([CVE-2014-0160])
4889
4890   *Adam Langley, Bodo Moeller*
4891
4892 * Fix for the attack described in the paper "Recovering OpenSSL
4893   ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
4894   by Yuval Yarom and Naomi Benger. Details can be obtained from:
4895   <http://eprint.iacr.org/2014/140>
4896
4897   Thanks to Yuval Yarom and Naomi Benger for discovering this
4898   flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])
4899
4900   *Yuval Yarom and Naomi Benger*
4901
4902 * Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
4903   this fixes a limitation in previous versions of OpenSSL.
4904
4905   *Steve Henson*
4906
4907 * Experimental encrypt-then-mac support.
4908
4909   Experimental support for encrypt then mac from
4910   draft-gutmann-tls-encrypt-then-mac-02.txt
4911
4912   To enable it set the appropriate extension number (0x42 for the test
4913   server) using e.g. -DTLSEXT_TYPE_encrypt_then_mac=0x42
4914
4915   For non-compliant peers (i.e. just about everything) this should have no
4916   effect.
4917
4918   WARNING: EXPERIMENTAL, SUBJECT TO CHANGE.
4919
4920   *Steve Henson*
4921
4922 * Add EVP support for key wrapping algorithms, to avoid problems with
4923   existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in
4924   the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
4925   algorithms and include tests cases.
4926
4927   *Steve Henson*
4928
4929 * Extend CMS code to support RSA-PSS signatures and RSA-OAEP for
4930   enveloped data.
4931
4932   *Steve Henson*
4933
4934 * Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,
4935   MGF1 digest and OAEP label.
4936
4937   *Steve Henson*
4938
4939 * Make openssl verify return errors.
4940
4941   *Chris Palmer <palmer@google.com> and Ben Laurie*
4942
4943 * New function ASN1_TIME_diff to calculate the difference between two
4944   ASN1_TIME structures or one structure and the current time.
4945
4946   *Steve Henson*
4947
4948 * Update fips_test_suite to support multiple command line options. New
4949   test to induce all self test errors in sequence and check expected
4950   failures.
4951
4952   *Steve Henson*
4953
4954 * Add FIPS_{rsa,dsa,ecdsa}_{sign,verify} functions which digest and
4955   sign or verify all in one operation.
4956
4957   *Steve Henson*
4958
4959 * Add fips_algvs: a multicall fips utility incorporating all the algorithm
4960   test programs and fips_test_suite. Includes functionality to parse
4961   the minimal script output of fipsalgest.pl directly.
4962
4963   *Steve Henson*
4964
4965 * Add authorisation parameter to FIPS_module_mode_set().
4966
4967   *Steve Henson*
4968
4969 * Add FIPS selftest for ECDH algorithm using P-224 and B-233 curves.
4970
4971   *Steve Henson*
4972
4973 * Use separate DRBG fields for internal and external flags. New function
4974   FIPS_drbg_health_check() to perform on demand health checking. Add
4975   generation tests to fips_test_suite with reduced health check interval to
4976   demonstrate periodic health checking. Add "nodh" option to
4977   fips_test_suite to skip very slow DH test.
4978
4979   *Steve Henson*
4980
4981 * New function FIPS_get_cipherbynid() to lookup FIPS supported ciphers
4982   based on NID.
4983
4984   *Steve Henson*
4985
4986 * More extensive health check for DRBG checking many more failure modes.
4987   New function FIPS_selftest_drbg_all() to handle every possible DRBG
4988   combination: call this in fips_test_suite.
4989
4990   *Steve Henson*
4991
4992 * Add support for canonical generation of DSA parameter 'g'. See
4993   FIPS 186-3 A.2.3.
4994
4995 * Add support for HMAC DRBG from SP800-90. Update DRBG algorithm test and
4996   POST to handle HMAC cases.
4997
4998   *Steve Henson*
4999
5000 * Add functions FIPS_module_version() and FIPS_module_version_text()
5001   to return numerical and string versions of the FIPS module number.
5002
5003   *Steve Henson*
5004
5005 * Rename FIPS_mode_set and FIPS_mode to FIPS_module_mode_set and
5006   FIPS_module_mode. FIPS_mode and FIPS_mode_set will be implemented
5007   outside the validated module in the FIPS capable OpenSSL.
5008
5009   *Steve Henson*
5010
5011 * Minor change to DRBG entropy callback semantics. In some cases
5012   there is no multiple of the block length between min_len and
5013   max_len. Allow the callback to return more than max_len bytes
5014   of entropy but discard any extra: it is the callback's responsibility
5015   to ensure that the extra data discarded does not impact the
5016   requested amount of entropy.
5017
5018   *Steve Henson*
5019
5020 * Add PRNG security strength checks to RSA, DSA and ECDSA using
5021   information in FIPS186-3, SP800-57 and SP800-131A.
5022
5023   *Steve Henson*
5024
5025 * CCM support via EVP. Interface is very similar to GCM case except we
5026   must supply all data in one chunk (i.e. no update, final) and the
5027   message length must be supplied if AAD is used. Add algorithm test
5028   support.
5029
5030   *Steve Henson*
5031
5032 * Initial version of POST overhaul. Add POST callback to allow the status
5033   of POST to be monitored and/or failures induced. Modify fips_test_suite
5034   to use callback. Always run all selftests even if one fails.
5035
5036   *Steve Henson*
5037
5038 * XTS support including algorithm test driver in the fips_gcmtest program.
5039   Note: this does increase the maximum key length from 32 to 64 bytes but
5040   there should be no binary compatibility issues as existing applications
5041   will never use XTS mode.
5042
5043   *Steve Henson*
5044
5045 * Extensive reorganisation of FIPS PRNG behaviour. Remove all dependencies
5046   to OpenSSL RAND code and replace with a tiny FIPS RAND API which also
5047   performs algorithm blocking for unapproved PRNG types. Also do not
5048   set PRNG type in FIPS_mode_set(): leave this to the application.
5049   Add default OpenSSL DRBG handling: sets up FIPS PRNG and seeds with
5050   the standard OpenSSL PRNG: set additional data to a date time vector.
5051
5052   *Steve Henson*
5053
5054 * Rename old X9.31 PRNG functions of the form `FIPS_rand*` to `FIPS_x931*`.
5055   This shouldn't present any incompatibility problems because applications
5056   shouldn't be using these directly and any that are will need to rethink
5057   anyway as the X9.31 PRNG is now deprecated by FIPS 140-2
5058
5059   *Steve Henson*
5060
5061 * Extensive self tests and health checking required by SP800-90 DRBG.
5062   Remove strength parameter from FIPS_drbg_instantiate and always
5063   instantiate at maximum supported strength.
5064
5065   *Steve Henson*
5066
5067 * Add ECDH code to fips module and fips_ecdhvs for primitives only testing.
5068
5069   *Steve Henson*
5070
5071 * New algorithm test program fips_dhvs to handle DH primitives only testing.
5072
5073   *Steve Henson*
5074
5075 * New function DH_compute_key_padded() to compute a DH key and pad with
5076   leading zeroes if needed: this complies with SP800-56A et al.
5077
5078   *Steve Henson*
5079
5080 * Initial implementation of SP800-90 DRBGs for Hash and CTR. Not used by
5081   anything, incomplete, subject to change and largely untested at present.
5082
5083   *Steve Henson*
5084
5085 * Modify fipscanisteronly build option to only build the necessary object
5086   files by filtering FIPS_EX_OBJ through a perl script in crypto/Makefile.
5087
5088   *Steve Henson*
5089
5090 * Add experimental option FIPSSYMS to give all symbols in
5091   fipscanister.o and FIPS or fips prefix. This will avoid
5092   conflicts with future versions of OpenSSL. Add perl script
5093   util/fipsas.pl to preprocess assembly language source files
5094   and rename any affected symbols.
5095
5096   *Steve Henson*
5097
5098 * Add selftest checks and algorithm block of non-fips algorithms in
5099   FIPS mode. Remove DES2 from selftests.
5100
5101   *Steve Henson*
5102
5103 * Add ECDSA code to fips module. Add tiny fips_ecdsa_check to just
5104   return internal method without any ENGINE dependencies. Add new
5105   tiny fips sign and verify functions.
5106
5107   *Steve Henson*
5108
5109 * New build option no-ec2m to disable characteristic 2 code.
5110
5111   *Steve Henson*
5112
5113 * New build option "fipscanisteronly". This only builds fipscanister.o
5114   and (currently) associated fips utilities. Uses the file Makefile.fips
5115   instead of Makefile.org as the prototype.
5116
5117   *Steve Henson*
5118
5119 * Add some FIPS mode restrictions to GCM. Add internal IV generator.
5120   Update fips_gcmtest to use IV generator.
5121
5122   *Steve Henson*
5123
5124 * Initial, experimental EVP support for AES-GCM. AAD can be input by
5125   setting output buffer to NULL. The `*Final` function must be
5126   called although it will not retrieve any additional data. The tag
5127   can be set or retrieved with a ctrl. The IV length is by default 12
5128   bytes (96 bits) but can be set to an alternative value. If the IV
5129   length exceeds the maximum IV length (currently 16 bytes) it cannot be
5130   set before the key.
5131
5132   *Steve Henson*
5133
5134 * New flag in ciphers: EVP_CIPH_FLAG_CUSTOM_CIPHER. This means the
5135   underlying do_cipher function handles all cipher semantics itself
5136   including padding and finalisation. This is useful if (for example)
5137   an ENGINE cipher handles block padding itself. The behaviour of
5138   do_cipher is subtly changed if this flag is set: the return value
5139   is the number of characters written to the output buffer (zero is
5140   no longer an error code) or a negative error code. Also if the
5141   input buffer is NULL and length 0 finalisation should be performed.
5142
5143   *Steve Henson*
5144
5145 * If a candidate issuer certificate is already part of the constructed
5146   path ignore it: new debug notification X509_V_ERR_PATH_LOOP for this case.
5147
5148   *Steve Henson*
5149
5150 * Improve forward-security support: add functions
5151
5152           void SSL_CTX_set_not_resumable_session_callback(
5153                    SSL_CTX *ctx, int (*cb)(SSL *ssl, int is_forward_secure))
5154           void SSL_set_not_resumable_session_callback(
5155                    SSL *ssl, int (*cb)(SSL *ssl, int is_forward_secure))
5156
5157   for use by SSL/TLS servers; the callback function will be called whenever a
5158   new session is created, and gets to decide whether the session may be
5159   cached to make it resumable (return 0) or not (return 1).  (As by the
5160   SSL/TLS protocol specifications, the session_id sent by the server will be
5161   empty to indicate that the session is not resumable; also, the server will
5162   not generate RFC 4507 (RFC 5077) session tickets.)
5163
5164   A simple reasonable callback implementation is to return is_forward_secure.
5165   This parameter will be set to 1 or 0 depending on the ciphersuite selected
5166   by the SSL/TLS server library, indicating whether it can provide forward
5167   security.
5168
5169   *Emilia Käsper <emilia.kasper@esat.kuleuven.be> (Google)*
5170
5171 * New -verify_name option in command line utilities to set verification
5172   parameters by name.
5173
5174   *Steve Henson*
5175
5176 * Initial CMAC implementation. WARNING: EXPERIMENTAL, API MAY CHANGE.
5177   Add CMAC pkey methods.
5178
5179   *Steve Henson*
5180
5181 * Experimental renegotiation in s_server -www mode. If the client
5182   browses /reneg connection is renegotiated. If /renegcert it is
5183   renegotiated requesting a certificate.
5184
5185   *Steve Henson*
5186
5187 * Add an "external" session cache for debugging purposes to s_server. This
5188   should help trace issues which normally are only apparent in deployed
5189   multi-process servers.
5190
5191   *Steve Henson*
5192
5193 * Extensive audit of libcrypto with DEBUG_UNUSED. Fix many cases where
5194   return value is ignored. NB. The functions RAND_add(), RAND_seed(),
5195   BIO_set_cipher() and some obscure PEM functions were changed so they
5196   can now return an error. The RAND changes required a change to the
5197   RAND_METHOD structure.
5198
5199   *Steve Henson*
5200
5201 * New macro `__owur` for "OpenSSL Warn Unused Result". This makes use of
5202   a gcc attribute to warn if the result of a function is ignored. This
5203   is enable if DEBUG_UNUSED is set. Add to several functions in evp.h
5204   whose return value is often ignored.
5205
5206   *Steve Henson*
5207
5208 * New -noct, -requestct, -requirect and -ctlogfile options for s_client.
5209   These allow SCTs (signed certificate timestamps) to be requested and
5210   validated when establishing a connection.
5211
5212   *Rob Percival <robpercival@google.com>*
5213
5214OpenSSL 1.0.2
5215-------------
5216
5217### Changes between 1.0.2s and 1.0.2t [10 Sep 2019]
5218
5219 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
5220   used even when parsing explicit parameters, when loading a encoded key
5221   or calling `EC_GROUP_new_from_ecpkparameters()`/
5222   `EC_GROUP_new_from_ecparameters()`.
5223   This prevents bypass of security hardening and performance gains,
5224   especially for curves with specialized EC_METHODs.
5225   By default, if a key encoded with explicit parameters is loaded and later
5226   encoded, the output is still encoded with explicit parameters, even if
5227   internally a "named" EC_GROUP is used for computation.
5228
5229   *Nicola Tuveri*
5230
5231 * Compute ECC cofactors if not provided during EC_GROUP construction. Before
5232   this change, EC_GROUP_set_generator would accept order and/or cofactor as
5233   NULL. After this change, only the cofactor parameter can be NULL. It also
5234   does some minimal sanity checks on the passed order.
5235   ([CVE-2019-1547])
5236
5237   *Billy Bob Brumley*
5238
5239 * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
5240   An attack is simple, if the first CMS_recipientInfo is valid but the
5241   second CMS_recipientInfo is chosen ciphertext. If the second
5242   recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
5243   encryption key will be replaced by garbage, and the message cannot be
5244   decoded, but if the RSA decryption fails, the correct encryption key is
5245   used and the recipient will not notice the attack.
5246   As a work around for this potential attack the length of the decrypted
5247   key must be equal to the cipher default key length, in case the
5248   certifiate is not given and all recipientInfo are tried out.
5249   The old behaviour can be re-enabled in the CMS code by setting the
5250   CMS_DEBUG_DECRYPT flag.
5251   ([CVE-2019-1563])
5252
5253   *Bernd Edlinger*
5254
5255 * Document issue with installation paths in diverse Windows builds
5256
5257   '/usr/local/ssl' is an unsafe prefix for location to install OpenSSL
5258   binaries and run-time config file.
5259   ([CVE-2019-1552])
5260
5261   *Richard Levitte*
5262
5263### Changes between 1.0.2r and 1.0.2s [28 May 2019]
5264
5265 * Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
5266   This changes the size when using the `genpkey` command when no size is given.
5267   It fixes an omission in earlier changes that changed all RSA, DSA and DH
5268   generation commands to use 2048 bits by default.
5269
5270   *Kurt Roeckx*
5271
5272 * Add FIPS support for Android Arm 64-bit
5273
5274   Support for Android Arm 64-bit was added to the OpenSSL FIPS Object
5275   Module in Version 2.0.10. For some reason, the corresponding target
5276   'android64-aarch64' was missing OpenSSL 1.0.2, whence it could not be
5277   built with FIPS support on Android Arm 64-bit. This omission has been
5278   fixed.
5279
5280   *Matthias St. Pierre*
5281
5282### Changes between 1.0.2q and 1.0.2r [26 Feb 2019]
5283
5284 * 0-byte record padding oracle
5285
5286   If an application encounters a fatal protocol error and then calls
5287   SSL_shutdown() twice (once to send a close_notify, and once to receive one)
5288   then OpenSSL can respond differently to the calling application if a 0 byte
5289   record is received with invalid padding compared to if a 0 byte record is
5290   received with an invalid MAC. If the application then behaves differently
5291   based on that in a way that is detectable to the remote peer, then this
5292   amounts to a padding oracle that could be used to decrypt data.
5293
5294   In order for this to be exploitable "non-stitched" ciphersuites must be in
5295   use. Stitched ciphersuites are optimised implementations of certain
5296   commonly used ciphersuites. Also the application must call SSL_shutdown()
5297   twice even if a protocol error has occurred (applications should not do
5298   this but some do anyway).
5299
5300   This issue was discovered by Juraj Somorovsky, Robert Merget and Nimrod
5301   Aviram, with additional investigation by Steven Collison and Andrew
5302   Hourselt. It was reported to OpenSSL on 10th December 2018.
5303   ([CVE-2019-1559])
5304
5305   *Matt Caswell*
5306
5307 * Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().
5308
5309   *Richard Levitte*
5310
5311### Changes between 1.0.2p and 1.0.2q [20 Nov 2018]
5312
5313 * Microarchitecture timing vulnerability in ECC scalar multiplication
5314
5315   OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been
5316   shown to be vulnerable to a microarchitecture timing side channel attack.
5317   An attacker with sufficient access to mount local timing attacks during
5318   ECDSA signature generation could recover the private key.
5319
5320   This issue was reported to OpenSSL on 26th October 2018 by Alejandro
5321   Cabrera Aldaya, Billy Brumley, Sohaib ul Hassan, Cesar Pereida Garcia and
5322   Nicola Tuveri.
5323   ([CVE-2018-5407])
5324
5325   *Billy Brumley*
5326
5327 * Timing vulnerability in DSA signature generation
5328
5329   The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
5330   timing side channel attack. An attacker could use variations in the signing
5331   algorithm to recover the private key.
5332
5333   This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
5334   ([CVE-2018-0734])
5335
5336   *Paul Dale*
5337
5338 * Resolve a compatibility issue in EC_GROUP handling with the FIPS Object
5339   Module, accidentally introduced while backporting security fixes from the
5340   development branch and hindering the use of ECC in FIPS mode.
5341
5342   *Nicola Tuveri*
5343
5344### Changes between 1.0.2o and 1.0.2p [14 Aug 2018]
5345
5346 * Client DoS due to large DH parameter
5347
5348   During key agreement in a TLS handshake using a DH(E) based ciphersuite a
5349   malicious server can send a very large prime value to the client. This will
5350   cause the client to spend an unreasonably long period of time generating a
5351   key for this prime resulting in a hang until the client has finished. This
5352   could be exploited in a Denial Of Service attack.
5353
5354   This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken
5355   ([CVE-2018-0732])
5356
5357   *Guido Vranken*
5358
5359 * Cache timing vulnerability in RSA Key Generation
5360
5361   The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to
5362   a cache timing side channel attack. An attacker with sufficient access to
5363   mount cache timing attacks during the RSA key generation process could
5364   recover the private key.
5365
5366   This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera
5367   Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
5368   ([CVE-2018-0737])
5369
5370   *Billy Brumley*
5371
5372 * Make EVP_PKEY_asn1_new() a bit stricter about its input.  A NULL pem_str
5373   parameter is no longer accepted, as it leads to a corrupt table.  NULL
5374   pem_str is reserved for alias entries only.
5375
5376   *Richard Levitte*
5377
5378 * Revert blinding in ECDSA sign and instead make problematic addition
5379   length-invariant. Switch even to fixed-length Montgomery multiplication.
5380
5381   *Andy Polyakov*
5382
5383 * Change generating and checking of primes so that the error rate of not
5384   being prime depends on the intended use based on the size of the input.
5385   For larger primes this will result in more rounds of Miller-Rabin.
5386   The maximal error rate for primes with more than 1080 bits is lowered
5387   to 2^-128.
5388
5389   *Kurt Roeckx, Annie Yousar*
5390
5391 * Increase the number of Miller-Rabin rounds for DSA key generating to 64.
5392
5393   *Kurt Roeckx*
5394
5395 * Add blinding to ECDSA and DSA signatures to protect against side channel
5396   attacks discovered by Keegan Ryan (NCC Group).
5397
5398   *Matt Caswell*
5399
5400 * When unlocking a pass phrase protected PEM file or PKCS#8 container, we
5401   now allow empty (zero character) pass phrases.
5402
5403   *Richard Levitte*
5404
5405 * Certificate time validation (X509_cmp_time) enforces stricter
5406   compliance with RFC 5280. Fractional seconds and timezone offsets
5407   are no longer allowed.
5408
5409   *Emilia Käsper*
5410
5411### Changes between 1.0.2n and 1.0.2o [27 Mar 2018]
5412
5413 * Constructed ASN.1 types with a recursive definition could exceed the stack
5414
5415   Constructed ASN.1 types with a recursive definition (such as can be found
5416   in PKCS7) could eventually exceed the stack given malicious input with
5417   excessive recursion. This could result in a Denial Of Service attack. There
5418   are no such structures used within SSL/TLS that come from untrusted sources
5419   so this is considered safe.
5420
5421   This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz
5422   project.
5423   ([CVE-2018-0739])
5424
5425   *Matt Caswell*
5426
5427### Changes between 1.0.2m and 1.0.2n [7 Dec 2017]
5428
5429 * Read/write after SSL object in error state
5430
5431   OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state"
5432   mechanism. The intent was that if a fatal error occurred during a handshake
5433   then OpenSSL would move into the error state and would immediately fail if
5434   you attempted to continue the handshake. This works as designed for the
5435   explicit handshake functions (SSL_do_handshake(), SSL_accept() and
5436   SSL_connect()), however due to a bug it does not work correctly if
5437   SSL_read() or SSL_write() is called directly. In that scenario, if the
5438   handshake fails then a fatal error will be returned in the initial function
5439   call. If SSL_read()/SSL_write() is subsequently called by the application
5440   for the same SSL object then it will succeed and the data is passed without
5441   being decrypted/encrypted directly from the SSL/TLS record layer.
5442
5443   In order to exploit this issue an application bug would have to be present
5444   that resulted in a call to SSL_read()/SSL_write() being issued after having
5445   already received a fatal error.
5446
5447   This issue was reported to OpenSSL by David Benjamin (Google).
5448   ([CVE-2017-3737])
5449
5450   *Matt Caswell*
5451
5452 * rsaz_1024_mul_avx2 overflow bug on x86_64
5453
5454   There is an overflow bug in the AVX2 Montgomery multiplication procedure
5455   used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
5456   Analysis suggests that attacks against RSA and DSA as a result of this
5457   defect would be very difficult to perform and are not believed likely.
5458   Attacks against DH1024 are considered just feasible, because most of the
5459   work necessary to deduce information about a private key may be performed
5460   offline. The amount of resources required for such an attack would be
5461   significant. However, for an attack on TLS to be meaningful, the server
5462   would have to share the DH1024 private key among multiple clients, which is
5463   no longer an option since CVE-2016-0701.
5464
5465   This only affects processors that support the AVX2 but not ADX extensions
5466   like Intel Haswell (4th generation).
5467
5468   This issue was reported to OpenSSL by David Benjamin (Google). The issue
5469   was originally found via the OSS-Fuzz project.
5470   ([CVE-2017-3738])
5471
5472   *Andy Polyakov*
5473
5474### Changes between 1.0.2l and 1.0.2m [2 Nov 2017]
5475
5476 * bn_sqrx8x_internal carry bug on x86_64
5477
5478   There is a carry propagating bug in the x86_64 Montgomery squaring
5479   procedure. No EC algorithms are affected. Analysis suggests that attacks
5480   against RSA and DSA as a result of this defect would be very difficult to
5481   perform and are not believed likely. Attacks against DH are considered just
5482   feasible (although very difficult) because most of the work necessary to
5483   deduce information about a private key may be performed offline. The amount
5484   of resources required for such an attack would be very significant and
5485   likely only accessible to a limited number of attackers. An attacker would
5486   additionally need online access to an unpatched system using the target
5487   private key in a scenario with persistent DH parameters and a private
5488   key that is shared between multiple clients.
5489
5490   This only affects processors that support the BMI1, BMI2 and ADX extensions
5491   like Intel Broadwell (5th generation) and later or AMD Ryzen.
5492
5493   This issue was reported to OpenSSL by the OSS-Fuzz project.
5494   ([CVE-2017-3736])
5495
5496   *Andy Polyakov*
5497
5498 * Malformed X.509 IPAddressFamily could cause OOB read
5499
5500   If an X.509 certificate has a malformed IPAddressFamily extension,
5501   OpenSSL could do a one-byte buffer overread. The most likely result
5502   would be an erroneous display of the certificate in text format.
5503
5504   This issue was reported to OpenSSL by the OSS-Fuzz project.
5505
5506   *Rich Salz*
5507
5508### Changes between 1.0.2k and 1.0.2l [25 May 2017]
5509
5510 * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
5511   platform rather than 'mingw'.
5512
5513   *Richard Levitte*
5514
5515### Changes between 1.0.2j and 1.0.2k [26 Jan 2017]
5516
5517 * Truncated packet could crash via OOB read
5518
5519   If one side of an SSL/TLS path is running on a 32-bit host and a specific
5520   cipher is being used, then a truncated packet can cause that host to
5521   perform an out-of-bounds read, usually resulting in a crash.
5522
5523   This issue was reported to OpenSSL by Robert Święcki of Google.
5524   ([CVE-2017-3731])
5525
5526   *Andy Polyakov*
5527
5528 * BN_mod_exp may produce incorrect results on x86_64
5529
5530   There is a carry propagating bug in the x86_64 Montgomery squaring
5531   procedure. No EC algorithms are affected. Analysis suggests that attacks
5532   against RSA and DSA as a result of this defect would be very difficult to
5533   perform and are not believed likely. Attacks against DH are considered just
5534   feasible (although very difficult) because most of the work necessary to
5535   deduce information about a private key may be performed offline. The amount
5536   of resources required for such an attack would be very significant and
5537   likely only accessible to a limited number of attackers. An attacker would
5538   additionally need online access to an unpatched system using the target
5539   private key in a scenario with persistent DH parameters and a private
5540   key that is shared between multiple clients. For example this can occur by
5541   default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very
5542   similar to CVE-2015-3193 but must be treated as a separate problem.
5543
5544   This issue was reported to OpenSSL by the OSS-Fuzz project.
5545   ([CVE-2017-3732])
5546
5547   *Andy Polyakov*
5548
5549 * Montgomery multiplication may produce incorrect results
5550
5551   There is a carry propagating bug in the Broadwell-specific Montgomery
5552   multiplication procedure that handles input lengths divisible by, but
5553   longer than 256 bits. Analysis suggests that attacks against RSA, DSA
5554   and DH private keys are impossible. This is because the subroutine in
5555   question is not used in operations with the private key itself and an input
5556   of the attacker's direct choice. Otherwise the bug can manifest itself as
5557   transient authentication and key negotiation failures or reproducible
5558   erroneous outcome of public-key operations with specially crafted input.
5559   Among EC algorithms only Brainpool P-512 curves are affected and one
5560   presumably can attack ECDH key negotiation. Impact was not analyzed in
5561   detail, because pre-requisites for attack are considered unlikely. Namely
5562   multiple clients have to choose the curve in question and the server has to
5563   share the private key among them, neither of which is default behaviour.
5564   Even then only clients that chose the curve will be affected.
5565
5566   This issue was publicly reported as transient failures and was not
5567   initially recognized as a security issue. Thanks to Richard Morgan for
5568   providing reproducible case.
5569   ([CVE-2016-7055])
5570
5571   *Andy Polyakov*
5572
5573 * OpenSSL now fails if it receives an unrecognised record type in TLS1.0
5574   or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to
5575   prevent issues where no progress is being made and the peer continually
5576   sends unrecognised record types, using up resources processing them.
5577
5578   *Matt Caswell*
5579
5580### Changes between 1.0.2i and 1.0.2j [26 Sep 2016]
5581
5582 * Missing CRL sanity check
5583
5584   A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0
5585   but was omitted from OpenSSL 1.0.2i. As a result any attempt to use
5586   CRLs in OpenSSL 1.0.2i will crash with a null pointer exception.
5587
5588   This issue only affects the OpenSSL 1.0.2i
5589   ([CVE-2016-7052])
5590
5591   *Matt Caswell*
5592
5593### Changes between 1.0.2h and 1.0.2i [22 Sep 2016]
5594
5595 * OCSP Status Request extension unbounded memory growth
5596
5597   A malicious client can send an excessively large OCSP Status Request
5598   extension. If that client continually requests renegotiation, sending a
5599   large OCSP Status Request extension each time, then there will be unbounded
5600   memory growth on the server. This will eventually lead to a Denial Of
5601   Service attack through memory exhaustion. Servers with a default
5602   configuration are vulnerable even if they do not support OCSP. Builds using
5603   the "no-ocsp" build time option are not affected.
5604
5605   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
5606   ([CVE-2016-6304])
5607
5608   *Matt Caswell*
5609
5610 * In order to mitigate the SWEET32 attack, the DES ciphers were moved from
5611   HIGH to MEDIUM.
5612
5613   This issue was reported to OpenSSL Karthikeyan Bhargavan and Gaetan
5614   Leurent (INRIA)
5615   ([CVE-2016-2183])
5616
5617   *Rich Salz*
5618
5619 * OOB write in MDC2_Update()
5620
5621   An overflow can occur in MDC2_Update() either if called directly or
5622   through the EVP_DigestUpdate() function using MDC2. If an attacker
5623   is able to supply very large amounts of input data after a previous
5624   call to EVP_EncryptUpdate() with a partial block then a length check
5625   can overflow resulting in a heap corruption.
5626
5627   The amount of data needed is comparable to SIZE_MAX which is impractical
5628   on most platforms.
5629
5630   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
5631   ([CVE-2016-6303])
5632
5633   *Stephen Henson*
5634
5635 * Malformed SHA512 ticket DoS
5636
5637   If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a
5638   DoS attack where a malformed ticket will result in an OOB read which will
5639   ultimately crash.
5640
5641   The use of SHA512 in TLS session tickets is comparatively rare as it requires
5642   a custom server callback and ticket lookup mechanism.
5643
5644   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
5645   ([CVE-2016-6302])
5646
5647   *Stephen Henson*
5648
5649 * OOB write in BN_bn2dec()
5650
5651   The function BN_bn2dec() does not check the return value of BN_div_word().
5652   This can cause an OOB write if an application uses this function with an
5653   overly large BIGNUM. This could be a problem if an overly large certificate
5654   or CRL is printed out from an untrusted source. TLS is not affected because
5655   record limits will reject an oversized certificate before it is parsed.
5656
5657   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
5658   ([CVE-2016-2182])
5659
5660   *Stephen Henson*
5661
5662 * OOB read in TS_OBJ_print_bio()
5663
5664   The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value is
5665   the total length the OID text representation would use and not the amount
5666   of data written. This will result in OOB reads when large OIDs are
5667   presented.
5668
5669   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
5670   ([CVE-2016-2180])
5671
5672   *Stephen Henson*
5673
5674 * Pointer arithmetic undefined behaviour
5675
5676   Avoid some undefined pointer arithmetic
5677
5678   A common idiom in the codebase is to check limits in the following manner:
5679   "p + len > limit"
5680
5681   Where "p" points to some malloc'd data of SIZE bytes and
5682   limit == p + SIZE
5683
5684   "len" here could be from some externally supplied data (e.g. from a TLS
5685   message).
5686
5687   The rules of C pointer arithmetic are such that "p + len" is only well
5688   defined where len <= SIZE. Therefore the above idiom is actually
5689   undefined behaviour.
5690
5691   For example this could cause problems if some malloc implementation
5692   provides an address for "p" such that "p + len" actually overflows for
5693   values of len that are too big and therefore p + len < limit.
5694
5695   This issue was reported to OpenSSL by Guido Vranken
5696   ([CVE-2016-2177])
5697
5698   *Matt Caswell*
5699
5700 * Constant time flag not preserved in DSA signing
5701
5702   Operations in the DSA signing algorithm should run in constant time in
5703   order to avoid side channel attacks. A flaw in the OpenSSL DSA
5704   implementation means that a non-constant time codepath is followed for
5705   certain operations. This has been demonstrated through a cache-timing
5706   attack to be sufficient for an attacker to recover the private DSA key.
5707
5708   This issue was reported by César Pereida (Aalto University), Billy Brumley
5709   (Tampere University of Technology), and Yuval Yarom (The University of
5710   Adelaide and NICTA).
5711   ([CVE-2016-2178])
5712
5713   *César Pereida*
5714
5715 * DTLS buffered message DoS
5716
5717   In a DTLS connection where handshake messages are delivered out-of-order
5718   those messages that OpenSSL is not yet ready to process will be buffered
5719   for later use. Under certain circumstances, a flaw in the logic means that
5720   those messages do not get removed from the buffer even though the handshake
5721   has been completed. An attacker could force up to approx. 15 messages to
5722   remain in the buffer when they are no longer required. These messages will
5723   be cleared when the DTLS connection is closed. The default maximum size for
5724   a message is 100k. Therefore the attacker could force an additional 1500k
5725   to be consumed per connection. By opening many simulataneous connections an
5726   attacker could cause a DoS attack through memory exhaustion.
5727
5728   This issue was reported to OpenSSL by Quan Luo.
5729   ([CVE-2016-2179])
5730
5731   *Matt Caswell*
5732
5733 * DTLS replay protection DoS
5734
5735   A flaw in the DTLS replay attack protection mechanism means that records
5736   that arrive for future epochs update the replay protection "window" before
5737   the MAC for the record has been validated. This could be exploited by an
5738   attacker by sending a record for the next epoch (which does not have to
5739   decrypt or have a valid MAC), with a very large sequence number. This means
5740   that all subsequent legitimate packets are dropped causing a denial of
5741   service for a specific DTLS connection.
5742
5743   This issue was reported to OpenSSL by the OCAP audit team.
5744   ([CVE-2016-2181])
5745
5746   *Matt Caswell*
5747
5748 * Certificate message OOB reads
5749
5750   In OpenSSL 1.0.2 and earlier some missing message length checks can result
5751   in OOB reads of up to 2 bytes beyond an allocated buffer. There is a
5752   theoretical DoS risk but this has not been observed in practice on common
5753   platforms.
5754
5755   The messages affected are client certificate, client certificate request
5756   and server certificate. As a result the attack can only be performed
5757   against a client or a server which enables client authentication.
5758
5759   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
5760   ([CVE-2016-6306])
5761
5762   *Stephen Henson*
5763
5764### Changes between 1.0.2g and 1.0.2h [3 May 2016]
5765
5766 * Prevent padding oracle in AES-NI CBC MAC check
5767
5768   A MITM attacker can use a padding oracle attack to decrypt traffic
5769   when the connection uses an AES CBC cipher and the server support
5770   AES-NI.
5771
5772   This issue was introduced as part of the fix for Lucky 13 padding
5773   attack ([CVE-2013-0169]). The padding check was rewritten to be in
5774   constant time by making sure that always the same bytes are read and
5775   compared against either the MAC or padding bytes. But it no longer
5776   checked that there was enough data to have both the MAC and padding
5777   bytes.
5778
5779   This issue was reported by Juraj Somorovsky using TLS-Attacker.
5780
5781   *Kurt Roeckx*
5782
5783 * Fix EVP_EncodeUpdate overflow
5784
5785   An overflow can occur in the EVP_EncodeUpdate() function which is used for
5786   Base64 encoding of binary data. If an attacker is able to supply very large
5787   amounts of input data then a length check can overflow resulting in a heap
5788   corruption.
5789
5790   Internally to OpenSSL the EVP_EncodeUpdate() function is primarily used by
5791   the `PEM_write_bio*` family of functions. These are mainly used within the
5792   OpenSSL command line applications, so any application which processes data
5793   from an untrusted source and outputs it as a PEM file should be considered
5794   vulnerable to this issue. User applications that call these APIs directly
5795   with large amounts of untrusted data may also be vulnerable.
5796
5797   This issue was reported by Guido Vranken.
5798   ([CVE-2016-2105])
5799
5800   *Matt Caswell*
5801
5802 * Fix EVP_EncryptUpdate overflow
5803
5804   An overflow can occur in the EVP_EncryptUpdate() function. If an attacker
5805   is able to supply very large amounts of input data after a previous call to
5806   EVP_EncryptUpdate() with a partial block then a length check can overflow
5807   resulting in a heap corruption. Following an analysis of all OpenSSL
5808   internal usage of the EVP_EncryptUpdate() function all usage is one of two
5809   forms. The first form is where the EVP_EncryptUpdate() call is known to be
5810   the first called function after an EVP_EncryptInit(), and therefore that
5811   specific call must be safe. The second form is where the length passed to
5812   EVP_EncryptUpdate() can be seen from the code to be some small value and
5813   therefore there is no possibility of an overflow. Since all instances are
5814   one of these two forms, it is believed that there can be no overflows in
5815   internal code due to this problem. It should be noted that
5816   EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths.
5817   Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances
5818   of these calls have also been analysed too and it is believed there are no
5819   instances in internal usage where an overflow could occur.
5820
5821   This issue was reported by Guido Vranken.
5822   ([CVE-2016-2106])
5823
5824   *Matt Caswell*
5825
5826 * Prevent ASN.1 BIO excessive memory allocation
5827
5828   When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
5829   a short invalid encoding can cause allocation of large amounts of memory
5830   potentially consuming excessive resources or exhausting memory.
5831
5832   Any application parsing untrusted data through d2i BIO functions is
5833   affected. The memory based functions such as d2i_X509() are *not* affected.
5834   Since the memory based functions are used by the TLS library, TLS
5835   applications are not affected.
5836
5837   This issue was reported by Brian Carpenter.
5838   ([CVE-2016-2109])
5839
5840   *Stephen Henson*
5841
5842 * EBCDIC overread
5843
5844   ASN1 Strings that are over 1024 bytes can cause an overread in applications
5845   using the X509_NAME_oneline() function on EBCDIC systems. This could result
5846   in arbitrary stack data being returned in the buffer.
5847
5848   This issue was reported by Guido Vranken.
5849   ([CVE-2016-2176])
5850
5851   *Matt Caswell*
5852
5853 * Modify behavior of ALPN to invoke callback after SNI/servername
5854   callback, such that updates to the SSL_CTX affect ALPN.
5855
5856   *Todd Short*
5857
5858 * Remove LOW from the DEFAULT cipher list.  This removes singles DES from the
5859   default.
5860
5861   *Kurt Roeckx*
5862
5863 * Only remove the SSLv2 methods with the no-ssl2-method option. When the
5864   methods are enabled and ssl2 is disabled the methods return NULL.
5865
5866   *Kurt Roeckx*
5867
5868### Changes between 1.0.2f and 1.0.2g [1 Mar 2016]
5869
5870* Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
5871  Builds that are not configured with "enable-weak-ssl-ciphers" will not
5872  provide any "EXPORT" or "LOW" strength ciphers.
5873
5874  *Viktor Dukhovni*
5875
5876* Disable SSLv2 default build, default negotiation and weak ciphers.  SSLv2
5877  is by default disabled at build-time.  Builds that are not configured with
5878  "enable-ssl2" will not support SSLv2.  Even if "enable-ssl2" is used,
5879  users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
5880  will need to explicitly call either of:
5881
5882      SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
5883  or
5884      SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
5885
5886  as appropriate.  Even if either of those is used, or the application
5887  explicitly uses the version-specific SSLv2_method() or its client and
5888  server variants, SSLv2 ciphers vulnerable to exhaustive search key
5889  recovery have been removed.  Specifically, the SSLv2 40-bit EXPORT
5890  ciphers, and SSLv2 56-bit DES are no longer available.
5891  ([CVE-2016-0800])
5892
5893   *Viktor Dukhovni*
5894
5895 * Fix a double-free in DSA code
5896
5897   A double free bug was discovered when OpenSSL parses malformed DSA private
5898   keys and could lead to a DoS attack or memory corruption for applications
5899   that receive DSA private keys from untrusted sources.  This scenario is
5900   considered rare.
5901
5902   This issue was reported to OpenSSL by Adam Langley(Google/BoringSSL) using
5903   libFuzzer.
5904   ([CVE-2016-0705])
5905
5906   *Stephen Henson*
5907
5908 * Disable SRP fake user seed to address a server memory leak.
5909
5910   Add a new method SRP_VBASE_get1_by_user that handles the seed properly.
5911
5912   SRP_VBASE_get_by_user had inconsistent memory management behaviour.
5913   In order to fix an unavoidable memory leak, SRP_VBASE_get_by_user
5914   was changed to ignore the "fake user" SRP seed, even if the seed
5915   is configured.
5916
5917   Users should use SRP_VBASE_get1_by_user instead. Note that in
5918   SRP_VBASE_get1_by_user, caller must free the returned value. Note
5919   also that even though configuring the SRP seed attempts to hide
5920   invalid usernames by continuing the handshake with fake
5921   credentials, this behaviour is not constant time and no strong
5922   guarantees are made that the handshake is indistinguishable from
5923   that of a valid user.
5924   ([CVE-2016-0798])
5925
5926   *Emilia Käsper*
5927
5928 * Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
5929
5930   In the BN_hex2bn function the number of hex digits is calculated using an
5931   int value `i`. Later `bn_expand` is called with a value of `i * 4`. For
5932   large values of `i` this can result in `bn_expand` not allocating any
5933   memory because `i * 4` is negative. This can leave the internal BIGNUM data
5934   field as NULL leading to a subsequent NULL ptr deref. For very large values
5935   of `i`, the calculation `i * 4` could be a positive value smaller than `i`.
5936   In this case memory is allocated to the internal BIGNUM data field, but it
5937   is insufficiently sized leading to heap corruption. A similar issue exists
5938   in BN_dec2bn. This could have security consequences if BN_hex2bn/BN_dec2bn
5939   is ever called by user applications with very large untrusted hex/dec data.
5940   This is anticipated to be a rare occurrence.
5941
5942   All OpenSSL internal usage of these functions use data that is not expected
5943   to be untrusted, e.g. config file data or application command line
5944   arguments. If user developed applications generate config file data based
5945   on untrusted data then it is possible that this could also lead to security
5946   consequences. This is also anticipated to be rare.
5947
5948   This issue was reported to OpenSSL by Guido Vranken.
5949   ([CVE-2016-0797])
5950
5951   *Matt Caswell*
5952
5953 * Fix memory issues in `BIO_*printf` functions
5954
5955   The internal `fmtstr` function used in processing a "%s" format string in
5956   the `BIO_*printf` functions could overflow while calculating the length of a
5957   string and cause an OOB read when printing very long strings.
5958
5959   Additionally the internal `doapr_outch` function can attempt to write to an
5960   OOB memory location (at an offset from the NULL pointer) in the event of a
5961   memory allocation failure. In 1.0.2 and below this could be caused where
5962   the size of a buffer to be allocated is greater than INT_MAX. E.g. this
5963   could be in processing a very long "%s" format string. Memory leaks can
5964   also occur.
5965
5966   The first issue may mask the second issue dependent on compiler behaviour.
5967   These problems could enable attacks where large amounts of untrusted data
5968   is passed to the `BIO_*printf` functions. If applications use these functions
5969   in this way then they could be vulnerable. OpenSSL itself uses these
5970   functions when printing out human-readable dumps of ASN.1 data. Therefore
5971   applications that print this data could be vulnerable if the data is from
5972   untrusted sources. OpenSSL command line applications could also be
5973   vulnerable where they print out ASN.1 data, or if untrusted data is passed
5974   as command line arguments.
5975
5976   Libssl is not considered directly vulnerable. Additionally certificates etc
5977   received via remote connections via libssl are also unlikely to be able to
5978   trigger these issues because of message size limits enforced within libssl.
5979
5980   This issue was reported to OpenSSL Guido Vranken.
5981   ([CVE-2016-0799])
5982
5983   *Matt Caswell*
5984
5985 * Side channel attack on modular exponentiation
5986
5987   A side-channel attack was found which makes use of cache-bank conflicts on
5988   the Intel Sandy-Bridge microarchitecture which could lead to the recovery
5989   of RSA keys.  The ability to exploit this issue is limited as it relies on
5990   an attacker who has control of code in a thread running on the same
5991   hyper-threaded core as the victim thread which is performing decryptions.
5992
5993   This issue was reported to OpenSSL by Yuval Yarom, The University of
5994   Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and
5995   Nadia Heninger, University of Pennsylvania with more information at
5996   <http://cachebleed.info>.
5997   ([CVE-2016-0702])
5998
5999   *Andy Polyakov*
6000
6001 * Change the `req` command to generate a 2048-bit RSA/DSA key by default,
6002   if no keysize is specified with default_bits. This fixes an
6003   omission in an earlier change that changed all RSA/DSA key generation
6004   commands to use 2048 bits by default.
6005
6006   *Emilia Käsper*
6007
6008### Changes between 1.0.2e and 1.0.2f [28 Jan 2016]
6009
6010 * DH small subgroups
6011
6012   Historically OpenSSL only ever generated DH parameters based on "safe"
6013   primes. More recently (in version 1.0.2) support was provided for
6014   generating X9.42 style parameter files such as those required for RFC 5114
6015   support. The primes used in such files may not be "safe". Where an
6016   application is using DH configured with parameters based on primes that are
6017   not "safe" then an attacker could use this fact to find a peer's private
6018   DH exponent. This attack requires that the attacker complete multiple
6019   handshakes in which the peer uses the same private DH exponent. For example
6020   this could be used to discover a TLS server's private DH exponent if it's
6021   reusing the private DH exponent or it's using a static DH ciphersuite.
6022
6023   OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in
6024   TLS. It is not on by default. If the option is not set then the server
6025   reuses the same private DH exponent for the life of the server process and
6026   would be vulnerable to this attack. It is believed that many popular
6027   applications do set this option and would therefore not be at risk.
6028
6029   The fix for this issue adds an additional check where a "q" parameter is
6030   available (as is the case in X9.42 based parameters). This detects the
6031   only known attack, and is the only possible defense for static DH
6032   ciphersuites. This could have some performance impact.
6033
6034   Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by
6035   default and cannot be disabled. This could have some performance impact.
6036
6037   This issue was reported to OpenSSL by Antonio Sanso (Adobe).
6038   ([CVE-2016-0701])
6039
6040   *Matt Caswell*
6041
6042 * SSLv2 doesn't block disabled ciphers
6043
6044   A malicious client can negotiate SSLv2 ciphers that have been disabled on
6045   the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
6046   been disabled, provided that the SSLv2 protocol was not also disabled via
6047   SSL_OP_NO_SSLv2.
6048
6049   This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram
6050   and Sebastian Schinzel.
6051   ([CVE-2015-3197])
6052
6053   *Viktor Dukhovni*
6054
6055### Changes between 1.0.2d and 1.0.2e [3 Dec 2015]
6056
6057 * BN_mod_exp may produce incorrect results on x86_64
6058
6059   There is a carry propagating bug in the x86_64 Montgomery squaring
6060   procedure. No EC algorithms are affected. Analysis suggests that attacks
6061   against RSA and DSA as a result of this defect would be very difficult to
6062   perform and are not believed likely. Attacks against DH are considered just
6063   feasible (although very difficult) because most of the work necessary to
6064   deduce information about a private key may be performed offline. The amount
6065   of resources required for such an attack would be very significant and
6066   likely only accessible to a limited number of attackers. An attacker would
6067   additionally need online access to an unpatched system using the target
6068   private key in a scenario with persistent DH parameters and a private
6069   key that is shared between multiple clients. For example this can occur by
6070   default in OpenSSL DHE based SSL/TLS ciphersuites.
6071
6072   This issue was reported to OpenSSL by Hanno Böck.
6073   ([CVE-2015-3193])
6074
6075   *Andy Polyakov*
6076
6077 * Certificate verify crash with missing PSS parameter
6078
6079   The signature verification routines will crash with a NULL pointer
6080   dereference if presented with an ASN.1 signature using the RSA PSS
6081   algorithm and absent mask generation function parameter. Since these
6082   routines are used to verify certificate signature algorithms this can be
6083   used to crash any certificate verification operation and exploited in a
6084   DoS attack. Any application which performs certificate verification is
6085   vulnerable including OpenSSL clients and servers which enable client
6086   authentication.
6087
6088   This issue was reported to OpenSSL by Loïc Jonas Etienne (Qnective AG).
6089   ([CVE-2015-3194])
6090
6091   *Stephen Henson*
6092
6093 * X509_ATTRIBUTE memory leak
6094
6095   When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
6096   memory. This structure is used by the PKCS#7 and CMS routines so any
6097   application which reads PKCS#7 or CMS data from untrusted sources is
6098   affected. SSL/TLS is not affected.
6099
6100   This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using
6101   libFuzzer.
6102   ([CVE-2015-3195])
6103
6104   *Stephen Henson*
6105
6106 * Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs.
6107   This changes the decoding behaviour for some invalid messages,
6108   though the change is mostly in the more lenient direction, and
6109   legacy behaviour is preserved as much as possible.
6110
6111   *Emilia Käsper*
6112
6113 * In DSA_generate_parameters_ex, if the provided seed is too short,
6114   return an error
6115
6116   *Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>*
6117
6118### Changes between 1.0.2c and 1.0.2d [9 Jul 2015]
6119
6120 * Alternate chains certificate forgery
6121
6122   During certificate verification, OpenSSL will attempt to find an
6123   alternative certificate chain if the first attempt to build such a chain
6124   fails. An error in the implementation of this logic can mean that an
6125   attacker could cause certain checks on untrusted certificates to be
6126   bypassed, such as the CA flag, enabling them to use a valid leaf
6127   certificate to act as a CA and "issue" an invalid certificate.
6128
6129   This issue was reported to OpenSSL by Adam Langley/David Benjamin
6130   (Google/BoringSSL).
6131
6132   *Matt Caswell*
6133
6134### Changes between 1.0.2b and 1.0.2c [12 Jun 2015]
6135
6136 * Fix HMAC ABI incompatibility. The previous version introduced an ABI
6137   incompatibility in the handling of HMAC. The previous ABI has now been
6138   restored.
6139
6140   *Matt Caswell*
6141
6142### Changes between 1.0.2a and 1.0.2b [11 Jun 2015]
6143
6144 * Malformed ECParameters causes infinite loop
6145
6146   When processing an ECParameters structure OpenSSL enters an infinite loop
6147   if the curve specified is over a specially malformed binary polynomial
6148   field.
6149
6150   This can be used to perform denial of service against any
6151   system which processes public keys, certificate requests or
6152   certificates.  This includes TLS clients and TLS servers with
6153   client authentication enabled.
6154
6155   This issue was reported to OpenSSL by Joseph Barr-Pixton.
6156   ([CVE-2015-1788])
6157
6158   *Andy Polyakov*
6159
6160 * Exploitable out-of-bounds read in X509_cmp_time
6161
6162   X509_cmp_time does not properly check the length of the ASN1_TIME
6163   string and can read a few bytes out of bounds. In addition,
6164   X509_cmp_time accepts an arbitrary number of fractional seconds in the
6165   time string.
6166
6167   An attacker can use this to craft malformed certificates and CRLs of
6168   various sizes and potentially cause a segmentation fault, resulting in
6169   a DoS on applications that verify certificates or CRLs. TLS clients
6170   that verify CRLs are affected. TLS clients and servers with client
6171   authentication enabled may be affected if they use custom verification
6172   callbacks.
6173
6174   This issue was reported to OpenSSL by Robert Swiecki (Google), and
6175   independently by Hanno Böck.
6176   ([CVE-2015-1789])
6177
6178   *Emilia Käsper*
6179
6180 * PKCS7 crash with missing EnvelopedContent
6181
6182   The PKCS#7 parsing code does not handle missing inner EncryptedContent
6183   correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
6184   with missing content and trigger a NULL pointer dereference on parsing.
6185
6186   Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
6187   structures from untrusted sources are affected. OpenSSL clients and
6188   servers are not affected.
6189
6190   This issue was reported to OpenSSL by Michal Zalewski (Google).
6191   ([CVE-2015-1790])
6192
6193   *Emilia Käsper*
6194
6195 * CMS verify infinite loop with unknown hash function
6196
6197   When verifying a signedData message the CMS code can enter an infinite loop
6198   if presented with an unknown hash function OID. This can be used to perform
6199   denial of service against any system which verifies signedData messages using
6200   the CMS code.
6201   This issue was reported to OpenSSL by Johannes Bauer.
6202   ([CVE-2015-1792])
6203
6204   *Stephen Henson*
6205
6206 * Race condition handling NewSessionTicket
6207
6208   If a NewSessionTicket is received by a multi-threaded client when attempting to
6209   reuse a previous ticket then a race condition can occur potentially leading to
6210   a double free of the ticket data.
6211   ([CVE-2015-1791])
6212
6213   *Matt Caswell*
6214
6215 * Only support 256-bit or stronger elliptic curves with the
6216   'ecdh_auto' setting (server) or by default (client). Of supported
6217   curves, prefer P-256 (both).
6218
6219   *Emilia Kasper*
6220
6221### Changes between 1.0.2 and 1.0.2a [19 Mar 2015]
6222
6223 * ClientHello sigalgs DoS fix
6224
6225   If a client connects to an OpenSSL 1.0.2 server and renegotiates with an
6226   invalid signature algorithms extension a NULL pointer dereference will
6227   occur. This can be exploited in a DoS attack against the server.
6228
6229   This issue was was reported to OpenSSL by David Ramos of Stanford
6230   University.
6231   ([CVE-2015-0291])
6232
6233   *Stephen Henson and Matt Caswell*
6234
6235 * Multiblock corrupted pointer fix
6236
6237   OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This
6238   feature only applies on 64 bit x86 architecture platforms that support AES
6239   NI instructions. A defect in the implementation of "multiblock" can cause
6240   OpenSSL's internal write buffer to become incorrectly set to NULL when
6241   using non-blocking IO. Typically, when the user application is using a
6242   socket BIO for writing, this will only result in a failed connection.
6243   However if some other BIO is used then it is likely that a segmentation
6244   fault will be triggered, thus enabling a potential DoS attack.
6245
6246   This issue was reported to OpenSSL by Daniel Danner and Rainer Mueller.
6247   ([CVE-2015-0290])
6248
6249   *Matt Caswell*
6250
6251 * Segmentation fault in DTLSv1_listen fix
6252
6253   The DTLSv1_listen function is intended to be stateless and processes the
6254   initial ClientHello from many peers. It is common for user code to loop
6255   over the call to DTLSv1_listen until a valid ClientHello is received with
6256   an associated cookie. A defect in the implementation of DTLSv1_listen means
6257   that state is preserved in the SSL object from one invocation to the next
6258   that can lead to a segmentation fault. Errors processing the initial
6259   ClientHello can trigger this scenario. An example of such an error could be
6260   that a DTLS1.0 only client is attempting to connect to a DTLS1.2 only
6261   server.
6262
6263   This issue was reported to OpenSSL by Per Allansson.
6264   ([CVE-2015-0207])
6265
6266   *Matt Caswell*
6267
6268 * Segmentation fault in ASN1_TYPE_cmp fix
6269
6270   The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
6271   made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
6272   certificate signature algorithm consistency this can be used to crash any
6273   certificate verification operation and exploited in a DoS attack. Any
6274   application which performs certificate verification is vulnerable including
6275   OpenSSL clients and servers which enable client authentication.
6276   ([CVE-2015-0286])
6277
6278   *Stephen Henson*
6279
6280 * Segmentation fault for invalid PSS parameters fix
6281
6282   The signature verification routines will crash with a NULL pointer
6283   dereference if presented with an ASN.1 signature using the RSA PSS
6284   algorithm and invalid parameters. Since these routines are used to verify
6285   certificate signature algorithms this can be used to crash any
6286   certificate verification operation and exploited in a DoS attack. Any
6287   application which performs certificate verification is vulnerable including
6288   OpenSSL clients and servers which enable client authentication.
6289
6290   This issue was was reported to OpenSSL by Brian Carpenter.
6291   ([CVE-2015-0208])
6292
6293   *Stephen Henson*
6294
6295 * ASN.1 structure reuse memory corruption fix
6296
6297   Reusing a structure in ASN.1 parsing may allow an attacker to cause
6298   memory corruption via an invalid write. Such reuse is and has been
6299   strongly discouraged and is believed to be rare.
6300
6301   Applications that parse structures containing CHOICE or ANY DEFINED BY
6302   components may be affected. Certificate parsing (d2i_X509 and related
6303   functions) are however not affected. OpenSSL clients and servers are
6304   not affected.
6305   ([CVE-2015-0287])
6306
6307   *Stephen Henson*
6308
6309 * PKCS7 NULL pointer dereferences fix
6310
6311   The PKCS#7 parsing code does not handle missing outer ContentInfo
6312   correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
6313   missing content and trigger a NULL pointer dereference on parsing.
6314
6315   Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or
6316   otherwise parse PKCS#7 structures from untrusted sources are
6317   affected. OpenSSL clients and servers are not affected.
6318
6319   This issue was reported to OpenSSL by Michal Zalewski (Google).
6320   ([CVE-2015-0289])
6321
6322   *Emilia Käsper*
6323
6324 * DoS via reachable assert in SSLv2 servers fix
6325
6326   A malicious client can trigger an OPENSSL_assert (i.e., an abort) in
6327   servers that both support SSLv2 and enable export cipher suites by sending
6328   a specially crafted SSLv2 CLIENT-MASTER-KEY message.
6329
6330   This issue was discovered by Sean Burford (Google) and Emilia Käsper
6331   (OpenSSL development team).
6332   ([CVE-2015-0293])
6333
6334   *Emilia Käsper*
6335
6336 * Empty CKE with client auth and DHE fix
6337
6338   If client auth is used then a server can seg fault in the event of a DHE
6339   ciphersuite being selected and a zero length ClientKeyExchange message
6340   being sent by the client. This could be exploited in a DoS attack.
6341   ([CVE-2015-1787])
6342
6343   *Matt Caswell*
6344
6345 * Handshake with unseeded PRNG fix
6346
6347   Under certain conditions an OpenSSL 1.0.2 client can complete a handshake
6348   with an unseeded PRNG. The conditions are:
6349   - The client is on a platform where the PRNG has not been seeded
6350   automatically, and the user has not seeded manually
6351   - A protocol specific client method version has been used (i.e. not
6352   SSL_client_methodv23)
6353   - A ciphersuite is used that does not require additional random data from
6354   the PRNG beyond the initial ClientHello client random (e.g. PSK-RC4-SHA).
6355
6356   If the handshake succeeds then the client random that has been used will
6357   have been generated from a PRNG with insufficient entropy and therefore the
6358   output may be predictable.
6359
6360   For example using the following command with an unseeded openssl will
6361   succeed on an unpatched platform:
6362
6363   openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA
6364   ([CVE-2015-0285])
6365
6366   *Matt Caswell*
6367
6368 * Use After Free following d2i_ECPrivatekey error fix
6369
6370   A malformed EC private key file consumed via the d2i_ECPrivateKey function
6371   could cause a use after free condition. This, in turn, could cause a double
6372   free in several private key parsing functions (such as d2i_PrivateKey
6373   or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
6374   for applications that receive EC private keys from untrusted
6375   sources. This scenario is considered rare.
6376
6377   This issue was discovered by the BoringSSL project and fixed in their
6378   commit 517073cd4b.
6379   ([CVE-2015-0209])
6380
6381   *Matt Caswell*
6382
6383 * X509_to_X509_REQ NULL pointer deref fix
6384
6385   The function X509_to_X509_REQ will crash with a NULL pointer dereference if
6386   the certificate key is invalid. This function is rarely used in practice.
6387
6388   This issue was discovered by Brian Carpenter.
6389   ([CVE-2015-0288])
6390
6391   *Stephen Henson*
6392
6393 * Removed the export ciphers from the DEFAULT ciphers
6394
6395   *Kurt Roeckx*
6396
6397### Changes between 1.0.1l and 1.0.2 [22 Jan 2015]
6398
6399 * Facilitate "universal" ARM builds targeting range of ARM ISAs, e.g.
6400   ARMv5 through ARMv8, as opposite to "locking" it to single one.
6401   So far those who have to target multiple platforms would compromise
6402   and argue that binary targeting say ARMv5 would still execute on
6403   ARMv8. "Universal" build resolves this compromise by providing
6404   near-optimal performance even on newer platforms.
6405
6406   *Andy Polyakov*
6407
6408 * Accelerated NIST P-256 elliptic curve implementation for x86_64
6409   (other platforms pending).
6410
6411   *Shay Gueron & Vlad Krasnov (Intel Corp), Andy Polyakov*
6412
6413 * Add support for the SignedCertificateTimestampList certificate and
6414   OCSP response extensions from RFC6962.
6415
6416   *Rob Stradling*
6417
6418 * Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
6419   for corner cases. (Certain input points at infinity could lead to
6420   bogus results, with non-infinity inputs mapped to infinity too.)
6421
6422   *Bodo Moeller*
6423
6424 * Initial support for PowerISA 2.0.7, first implemented in POWER8.
6425   This covers AES, SHA256/512 and GHASH. "Initial" means that most
6426   common cases are optimized and there still is room for further
6427   improvements. Vector Permutation AES for Altivec is also added.
6428
6429   *Andy Polyakov*
6430
6431 * Add support for little-endian ppc64 Linux target.
6432
6433   *Marcelo Cerri (IBM)*
6434
6435 * Initial support for AMRv8 ISA crypto extensions. This covers AES,
6436   SHA1, SHA256 and GHASH. "Initial" means that most common cases
6437   are optimized and there still is room for further improvements.
6438   Both 32- and 64-bit modes are supported.
6439
6440   *Andy Polyakov, Ard Biesheuvel (Linaro)*
6441
6442 * Improved ARMv7 NEON support.
6443
6444   *Andy Polyakov*
6445
6446 * Support for SPARC Architecture 2011 crypto extensions, first
6447   implemented in SPARC T4. This covers AES, DES, Camellia, SHA1,
6448   SHA256/512, MD5, GHASH and modular exponentiation.
6449
6450   *Andy Polyakov, David Miller*
6451
6452 * Accelerated modular exponentiation for Intel processors, a.k.a.
6453   RSAZ.
6454
6455   *Shay Gueron & Vlad Krasnov (Intel Corp)*
6456
6457 * Support for new and upcoming Intel processors, including AVX2,
6458   BMI and SHA ISA extensions. This includes additional "stitched"
6459   implementations, AESNI-SHA256 and GCM, and multi-buffer support
6460   for TLS encrypt.
6461
6462   This work was sponsored by Intel Corp.
6463
6464   *Andy Polyakov*
6465
6466 * Support for DTLS 1.2. This adds two sets of DTLS methods: DTLS_*_method()
6467   supports both DTLS 1.2 and 1.0 and should use whatever version the peer
6468   supports and DTLSv1_2_*_method() which supports DTLS 1.2 only.
6469
6470   *Steve Henson*
6471
6472 * Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
6473   this fixes a limitation in previous versions of OpenSSL.
6474
6475   *Steve Henson*
6476
6477 * Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,
6478   MGF1 digest and OAEP label.
6479
6480   *Steve Henson*
6481
6482 * Add EVP support for key wrapping algorithms, to avoid problems with
6483   existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in
6484   the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
6485   algorithms and include tests cases.
6486
6487   *Steve Henson*
6488
6489 * Add functions to allocate and set the fields of an ECDSA_METHOD
6490   structure.
6491
6492   *Douglas E. Engert, Steve Henson*
6493
6494 * New functions OPENSSL_gmtime_diff and ASN1_TIME_diff to find the
6495   difference in days and seconds between two tm or ASN1_TIME structures.
6496
6497   *Steve Henson*
6498
6499 * Add -rev test option to s_server to just reverse order of characters
6500   received by client and send back to server. Also prints an abbreviated
6501   summary of the connection parameters.
6502
6503   *Steve Henson*
6504
6505 * New option -brief for s_client and s_server to print out a brief summary
6506   of connection parameters.
6507
6508   *Steve Henson*
6509
6510 * Add callbacks for arbitrary TLS extensions.
6511
6512   *Trevor Perrin <trevp@trevp.net> and Ben Laurie*
6513
6514 * New option -crl_download in several openssl utilities to download CRLs
6515   from CRLDP extension in certificates.
6516
6517   *Steve Henson*
6518
6519 * New options -CRL and -CRLform for s_client and s_server for CRLs.
6520
6521   *Steve Henson*
6522
6523 * New function X509_CRL_diff to generate a delta CRL from the difference
6524   of two full CRLs. Add support to "crl" utility.
6525
6526   *Steve Henson*
6527
6528 * New functions to set lookup_crls function and to retrieve
6529   X509_STORE from X509_STORE_CTX.
6530
6531   *Steve Henson*
6532
6533 * Print out deprecated issuer and subject unique ID fields in
6534   certificates.
6535
6536   *Steve Henson*
6537
6538 * Extend OCSP I/O functions so they can be used for simple general purpose
6539   HTTP as well as OCSP. New wrapper function which can be used to download
6540   CRLs using the OCSP API.
6541
6542   *Steve Henson*
6543
6544 * Delegate command line handling in s_client/s_server to SSL_CONF APIs.
6545
6546   *Steve Henson*
6547
6548 * `SSL_CONF*` functions. These provide a common framework for application
6549   configuration using configuration files or command lines.
6550
6551   *Steve Henson*
6552
6553 * SSL/TLS tracing code. This parses out SSL/TLS records using the
6554   message callback and prints the results. Needs compile time option
6555   "enable-ssl-trace". New options to s_client and s_server to enable
6556   tracing.
6557
6558   *Steve Henson*
6559
6560 * New ctrl and macro to retrieve supported points extensions.
6561   Print out extension in s_server and s_client.
6562
6563   *Steve Henson*
6564
6565 * New functions to retrieve certificate signature and signature
6566   OID NID.
6567
6568   *Steve Henson*
6569
6570 * Add functions to retrieve and manipulate the raw cipherlist sent by a
6571   client to OpenSSL.
6572
6573   *Steve Henson*
6574
6575 * New Suite B modes for TLS code. These use and enforce the requirements
6576   of RFC6460: restrict ciphersuites, only permit Suite B algorithms and
6577   only use Suite B curves. The Suite B modes can be set by using the
6578   strings "SUITEB128", "SUITEB192" or "SUITEB128ONLY" for the cipherstring.
6579
6580   *Steve Henson*
6581
6582 * New chain verification flags for Suite B levels of security. Check
6583   algorithms are acceptable when flags are set in X509_verify_cert.
6584
6585   *Steve Henson*
6586
6587 * Make tls1_check_chain return a set of flags indicating checks passed
6588   by a certificate chain. Add additional tests to handle client
6589   certificates: checks for matching certificate type and issuer name
6590   comparison.
6591
6592   *Steve Henson*
6593
6594 * If an attempt is made to use a signature algorithm not in the peer
6595   preference list abort the handshake. If client has no suitable
6596   signature algorithms in response to a certificate request do not
6597   use the certificate.
6598
6599   *Steve Henson*
6600
6601 * If server EC tmp key is not in client preference list abort handshake.
6602
6603   *Steve Henson*
6604
6605 * Add support for certificate stores in CERT structure. This makes it
6606   possible to have different stores per SSL structure or one store in
6607   the parent SSL_CTX. Include distinct stores for certificate chain
6608   verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN
6609   to build and store a certificate chain in CERT structure: returning
6610   an error if the chain cannot be built: this will allow applications
6611   to test if a chain is correctly configured.
6612
6613   Note: if the CERT based stores are not set then the parent SSL_CTX
6614   store is used to retain compatibility with existing behaviour.
6615
6616   *Steve Henson*
6617
6618 * New function ssl_set_client_disabled to set a ciphersuite disabled
6619   mask based on the current session, check mask when sending client
6620   hello and checking the requested ciphersuite.
6621
6622   *Steve Henson*
6623
6624 * New ctrls to retrieve and set certificate types in a certificate
6625   request message. Print out received values in s_client. If certificate
6626   types is not set with custom values set sensible values based on
6627   supported signature algorithms.
6628
6629   *Steve Henson*
6630
6631 * Support for distinct client and server supported signature algorithms.
6632
6633   *Steve Henson*
6634
6635 * Add certificate callback. If set this is called whenever a certificate
6636   is required by client or server. An application can decide which
6637   certificate chain to present based on arbitrary criteria: for example
6638   supported signature algorithms. Add very simple example to s_server.
6639   This fixes many of the problems and restrictions of the existing client
6640   certificate callback: for example you can now clear an existing
6641   certificate and specify the whole chain.
6642
6643   *Steve Henson*
6644
6645 * Add new "valid_flags" field to CERT_PKEY structure which determines what
6646   the certificate can be used for (if anything). Set valid_flags field
6647   in new tls1_check_chain function. Simplify ssl_set_cert_masks which used
6648   to have similar checks in it.
6649
6650   Add new "cert_flags" field to CERT structure and include a "strict mode".
6651   This enforces some TLS certificate requirements (such as only permitting
6652   certificate signature algorithms contained in the supported algorithms
6653   extension) which some implementations ignore: this option should be used
6654   with caution as it could cause interoperability issues.
6655
6656   *Steve Henson*
6657
6658 * Update and tidy signature algorithm extension processing. Work out
6659   shared signature algorithms based on preferences and peer algorithms
6660   and print them out in s_client and s_server. Abort handshake if no
6661   shared signature algorithms.
6662
6663   *Steve Henson*
6664
6665 * Add new functions to allow customised supported signature algorithms
6666   for SSL and SSL_CTX structures. Add options to s_client and s_server
6667   to support them.
6668
6669   *Steve Henson*
6670
6671 * New function SSL_certs_clear() to delete all references to certificates
6672   from an SSL structure. Before this once a certificate had been added
6673   it couldn't be removed.
6674
6675   *Steve Henson*
6676
6677 * Integrate hostname, email address and IP address checking with certificate
6678   verification. New verify options supporting checking in openssl utility.
6679
6680   *Steve Henson*
6681
6682 * Fixes and wildcard matching support to hostname and email checking
6683   functions. Add manual page.
6684
6685   *Florian Weimer (Red Hat Product Security Team)*
6686
6687 * New functions to check a hostname email or IP address against a
6688   certificate. Add options x509 utility to print results of checks against
6689   a certificate.
6690
6691   *Steve Henson*
6692
6693 * Fix OCSP checking.
6694
6695   *Rob Stradling <rob.stradling@comodo.com> and Ben Laurie*
6696
6697 * Initial experimental support for explicitly trusted non-root CAs.
6698   OpenSSL still tries to build a complete chain to a root but if an
6699   intermediate CA has a trust setting included that is used. The first
6700   setting is used: whether to trust (e.g., -addtrust option to the x509
6701   utility) or reject.
6702
6703   *Steve Henson*
6704
6705 * Add -trusted_first option which attempts to find certificates in the
6706   trusted store even if an untrusted chain is also supplied.
6707
6708   *Steve Henson*
6709
6710 * MIPS assembly pack updates: support for MIPS32r2 and SmartMIPS ASE,
6711   platform support for Linux and Android.
6712
6713   *Andy Polyakov*
6714
6715 * Support for linux-x32, ILP32 environment in x86_64 framework.
6716
6717   *Andy Polyakov*
6718
6719 * Experimental multi-implementation support for FIPS capable OpenSSL.
6720   When in FIPS mode the approved implementations are used as normal,
6721   when not in FIPS mode the internal unapproved versions are used instead.
6722   This means that the FIPS capable OpenSSL isn't forced to use the
6723   (often lower performance) FIPS implementations outside FIPS mode.
6724
6725   *Steve Henson*
6726
6727 * Transparently support X9.42 DH parameters when calling
6728   PEM_read_bio_DHparameters. This means existing applications can handle
6729   the new parameter format automatically.
6730
6731   *Steve Henson*
6732
6733 * Initial experimental support for X9.42 DH parameter format: mainly
6734   to support use of 'q' parameter for RFC5114 parameters.
6735
6736   *Steve Henson*
6737
6738 * Add DH parameters from RFC5114 including test data to dhtest.
6739
6740   *Steve Henson*
6741
6742 * Support for automatic EC temporary key parameter selection. If enabled
6743   the most preferred EC parameters are automatically used instead of
6744   hardcoded fixed parameters. Now a server just has to call:
6745   SSL_CTX_set_ecdh_auto(ctx, 1) and the server will automatically
6746   support ECDH and use the most appropriate parameters.
6747
6748   *Steve Henson*
6749
6750 * Enhance and tidy EC curve and point format TLS extension code. Use
6751   static structures instead of allocation if default values are used.
6752   New ctrls to set curves we wish to support and to retrieve shared curves.
6753   Print out shared curves in s_server. New options to s_server and s_client
6754   to set list of supported curves.
6755
6756   *Steve Henson*
6757
6758 * New ctrls to retrieve supported signature algorithms and
6759   supported curve values as an array of NIDs. Extend openssl utility
6760   to print out received values.
6761
6762   *Steve Henson*
6763
6764 * Add new APIs EC_curve_nist2nid and EC_curve_nid2nist which convert
6765   between NIDs and the more common NIST names such as "P-256". Enhance
6766   ecparam utility and ECC method to recognise the NIST names for curves.
6767
6768   *Steve Henson*
6769
6770 * Enhance SSL/TLS certificate chain handling to support different
6771   chains for each certificate instead of one chain in the parent SSL_CTX.
6772
6773   *Steve Henson*
6774
6775 * Support for fixed DH ciphersuite client authentication: where both
6776   server and client use DH certificates with common parameters.
6777
6778   *Steve Henson*
6779
6780 * Support for fixed DH ciphersuites: those requiring DH server
6781   certificates.
6782
6783   *Steve Henson*
6784
6785 * New function i2d_re_X509_tbs for re-encoding the TBS portion of
6786   the certificate.
6787   Note: Related 1.0.2-beta specific macros X509_get_cert_info,
6788   X509_CINF_set_modified, X509_CINF_get_issuer, X509_CINF_get_extensions and
6789   X509_CINF_get_signature were reverted post internal team review.
6790
6791OpenSSL 1.0.1
6792-------------
6793
6794### Changes between 1.0.1t and 1.0.1u [22 Sep 2016]
6795
6796 * OCSP Status Request extension unbounded memory growth
6797
6798   A malicious client can send an excessively large OCSP Status Request
6799   extension. If that client continually requests renegotiation, sending a
6800   large OCSP Status Request extension each time, then there will be unbounded
6801   memory growth on the server. This will eventually lead to a Denial Of
6802   Service attack through memory exhaustion. Servers with a default
6803   configuration are vulnerable even if they do not support OCSP. Builds using
6804   the "no-ocsp" build time option are not affected.
6805
6806   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
6807   ([CVE-2016-6304])
6808
6809   *Matt Caswell*
6810
6811 * In order to mitigate the SWEET32 attack, the DES ciphers were moved from
6812   HIGH to MEDIUM.
6813
6814   This issue was reported to OpenSSL Karthikeyan Bhargavan and Gaetan
6815   Leurent (INRIA)
6816   ([CVE-2016-2183])
6817
6818   *Rich Salz*
6819
6820 * OOB write in MDC2_Update()
6821
6822   An overflow can occur in MDC2_Update() either if called directly or
6823   through the EVP_DigestUpdate() function using MDC2. If an attacker
6824   is able to supply very large amounts of input data after a previous
6825   call to EVP_EncryptUpdate() with a partial block then a length check
6826   can overflow resulting in a heap corruption.
6827
6828   The amount of data needed is comparable to SIZE_MAX which is impractical
6829   on most platforms.
6830
6831   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
6832   ([CVE-2016-6303])
6833
6834   *Stephen Henson*
6835
6836 * Malformed SHA512 ticket DoS
6837
6838   If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a
6839   DoS attack where a malformed ticket will result in an OOB read which will
6840   ultimately crash.
6841
6842   The use of SHA512 in TLS session tickets is comparatively rare as it requires
6843   a custom server callback and ticket lookup mechanism.
6844
6845   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
6846   ([CVE-2016-6302])
6847
6848   *Stephen Henson*
6849
6850 * OOB write in BN_bn2dec()
6851
6852   The function BN_bn2dec() does not check the return value of BN_div_word().
6853   This can cause an OOB write if an application uses this function with an
6854   overly large BIGNUM. This could be a problem if an overly large certificate
6855   or CRL is printed out from an untrusted source. TLS is not affected because
6856   record limits will reject an oversized certificate before it is parsed.
6857
6858   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
6859   ([CVE-2016-2182])
6860
6861   *Stephen Henson*
6862
6863 * OOB read in TS_OBJ_print_bio()
6864
6865   The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value is
6866   the total length the OID text representation would use and not the amount
6867   of data written. This will result in OOB reads when large OIDs are
6868   presented.
6869
6870   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
6871   ([CVE-2016-2180])
6872
6873   *Stephen Henson*
6874
6875 * Pointer arithmetic undefined behaviour
6876
6877   Avoid some undefined pointer arithmetic
6878
6879   A common idiom in the codebase is to check limits in the following manner:
6880   "p + len > limit"
6881
6882   Where "p" points to some malloc'd data of SIZE bytes and
6883   limit == p + SIZE
6884
6885   "len" here could be from some externally supplied data (e.g. from a TLS
6886   message).
6887
6888   The rules of C pointer arithmetic are such that "p + len" is only well
6889   defined where len <= SIZE. Therefore the above idiom is actually
6890   undefined behaviour.
6891
6892   For example this could cause problems if some malloc implementation
6893   provides an address for "p" such that "p + len" actually overflows for
6894   values of len that are too big and therefore p + len < limit.
6895
6896   This issue was reported to OpenSSL by Guido Vranken
6897   ([CVE-2016-2177])
6898
6899   *Matt Caswell*
6900
6901 * Constant time flag not preserved in DSA signing
6902
6903   Operations in the DSA signing algorithm should run in constant time in
6904   order to avoid side channel attacks. A flaw in the OpenSSL DSA
6905   implementation means that a non-constant time codepath is followed for
6906   certain operations. This has been demonstrated through a cache-timing
6907   attack to be sufficient for an attacker to recover the private DSA key.
6908
6909   This issue was reported by César Pereida (Aalto University), Billy Brumley
6910   (Tampere University of Technology), and Yuval Yarom (The University of
6911   Adelaide and NICTA).
6912   ([CVE-2016-2178])
6913
6914   *César Pereida*
6915
6916 * DTLS buffered message DoS
6917
6918   In a DTLS connection where handshake messages are delivered out-of-order
6919   those messages that OpenSSL is not yet ready to process will be buffered
6920   for later use. Under certain circumstances, a flaw in the logic means that
6921   those messages do not get removed from the buffer even though the handshake
6922   has been completed. An attacker could force up to approx. 15 messages to
6923   remain in the buffer when they are no longer required. These messages will
6924   be cleared when the DTLS connection is closed. The default maximum size for
6925   a message is 100k. Therefore the attacker could force an additional 1500k
6926   to be consumed per connection. By opening many simulataneous connections an
6927   attacker could cause a DoS attack through memory exhaustion.
6928
6929   This issue was reported to OpenSSL by Quan Luo.
6930   ([CVE-2016-2179])
6931
6932   *Matt Caswell*
6933
6934 * DTLS replay protection DoS
6935
6936   A flaw in the DTLS replay attack protection mechanism means that records
6937   that arrive for future epochs update the replay protection "window" before
6938   the MAC for the record has been validated. This could be exploited by an
6939   attacker by sending a record for the next epoch (which does not have to
6940   decrypt or have a valid MAC), with a very large sequence number. This means
6941   that all subsequent legitimate packets are dropped causing a denial of
6942   service for a specific DTLS connection.
6943
6944   This issue was reported to OpenSSL by the OCAP audit team.
6945   ([CVE-2016-2181])
6946
6947   *Matt Caswell*
6948
6949 * Certificate message OOB reads
6950
6951   In OpenSSL 1.0.2 and earlier some missing message length checks can result
6952   in OOB reads of up to 2 bytes beyond an allocated buffer. There is a
6953   theoretical DoS risk but this has not been observed in practice on common
6954   platforms.
6955
6956   The messages affected are client certificate, client certificate request
6957   and server certificate. As a result the attack can only be performed
6958   against a client or a server which enables client authentication.
6959
6960   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
6961   ([CVE-2016-6306])
6962
6963   *Stephen Henson*
6964
6965### Changes between 1.0.1s and 1.0.1t [3 May 2016]
6966
6967 * Prevent padding oracle in AES-NI CBC MAC check
6968
6969   A MITM attacker can use a padding oracle attack to decrypt traffic
6970   when the connection uses an AES CBC cipher and the server support
6971   AES-NI.
6972
6973   This issue was introduced as part of the fix for Lucky 13 padding
6974   attack ([CVE-2013-0169]). The padding check was rewritten to be in
6975   constant time by making sure that always the same bytes are read and
6976   compared against either the MAC or padding bytes. But it no longer
6977   checked that there was enough data to have both the MAC and padding
6978   bytes.
6979
6980   This issue was reported by Juraj Somorovsky using TLS-Attacker.
6981   ([CVE-2016-2107])
6982
6983   *Kurt Roeckx*
6984
6985 * Fix EVP_EncodeUpdate overflow
6986
6987   An overflow can occur in the EVP_EncodeUpdate() function which is used for
6988   Base64 encoding of binary data. If an attacker is able to supply very large
6989   amounts of input data then a length check can overflow resulting in a heap
6990   corruption.
6991
6992   Internally to OpenSSL the EVP_EncodeUpdate() function is primarly used by
6993   the `PEM_write_bio*` family of functions. These are mainly used within the
6994   OpenSSL command line applications, so any application which processes data
6995   from an untrusted source and outputs it as a PEM file should be considered
6996   vulnerable to this issue. User applications that call these APIs directly
6997   with large amounts of untrusted data may also be vulnerable.
6998
6999   This issue was reported by Guido Vranken.
7000   ([CVE-2016-2105])
7001
7002   *Matt Caswell*
7003
7004 * Fix EVP_EncryptUpdate overflow
7005
7006   An overflow can occur in the EVP_EncryptUpdate() function. If an attacker
7007   is able to supply very large amounts of input data after a previous call to
7008   EVP_EncryptUpdate() with a partial block then a length check can overflow
7009   resulting in a heap corruption. Following an analysis of all OpenSSL
7010   internal usage of the EVP_EncryptUpdate() function all usage is one of two
7011   forms. The first form is where the EVP_EncryptUpdate() call is known to be
7012   the first called function after an EVP_EncryptInit(), and therefore that
7013   specific call must be safe. The second form is where the length passed to
7014   EVP_EncryptUpdate() can be seen from the code to be some small value and
7015   therefore there is no possibility of an overflow. Since all instances are
7016   one of these two forms, it is believed that there can be no overflows in
7017   internal code due to this problem. It should be noted that
7018   EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths.
7019   Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances
7020   of these calls have also been analysed too and it is believed there are no
7021   instances in internal usage where an overflow could occur.
7022
7023   This issue was reported by Guido Vranken.
7024   ([CVE-2016-2106])
7025
7026   *Matt Caswell*
7027
7028 * Prevent ASN.1 BIO excessive memory allocation
7029
7030   When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
7031   a short invalid encoding can casuse allocation of large amounts of memory
7032   potentially consuming excessive resources or exhausting memory.
7033
7034   Any application parsing untrusted data through d2i BIO functions is
7035   affected. The memory based functions such as d2i_X509() are *not* affected.
7036   Since the memory based functions are used by the TLS library, TLS
7037   applications are not affected.
7038
7039   This issue was reported by Brian Carpenter.
7040   ([CVE-2016-2109])
7041
7042   *Stephen Henson*
7043
7044 * EBCDIC overread
7045
7046   ASN1 Strings that are over 1024 bytes can cause an overread in applications
7047   using the X509_NAME_oneline() function on EBCDIC systems. This could result
7048   in arbitrary stack data being returned in the buffer.
7049
7050   This issue was reported by Guido Vranken.
7051   ([CVE-2016-2176])
7052
7053   *Matt Caswell*
7054
7055 * Modify behavior of ALPN to invoke callback after SNI/servername
7056   callback, such that updates to the SSL_CTX affect ALPN.
7057
7058   *Todd Short*
7059
7060 * Remove LOW from the DEFAULT cipher list.  This removes singles DES from the
7061   default.
7062
7063   *Kurt Roeckx*
7064
7065 * Only remove the SSLv2 methods with the no-ssl2-method option. When the
7066   methods are enabled and ssl2 is disabled the methods return NULL.
7067
7068   *Kurt Roeckx*
7069
7070### Changes between 1.0.1r and 1.0.1s [1 Mar 2016]
7071
7072* Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
7073  Builds that are not configured with "enable-weak-ssl-ciphers" will not
7074  provide any "EXPORT" or "LOW" strength ciphers.
7075
7076  *Viktor Dukhovni*
7077
7078* Disable SSLv2 default build, default negotiation and weak ciphers.  SSLv2
7079  is by default disabled at build-time.  Builds that are not configured with
7080  "enable-ssl2" will not support SSLv2.  Even if "enable-ssl2" is used,
7081  users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
7082  will need to explicitly call either of:
7083
7084      SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
7085  or
7086      SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
7087
7088  as appropriate.  Even if either of those is used, or the application
7089  explicitly uses the version-specific SSLv2_method() or its client and
7090  server variants, SSLv2 ciphers vulnerable to exhaustive search key
7091  recovery have been removed.  Specifically, the SSLv2 40-bit EXPORT
7092  ciphers, and SSLv2 56-bit DES are no longer available.
7093  ([CVE-2016-0800])
7094
7095  *Viktor Dukhovni*
7096
7097 * Fix a double-free in DSA code
7098
7099   A double free bug was discovered when OpenSSL parses malformed DSA private
7100   keys and could lead to a DoS attack or memory corruption for applications
7101   that receive DSA private keys from untrusted sources.  This scenario is
7102   considered rare.
7103
7104   This issue was reported to OpenSSL by Adam Langley(Google/BoringSSL) using
7105   libFuzzer.
7106   ([CVE-2016-0705])
7107
7108   *Stephen Henson*
7109
7110 * Disable SRP fake user seed to address a server memory leak.
7111
7112   Add a new method SRP_VBASE_get1_by_user that handles the seed properly.
7113
7114   SRP_VBASE_get_by_user had inconsistent memory management behaviour.
7115   In order to fix an unavoidable memory leak, SRP_VBASE_get_by_user
7116   was changed to ignore the "fake user" SRP seed, even if the seed
7117   is configured.
7118
7119   Users should use SRP_VBASE_get1_by_user instead. Note that in
7120   SRP_VBASE_get1_by_user, caller must free the returned value. Note
7121   also that even though configuring the SRP seed attempts to hide
7122   invalid usernames by continuing the handshake with fake
7123   credentials, this behaviour is not constant time and no strong
7124   guarantees are made that the handshake is indistinguishable from
7125   that of a valid user.
7126   ([CVE-2016-0798])
7127
7128   *Emilia Käsper*
7129
7130 * Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
7131
7132   In the BN_hex2bn function the number of hex digits is calculated using an
7133   int value `i`. Later `bn_expand` is called with a value of `i * 4`. For
7134   large values of `i` this can result in `bn_expand` not allocating any
7135   memory because `i * 4` is negative. This can leave the internal BIGNUM data
7136   field as NULL leading to a subsequent NULL ptr deref. For very large values
7137   of `i`, the calculation `i * 4` could be a positive value smaller than `i`.
7138   In this case memory is allocated to the internal BIGNUM data field, but it
7139   is insufficiently sized leading to heap corruption. A similar issue exists
7140   in BN_dec2bn. This could have security consequences if BN_hex2bn/BN_dec2bn
7141   is ever called by user applications with very large untrusted hex/dec data.
7142   This is anticipated to be a rare occurrence.
7143
7144   All OpenSSL internal usage of these functions use data that is not expected
7145   to be untrusted, e.g. config file data or application command line
7146   arguments. If user developed applications generate config file data based
7147   on untrusted data then it is possible that this could also lead to security
7148   consequences. This is also anticipated to be rare.
7149
7150   This issue was reported to OpenSSL by Guido Vranken.
7151   ([CVE-2016-0797])
7152
7153   *Matt Caswell*
7154
7155 * Fix memory issues in `BIO_*printf` functions
7156
7157   The internal `fmtstr` function used in processing a "%s" format string in
7158   the `BIO_*printf` functions could overflow while calculating the length of a
7159   string and cause an OOB read when printing very long strings.
7160
7161   Additionally the internal `doapr_outch` function can attempt to write to an
7162   OOB memory location (at an offset from the NULL pointer) in the event of a
7163   memory allocation failure. In 1.0.2 and below this could be caused where
7164   the size of a buffer to be allocated is greater than INT_MAX. E.g. this
7165   could be in processing a very long "%s" format string. Memory leaks can
7166   also occur.
7167
7168   The first issue may mask the second issue dependent on compiler behaviour.
7169   These problems could enable attacks where large amounts of untrusted data
7170   is passed to the `BIO_*printf` functions. If applications use these functions
7171   in this way then they could be vulnerable. OpenSSL itself uses these
7172   functions when printing out human-readable dumps of ASN.1 data. Therefore
7173   applications that print this data could be vulnerable if the data is from
7174   untrusted sources. OpenSSL command line applications could also be
7175   vulnerable where they print out ASN.1 data, or if untrusted data is passed
7176   as command line arguments.
7177
7178   Libssl is not considered directly vulnerable. Additionally certificates etc
7179   received via remote connections via libssl are also unlikely to be able to
7180   trigger these issues because of message size limits enforced within libssl.
7181
7182   This issue was reported to OpenSSL Guido Vranken.
7183   ([CVE-2016-0799])
7184
7185   *Matt Caswell*
7186
7187 * Side channel attack on modular exponentiation
7188
7189   A side-channel attack was found which makes use of cache-bank conflicts on
7190   the Intel Sandy-Bridge microarchitecture which could lead to the recovery
7191   of RSA keys.  The ability to exploit this issue is limited as it relies on
7192   an attacker who has control of code in a thread running on the same
7193   hyper-threaded core as the victim thread which is performing decryptions.
7194
7195   This issue was reported to OpenSSL by Yuval Yarom, The University of
7196   Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and
7197   Nadia Heninger, University of Pennsylvania with more information at
7198   <http://cachebleed.info>.
7199   ([CVE-2016-0702])
7200
7201   *Andy Polyakov*
7202
7203 * Change the req command to generate a 2048-bit RSA/DSA key by default,
7204   if no keysize is specified with default_bits. This fixes an
7205   omission in an earlier change that changed all RSA/DSA key generation
7206   commands to use 2048 bits by default.
7207
7208   *Emilia Käsper*
7209
7210### Changes between 1.0.1q and 1.0.1r [28 Jan 2016]
7211
7212 * Protection for DH small subgroup attacks
7213
7214   As a precautionary measure the SSL_OP_SINGLE_DH_USE option has been
7215   switched on by default and cannot be disabled. This could have some
7216   performance impact.
7217
7218   *Matt Caswell*
7219
7220 * SSLv2 doesn't block disabled ciphers
7221
7222   A malicious client can negotiate SSLv2 ciphers that have been disabled on
7223   the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
7224   been disabled, provided that the SSLv2 protocol was not also disabled via
7225   SSL_OP_NO_SSLv2.
7226
7227   This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram
7228   and Sebastian Schinzel.
7229   ([CVE-2015-3197])
7230
7231   *Viktor Dukhovni*
7232
7233 * Reject DH handshakes with parameters shorter than 1024 bits.
7234
7235   *Kurt Roeckx*
7236
7237### Changes between 1.0.1p and 1.0.1q [3 Dec 2015]
7238
7239 * Certificate verify crash with missing PSS parameter
7240
7241   The signature verification routines will crash with a NULL pointer
7242   dereference if presented with an ASN.1 signature using the RSA PSS
7243   algorithm and absent mask generation function parameter. Since these
7244   routines are used to verify certificate signature algorithms this can be
7245   used to crash any certificate verification operation and exploited in a
7246   DoS attack. Any application which performs certificate verification is
7247   vulnerable including OpenSSL clients and servers which enable client
7248   authentication.
7249
7250   This issue was reported to OpenSSL by Loïc Jonas Etienne (Qnective AG).
7251   ([CVE-2015-3194])
7252
7253   *Stephen Henson*
7254
7255 * X509_ATTRIBUTE memory leak
7256
7257   When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
7258   memory. This structure is used by the PKCS#7 and CMS routines so any
7259   application which reads PKCS#7 or CMS data from untrusted sources is
7260   affected. SSL/TLS is not affected.
7261
7262   This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using
7263   libFuzzer.
7264   ([CVE-2015-3195])
7265
7266   *Stephen Henson*
7267
7268 * Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs.
7269   This changes the decoding behaviour for some invalid messages,
7270   though the change is mostly in the more lenient direction, and
7271   legacy behaviour is preserved as much as possible.
7272
7273   *Emilia Käsper*
7274
7275 * In DSA_generate_parameters_ex, if the provided seed is too short,
7276   use a random seed, as already documented.
7277
7278   *Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>*
7279
7280### Changes between 1.0.1o and 1.0.1p [9 Jul 2015]
7281
7282 * Alternate chains certificate forgery
7283
7284   During certificate verfification, OpenSSL will attempt to find an
7285   alternative certificate chain if the first attempt to build such a chain
7286   fails. An error in the implementation of this logic can mean that an
7287   attacker could cause certain checks on untrusted certificates to be
7288   bypassed, such as the CA flag, enabling them to use a valid leaf
7289   certificate to act as a CA and "issue" an invalid certificate.
7290
7291   This issue was reported to OpenSSL by Adam Langley/David Benjamin
7292   (Google/BoringSSL).
7293   ([CVE-2015-1793])
7294
7295   *Matt Caswell*
7296
7297 * Race condition handling PSK identify hint
7298
7299   If PSK identity hints are received by a multi-threaded client then
7300   the values are wrongly updated in the parent SSL_CTX structure. This can
7301   result in a race condition potentially leading to a double free of the
7302   identify hint data.
7303   ([CVE-2015-3196])
7304
7305   *Stephen Henson*
7306
7307### Changes between 1.0.1n and 1.0.1o [12 Jun 2015]
7308
7309 * Fix HMAC ABI incompatibility. The previous version introduced an ABI
7310   incompatibility in the handling of HMAC. The previous ABI has now been
7311   restored.
7312
7313### Changes between 1.0.1m and 1.0.1n [11 Jun 2015]
7314
7315 * Malformed ECParameters causes infinite loop
7316
7317   When processing an ECParameters structure OpenSSL enters an infinite loop
7318   if the curve specified is over a specially malformed binary polynomial
7319   field.
7320
7321   This can be used to perform denial of service against any
7322   system which processes public keys, certificate requests or
7323   certificates.  This includes TLS clients and TLS servers with
7324   client authentication enabled.
7325
7326   This issue was reported to OpenSSL by Joseph Barr-Pixton.
7327   ([CVE-2015-1788])
7328
7329   *Andy Polyakov*
7330
7331 * Exploitable out-of-bounds read in X509_cmp_time
7332
7333   X509_cmp_time does not properly check the length of the ASN1_TIME
7334   string and can read a few bytes out of bounds. In addition,
7335   X509_cmp_time accepts an arbitrary number of fractional seconds in the
7336   time string.
7337
7338   An attacker can use this to craft malformed certificates and CRLs of
7339   various sizes and potentially cause a segmentation fault, resulting in
7340   a DoS on applications that verify certificates or CRLs. TLS clients
7341   that verify CRLs are affected. TLS clients and servers with client
7342   authentication enabled may be affected if they use custom verification
7343   callbacks.
7344
7345   This issue was reported to OpenSSL by Robert Swiecki (Google), and
7346   independently by Hanno Böck.
7347   ([CVE-2015-1789])
7348
7349   *Emilia Käsper*
7350
7351 * PKCS7 crash with missing EnvelopedContent
7352
7353   The PKCS#7 parsing code does not handle missing inner EncryptedContent
7354   correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
7355   with missing content and trigger a NULL pointer dereference on parsing.
7356
7357   Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
7358   structures from untrusted sources are affected. OpenSSL clients and
7359   servers are not affected.
7360
7361   This issue was reported to OpenSSL by Michal Zalewski (Google).
7362   ([CVE-2015-1790])
7363
7364   *Emilia Käsper*
7365
7366 * CMS verify infinite loop with unknown hash function
7367
7368   When verifying a signedData message the CMS code can enter an infinite loop
7369   if presented with an unknown hash function OID. This can be used to perform
7370   denial of service against any system which verifies signedData messages using
7371   the CMS code.
7372   This issue was reported to OpenSSL by Johannes Bauer.
7373   ([CVE-2015-1792])
7374
7375   *Stephen Henson*
7376
7377 * Race condition handling NewSessionTicket
7378
7379   If a NewSessionTicket is received by a multi-threaded client when attempting to
7380   reuse a previous ticket then a race condition can occur potentially leading to
7381   a double free of the ticket data.
7382   ([CVE-2015-1791])
7383
7384   *Matt Caswell*
7385
7386 * Reject DH handshakes with parameters shorter than 768 bits.
7387
7388   *Kurt Roeckx and Emilia Kasper*
7389
7390 * dhparam: generate 2048-bit parameters by default.
7391
7392   *Kurt Roeckx and Emilia Kasper*
7393
7394### Changes between 1.0.1l and 1.0.1m [19 Mar 2015]
7395
7396 * Segmentation fault in ASN1_TYPE_cmp fix
7397
7398   The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
7399   made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
7400   certificate signature algorithm consistency this can be used to crash any
7401   certificate verification operation and exploited in a DoS attack. Any
7402   application which performs certificate verification is vulnerable including
7403   OpenSSL clients and servers which enable client authentication.
7404   ([CVE-2015-0286])
7405
7406   *Stephen Henson*
7407
7408 * ASN.1 structure reuse memory corruption fix
7409
7410   Reusing a structure in ASN.1 parsing may allow an attacker to cause
7411   memory corruption via an invalid write. Such reuse is and has been
7412   strongly discouraged and is believed to be rare.
7413
7414   Applications that parse structures containing CHOICE or ANY DEFINED BY
7415   components may be affected. Certificate parsing (d2i_X509 and related
7416   functions) are however not affected. OpenSSL clients and servers are
7417   not affected.
7418   ([CVE-2015-0287])
7419
7420   *Stephen Henson*
7421
7422 * PKCS7 NULL pointer dereferences fix
7423
7424   The PKCS#7 parsing code does not handle missing outer ContentInfo
7425   correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
7426   missing content and trigger a NULL pointer dereference on parsing.
7427
7428   Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or
7429   otherwise parse PKCS#7 structures from untrusted sources are
7430   affected. OpenSSL clients and servers are not affected.
7431
7432   This issue was reported to OpenSSL by Michal Zalewski (Google).
7433   ([CVE-2015-0289])
7434
7435   *Emilia Käsper*
7436
7437 * DoS via reachable assert in SSLv2 servers fix
7438
7439   A malicious client can trigger an OPENSSL_assert (i.e., an abort) in
7440   servers that both support SSLv2 and enable export cipher suites by sending
7441   a specially crafted SSLv2 CLIENT-MASTER-KEY message.
7442
7443   This issue was discovered by Sean Burford (Google) and Emilia Käsper
7444   (OpenSSL development team).
7445   ([CVE-2015-0293])
7446
7447   *Emilia Käsper*
7448
7449 * Use After Free following d2i_ECPrivatekey error fix
7450
7451   A malformed EC private key file consumed via the d2i_ECPrivateKey function
7452   could cause a use after free condition. This, in turn, could cause a double
7453   free in several private key parsing functions (such as d2i_PrivateKey
7454   or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
7455   for applications that receive EC private keys from untrusted
7456   sources. This scenario is considered rare.
7457
7458   This issue was discovered by the BoringSSL project and fixed in their
7459   commit 517073cd4b.
7460   ([CVE-2015-0209])
7461
7462   *Matt Caswell*
7463
7464 * X509_to_X509_REQ NULL pointer deref fix
7465
7466   The function X509_to_X509_REQ will crash with a NULL pointer dereference if
7467   the certificate key is invalid. This function is rarely used in practice.
7468
7469   This issue was discovered by Brian Carpenter.
7470   ([CVE-2015-0288])
7471
7472   *Stephen Henson*
7473
7474 * Removed the export ciphers from the DEFAULT ciphers
7475
7476   *Kurt Roeckx*
7477
7478### Changes between 1.0.1k and 1.0.1l [15 Jan 2015]
7479
7480 * Build fixes for the Windows and OpenVMS platforms
7481
7482   *Matt Caswell and Richard Levitte*
7483
7484### Changes between 1.0.1j and 1.0.1k [8 Jan 2015]
7485
7486 * Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS
7487   message can cause a segmentation fault in OpenSSL due to a NULL pointer
7488   dereference. This could lead to a Denial Of Service attack. Thanks to
7489   Markus Stenberg of Cisco Systems, Inc. for reporting this issue.
7490   ([CVE-2014-3571])
7491
7492   *Steve Henson*
7493
7494 * Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the
7495   dtls1_buffer_record function under certain conditions. In particular this
7496   could occur if an attacker sent repeated DTLS records with the same
7497   sequence number but for the next epoch. The memory leak could be exploited
7498   by an attacker in a Denial of Service attack through memory exhaustion.
7499   Thanks to Chris Mueller for reporting this issue.
7500   ([CVE-2015-0206])
7501
7502   *Matt Caswell*
7503
7504 * Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
7505   built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
7506   method would be set to NULL which could later result in a NULL pointer
7507   dereference. Thanks to Frank Schmirler for reporting this issue.
7508   ([CVE-2014-3569])
7509
7510   *Kurt Roeckx*
7511
7512 * Abort handshake if server key exchange message is omitted for ephemeral
7513   ECDH ciphersuites.
7514
7515   Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for
7516   reporting this issue.
7517   ([CVE-2014-3572])
7518
7519   *Steve Henson*
7520
7521 * Remove non-export ephemeral RSA code on client and server. This code
7522   violated the TLS standard by allowing the use of temporary RSA keys in
7523   non-export ciphersuites and could be used by a server to effectively
7524   downgrade the RSA key length used to a value smaller than the server
7525   certificate. Thanks for Karthikeyan Bhargavan of the PROSECCO team at
7526   INRIA or reporting this issue.
7527   ([CVE-2015-0204])
7528
7529   *Steve Henson*
7530
7531 * Fixed issue where DH client certificates are accepted without verification.
7532   An OpenSSL server will accept a DH certificate for client authentication
7533   without the certificate verify message. This effectively allows a client to
7534   authenticate without the use of a private key. This only affects servers
7535   which trust a client certificate authority which issues certificates
7536   containing DH keys: these are extremely rare and hardly ever encountered.
7537   Thanks for Karthikeyan Bhargavan of the PROSECCO team at INRIA or reporting
7538   this issue.
7539   ([CVE-2015-0205])
7540
7541   *Steve Henson*
7542
7543 * Ensure that the session ID context of an SSL is updated when its
7544   SSL_CTX is updated via SSL_set_SSL_CTX.
7545
7546   The session ID context is typically set from the parent SSL_CTX,
7547   and can vary with the CTX.
7548
7549   *Adam Langley*
7550
7551 * Fix various certificate fingerprint issues.
7552
7553   By using non-DER or invalid encodings outside the signed portion of a
7554   certificate the fingerprint can be changed without breaking the signature.
7555   Although no details of the signed portion of the certificate can be changed
7556   this can cause problems with some applications: e.g. those using the
7557   certificate fingerprint for blacklists.
7558
7559   1. Reject signatures with non zero unused bits.
7560
7561   If the BIT STRING containing the signature has non zero unused bits reject
7562   the signature. All current signature algorithms require zero unused bits.
7563
7564   2. Check certificate algorithm consistency.
7565
7566   Check the AlgorithmIdentifier inside TBS matches the one in the
7567   certificate signature. NB: this will result in signature failure
7568   errors for some broken certificates.
7569
7570   Thanks to Konrad Kraszewski from Google for reporting this issue.
7571
7572   3. Check DSA/ECDSA signatures use DER.
7573
7574   Re-encode DSA/ECDSA signatures and compare with the original received
7575   signature. Return an error if there is a mismatch.
7576
7577   This will reject various cases including garbage after signature
7578   (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
7579   program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
7580   (negative or with leading zeroes).
7581
7582   Further analysis was conducted and fixes were developed by Stephen Henson
7583   of the OpenSSL core team.
7584
7585   ([CVE-2014-8275])
7586
7587   *Steve Henson*
7588
7589 * Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
7590   results on some platforms, including x86_64. This bug occurs at random
7591   with a very low probability, and is not known to be exploitable in any
7592   way, though its exact impact is difficult to determine. Thanks to Pieter
7593   Wuille (Blockstream) who reported this issue and also suggested an initial
7594   fix. Further analysis was conducted by the OpenSSL development team and
7595   Adam Langley of Google. The final fix was developed by Andy Polyakov of
7596   the OpenSSL core team.
7597   ([CVE-2014-3570])
7598
7599   *Andy Polyakov*
7600
7601 * Do not resume sessions on the server if the negotiated protocol
7602   version does not match the session's version. Resuming with a different
7603   version, while not strictly forbidden by the RFC, is of questionable
7604   sanity and breaks all known clients.
7605
7606   *David Benjamin, Emilia Käsper*
7607
7608 * Tighten handling of the ChangeCipherSpec (CCS) message: reject
7609   early CCS messages during renegotiation. (Note that because
7610   renegotiation is encrypted, this early CCS was not exploitable.)
7611
7612   *Emilia Käsper*
7613
7614 * Tighten client-side session ticket handling during renegotiation:
7615   ensure that the client only accepts a session ticket if the server sends
7616   the extension anew in the ServerHello. Previously, a TLS client would
7617   reuse the old extension state and thus accept a session ticket if one was
7618   announced in the initial ServerHello.
7619
7620   Similarly, ensure that the client requires a session ticket if one
7621   was advertised in the ServerHello. Previously, a TLS client would
7622   ignore a missing NewSessionTicket message.
7623
7624   *Emilia Käsper*
7625
7626### Changes between 1.0.1i and 1.0.1j [15 Oct 2014]
7627
7628 * SRTP Memory Leak.
7629
7630   A flaw in the DTLS SRTP extension parsing code allows an attacker, who
7631   sends a carefully crafted handshake message, to cause OpenSSL to fail
7632   to free up to 64k of memory causing a memory leak. This could be
7633   exploited in a Denial Of Service attack. This issue affects OpenSSL
7634   1.0.1 server implementations for both SSL/TLS and DTLS regardless of
7635   whether SRTP is used or configured. Implementations of OpenSSL that
7636   have been compiled with OPENSSL_NO_SRTP defined are not affected.
7637
7638   The fix was developed by the OpenSSL team.
7639   ([CVE-2014-3513])
7640
7641   *OpenSSL team*
7642
7643 * Session Ticket Memory Leak.
7644
7645   When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
7646   integrity of that ticket is first verified. In the event of a session
7647   ticket integrity check failing, OpenSSL will fail to free memory
7648   causing a memory leak. By sending a large number of invalid session
7649   tickets an attacker could exploit this issue in a Denial Of Service
7650   attack.
7651   ([CVE-2014-3567])
7652
7653   *Steve Henson*
7654
7655 * Build option no-ssl3 is incomplete.
7656
7657   When OpenSSL is configured with "no-ssl3" as a build option, servers
7658   could accept and complete a SSL 3.0 handshake, and clients could be
7659   configured to send them.
7660   ([CVE-2014-3568])
7661
7662   *Akamai and the OpenSSL team*
7663
7664 * Add support for TLS_FALLBACK_SCSV.
7665   Client applications doing fallback retries should call
7666   SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
7667   ([CVE-2014-3566])
7668
7669   *Adam Langley, Bodo Moeller*
7670
7671 * Add additional DigestInfo checks.
7672
7673   Re-encode DigestInto in DER and check against the original when
7674   verifying RSA signature: this will reject any improperly encoded
7675   DigestInfo structures.
7676
7677   Note: this is a precautionary measure and no attacks are currently known.
7678
7679   *Steve Henson*
7680
7681### Changes between 1.0.1h and 1.0.1i [6 Aug 2014]
7682
7683 * Fix SRP buffer overrun vulnerability. Invalid parameters passed to the
7684   SRP code can be overrun an internal buffer. Add sanity check that
7685   g, A, B < N to SRP code.
7686
7687   Thanks to Sean Devlin and Watson Ladd of Cryptography Services, NCC
7688   Group for discovering this issue.
7689   ([CVE-2014-3512])
7690
7691   *Steve Henson*
7692
7693 * A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
7694   TLS 1.0 instead of higher protocol versions when the ClientHello message
7695   is badly fragmented. This allows a man-in-the-middle attacker to force a
7696   downgrade to TLS 1.0 even if both the server and the client support a
7697   higher protocol version, by modifying the client's TLS records.
7698
7699   Thanks to David Benjamin and Adam Langley (Google) for discovering and
7700   researching this issue.
7701   ([CVE-2014-3511])
7702
7703   *David Benjamin*
7704
7705 * OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject
7706   to a denial of service attack. A malicious server can crash the client
7707   with a null pointer dereference (read) by specifying an anonymous (EC)DH
7708   ciphersuite and sending carefully crafted handshake messages.
7709
7710   Thanks to Felix Gröbert (Google) for discovering and researching this
7711   issue.
7712   ([CVE-2014-3510])
7713
7714   *Emilia Käsper*
7715
7716 * By sending carefully crafted DTLS packets an attacker could cause openssl
7717   to leak memory. This can be exploited through a Denial of Service attack.
7718   Thanks to Adam Langley for discovering and researching this issue.
7719   ([CVE-2014-3507])
7720
7721   *Adam Langley*
7722
7723 * An attacker can force openssl to consume large amounts of memory whilst
7724   processing DTLS handshake messages. This can be exploited through a
7725   Denial of Service attack.
7726   Thanks to Adam Langley for discovering and researching this issue.
7727   ([CVE-2014-3506])
7728
7729   *Adam Langley*
7730
7731 * An attacker can force an error condition which causes openssl to crash
7732   whilst processing DTLS packets due to memory being freed twice. This
7733   can be exploited through a Denial of Service attack.
7734   Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
7735   this issue.
7736   ([CVE-2014-3505])
7737
7738   *Adam Langley*
7739
7740 * If a multithreaded client connects to a malicious server using a resumed
7741   session and the server sends an ec point format extension it could write
7742   up to 255 bytes to freed memory.
7743
7744   Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this
7745   issue.
7746   ([CVE-2014-3509])
7747
7748   *Gabor Tyukasz*
7749
7750 * A malicious server can crash an OpenSSL client with a null pointer
7751   dereference (read) by specifying an SRP ciphersuite even though it was not
7752   properly negotiated with the client. This can be exploited through a
7753   Denial of Service attack.
7754
7755   Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for
7756   discovering and researching this issue.
7757   ([CVE-2014-5139])
7758
7759   *Steve Henson*
7760
7761 * A flaw in OBJ_obj2txt may cause pretty printing functions such as
7762   X509_name_oneline, X509_name_print_ex et al. to leak some information
7763   from the stack. Applications may be affected if they echo pretty printing
7764   output to the attacker.
7765
7766   Thanks to Ivan Fratric (Google) for discovering this issue.
7767   ([CVE-2014-3508])
7768
7769   *Emilia Käsper, and Steve Henson*
7770
7771 * Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
7772   for corner cases. (Certain input points at infinity could lead to
7773   bogus results, with non-infinity inputs mapped to infinity too.)
7774
7775   *Bodo Moeller*
7776
7777### Changes between 1.0.1g and 1.0.1h [5 Jun 2014]
7778
7779 * Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
7780   handshake can force the use of weak keying material in OpenSSL
7781   SSL/TLS clients and servers.
7782
7783   Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
7784   researching this issue. ([CVE-2014-0224])
7785
7786   *KIKUCHI Masashi, Steve Henson*
7787
7788 * Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
7789   OpenSSL DTLS client the code can be made to recurse eventually crashing
7790   in a DoS attack.
7791
7792   Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
7793   ([CVE-2014-0221])
7794
7795   *Imre Rad, Steve Henson*
7796
7797 * Fix DTLS invalid fragment vulnerability. A buffer overrun attack can
7798   be triggered by sending invalid DTLS fragments to an OpenSSL DTLS
7799   client or server. This is potentially exploitable to run arbitrary
7800   code on a vulnerable client or server.
7801
7802   Thanks to Jüri Aedla for reporting this issue. ([CVE-2014-0195])
7803
7804   *Jüri Aedla, Steve Henson*
7805
7806 * Fix bug in TLS code where clients enable anonymous ECDH ciphersuites
7807   are subject to a denial of service attack.
7808
7809   Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
7810   this issue. ([CVE-2014-3470])
7811
7812   *Felix Gröbert, Ivan Fratric, Steve Henson*
7813
7814 * Harmonize version and its documentation. -f flag is used to display
7815   compilation flags.
7816
7817   *mancha <mancha1@zoho.com>*
7818
7819 * Fix eckey_priv_encode so it immediately returns an error upon a failure
7820   in i2d_ECPrivateKey.
7821
7822   *mancha <mancha1@zoho.com>*
7823
7824 * Fix some double frees. These are not thought to be exploitable.
7825
7826   *mancha <mancha1@zoho.com>*
7827
7828### Changes between 1.0.1f and 1.0.1g [7 Apr 2014]
7829
7830 * A missing bounds check in the handling of the TLS heartbeat extension
7831   can be used to reveal up to 64k of memory to a connected client or
7832   server.
7833
7834   Thanks for Neel Mehta of Google Security for discovering this bug and to
7835   Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
7836   preparing the fix ([CVE-2014-0160])
7837
7838   *Adam Langley, Bodo Moeller*
7839
7840 * Fix for the attack described in the paper "Recovering OpenSSL
7841   ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
7842   by Yuval Yarom and Naomi Benger. Details can be obtained from:
7843   <http://eprint.iacr.org/2014/140>
7844
7845   Thanks to Yuval Yarom and Naomi Benger for discovering this
7846   flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])
7847
7848   *Yuval Yarom and Naomi Benger*
7849
7850 * TLS pad extension: draft-agl-tls-padding-03
7851
7852   Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the
7853   TLS client Hello record length value would otherwise be > 255 and
7854   less that 512 pad with a dummy extension containing zeroes so it
7855   is at least 512 bytes long.
7856
7857   *Adam Langley, Steve Henson*
7858
7859### Changes between 1.0.1e and 1.0.1f [6 Jan 2014]
7860
7861 * Fix for TLS record tampering bug. A carefully crafted invalid
7862   handshake could crash OpenSSL with a NULL pointer exception.
7863   Thanks to Anton Johansson for reporting this issues.
7864   ([CVE-2013-4353])
7865
7866 * Keep original DTLS digest and encryption contexts in retransmission
7867   structures so we can use the previous session parameters if they need
7868   to be resent. ([CVE-2013-6450])
7869
7870   *Steve Henson*
7871
7872 * Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which
7873   avoids preferring ECDHE-ECDSA ciphers when the client appears to be
7874   Safari on OS X.  Safari on OS X 10.8..10.8.3 advertises support for
7875   several ECDHE-ECDSA ciphers, but fails to negotiate them.  The bug
7876   is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing
7877   10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer.
7878
7879   *Rob Stradling, Adam Langley*
7880
7881### Changes between 1.0.1d and 1.0.1e [11 Feb 2013]
7882
7883 * Correct fix for CVE-2013-0169. The original didn't work on AES-NI
7884   supporting platforms or when small records were transferred.
7885
7886   *Andy Polyakov, Steve Henson*
7887
7888### Changes between 1.0.1c and 1.0.1d [5 Feb 2013]
7889
7890 * Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
7891
7892   This addresses the flaw in CBC record processing discovered by
7893   Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
7894   at: <http://www.isg.rhul.ac.uk/tls/>
7895
7896   Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
7897   Security Group at Royal Holloway, University of London
7898   (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
7899   Emilia Käsper for the initial patch.
7900   ([CVE-2013-0169])
7901
7902   *Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson*
7903
7904 * Fix flaw in AESNI handling of TLS 1.2 and 1.1 records for CBC mode
7905   ciphersuites which can be exploited in a denial of service attack.
7906   Thanks go to and to Adam Langley <agl@chromium.org> for discovering
7907   and detecting this bug and to Wolfgang Ettlinger
7908   <wolfgang.ettlinger@gmail.com> for independently discovering this issue.
7909   ([CVE-2012-2686])
7910
7911   *Adam Langley*
7912
7913 * Return an error when checking OCSP signatures when key is NULL.
7914   This fixes a DoS attack. ([CVE-2013-0166])
7915
7916   *Steve Henson*
7917
7918 * Make openssl verify return errors.
7919
7920   *Chris Palmer <palmer@google.com> and Ben Laurie*
7921
7922 * Call OCSP Stapling callback after ciphersuite has been chosen, so
7923   the right response is stapled. Also change SSL_get_certificate()
7924   so it returns the certificate actually sent.
7925   See <http://rt.openssl.org/Ticket/Display.html?id=2836>.
7926
7927   *Rob Stradling <rob.stradling@comodo.com>*
7928
7929 * Fix possible deadlock when decoding public keys.
7930
7931   *Steve Henson*
7932
7933 * Don't use TLS 1.0 record version number in initial client hello
7934   if renegotiating.
7935
7936   *Steve Henson*
7937
7938### Changes between 1.0.1b and 1.0.1c [10 May 2012]
7939
7940 * Sanity check record length before skipping explicit IV in TLS
7941   1.2, 1.1 and DTLS to fix DoS attack.
7942
7943   Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
7944   fuzzing as a service testing platform.
7945   ([CVE-2012-2333])
7946
7947   *Steve Henson*
7948
7949 * Initialise tkeylen properly when encrypting CMS messages.
7950   Thanks to Solar Designer of Openwall for reporting this issue.
7951
7952   *Steve Henson*
7953
7954 * In FIPS mode don't try to use composite ciphers as they are not
7955   approved.
7956
7957   *Steve Henson*
7958
7959### Changes between 1.0.1a and 1.0.1b [26 Apr 2012]
7960
7961 * OpenSSL 1.0.0 sets SSL_OP_ALL to 0x80000FFFL and OpenSSL 1.0.1 and
7962   1.0.1a set SSL_OP_NO_TLSv1_1 to 0x00000400L which would unfortunately
7963   mean any application compiled against OpenSSL 1.0.0 headers setting
7964   SSL_OP_ALL would also set SSL_OP_NO_TLSv1_1, unintentionally disabling
7965   TLS 1.1 also. Fix this by changing the value of SSL_OP_NO_TLSv1_1 to
7966   0x10000000L Any application which was previously compiled against
7967   OpenSSL 1.0.1 or 1.0.1a headers and which cares about SSL_OP_NO_TLSv1_1
7968   will need to be recompiled as a result. Letting be results in
7969   inability to disable specifically TLS 1.1 and in client context,
7970   in unlike event, limit maximum offered version to TLS 1.0 [see below].
7971
7972   *Steve Henson*
7973
7974 * In order to ensure interoperability SSL_OP_NO_protocolX does not
7975   disable just protocol X, but all protocols above X *if* there are
7976   protocols *below* X still enabled. In more practical terms it means
7977   that if application wants to disable TLS1.0 in favor of TLS1.1 and
7978   above, it's not sufficient to pass `SSL_OP_NO_TLSv1`, one has to pass
7979   `SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2`. This applies to
7980   client side.
7981
7982   *Andy Polyakov*
7983
7984### Changes between 1.0.1 and 1.0.1a [19 Apr 2012]
7985
7986 * Check for potentially exploitable overflows in asn1_d2i_read_bio
7987   BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
7988   in CRYPTO_realloc_clean.
7989
7990   Thanks to Tavis Ormandy, Google Security Team, for discovering this
7991   issue and to Adam Langley <agl@chromium.org> for fixing it.
7992   ([CVE-2012-2110])
7993
7994   *Adam Langley (Google), Tavis Ormandy, Google Security Team*
7995
7996 * Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections.
7997
7998   *Adam Langley*
7999
8000 * Workarounds for some broken servers that "hang" if a client hello
8001   record length exceeds 255 bytes.
8002
8003   1. Do not use record version number > TLS 1.0 in initial client
8004      hello: some (but not all) hanging servers will now work.
8005   2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate
8006      the number of ciphers sent in the client hello. This should be
8007      set to an even number, such as 50, for example by passing:
8008      -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure.
8009      Most broken servers should now work.
8010   3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable
8011      TLS 1.2 client support entirely.
8012
8013   *Steve Henson*
8014
8015 * Fix SEGV in Vector Permutation AES module observed in OpenSSH.
8016
8017   *Andy Polyakov*
8018
8019### Changes between 1.0.0h and 1.0.1  [14 Mar 2012]
8020
8021 * Add compatibility with old MDC2 signatures which use an ASN1 OCTET
8022   STRING form instead of a DigestInfo.
8023
8024   *Steve Henson*
8025
8026 * The format used for MDC2 RSA signatures is inconsistent between EVP
8027   and the RSA_sign/RSA_verify functions. This was made more apparent when
8028   OpenSSL used RSA_sign/RSA_verify for some RSA signatures in particular
8029   those which went through EVP_PKEY_METHOD in 1.0.0 and later. Detect
8030   the correct format in RSA_verify so both forms transparently work.
8031
8032   *Steve Henson*
8033
8034 * Some servers which support TLS 1.0 can choke if we initially indicate
8035   support for TLS 1.2 and later renegotiate using TLS 1.0 in the RSA
8036   encrypted premaster secret. As a workaround use the maximum permitted
8037   client version in client hello, this should keep such servers happy
8038   and still work with previous versions of OpenSSL.
8039
8040   *Steve Henson*
8041
8042 * Add support for TLS/DTLS heartbeats.
8043
8044   *Robin Seggelmann <seggelmann@fh-muenster.de>*
8045
8046 * Add support for SCTP.
8047
8048   *Robin Seggelmann <seggelmann@fh-muenster.de>*
8049
8050 * Improved PRNG seeding for VOS.
8051
8052   *Paul Green <Paul.Green@stratus.com>*
8053
8054 * Extensive assembler packs updates, most notably:
8055
8056   - x86[_64]:     AES-NI, PCLMULQDQ, RDRAND support;
8057   - x86[_64]:     SSSE3 support (SHA1, vector-permutation AES);
8058   - x86_64:       bit-sliced AES implementation;
8059   - ARM:          NEON support, contemporary platforms optimizations;
8060   - s390x:        z196 support;
8061   - `*`:            GHASH and GF(2^m) multiplication implementations;
8062
8063   *Andy Polyakov*
8064
8065 * Make TLS-SRP code conformant with RFC 5054 API cleanup
8066   (removal of unnecessary code)
8067
8068   *Peter Sylvester <peter.sylvester@edelweb.fr>*
8069
8070 * Add TLS key material exporter from RFC 5705.
8071
8072   *Eric Rescorla*
8073
8074 * Add DTLS-SRTP negotiation from RFC 5764.
8075
8076   *Eric Rescorla*
8077
8078 * Add Next Protocol Negotiation,
8079   <http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-00>. Can be
8080   disabled with a no-npn flag to config or Configure. Code donated
8081   by Google.
8082
8083   *Adam Langley <agl@google.com> and Ben Laurie*
8084
8085 * Add optional 64-bit optimized implementations of elliptic curves NIST-P224,
8086   NIST-P256, NIST-P521, with constant-time single point multiplication on
8087   typical inputs. Compiler support for the nonstandard type `__uint128_t` is
8088   required to use this (present in gcc 4.4 and later, for 64-bit builds).
8089   Code made available under Apache License version 2.0.
8090
8091   Specify "enable-ec_nistp_64_gcc_128" on the Configure (or config) command
8092   line to include this in your build of OpenSSL, and run "make depend" (or
8093   "make update"). This enables the following EC_METHODs:
8094
8095           EC_GFp_nistp224_method()
8096           EC_GFp_nistp256_method()
8097           EC_GFp_nistp521_method()
8098
8099   EC_GROUP_new_by_curve_name() will automatically use these (while
8100   EC_GROUP_new_curve_GFp() currently prefers the more flexible
8101   implementations).
8102
8103   *Emilia Käsper, Adam Langley, Bodo Moeller (Google)*
8104
8105 * Use type ossl_ssize_t instead of ssize_t which isn't available on
8106   all platforms. Move ssize_t definition from e_os.h to the public
8107   header file e_os2.h as it now appears in public header file cms.h
8108
8109   *Steve Henson*
8110
8111 * New -sigopt option to the ca, req and x509 utilities. Additional
8112   signature parameters can be passed using this option and in
8113   particular PSS.
8114
8115   *Steve Henson*
8116
8117 * Add RSA PSS signing function. This will generate and set the
8118   appropriate AlgorithmIdentifiers for PSS based on those in the
8119   corresponding EVP_MD_CTX structure. No application support yet.
8120
8121   *Steve Henson*
8122
8123 * Support for companion algorithm specific ASN1 signing routines.
8124   New function ASN1_item_sign_ctx() signs a pre-initialised
8125   EVP_MD_CTX structure and sets AlgorithmIdentifiers based on
8126   the appropriate parameters.
8127
8128   *Steve Henson*
8129
8130 * Add new algorithm specific ASN1 verification initialisation function
8131   to EVP_PKEY_ASN1_METHOD: this is not in EVP_PKEY_METHOD since the ASN1
8132   handling will be the same no matter what EVP_PKEY_METHOD is used.
8133   Add a PSS handler to support verification of PSS signatures: checked
8134   against a number of sample certificates.
8135
8136   *Steve Henson*
8137
8138 * Add signature printing for PSS. Add PSS OIDs.
8139
8140   *Steve Henson, Martin Kaiser <lists@kaiser.cx>*
8141
8142 * Add algorithm specific signature printing. An individual ASN1 method
8143   can now print out signatures instead of the standard hex dump.
8144
8145   More complex signatures (e.g. PSS) can print out more meaningful
8146   information. Include DSA version that prints out the signature
8147   parameters r, s.
8148
8149   *Steve Henson*
8150
8151 * Password based recipient info support for CMS library: implementing
8152   RFC3211.
8153
8154   *Steve Henson*
8155
8156 * Split password based encryption into PBES2 and PBKDF2 functions. This
8157   neatly separates the code into cipher and PBE sections and is required
8158   for some algorithms that split PBES2 into separate pieces (such as
8159   password based CMS).
8160
8161   *Steve Henson*
8162
8163 * Session-handling fixes:
8164   - Fix handling of connections that are resuming with a session ID,
8165     but also support Session Tickets.
8166   - Fix a bug that suppressed issuing of a new ticket if the client
8167     presented a ticket with an expired session.
8168   - Try to set the ticket lifetime hint to something reasonable.
8169   - Make tickets shorter by excluding irrelevant information.
8170   - On the client side, don't ignore renewed tickets.
8171
8172   *Adam Langley, Bodo Moeller (Google)*
8173
8174 * Fix PSK session representation.
8175
8176   *Bodo Moeller*
8177
8178 * Add RC4-MD5 and AESNI-SHA1 "stitched" implementations.
8179
8180   This work was sponsored by Intel.
8181
8182   *Andy Polyakov*
8183
8184 * Add GCM support to TLS library. Some custom code is needed to split
8185   the IV between the fixed (from PRF) and explicit (from TLS record)
8186   portions. This adds all GCM ciphersuites supported by RFC5288 and
8187   RFC5289. Generalise some `AES*` cipherstrings to include GCM and
8188   add a special AESGCM string for GCM only.
8189
8190   *Steve Henson*
8191
8192 * Expand range of ctrls for AES GCM. Permit setting invocation
8193   field on decrypt and retrieval of invocation field only on encrypt.
8194
8195   *Steve Henson*
8196
8197 * Add HMAC ECC ciphersuites from RFC5289. Include SHA384 PRF support.
8198   As required by RFC5289 these ciphersuites cannot be used if for
8199   versions of TLS earlier than 1.2.
8200
8201   *Steve Henson*
8202
8203 * For FIPS capable OpenSSL interpret a NULL default public key method
8204   as unset and return the appropriate default but do *not* set the default.
8205   This means we can return the appropriate method in applications that
8206   switch between FIPS and non-FIPS modes.
8207
8208   *Steve Henson*
8209
8210 * Redirect HMAC and CMAC operations to FIPS module in FIPS mode. If an
8211   ENGINE is used then we cannot handle that in the FIPS module so we
8212   keep original code iff non-FIPS operations are allowed.
8213
8214   *Steve Henson*
8215
8216 * Add -attime option to openssl utilities.
8217
8218   *Peter Eckersley <pde@eff.org>, Ben Laurie and Steve Henson*
8219
8220 * Redirect DSA and DH operations to FIPS module in FIPS mode.
8221
8222   *Steve Henson*
8223
8224 * Redirect ECDSA and ECDH operations to FIPS module in FIPS mode. Also use
8225   FIPS EC methods unconditionally for now.
8226
8227   *Steve Henson*
8228
8229 * New build option no-ec2m to disable characteristic 2 code.
8230
8231   *Steve Henson*
8232
8233 * Backport libcrypto audit of return value checking from 1.1.0-dev; not
8234   all cases can be covered as some introduce binary incompatibilities.
8235
8236   *Steve Henson*
8237
8238 * Redirect RSA operations to FIPS module including keygen,
8239   encrypt, decrypt, sign and verify. Block use of non FIPS RSA methods.
8240
8241   *Steve Henson*
8242
8243 * Add similar low-level API blocking to ciphers.
8244
8245   *Steve Henson*
8246
8247 * low-level digest APIs are not approved in FIPS mode: any attempt
8248   to use these will cause a fatal error. Applications that *really* want
8249   to use them can use the `private_*` version instead.
8250
8251   *Steve Henson*
8252
8253 * Redirect cipher operations to FIPS module for FIPS builds.
8254
8255   *Steve Henson*
8256
8257 * Redirect digest operations to FIPS module for FIPS builds.
8258
8259   *Steve Henson*
8260
8261 * Update build system to add "fips" flag which will link in fipscanister.o
8262   for static and shared library builds embedding a signature if needed.
8263
8264   *Steve Henson*
8265
8266 * Output TLS supported curves in preference order instead of numerical
8267   order. This is currently hardcoded for the highest order curves first.
8268   This should be configurable so applications can judge speed vs strength.
8269
8270   *Steve Henson*
8271
8272 * Add TLS v1.2 server support for client authentication.
8273
8274   *Steve Henson*
8275
8276 * Add support for FIPS mode in ssl library: disable SSLv3, non-FIPS ciphers
8277   and enable MD5.
8278
8279   *Steve Henson*
8280
8281 * Functions FIPS_mode_set() and FIPS_mode() which call the underlying
8282   FIPS modules versions.
8283
8284   *Steve Henson*
8285
8286 * Add TLS v1.2 client side support for client authentication. Keep cache
8287   of handshake records longer as we don't know the hash algorithm to use
8288   until after the certificate request message is received.
8289
8290   *Steve Henson*
8291
8292 * Initial TLS v1.2 client support. Add a default signature algorithms
8293   extension including all the algorithms we support. Parse new signature
8294   format in client key exchange. Relax some ECC signing restrictions for
8295   TLS v1.2 as indicated in RFC5246.
8296
8297   *Steve Henson*
8298
8299 * Add server support for TLS v1.2 signature algorithms extension. Switch
8300   to new signature format when needed using client digest preference.
8301   All server ciphersuites should now work correctly in TLS v1.2. No client
8302   support yet and no support for client certificates.
8303
8304   *Steve Henson*
8305
8306 * Initial TLS v1.2 support. Add new SHA256 digest to ssl code, switch
8307   to SHA256 for PRF when using TLS v1.2 and later. Add new SHA256 based
8308   ciphersuites. At present only RSA key exchange ciphersuites work with
8309   TLS v1.2. Add new option for TLS v1.2 replacing the old and obsolete
8310   SSL_OP_PKCS1_CHECK flags with SSL_OP_NO_TLSv1_2. New TLSv1.2 methods
8311   and version checking.
8312
8313   *Steve Henson*
8314
8315 * New option OPENSSL_NO_SSL_INTERN. If an application can be compiled
8316   with this defined it will not be affected by any changes to ssl internal
8317   structures. Add several utility functions to allow openssl application
8318   to work with OPENSSL_NO_SSL_INTERN defined.
8319
8320   *Steve Henson*
8321
8322 * A long standing patch to add support for SRP from EdelWeb (Peter
8323   Sylvester and Christophe Renou) was integrated.
8324   *Christophe Renou <christophe.renou@edelweb.fr>, Peter Sylvester
8325   <peter.sylvester@edelweb.fr>, Tom Wu <tjw@cs.stanford.edu>, and
8326   Ben Laurie*
8327
8328 * Add functions to copy EVP_PKEY_METHOD and retrieve flags and id.
8329
8330   *Steve Henson*
8331
8332 * Permit abbreviated handshakes when renegotiating using the function
8333   SSL_renegotiate_abbreviated().
8334
8335   *Robin Seggelmann <seggelmann@fh-muenster.de>*
8336
8337 * Add call to ENGINE_register_all_complete() to
8338   ENGINE_load_builtin_engines(), so some implementations get used
8339   automatically instead of needing explicit application support.
8340
8341   *Steve Henson*
8342
8343 * Add support for TLS key exporter as described in RFC5705.
8344
8345   *Robin Seggelmann <seggelmann@fh-muenster.de>, Steve Henson*
8346
8347 * Initial TLSv1.1 support. Since TLSv1.1 is very similar to TLS v1.0 only
8348   a few changes are required:
8349
8350     Add SSL_OP_NO_TLSv1_1 flag.
8351     Add TLSv1_1 methods.
8352     Update version checking logic to handle version 1.1.
8353     Add explicit IV handling (ported from DTLS code).
8354     Add command line options to s_client/s_server.
8355
8356   *Steve Henson*
8357
8358OpenSSL 1.0.0
8359-------------
8360
8361### Changes between 1.0.0s and 1.0.0t [3 Dec 2015]
8362
8363 * X509_ATTRIBUTE memory leak
8364
8365   When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
8366   memory. This structure is used by the PKCS#7 and CMS routines so any
8367   application which reads PKCS#7 or CMS data from untrusted sources is
8368   affected. SSL/TLS is not affected.
8369
8370   This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using
8371   libFuzzer.
8372   ([CVE-2015-3195])
8373
8374   *Stephen Henson*
8375
8376 * Race condition handling PSK identify hint
8377
8378   If PSK identity hints are received by a multi-threaded client then
8379   the values are wrongly updated in the parent SSL_CTX structure. This can
8380   result in a race condition potentially leading to a double free of the
8381   identify hint data.
8382   ([CVE-2015-3196])
8383
8384   *Stephen Henson*
8385
8386### Changes between 1.0.0r and 1.0.0s [11 Jun 2015]
8387
8388 * Malformed ECParameters causes infinite loop
8389
8390   When processing an ECParameters structure OpenSSL enters an infinite loop
8391   if the curve specified is over a specially malformed binary polynomial
8392   field.
8393
8394   This can be used to perform denial of service against any
8395   system which processes public keys, certificate requests or
8396   certificates.  This includes TLS clients and TLS servers with
8397   client authentication enabled.
8398
8399   This issue was reported to OpenSSL by Joseph Barr-Pixton.
8400   ([CVE-2015-1788])
8401
8402   *Andy Polyakov*
8403
8404 * Exploitable out-of-bounds read in X509_cmp_time
8405
8406   X509_cmp_time does not properly check the length of the ASN1_TIME
8407   string and can read a few bytes out of bounds. In addition,
8408   X509_cmp_time accepts an arbitrary number of fractional seconds in the
8409   time string.
8410
8411   An attacker can use this to craft malformed certificates and CRLs of
8412   various sizes and potentially cause a segmentation fault, resulting in
8413   a DoS on applications that verify certificates or CRLs. TLS clients
8414   that verify CRLs are affected. TLS clients and servers with client
8415   authentication enabled may be affected if they use custom verification
8416   callbacks.
8417
8418   This issue was reported to OpenSSL by Robert Swiecki (Google), and
8419   independently by Hanno Böck.
8420   ([CVE-2015-1789])
8421
8422   *Emilia Käsper*
8423
8424 * PKCS7 crash with missing EnvelopedContent
8425
8426   The PKCS#7 parsing code does not handle missing inner EncryptedContent
8427   correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
8428   with missing content and trigger a NULL pointer dereference on parsing.
8429
8430   Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
8431   structures from untrusted sources are affected. OpenSSL clients and
8432   servers are not affected.
8433
8434   This issue was reported to OpenSSL by Michal Zalewski (Google).
8435   ([CVE-2015-1790])
8436
8437   *Emilia Käsper*
8438
8439 * CMS verify infinite loop with unknown hash function
8440
8441   When verifying a signedData message the CMS code can enter an infinite loop
8442   if presented with an unknown hash function OID. This can be used to perform
8443   denial of service against any system which verifies signedData messages using
8444   the CMS code.
8445   This issue was reported to OpenSSL by Johannes Bauer.
8446   ([CVE-2015-1792])
8447
8448   *Stephen Henson*
8449
8450 * Race condition handling NewSessionTicket
8451
8452   If a NewSessionTicket is received by a multi-threaded client when attempting to
8453   reuse a previous ticket then a race condition can occur potentially leading to
8454   a double free of the ticket data.
8455   ([CVE-2015-1791])
8456
8457   *Matt Caswell*
8458
8459### Changes between 1.0.0q and 1.0.0r [19 Mar 2015]
8460
8461 * Segmentation fault in ASN1_TYPE_cmp fix
8462
8463   The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
8464   made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
8465   certificate signature algorithm consistency this can be used to crash any
8466   certificate verification operation and exploited in a DoS attack. Any
8467   application which performs certificate verification is vulnerable including
8468   OpenSSL clients and servers which enable client authentication.
8469   ([CVE-2015-0286])
8470
8471   *Stephen Henson*
8472
8473 * ASN.1 structure reuse memory corruption fix
8474
8475   Reusing a structure in ASN.1 parsing may allow an attacker to cause
8476   memory corruption via an invalid write. Such reuse is and has been
8477   strongly discouraged and is believed to be rare.
8478
8479   Applications that parse structures containing CHOICE or ANY DEFINED BY
8480   components may be affected. Certificate parsing (d2i_X509 and related
8481   functions) are however not affected. OpenSSL clients and servers are
8482   not affected.
8483   ([CVE-2015-0287])
8484
8485   *Stephen Henson*
8486
8487 * PKCS7 NULL pointer dereferences fix
8488
8489   The PKCS#7 parsing code does not handle missing outer ContentInfo
8490   correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
8491   missing content and trigger a NULL pointer dereference on parsing.
8492
8493   Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or
8494   otherwise parse PKCS#7 structures from untrusted sources are
8495   affected. OpenSSL clients and servers are not affected.
8496
8497   This issue was reported to OpenSSL by Michal Zalewski (Google).
8498   ([CVE-2015-0289])
8499
8500   *Emilia Käsper*
8501
8502 * DoS via reachable assert in SSLv2 servers fix
8503
8504   A malicious client can trigger an OPENSSL_assert (i.e., an abort) in
8505   servers that both support SSLv2 and enable export cipher suites by sending
8506   a specially crafted SSLv2 CLIENT-MASTER-KEY message.
8507
8508   This issue was discovered by Sean Burford (Google) and Emilia Käsper
8509   (OpenSSL development team).
8510   ([CVE-2015-0293])
8511
8512   *Emilia Käsper*
8513
8514 * Use After Free following d2i_ECPrivatekey error fix
8515
8516   A malformed EC private key file consumed via the d2i_ECPrivateKey function
8517   could cause a use after free condition. This, in turn, could cause a double
8518   free in several private key parsing functions (such as d2i_PrivateKey
8519   or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
8520   for applications that receive EC private keys from untrusted
8521   sources. This scenario is considered rare.
8522
8523   This issue was discovered by the BoringSSL project and fixed in their
8524   commit 517073cd4b.
8525   ([CVE-2015-0209])
8526
8527   *Matt Caswell*
8528
8529 * X509_to_X509_REQ NULL pointer deref fix
8530
8531   The function X509_to_X509_REQ will crash with a NULL pointer dereference if
8532   the certificate key is invalid. This function is rarely used in practice.
8533
8534   This issue was discovered by Brian Carpenter.
8535   ([CVE-2015-0288])
8536
8537   *Stephen Henson*
8538
8539 * Removed the export ciphers from the DEFAULT ciphers
8540
8541   *Kurt Roeckx*
8542
8543### Changes between 1.0.0p and 1.0.0q [15 Jan 2015]
8544
8545 * Build fixes for the Windows and OpenVMS platforms
8546
8547   *Matt Caswell and Richard Levitte*
8548
8549### Changes between 1.0.0o and 1.0.0p [8 Jan 2015]
8550
8551 * Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS
8552   message can cause a segmentation fault in OpenSSL due to a NULL pointer
8553   dereference. This could lead to a Denial Of Service attack. Thanks to
8554   Markus Stenberg of Cisco Systems, Inc. for reporting this issue.
8555   ([CVE-2014-3571])
8556
8557   *Steve Henson*
8558
8559 * Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the
8560   dtls1_buffer_record function under certain conditions. In particular this
8561   could occur if an attacker sent repeated DTLS records with the same
8562   sequence number but for the next epoch. The memory leak could be exploited
8563   by an attacker in a Denial of Service attack through memory exhaustion.
8564   Thanks to Chris Mueller for reporting this issue.
8565   ([CVE-2015-0206])
8566
8567   *Matt Caswell*
8568
8569 * Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
8570   built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
8571   method would be set to NULL which could later result in a NULL pointer
8572   dereference. Thanks to Frank Schmirler for reporting this issue.
8573   ([CVE-2014-3569])
8574
8575   *Kurt Roeckx*
8576
8577 * Abort handshake if server key exchange message is omitted for ephemeral
8578   ECDH ciphersuites.
8579
8580   Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for
8581   reporting this issue.
8582   ([CVE-2014-3572])
8583
8584   *Steve Henson*
8585
8586 * Remove non-export ephemeral RSA code on client and server. This code
8587   violated the TLS standard by allowing the use of temporary RSA keys in
8588   non-export ciphersuites and could be used by a server to effectively
8589   downgrade the RSA key length used to a value smaller than the server
8590   certificate. Thanks for Karthikeyan Bhargavan of the PROSECCO team at
8591   INRIA or reporting this issue.
8592   ([CVE-2015-0204])
8593
8594   *Steve Henson*
8595
8596 * Fixed issue where DH client certificates are accepted without verification.
8597   An OpenSSL server will accept a DH certificate for client authentication
8598   without the certificate verify message. This effectively allows a client to
8599   authenticate without the use of a private key. This only affects servers
8600   which trust a client certificate authority which issues certificates
8601   containing DH keys: these are extremely rare and hardly ever encountered.
8602   Thanks for Karthikeyan Bhargavan of the PROSECCO team at INRIA or reporting
8603   this issue.
8604   ([CVE-2015-0205])
8605
8606   *Steve Henson*
8607
8608 * Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
8609   results on some platforms, including x86_64. This bug occurs at random
8610   with a very low probability, and is not known to be exploitable in any
8611   way, though its exact impact is difficult to determine. Thanks to Pieter
8612   Wuille (Blockstream) who reported this issue and also suggested an initial
8613   fix. Further analysis was conducted by the OpenSSL development team and
8614   Adam Langley of Google. The final fix was developed by Andy Polyakov of
8615   the OpenSSL core team.
8616   ([CVE-2014-3570])
8617
8618   *Andy Polyakov*
8619
8620 * Fix various certificate fingerprint issues.
8621
8622   By using non-DER or invalid encodings outside the signed portion of a
8623   certificate the fingerprint can be changed without breaking the signature.
8624   Although no details of the signed portion of the certificate can be changed
8625   this can cause problems with some applications: e.g. those using the
8626   certificate fingerprint for blacklists.
8627
8628   1. Reject signatures with non zero unused bits.
8629
8630   If the BIT STRING containing the signature has non zero unused bits reject
8631   the signature. All current signature algorithms require zero unused bits.
8632
8633   2. Check certificate algorithm consistency.
8634
8635   Check the AlgorithmIdentifier inside TBS matches the one in the
8636   certificate signature. NB: this will result in signature failure
8637   errors for some broken certificates.
8638
8639   Thanks to Konrad Kraszewski from Google for reporting this issue.
8640
8641   3. Check DSA/ECDSA signatures use DER.
8642
8643   Reencode DSA/ECDSA signatures and compare with the original received
8644   signature. Return an error if there is a mismatch.
8645
8646   This will reject various cases including garbage after signature
8647   (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
8648   program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
8649   (negative or with leading zeroes).
8650
8651   Further analysis was conducted and fixes were developed by Stephen Henson
8652   of the OpenSSL core team.
8653
8654   ([CVE-2014-8275])
8655
8656   *Steve Henson*
8657
8658### Changes between 1.0.0n and 1.0.0o [15 Oct 2014]
8659
8660 * Session Ticket Memory Leak.
8661
8662   When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
8663   integrity of that ticket is first verified. In the event of a session
8664   ticket integrity check failing, OpenSSL will fail to free memory
8665   causing a memory leak. By sending a large number of invalid session
8666   tickets an attacker could exploit this issue in a Denial Of Service
8667   attack.
8668   ([CVE-2014-3567])
8669
8670   *Steve Henson*
8671
8672 * Build option no-ssl3 is incomplete.
8673
8674   When OpenSSL is configured with "no-ssl3" as a build option, servers
8675   could accept and complete a SSL 3.0 handshake, and clients could be
8676   configured to send them.
8677   ([CVE-2014-3568])
8678
8679   *Akamai and the OpenSSL team*
8680
8681 * Add support for TLS_FALLBACK_SCSV.
8682   Client applications doing fallback retries should call
8683   SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
8684   ([CVE-2014-3566])
8685
8686   *Adam Langley, Bodo Moeller*
8687
8688 * Add additional DigestInfo checks.
8689
8690   Reencode DigestInto in DER and check against the original when
8691   verifying RSA signature: this will reject any improperly encoded
8692   DigestInfo structures.
8693
8694   Note: this is a precautionary measure and no attacks are currently known.
8695
8696   *Steve Henson*
8697
8698### Changes between 1.0.0m and 1.0.0n [6 Aug 2014]
8699
8700 * OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject
8701   to a denial of service attack. A malicious server can crash the client
8702   with a null pointer dereference (read) by specifying an anonymous (EC)DH
8703   ciphersuite and sending carefully crafted handshake messages.
8704
8705   Thanks to Felix Gröbert (Google) for discovering and researching this
8706   issue.
8707   ([CVE-2014-3510])
8708
8709   *Emilia Käsper*
8710
8711 * By sending carefully crafted DTLS packets an attacker could cause openssl
8712   to leak memory. This can be exploited through a Denial of Service attack.
8713   Thanks to Adam Langley for discovering and researching this issue.
8714   ([CVE-2014-3507])
8715
8716   *Adam Langley*
8717
8718 * An attacker can force openssl to consume large amounts of memory whilst
8719   processing DTLS handshake messages. This can be exploited through a
8720   Denial of Service attack.
8721   Thanks to Adam Langley for discovering and researching this issue.
8722   ([CVE-2014-3506])
8723
8724   *Adam Langley*
8725
8726 * An attacker can force an error condition which causes openssl to crash
8727   whilst processing DTLS packets due to memory being freed twice. This
8728   can be exploited through a Denial of Service attack.
8729   Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
8730   this issue.
8731   ([CVE-2014-3505])
8732
8733   *Adam Langley*
8734
8735 * If a multithreaded client connects to a malicious server using a resumed
8736   session and the server sends an ec point format extension it could write
8737   up to 255 bytes to freed memory.
8738
8739   Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this
8740   issue.
8741   ([CVE-2014-3509])
8742
8743   *Gabor Tyukasz*
8744
8745 * A flaw in OBJ_obj2txt may cause pretty printing functions such as
8746   X509_name_oneline, X509_name_print_ex et al. to leak some information
8747   from the stack. Applications may be affected if they echo pretty printing
8748   output to the attacker.
8749
8750   Thanks to Ivan Fratric (Google) for discovering this issue.
8751   ([CVE-2014-3508])
8752
8753   *Emilia Käsper, and Steve Henson*
8754
8755 * Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
8756   for corner cases. (Certain input points at infinity could lead to
8757   bogus results, with non-infinity inputs mapped to infinity too.)
8758
8759   *Bodo Moeller*
8760
8761### Changes between 1.0.0l and 1.0.0m [5 Jun 2014]
8762
8763 * Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
8764   handshake can force the use of weak keying material in OpenSSL
8765   SSL/TLS clients and servers.
8766
8767   Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
8768   researching this issue. ([CVE-2014-0224])
8769
8770   *KIKUCHI Masashi, Steve Henson*
8771
8772 * Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
8773   OpenSSL DTLS client the code can be made to recurse eventually crashing
8774   in a DoS attack.
8775
8776   Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
8777   ([CVE-2014-0221])
8778
8779   *Imre Rad, Steve Henson*
8780
8781 * Fix DTLS invalid fragment vulnerability. A buffer overrun attack can
8782   be triggered by sending invalid DTLS fragments to an OpenSSL DTLS
8783   client or server. This is potentially exploitable to run arbitrary
8784   code on a vulnerable client or server.
8785
8786   Thanks to Jüri Aedla for reporting this issue. ([CVE-2014-0195])
8787
8788   *Jüri Aedla, Steve Henson*
8789
8790 * Fix bug in TLS code where clients enable anonymous ECDH ciphersuites
8791   are subject to a denial of service attack.
8792
8793   Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
8794   this issue. ([CVE-2014-3470])
8795
8796   *Felix Gröbert, Ivan Fratric, Steve Henson*
8797
8798 * Harmonize version and its documentation. -f flag is used to display
8799   compilation flags.
8800
8801   *mancha <mancha1@zoho.com>*
8802
8803 * Fix eckey_priv_encode so it immediately returns an error upon a failure
8804   in i2d_ECPrivateKey.
8805
8806   *mancha <mancha1@zoho.com>*
8807
8808 * Fix some double frees. These are not thought to be exploitable.
8809
8810   *mancha <mancha1@zoho.com>*
8811
8812 * Fix for the attack described in the paper "Recovering OpenSSL
8813   ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
8814   by Yuval Yarom and Naomi Benger. Details can be obtained from:
8815   <http://eprint.iacr.org/2014/140>
8816
8817   Thanks to Yuval Yarom and Naomi Benger for discovering this
8818   flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])
8819
8820   *Yuval Yarom and Naomi Benger*
8821
8822### Changes between 1.0.0k and 1.0.0l [6 Jan 2014]
8823
8824 * Keep original DTLS digest and encryption contexts in retransmission
8825   structures so we can use the previous session parameters if they need
8826   to be resent. ([CVE-2013-6450])
8827
8828   *Steve Henson*
8829
8830 * Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which
8831   avoids preferring ECDHE-ECDSA ciphers when the client appears to be
8832   Safari on OS X.  Safari on OS X 10.8..10.8.3 advertises support for
8833   several ECDHE-ECDSA ciphers, but fails to negotiate them.  The bug
8834   is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing
8835   10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer.
8836
8837   *Rob Stradling, Adam Langley*
8838
8839### Changes between 1.0.0j and 1.0.0k [5 Feb 2013]
8840
8841 * Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
8842
8843   This addresses the flaw in CBC record processing discovered by
8844   Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
8845   at: <http://www.isg.rhul.ac.uk/tls/>
8846
8847   Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
8848   Security Group at Royal Holloway, University of London
8849   (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
8850   Emilia Käsper for the initial patch.
8851   ([CVE-2013-0169])
8852
8853   *Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson*
8854
8855 * Return an error when checking OCSP signatures when key is NULL.
8856   This fixes a DoS attack. ([CVE-2013-0166])
8857
8858   *Steve Henson*
8859
8860 * Call OCSP Stapling callback after ciphersuite has been chosen, so
8861   the right response is stapled. Also change SSL_get_certificate()
8862   so it returns the certificate actually sent.
8863   See <http://rt.openssl.org/Ticket/Display.html?id=2836>.
8864   (This is a backport)
8865
8866   *Rob Stradling <rob.stradling@comodo.com>*
8867
8868 * Fix possible deadlock when decoding public keys.
8869
8870   *Steve Henson*
8871
8872### Changes between 1.0.0i and 1.0.0j [10 May 2012]
8873
8874[NB: OpenSSL 1.0.0i and later 1.0.0 patch levels were released after
8875OpenSSL 1.0.1.]
8876
8877 * Sanity check record length before skipping explicit IV in DTLS
8878   to fix DoS attack.
8879
8880   Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
8881   fuzzing as a service testing platform.
8882   ([CVE-2012-2333])
8883
8884   *Steve Henson*
8885
8886 * Initialise tkeylen properly when encrypting CMS messages.
8887   Thanks to Solar Designer of Openwall for reporting this issue.
8888
8889   *Steve Henson*
8890
8891### Changes between 1.0.0h and 1.0.0i [19 Apr 2012]
8892
8893 * Check for potentially exploitable overflows in asn1_d2i_read_bio
8894   BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
8895   in CRYPTO_realloc_clean.
8896
8897   Thanks to Tavis Ormandy, Google Security Team, for discovering this
8898   issue and to Adam Langley <agl@chromium.org> for fixing it.
8899   ([CVE-2012-2110])
8900
8901   *Adam Langley (Google), Tavis Ormandy, Google Security Team*
8902
8903### Changes between 1.0.0g and 1.0.0h [12 Mar 2012]
8904
8905 * Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness
8906   in CMS and PKCS7 code. When RSA decryption fails use a random key for
8907   content decryption and always return the same error. Note: this attack
8908   needs on average 2^20 messages so it only affects automated senders. The
8909   old behaviour can be re-enabled in the CMS code by setting the
8910   CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where
8911   an MMA defence is not necessary.
8912   Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering
8913   this issue. ([CVE-2012-0884])
8914
8915   *Steve Henson*
8916
8917 * Fix CVE-2011-4619: make sure we really are receiving a
8918   client hello before rejecting multiple SGC restarts. Thanks to
8919   Ivan Nestlerode <inestlerode@us.ibm.com> for discovering this bug.
8920
8921   *Steve Henson*
8922
8923### Changes between 1.0.0f and 1.0.0g [18 Jan 2012]
8924
8925 * Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
8926   Thanks to Antonio Martin, Enterprise Secure Access Research and
8927   Development, Cisco Systems, Inc. for discovering this bug and
8928   preparing a fix. ([CVE-2012-0050])
8929
8930   *Antonio Martin*
8931
8932### Changes between 1.0.0e and 1.0.0f [4 Jan 2012]
8933
8934 * Nadhem Alfardan and Kenny Paterson have discovered an extension
8935   of the Vaudenay padding oracle attack on CBC mode encryption
8936   which enables an efficient plaintext recovery attack against
8937   the OpenSSL implementation of DTLS. Their attack exploits timing
8938   differences arising during decryption processing. A research
8939   paper describing this attack can be found at:
8940   <http://www.isg.rhul.ac.uk/~kp/dtls.pdf>
8941   Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
8942   Security Group at Royal Holloway, University of London
8943   (www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann
8944   <seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de>
8945   for preparing the fix. ([CVE-2011-4108])
8946
8947   *Robin Seggelmann, Michael Tuexen*
8948
8949 * Clear bytes used for block padding of SSL 3.0 records.
8950   ([CVE-2011-4576])
8951
8952   *Adam Langley (Google)*
8953
8954 * Only allow one SGC handshake restart for SSL/TLS. Thanks to George
8955   Kadianakis <desnacked@gmail.com> for discovering this issue and
8956   Adam Langley for preparing the fix. ([CVE-2011-4619])
8957
8958   *Adam Langley (Google)*
8959
8960 * Check parameters are not NULL in GOST ENGINE. ([CVE-2012-0027])
8961
8962   *Andrey Kulikov <amdeich@gmail.com>*
8963
8964 * Prevent malformed RFC3779 data triggering an assertion failure.
8965   Thanks to Andrew Chi, BBN Technologies, for discovering the flaw
8966   and Rob Austein <sra@hactrn.net> for fixing it. ([CVE-2011-4577])
8967
8968   *Rob Austein <sra@hactrn.net>*
8969
8970 * Improved PRNG seeding for VOS.
8971
8972   *Paul Green <Paul.Green@stratus.com>*
8973
8974 * Fix ssl_ciph.c set-up race.
8975
8976   *Adam Langley (Google)*
8977
8978 * Fix spurious failures in ecdsatest.c.
8979
8980   *Emilia Käsper (Google)*
8981
8982 * Fix the BIO_f_buffer() implementation (which was mixing different
8983   interpretations of the `..._len` fields).
8984
8985   *Adam Langley (Google)*
8986
8987 * Fix handling of BN_BLINDING: now BN_BLINDING_invert_ex (rather than
8988   BN_BLINDING_invert_ex) calls BN_BLINDING_update, ensuring that concurrent
8989   threads won't reuse the same blinding coefficients.
8990
8991   This also avoids the need to obtain the CRYPTO_LOCK_RSA_BLINDING
8992   lock to call BN_BLINDING_invert_ex, and avoids one use of
8993   BN_BLINDING_update for each BN_BLINDING structure (previously,
8994   the last update always remained unused).
8995
8996   *Emilia Käsper (Google)*
8997
8998 * In ssl3_clear, preserve s3->init_extra along with s3->rbuf.
8999
9000   *Bob Buckholz (Google)*
9001
9002### Changes between 1.0.0d and 1.0.0e [6 Sep 2011]
9003
9004 * Fix bug where CRLs with nextUpdate in the past are sometimes accepted
9005   by initialising X509_STORE_CTX properly. ([CVE-2011-3207])
9006
9007   *Kaspar Brand <ossl@velox.ch>*
9008
9009 * Fix SSL memory handling for (EC)DH ciphersuites, in particular
9010   for multi-threaded use of ECDH. ([CVE-2011-3210])
9011
9012   *Adam Langley (Google)*
9013
9014 * Fix x509_name_ex_d2i memory leak on bad inputs.
9015
9016   *Bodo Moeller*
9017
9018 * Remove hard coded ecdsaWithSHA1 signature tests in ssl code and check
9019   signature public key algorithm by using OID xref utilities instead.
9020   Before this you could only use some ECC ciphersuites with SHA1 only.
9021
9022   *Steve Henson*
9023
9024 * Add protection against ECDSA timing attacks as mentioned in the paper
9025   by Billy Bob Brumley and Nicola Tuveri, see:
9026   <http://eprint.iacr.org/2011/232.pdf>
9027
9028   *Billy Bob Brumley and Nicola Tuveri*
9029
9030### Changes between 1.0.0c and 1.0.0d [8 Feb 2011]
9031
9032 * Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014
9033
9034   *Neel Mehta, Adam Langley, Bodo Moeller (Google)*
9035
9036 * Fix bug in string printing code: if *any* escaping is enabled we must
9037   escape the escape character (backslash) or the resulting string is
9038   ambiguous.
9039
9040   *Steve Henson*
9041
9042### Changes between 1.0.0b and 1.0.0c  [2 Dec 2010]
9043
9044 * Disable code workaround for ancient and obsolete Netscape browsers
9045   and servers: an attacker can use it in a ciphersuite downgrade attack.
9046   Thanks to Martin Rex for discovering this bug. CVE-2010-4180
9047
9048   *Steve Henson*
9049
9050 * Fixed J-PAKE implementation error, originally discovered by
9051   Sebastien Martini, further info and confirmation from Stefan
9052   Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252
9053
9054   *Ben Laurie*
9055
9056### Changes between 1.0.0a and 1.0.0b  [16 Nov 2010]
9057
9058 * Fix extension code to avoid race conditions which can result in a buffer
9059   overrun vulnerability: resumed sessions must not be modified as they can
9060   be shared by multiple threads. CVE-2010-3864
9061
9062   *Steve Henson*
9063
9064 * Fix WIN32 build system to correctly link an ENGINE directory into
9065   a DLL.
9066
9067   *Steve Henson*
9068
9069### Changes between 1.0.0 and 1.0.0a  [01 Jun 2010]
9070
9071 * Check return value of int_rsa_verify in pkey_rsa_verifyrecover
9072   ([CVE-2010-1633])
9073
9074   *Steve Henson, Peter-Michael Hager <hager@dortmund.net>*
9075
9076### Changes between 0.9.8n and 1.0.0  [29 Mar 2010]
9077
9078 * Add "missing" function EVP_CIPHER_CTX_copy(). This copies a cipher
9079   context. The operation can be customised via the ctrl mechanism in
9080   case ENGINEs want to include additional functionality.
9081
9082   *Steve Henson*
9083
9084 * Tolerate yet another broken PKCS#8 key format: private key value negative.
9085
9086   *Steve Henson*
9087
9088 * Add new -subject_hash_old and -issuer_hash_old options to x509 utility to
9089   output hashes compatible with older versions of OpenSSL.
9090
9091   *Willy Weisz <weisz@vcpc.univie.ac.at>*
9092
9093 * Fix compression algorithm handling: if resuming a session use the
9094   compression algorithm of the resumed session instead of determining
9095   it from client hello again. Don't allow server to change algorithm.
9096
9097   *Steve Henson*
9098
9099 * Add load_crls() function to commands tidying load_certs() too. Add option
9100   to verify utility to allow additional CRLs to be included.
9101
9102   *Steve Henson*
9103
9104 * Update OCSP request code to permit adding custom headers to the request:
9105   some responders need this.
9106
9107   *Steve Henson*
9108
9109 * The function EVP_PKEY_sign() returns <=0 on error: check return code
9110   correctly.
9111
9112   *Julia Lawall <julia@diku.dk>*
9113
9114 * Update verify callback code in `apps/s_cb.c` and `apps/verify.c`, it
9115   needlessly dereferenced structures, used obsolete functions and
9116   didn't handle all updated verify codes correctly.
9117
9118   *Steve Henson*
9119
9120 * Disable MD2 in the default configuration.
9121
9122   *Steve Henson*
9123
9124 * In BIO_pop() and BIO_push() use the ctrl argument (which was NULL) to
9125   indicate the initial BIO being pushed or popped. This makes it possible
9126   to determine whether the BIO is the one explicitly called or as a result
9127   of the ctrl being passed down the chain. Fix BIO_pop() and SSL BIOs so
9128   it handles reference counts correctly and doesn't zero out the I/O bio
9129   when it is not being explicitly popped. WARNING: applications which
9130   included workarounds for the old buggy behaviour will need to be modified
9131   or they could free up already freed BIOs.
9132
9133   *Steve Henson*
9134
9135 * Extend the uni2asc/asc2uni => OPENSSL_uni2asc/OPENSSL_asc2uni
9136   renaming to all platforms (within the 0.9.8 branch, this was
9137   done conditionally on Netware platforms to avoid a name clash).
9138
9139   *Guenter <lists@gknw.net>*
9140
9141 * Add ECDHE and PSK support to DTLS.
9142
9143   *Michael Tuexen <tuexen@fh-muenster.de>*
9144
9145 * Add CHECKED_STACK_OF macro to safestack.h, otherwise safestack can't
9146   be used on C++.
9147
9148   *Steve Henson*
9149
9150 * Add "missing" function EVP_MD_flags() (without this the only way to
9151   retrieve a digest flags is by accessing the structure directly. Update
9152   `EVP_MD_do_all*()` and `EVP_CIPHER_do_all*()` to include the name a digest
9153   or cipher is registered as in the "from" argument. Print out all
9154   registered digests in the dgst usage message instead of manually
9155   attempting to work them out.
9156
9157   *Steve Henson*
9158
9159 * If no SSLv2 ciphers are used don't use an SSLv2 compatible client hello:
9160   this allows the use of compression and extensions. Change default cipher
9161   string to remove SSLv2 ciphersuites. This effectively avoids ancient SSLv2
9162   by default unless an application cipher string requests it.
9163
9164   *Steve Henson*
9165
9166 * Alter match criteria in PKCS12_parse(). It used to try to use local
9167   key ids to find matching certificates and keys but some PKCS#12 files
9168   don't follow the (somewhat unwritten) rules and this strategy fails.
9169   Now just gather all certificates together and the first private key
9170   then look for the first certificate that matches the key.
9171
9172   *Steve Henson*
9173
9174 * Support use of registered digest and cipher names for dgst and cipher
9175   commands instead of having to add each one as a special case. So now
9176   you can do:
9177
9178           openssl sha256 foo
9179
9180   as well as:
9181
9182           openssl dgst -sha256 foo
9183
9184   and this works for ENGINE based algorithms too.
9185
9186   *Steve Henson*
9187
9188 * Update Gost ENGINE to support parameter files.
9189
9190   *Victor B. Wagner <vitus@cryptocom.ru>*
9191
9192 * Support GeneralizedTime in ca utility.
9193
9194   *Oliver Martin <oliver@volatilevoid.net>, Steve Henson*
9195
9196 * Enhance the hash format used for certificate directory links. The new
9197   form uses the canonical encoding (meaning equivalent names will work
9198   even if they aren't identical) and uses SHA1 instead of MD5. This form
9199   is incompatible with the older format and as a result c_rehash should
9200   be used to rebuild symbolic links.
9201
9202   *Steve Henson*
9203
9204 * Make PKCS#8 the default write format for private keys, replacing the
9205   traditional format. This form is standardised, more secure and doesn't
9206   include an implicit MD5 dependency.
9207
9208   *Steve Henson*
9209
9210 * Add a $gcc_devteam_warn option to Configure. The idea is that any code
9211   committed to OpenSSL should pass this lot as a minimum.
9212
9213   *Steve Henson*
9214
9215 * Add session ticket override functionality for use by EAP-FAST.
9216
9217   *Jouni Malinen <j@w1.fi>*
9218
9219 * Modify HMAC functions to return a value. Since these can be implemented
9220   in an ENGINE errors can occur.
9221
9222   *Steve Henson*
9223
9224 * Type-checked OBJ_bsearch_ex.
9225
9226   *Ben Laurie*
9227
9228 * Type-checked OBJ_bsearch. Also some constification necessitated
9229   by type-checking.  Still to come: TXT_DB, bsearch(?),
9230   OBJ_bsearch_ex, qsort, CRYPTO_EX_DATA, ASN1_VALUE, ASN1_STRING,
9231   CONF_VALUE.
9232
9233   *Ben Laurie*
9234
9235 * New function OPENSSL_gmtime_adj() to add a specific number of days and
9236   seconds to a tm structure directly, instead of going through OS
9237   specific date routines. This avoids any issues with OS routines such
9238   as the year 2038 bug. New `*_adj()` functions for ASN1 time structures
9239   and X509_time_adj_ex() to cover the extended range. The existing
9240   X509_time_adj() is still usable and will no longer have any date issues.
9241
9242   *Steve Henson*
9243
9244 * Delta CRL support. New use deltas option which will attempt to locate
9245   and search any appropriate delta CRLs available.
9246
9247   This work was sponsored by Google.
9248
9249   *Steve Henson*
9250
9251 * Support for CRLs partitioned by reason code. Reorganise CRL processing
9252   code and add additional score elements. Validate alternate CRL paths
9253   as part of the CRL checking and indicate a new error "CRL path validation
9254   error" in this case. Applications wanting additional details can use
9255   the verify callback and check the new "parent" field. If this is not
9256   NULL CRL path validation is taking place. Existing applications won't
9257   see this because it requires extended CRL support which is off by
9258   default.
9259
9260   This work was sponsored by Google.
9261
9262   *Steve Henson*
9263
9264 * Support for freshest CRL extension.
9265
9266   This work was sponsored by Google.
9267
9268   *Steve Henson*
9269
9270 * Initial indirect CRL support. Currently only supported in the CRLs
9271   passed directly and not via lookup. Process certificate issuer
9272   CRL entry extension and lookup CRL entries by bother issuer name
9273   and serial number. Check and process CRL issuer entry in IDP extension.
9274
9275   This work was sponsored by Google.
9276
9277   *Steve Henson*
9278
9279 * Add support for distinct certificate and CRL paths. The CRL issuer
9280   certificate is validated separately in this case. Only enabled if
9281   an extended CRL support flag is set: this flag will enable additional
9282   CRL functionality in future.
9283
9284   This work was sponsored by Google.
9285
9286   *Steve Henson*
9287
9288 * Add support for policy mappings extension.
9289
9290   This work was sponsored by Google.
9291
9292   *Steve Henson*
9293
9294 * Fixes to pathlength constraint, self issued certificate handling,
9295   policy processing to align with RFC3280 and PKITS tests.
9296
9297   This work was sponsored by Google.
9298
9299   *Steve Henson*
9300
9301 * Support for name constraints certificate extension. DN, email, DNS
9302   and URI types are currently supported.
9303
9304   This work was sponsored by Google.
9305
9306   *Steve Henson*
9307
9308 * To cater for systems that provide a pointer-based thread ID rather
9309   than numeric, deprecate the current numeric thread ID mechanism and
9310   replace it with a structure and associated callback type. This
9311   mechanism allows a numeric "hash" to be extracted from a thread ID in
9312   either case, and on platforms where pointers are larger than 'long',
9313   mixing is done to help ensure the numeric 'hash' is usable even if it
9314   can't be guaranteed unique. The default mechanism is to use "&errno"
9315   as a pointer-based thread ID to distinguish between threads.
9316
9317   Applications that want to provide their own thread IDs should now use
9318   CRYPTO_THREADID_set_callback() to register a callback that will call
9319   either CRYPTO_THREADID_set_numeric() or CRYPTO_THREADID_set_pointer().
9320
9321   Note that ERR_remove_state() is now deprecated, because it is tied
9322   to the assumption that thread IDs are numeric.  ERR_remove_state(0)
9323   to free the current thread's error state should be replaced by
9324   ERR_remove_thread_state(NULL).
9325
9326   (This new approach replaces the functions CRYPTO_set_idptr_callback(),
9327   CRYPTO_get_idptr_callback(), and CRYPTO_thread_idptr() that existed in
9328   OpenSSL 0.9.9-dev between June 2006 and August 2008. Also, if an
9329   application was previously providing a numeric thread callback that
9330   was inappropriate for distinguishing threads, then uniqueness might
9331   have been obtained with &errno that happened immediately in the
9332   intermediate development versions of OpenSSL; this is no longer the
9333   case, the numeric thread callback will now override the automatic use
9334   of &errno.)
9335
9336   *Geoff Thorpe, with help from Bodo Moeller*
9337
9338 * Initial support for different CRL issuing certificates. This covers a
9339   simple case where the self issued certificates in the chain exist and
9340   the real CRL issuer is higher in the existing chain.
9341
9342   This work was sponsored by Google.
9343
9344   *Steve Henson*
9345
9346 * Removed effectively defunct crypto/store from the build.
9347
9348   *Ben Laurie*
9349
9350 * Revamp of STACK to provide stronger type-checking. Still to come:
9351   TXT_DB, bsearch(?), OBJ_bsearch, qsort, CRYPTO_EX_DATA, ASN1_VALUE,
9352   ASN1_STRING, CONF_VALUE.
9353
9354   *Ben Laurie*
9355
9356 * Add a new SSL_MODE_RELEASE_BUFFERS mode flag to release unused buffer
9357   RAM on SSL connections.  This option can save about 34k per idle SSL.
9358
9359   *Nick Mathewson*
9360
9361 * Revamp of LHASH to provide stronger type-checking. Still to come:
9362   STACK, TXT_DB, bsearch, qsort.
9363
9364   *Ben Laurie*
9365
9366 * Initial support for Cryptographic Message Syntax (aka CMS) based
9367   on RFC3850, RFC3851 and RFC3852. New cms directory and cms utility,
9368   support for data, signedData, compressedData, digestedData and
9369   encryptedData, envelopedData types included. Scripts to check against
9370   RFC4134 examples draft and interop and consistency checks of many
9371   content types and variants.
9372
9373   *Steve Henson*
9374
9375 * Add options to enc utility to support use of zlib compression BIO.
9376
9377   *Steve Henson*
9378
9379 * Extend mk1mf to support importing of options and assembly language
9380   files from Configure script, currently only included in VC-WIN32.
9381   The assembly language rules can now optionally generate the source
9382   files from the associated perl scripts.
9383
9384   *Steve Henson*
9385
9386 * Implement remaining functionality needed to support GOST ciphersuites.
9387   Interop testing has been performed using CryptoPro implementations.
9388
9389   *Victor B. Wagner <vitus@cryptocom.ru>*
9390
9391 * s390x assembler pack.
9392
9393   *Andy Polyakov*
9394
9395 * ARMv4 assembler pack. ARMv4 refers to v4 and later ISA, not CPU
9396   "family."
9397
9398   *Andy Polyakov*
9399
9400 * Implement Opaque PRF Input TLS extension as specified in
9401   draft-rescorla-tls-opaque-prf-input-00.txt.  Since this is not an
9402   official specification yet and no extension type assignment by
9403   IANA exists, this extension (for now) will have to be explicitly
9404   enabled when building OpenSSL by providing the extension number
9405   to use.  For example, specify an option
9406
9407           -DTLSEXT_TYPE_opaque_prf_input=0x9527
9408
9409   to the "config" or "Configure" script to enable the extension,
9410   assuming extension number 0x9527 (which is a completely arbitrary
9411   and unofficial assignment based on the MD5 hash of the Internet
9412   Draft).  Note that by doing so, you potentially lose
9413   interoperability with other TLS implementations since these might
9414   be using the same extension number for other purposes.
9415
9416   SSL_set_tlsext_opaque_prf_input(ssl, src, len) is used to set the
9417   opaque PRF input value to use in the handshake.  This will create
9418   an internal copy of the length-'len' string at 'src', and will
9419   return non-zero for success.
9420
9421   To get more control and flexibility, provide a callback function
9422   by using
9423
9424           SSL_CTX_set_tlsext_opaque_prf_input_callback(ctx, cb)
9425           SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(ctx, arg)
9426
9427   where
9428
9429           int (*cb)(SSL *, void *peerinput, size_t len, void *arg);
9430           void *arg;
9431
9432   Callback function 'cb' will be called in handshakes, and is
9433   expected to use SSL_set_tlsext_opaque_prf_input() as appropriate.
9434   Argument 'arg' is for application purposes (the value as given to
9435   SSL_CTX_set_tlsext_opaque_prf_input_callback_arg() will directly
9436   be provided to the callback function).  The callback function
9437   has to return non-zero to report success: usually 1 to use opaque
9438   PRF input just if possible, or 2 to enforce use of the opaque PRF
9439   input.  In the latter case, the library will abort the handshake
9440   if opaque PRF input is not successfully negotiated.
9441
9442   Arguments 'peerinput' and 'len' given to the callback function
9443   will always be NULL and 0 in the case of a client.  A server will
9444   see the client's opaque PRF input through these variables if
9445   available (NULL and 0 otherwise).  Note that if the server
9446   provides an opaque PRF input, the length must be the same as the
9447   length of the client's opaque PRF input.
9448
9449   Note that the callback function will only be called when creating
9450   a new session (session resumption can resume whatever was
9451   previously negotiated), and will not be called in SSL 2.0
9452   handshakes; thus, SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) or
9453   SSL_set_options(ssl, SSL_OP_NO_SSLv2) is especially recommended
9454   for applications that need to enforce opaque PRF input.
9455
9456   *Bodo Moeller*
9457
9458 * Update ssl code to support digests other than SHA1+MD5 for handshake
9459   MAC.
9460
9461   *Victor B. Wagner <vitus@cryptocom.ru>*
9462
9463 * Add RFC4507 support to OpenSSL. This includes the corrections in
9464   RFC4507bis. The encrypted ticket format is an encrypted encoded
9465   SSL_SESSION structure, that way new session features are automatically
9466   supported.
9467
9468   If a client application caches session in an SSL_SESSION structure
9469   support is transparent because tickets are now stored in the encoded
9470   SSL_SESSION.
9471
9472   The SSL_CTX structure automatically generates keys for ticket
9473   protection in servers so again support should be possible
9474   with no application modification.
9475
9476   If a client or server wishes to disable RFC4507 support then the option
9477   SSL_OP_NO_TICKET can be set.
9478
9479   Add a TLS extension debugging callback to allow the contents of any client
9480   or server extensions to be examined.
9481
9482   This work was sponsored by Google.
9483
9484   *Steve Henson*
9485
9486 * Final changes to avoid use of pointer pointer casts in OpenSSL.
9487   OpenSSL should now compile cleanly on gcc 4.2
9488
9489   *Peter Hartley <pdh@utter.chaos.org.uk>, Steve Henson*
9490
9491 * Update SSL library to use new EVP_PKEY MAC API. Include generic MAC
9492   support including streaming MAC support: this is required for GOST
9493   ciphersuite support.
9494
9495   *Victor B. Wagner <vitus@cryptocom.ru>, Steve Henson*
9496
9497 * Add option -stream to use PKCS#7 streaming in smime utility. New
9498   function i2d_PKCS7_bio_stream() and PEM_write_PKCS7_bio_stream()
9499   to output in BER and PEM format.
9500
9501   *Steve Henson*
9502
9503 * Experimental support for use of HMAC via EVP_PKEY interface. This
9504   allows HMAC to be handled via the `EVP_DigestSign*()` interface. The
9505   EVP_PKEY "key" in this case is the HMAC key, potentially allowing
9506   ENGINE support for HMAC keys which are unextractable. New -mac and
9507   -macopt options to dgst utility.
9508
9509   *Steve Henson*
9510
9511 * New option -sigopt to dgst utility. Update dgst to use
9512   `EVP_Digest{Sign,Verify}*`. These two changes make it possible to use
9513   alternative signing parameters such as X9.31 or PSS in the dgst
9514   utility.
9515
9516   *Steve Henson*
9517
9518 * Change ssl_cipher_apply_rule(), the internal function that does
9519   the work each time a ciphersuite string requests enabling
9520   ("foo+bar"), moving ("+foo+bar"), disabling ("-foo+bar", or
9521   removing ("!foo+bar") a class of ciphersuites: Now it maintains
9522   the order of disabled ciphersuites such that those ciphersuites
9523   that most recently went from enabled to disabled not only stay
9524   in order with respect to each other, but also have higher priority
9525   than other disabled ciphersuites the next time ciphersuites are
9526   enabled again.
9527
9528   This means that you can now say, e.g., "PSK:-PSK:HIGH" to enable
9529   the same ciphersuites as with "HIGH" alone, but in a specific
9530   order where the PSK ciphersuites come first (since they are the
9531   most recently disabled ciphersuites when "HIGH" is parsed).
9532
9533   Also, change ssl_create_cipher_list() (using this new
9534   functionality) such that between otherwise identical
9535   ciphersuites, ephemeral ECDH is preferred over ephemeral DH in
9536   the default order.
9537
9538   *Bodo Moeller*
9539
9540 * Change ssl_create_cipher_list() so that it automatically
9541   arranges the ciphersuites in reasonable order before starting
9542   to process the rule string.  Thus, the definition for "DEFAULT"
9543   (SSL_DEFAULT_CIPHER_LIST) now is just "ALL:!aNULL:!eNULL", but
9544   remains equivalent to `"AES:ALL:!aNULL:!eNULL:+aECDH:+kRSA:+RC4:@STRENGTH"`.
9545   This makes it much easier to arrive at a reasonable default order
9546   in applications for which anonymous ciphers are OK (meaning
9547   that you can't actually use DEFAULT).
9548
9549   *Bodo Moeller; suggested by Victor Duchovni*
9550
9551 * Split the SSL/TLS algorithm mask (as used for ciphersuite string
9552   processing) into multiple integers instead of setting
9553   "SSL_MKEY_MASK" bits, "SSL_AUTH_MASK" bits, "SSL_ENC_MASK",
9554   "SSL_MAC_MASK", and "SSL_SSL_MASK" bits all in a single integer.
9555   (These masks as well as the individual bit definitions are hidden
9556   away into the non-exported interface ssl/ssl_locl.h, so this
9557   change to the definition of the SSL_CIPHER structure shouldn't
9558   affect applications.)  This give us more bits for each of these
9559   categories, so there is no longer a need to coagulate AES128 and
9560   AES256 into a single algorithm bit, and to coagulate Camellia128
9561   and Camellia256 into a single algorithm bit, which has led to all
9562   kinds of kludges.
9563
9564   Thus, among other things, the kludge introduced in 0.9.7m and
9565   0.9.8e for masking out AES256 independently of AES128 or masking
9566   out Camellia256 independently of AES256 is not needed here in 0.9.9.
9567
9568   With the change, we also introduce new ciphersuite aliases that
9569   so far were missing: "AES128", "AES256", "CAMELLIA128", and
9570   "CAMELLIA256".
9571
9572   *Bodo Moeller*
9573
9574 * Add support for dsa-with-SHA224 and dsa-with-SHA256.
9575   Use the leftmost N bytes of the signature input if the input is
9576   larger than the prime q (with N being the size in bytes of q).
9577
9578   *Nils Larsch*
9579
9580 * Very *very* experimental PKCS#7 streaming encoder support. Nothing uses
9581   it yet and it is largely untested.
9582
9583   *Steve Henson*
9584
9585 * Add support for the ecdsa-with-SHA224/256/384/512 signature types.
9586
9587   *Nils Larsch*
9588
9589 * Initial incomplete changes to avoid need for function casts in OpenSSL
9590   some compilers (gcc 4.2 and later) reject their use. Safestack is
9591   reimplemented.  Update ASN1 to avoid use of legacy functions.
9592
9593   *Steve Henson*
9594
9595 * Win32/64 targets are linked with Winsock2.
9596
9597   *Andy Polyakov*
9598
9599 * Add an X509_CRL_METHOD structure to allow CRL processing to be redirected
9600   to external functions. This can be used to increase CRL handling
9601   efficiency especially when CRLs are very large by (for example) storing
9602   the CRL revoked certificates in a database.
9603
9604   *Steve Henson*
9605
9606 * Overhaul of by_dir code. Add support for dynamic loading of CRLs so
9607   new CRLs added to a directory can be used. New command line option
9608   -verify_return_error to s_client and s_server. This causes real errors
9609   to be returned by the verify callback instead of carrying on no matter
9610   what. This reflects the way a "real world" verify callback would behave.
9611
9612   *Steve Henson*
9613
9614 * GOST engine, supporting several GOST algorithms and public key formats.
9615   Kindly donated by Cryptocom.
9616
9617   *Cryptocom*
9618
9619 * Partial support for Issuing Distribution Point CRL extension. CRLs
9620   partitioned by DP are handled but no indirect CRL or reason partitioning
9621   (yet). Complete overhaul of CRL handling: now the most suitable CRL is
9622   selected via a scoring technique which handles IDP and AKID in CRLs.
9623
9624   *Steve Henson*
9625
9626 * New X509_STORE_CTX callbacks lookup_crls() and lookup_certs() which
9627   will ultimately be used for all verify operations: this will remove the
9628   X509_STORE dependency on certificate verification and allow alternative
9629   lookup methods.  X509_STORE based implementations of these two callbacks.
9630
9631   *Steve Henson*
9632
9633 * Allow multiple CRLs to exist in an X509_STORE with matching issuer names.
9634   Modify get_crl() to find a valid (unexpired) CRL if possible.
9635
9636   *Steve Henson*
9637
9638 * New function X509_CRL_match() to check if two CRLs are identical. Normally
9639   this would be called X509_CRL_cmp() but that name is already used by
9640   a function that just compares CRL issuer names. Cache several CRL
9641   extensions in X509_CRL structure and cache CRLDP in X509.
9642
9643   *Steve Henson*
9644
9645 * Store a "canonical" representation of X509_NAME structure (ASN1 Name)
9646   this maps equivalent X509_NAME structures into a consistent structure.
9647   Name comparison can then be performed rapidly using memcmp().
9648
9649   *Steve Henson*
9650
9651 * Non-blocking OCSP request processing. Add -timeout option to ocsp
9652   utility.
9653
9654   *Steve Henson*
9655
9656 * Allow digests to supply their own micalg string for S/MIME type using
9657   the ctrl EVP_MD_CTRL_MICALG.
9658
9659   *Steve Henson*
9660
9661 * During PKCS7 signing pass the PKCS7 SignerInfo structure to the
9662   EVP_PKEY_METHOD before and after signing via the EVP_PKEY_CTRL_PKCS7_SIGN
9663   ctrl. It can then customise the structure before and/or after signing
9664   if necessary.
9665
9666   *Steve Henson*
9667
9668 * New function OBJ_add_sigid() to allow application defined signature OIDs
9669   to be added to OpenSSLs internal tables. New function OBJ_sigid_free()
9670   to free up any added signature OIDs.
9671
9672   *Steve Henson*
9673
9674 * New functions EVP_CIPHER_do_all(), EVP_CIPHER_do_all_sorted(),
9675   EVP_MD_do_all() and EVP_MD_do_all_sorted() to enumerate internal
9676   digest and cipher tables. New options added to openssl utility:
9677   list-message-digest-algorithms and list-cipher-algorithms.
9678
9679   *Steve Henson*
9680
9681 * Change the array representation of binary polynomials: the list
9682   of degrees of non-zero coefficients is now terminated with -1.
9683   Previously it was terminated with 0, which was also part of the
9684   value; thus, the array representation was not applicable to
9685   polynomials where t^0 has coefficient zero.  This change makes
9686   the array representation useful in a more general context.
9687
9688   *Douglas Stebila*
9689
9690 * Various modifications and fixes to SSL/TLS cipher string
9691   handling.  For ECC, the code now distinguishes between fixed ECDH
9692   with RSA certificates on the one hand and with ECDSA certificates
9693   on the other hand, since these are separate ciphersuites.  The
9694   unused code for Fortezza ciphersuites has been removed.
9695
9696   For consistency with EDH, ephemeral ECDH is now called "EECDH"
9697   (not "ECDHE").  For consistency with the code for DH
9698   certificates, use of ECDH certificates is now considered ECDH
9699   authentication, not RSA or ECDSA authentication (the latter is
9700   merely the CA's signing algorithm and not actively used in the
9701   protocol).
9702
9703   The temporary ciphersuite alias "ECCdraft" is no longer
9704   available, and ECC ciphersuites are no longer excluded from "ALL"
9705   and "DEFAULT".  The following aliases now exist for RFC 4492
9706   ciphersuites, most of these by analogy with the DH case:
9707
9708           kECDHr   - ECDH cert, signed with RSA
9709           kECDHe   - ECDH cert, signed with ECDSA
9710           kECDH    - ECDH cert (signed with either RSA or ECDSA)
9711           kEECDH   - ephemeral ECDH
9712           ECDH     - ECDH cert or ephemeral ECDH
9713
9714           aECDH    - ECDH cert
9715           aECDSA   - ECDSA cert
9716           ECDSA    - ECDSA cert
9717
9718           AECDH    - anonymous ECDH
9719           EECDH    - non-anonymous ephemeral ECDH (equivalent to "kEECDH:-AECDH")
9720
9721   *Bodo Moeller*
9722
9723 * Add additional S/MIME capabilities for AES and GOST ciphers if supported.
9724   Use correct micalg parameters depending on digest(s) in signed message.
9725
9726   *Steve Henson*
9727
9728 * Add engine support for EVP_PKEY_ASN1_METHOD. Add functions to process
9729   an ENGINE asn1 method. Support ENGINE lookups in the ASN1 code.
9730
9731   *Steve Henson*
9732
9733 * Initial engine support for EVP_PKEY_METHOD. New functions to permit
9734   an engine to register a method. Add ENGINE lookups for methods and
9735   functional reference processing.
9736
9737   *Steve Henson*
9738
9739 * New functions `EVP_Digest{Sign,Verify)*`. These are enhanced versions of
9740   `EVP_{Sign,Verify}*` which allow an application to customise the signature
9741   process.
9742
9743   *Steve Henson*
9744
9745 * New -resign option to smime utility. This adds one or more signers
9746   to an existing PKCS#7 signedData structure. Also -md option to use an
9747   alternative message digest algorithm for signing.
9748
9749   *Steve Henson*
9750
9751 * Tidy up PKCS#7 routines and add new functions to make it easier to
9752   create PKCS7 structures containing multiple signers. Update smime
9753   application to support multiple signers.
9754
9755   *Steve Henson*
9756
9757 * New -macalg option to pkcs12 utility to allow setting of an alternative
9758   digest MAC.
9759
9760   *Steve Henson*
9761
9762 * Initial support for PKCS#5 v2.0 PRFs other than default SHA1 HMAC.
9763   Reorganize PBE internals to lookup from a static table using NIDs,
9764   add support for HMAC PBE OID translation. Add a EVP_CIPHER ctrl:
9765   EVP_CTRL_PBE_PRF_NID this allows a cipher to specify an alternative
9766   PRF which will be automatically used with PBES2.
9767
9768   *Steve Henson*
9769
9770 * Replace the algorithm specific calls to generate keys in "req" with the
9771   new API.
9772
9773   *Steve Henson*
9774
9775 * Update PKCS#7 enveloped data routines to use new API. This is now
9776   supported by any public key method supporting the encrypt operation. A
9777   ctrl is added to allow the public key algorithm to examine or modify
9778   the PKCS#7 RecipientInfo structure if it needs to: for RSA this is
9779   a no op.
9780
9781   *Steve Henson*
9782
9783 * Add a ctrl to asn1 method to allow a public key algorithm to express
9784   a default digest type to use. In most cases this will be SHA1 but some
9785   algorithms (such as GOST) need to specify an alternative digest. The
9786   return value indicates how strong the preference is 1 means optional and
9787   2 is mandatory (that is it is the only supported type). Modify
9788   ASN1_item_sign() to accept a NULL digest argument to indicate it should
9789   use the default md. Update openssl utilities to use the default digest
9790   type for signing if it is not explicitly indicated.
9791
9792   *Steve Henson*
9793
9794 * Use OID cross reference table in ASN1_sign() and ASN1_verify(). New
9795   EVP_MD flag EVP_MD_FLAG_PKEY_METHOD_SIGNATURE. This uses the relevant
9796   signing method from the key type. This effectively removes the link
9797   between digests and public key types.
9798
9799   *Steve Henson*
9800
9801 * Add an OID cross reference table and utility functions. Its purpose is to
9802   translate between signature OIDs such as SHA1WithrsaEncryption and SHA1,
9803   rsaEncryption. This will allow some of the algorithm specific hackery
9804   needed to use the correct OID to be removed.
9805
9806   *Steve Henson*
9807
9808 * Remove algorithm specific dependencies when setting PKCS7_SIGNER_INFO
9809   structures for PKCS7_sign(). They are now set up by the relevant public
9810   key ASN1 method.
9811
9812   *Steve Henson*
9813
9814 * Add provisional EC pkey method with support for ECDSA and ECDH.
9815
9816   *Steve Henson*
9817
9818 * Add support for key derivation (agreement) in the API, DH method and
9819   pkeyutl.
9820
9821   *Steve Henson*
9822
9823 * Add DSA pkey method and DH pkey methods, extend DH ASN1 method to support
9824   public and private key formats. As a side effect these add additional
9825   command line functionality not previously available: DSA signatures can be
9826   generated and verified using pkeyutl and DH key support and generation in
9827   pkey, genpkey.
9828
9829   *Steve Henson*
9830
9831 * BeOS support.
9832
9833   *Oliver Tappe <zooey@hirschkaefer.de>*
9834
9835 * New make target "install_html_docs" installs HTML renditions of the
9836   manual pages.
9837
9838   *Oliver Tappe <zooey@hirschkaefer.de>*
9839
9840 * New utility "genpkey" this is analogous to "genrsa" etc except it can
9841   generate keys for any algorithm. Extend and update EVP_PKEY_METHOD to
9842   support key and parameter generation and add initial key generation
9843   functionality for RSA.
9844
9845   *Steve Henson*
9846
9847 * Add functions for main EVP_PKEY_method operations. The undocumented
9848   functions `EVP_PKEY_{encrypt,decrypt}` have been renamed to
9849   `EVP_PKEY_{encrypt,decrypt}_old`.
9850
9851   *Steve Henson*
9852
9853 * Initial definitions for EVP_PKEY_METHOD. This will be a high level public
9854   key API, doesn't do much yet.
9855
9856   *Steve Henson*
9857
9858 * New function EVP_PKEY_asn1_get0_info() to retrieve information about
9859   public key algorithms. New option to openssl utility:
9860   "list-public-key-algorithms" to print out info.
9861
9862   *Steve Henson*
9863
9864 * Implement the Supported Elliptic Curves Extension for
9865   ECC ciphersuites from draft-ietf-tls-ecc-12.txt.
9866
9867   *Douglas Stebila*
9868
9869 * Don't free up OIDs in OBJ_cleanup() if they are in use by EVP_MD or
9870   EVP_CIPHER structures to avoid later problems in EVP_cleanup().
9871
9872   *Steve Henson*
9873
9874 * New utilities pkey and pkeyparam. These are similar to algorithm specific
9875   utilities such as rsa, dsa, dsaparam etc except they process any key
9876   type.
9877
9878   *Steve Henson*
9879
9880 * Transfer public key printing routines to EVP_PKEY_ASN1_METHOD. New
9881   functions EVP_PKEY_print_public(), EVP_PKEY_print_private(),
9882   EVP_PKEY_print_param() to print public key data from an EVP_PKEY
9883   structure.
9884
9885   *Steve Henson*
9886
9887 * Initial support for pluggable public key ASN1.
9888   De-spaghettify the public key ASN1 handling. Move public and private
9889   key ASN1 handling to a new EVP_PKEY_ASN1_METHOD structure. Relocate
9890   algorithm specific handling to a single module within the relevant
9891   algorithm directory. Add functions to allow (near) opaque processing
9892   of public and private key structures.
9893
9894   *Steve Henson*
9895
9896 * Implement the Supported Point Formats Extension for
9897   ECC ciphersuites from draft-ietf-tls-ecc-12.txt.
9898
9899   *Douglas Stebila*
9900
9901 * Add initial support for RFC 4279 PSK TLS ciphersuites. Add members
9902   for the psk identity [hint] and the psk callback functions to the
9903   SSL_SESSION, SSL and SSL_CTX structure.
9904
9905   New ciphersuites:
9906           PSK-RC4-SHA, PSK-3DES-EDE-CBC-SHA, PSK-AES128-CBC-SHA,
9907           PSK-AES256-CBC-SHA
9908
9909   New functions:
9910           SSL_CTX_use_psk_identity_hint
9911           SSL_get_psk_identity_hint
9912           SSL_get_psk_identity
9913           SSL_use_psk_identity_hint
9914
9915   *Mika Kousa and Pasi Eronen of Nokia Corporation*
9916
9917 * Add RFC 3161 compliant time stamp request creation, response generation
9918   and response verification functionality.
9919
9920   *Zoltán Glózik <zglozik@opentsa.org>, The OpenTSA Project*
9921
9922 * Add initial support for TLS extensions, specifically for the server_name
9923   extension so far.  The SSL_SESSION, SSL_CTX, and SSL data structures now
9924   have new members for a host name.  The SSL data structure has an
9925   additional member `SSL_CTX *initial_ctx` so that new sessions can be
9926   stored in that context to allow for session resumption, even after the
9927   SSL has been switched to a new SSL_CTX in reaction to a client's
9928   server_name extension.
9929
9930   New functions (subject to change):
9931
9932           SSL_get_servername()
9933           SSL_get_servername_type()
9934           SSL_set_SSL_CTX()
9935
9936   New CTRL codes and macros (subject to change):
9937
9938           SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
9939                               - SSL_CTX_set_tlsext_servername_callback()
9940           SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG
9941                                    - SSL_CTX_set_tlsext_servername_arg()
9942           SSL_CTRL_SET_TLSEXT_HOSTNAME           - SSL_set_tlsext_host_name()
9943
9944   openssl s_client has a new '-servername ...' option.
9945
9946   openssl s_server has new options '-servername_host ...', '-cert2 ...',
9947   '-key2 ...', '-servername_fatal' (subject to change).  This allows
9948   testing the HostName extension for a specific single host name ('-cert'
9949   and '-key' remain fallbacks for handshakes without HostName
9950   negotiation).  If the unrecognized_name alert has to be sent, this by
9951   default is a warning; it becomes fatal with the '-servername_fatal'
9952   option.
9953
9954   *Peter Sylvester,  Remy Allais, Christophe Renou*
9955
9956 * Whirlpool hash implementation is added.
9957
9958   *Andy Polyakov*
9959
9960 * BIGNUM code on 64-bit SPARCv9 targets is switched from bn(64,64) to
9961   bn(64,32). Because of instruction set limitations it doesn't have
9962   any negative impact on performance. This was done mostly in order
9963   to make it possible to share assembler modules, such as bn_mul_mont
9964   implementations, between 32- and 64-bit builds without hassle.
9965
9966   *Andy Polyakov*
9967
9968 * Move code previously exiled into file crypto/ec/ec2_smpt.c
9969   to ec2_smpl.c, and no longer require the OPENSSL_EC_BIN_PT_COMP
9970   macro.
9971
9972   *Bodo Moeller*
9973
9974 * New candidate for BIGNUM assembler implementation, bn_mul_mont,
9975   dedicated Montgomery multiplication procedure, is introduced.
9976   BN_MONT_CTX is modified to allow bn_mul_mont to reach for higher
9977   "64-bit" performance on certain 32-bit targets.
9978
9979   *Andy Polyakov*
9980
9981 * New option SSL_OP_NO_COMP to disable use of compression selectively
9982   in SSL structures. New SSL ctrl to set maximum send fragment size.
9983   Save memory by setting the I/O buffer sizes dynamically instead of
9984   using the maximum available value.
9985
9986   *Steve Henson*
9987
9988 * New option -V for 'openssl ciphers'. This prints the ciphersuite code
9989   in addition to the text details.
9990
9991   *Bodo Moeller*
9992
9993 * Very, very preliminary EXPERIMENTAL support for printing of general
9994   ASN1 structures. This currently produces rather ugly output and doesn't
9995   handle several customised structures at all.
9996
9997   *Steve Henson*
9998
9999 * Integrated support for PVK file format and some related formats such
10000   as MS PUBLICKEYBLOB and PRIVATEKEYBLOB. Command line switches to support
10001   these in the 'rsa' and 'dsa' utilities.
10002
10003   *Steve Henson*
10004
10005 * Support for PKCS#1 RSAPublicKey format on rsa utility command line.
10006
10007   *Steve Henson*
10008
10009 * Remove the ancient ASN1_METHOD code. This was only ever used in one
10010   place for the (very old) "NETSCAPE" format certificates which are now
10011   handled using new ASN1 code equivalents.
10012
10013   *Steve Henson*
10014
10015 * Let the TLSv1_method() etc. functions return a 'const' SSL_METHOD
10016   pointer and make the SSL_METHOD parameter in SSL_CTX_new,
10017   SSL_CTX_set_ssl_version and SSL_set_ssl_method 'const'.
10018
10019   *Nils Larsch*
10020
10021 * Modify CRL distribution points extension code to print out previously
10022   unsupported fields. Enhance extension setting code to allow setting of
10023   all fields.
10024
10025   *Steve Henson*
10026
10027 * Add print and set support for Issuing Distribution Point CRL extension.
10028
10029   *Steve Henson*
10030
10031 * Change 'Configure' script to enable Camellia by default.
10032
10033   *NTT*
10034
10035OpenSSL 0.9.x
10036-------------
10037
10038### Changes between 0.9.8m and 0.9.8n [24 Mar 2010]
10039
10040 * When rejecting SSL/TLS records due to an incorrect version number, never
10041   update s->server with a new major version number.  As of
10042   - OpenSSL 0.9.8m if 'short' is a 16-bit type,
10043   - OpenSSL 0.9.8f if 'short' is longer than 16 bits,
10044   the previous behavior could result in a read attempt at NULL when
10045   receiving specific incorrect SSL/TLS records once record payload
10046   protection is active.  ([CVE-2010-0740])
10047
10048   *Bodo Moeller, Adam Langley <agl@chromium.org>*
10049
10050 * Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL
10051   could be crashed if the relevant tables were not present (e.g. chrooted).
10052
10053   *Tomas Hoger <thoger@redhat.com>*
10054
10055### Changes between 0.9.8l and 0.9.8m [25 Feb 2010]
10056
10057 * Always check bn_wexpand() return values for failure.  ([CVE-2009-3245])
10058
10059   *Martin Olsson, Neel Mehta*
10060
10061 * Fix X509_STORE locking: Every 'objs' access requires a lock (to
10062   accommodate for stack sorting, always a write lock!).
10063
10064   *Bodo Moeller*
10065
10066 * On some versions of WIN32 Heap32Next is very slow. This can cause
10067   excessive delays in the RAND_poll(): over a minute. As a workaround
10068   include a time check in the inner Heap32Next loop too.
10069
10070   *Steve Henson*
10071
10072 * The code that handled flushing of data in SSL/TLS originally used the
10073   BIO_CTRL_INFO ctrl to see if any data was pending first. This caused
10074   the problem outlined in PR#1949. The fix suggested there however can
10075   trigger problems with buggy BIO_CTRL_WPENDING (e.g. some versions
10076   of Apache). So instead simplify the code to flush unconditionally.
10077   This should be fine since flushing with no data to flush is a no op.
10078
10079   *Steve Henson*
10080
10081 * Handle TLS versions 2.0 and later properly and correctly use the
10082   highest version of TLS/SSL supported. Although TLS >= 2.0 is some way
10083   off ancient servers have a habit of sticking around for a while...
10084
10085   *Steve Henson*
10086
10087 * Modify compression code so it frees up structures without using the
10088   ex_data callbacks. This works around a problem where some applications
10089   call CRYPTO_cleanup_all_ex_data() before application exit (e.g. when
10090   restarting) then use compression (e.g. SSL with compression) later.
10091   This results in significant per-connection memory leaks and
10092   has caused some security issues including CVE-2008-1678 and
10093   CVE-2009-4355.
10094
10095   *Steve Henson*
10096
10097 * Constify crypto/cast (i.e., <openssl/cast.h>): a CAST_KEY doesn't
10098   change when encrypting or decrypting.
10099
10100   *Bodo Moeller*
10101
10102 * Add option SSL_OP_LEGACY_SERVER_CONNECT which will allow clients to
10103   connect and renegotiate with servers which do not support RI.
10104   Until RI is more widely deployed this option is enabled by default.
10105
10106   *Steve Henson*
10107
10108 * Add "missing" ssl ctrls to clear options and mode.
10109
10110   *Steve Henson*
10111
10112 * If client attempts to renegotiate and doesn't support RI respond with
10113   a no_renegotiation alert as required by RFC5746.  Some renegotiating
10114   TLS clients will continue a connection gracefully when they receive
10115   the alert. Unfortunately OpenSSL mishandled this alert and would hang
10116   waiting for a server hello which it will never receive. Now we treat a
10117   received no_renegotiation alert as a fatal error. This is because
10118   applications requesting a renegotiation might well expect it to succeed
10119   and would have no code in place to handle the server denying it so the
10120   only safe thing to do is to terminate the connection.
10121
10122   *Steve Henson*
10123
10124 * Add ctrl macro SSL_get_secure_renegotiation_support() which returns 1 if
10125   peer supports secure renegotiation and 0 otherwise. Print out peer
10126   renegotiation support in s_client/s_server.
10127
10128   *Steve Henson*
10129
10130 * Replace the highly broken and deprecated SPKAC certification method with
10131   the updated NID creation version. This should correctly handle UTF8.
10132
10133   *Steve Henson*
10134
10135 * Implement RFC5746. Re-enable renegotiation but require the extension
10136   as needed. Unfortunately, SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
10137   turns out to be a bad idea. It has been replaced by
10138   SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which can be set with
10139   SSL_CTX_set_options(). This is really not recommended unless you
10140   know what you are doing.
10141
10142   *Eric Rescorla <ekr@networkresonance.com>, Ben Laurie, Steve Henson*
10143
10144 * Fixes to stateless session resumption handling. Use initial_ctx when
10145   issuing and attempting to decrypt tickets in case it has changed during
10146   servername handling. Use a non-zero length session ID when attempting
10147   stateless session resumption: this makes it possible to determine if
10148   a resumption has occurred immediately after receiving server hello
10149   (several places in OpenSSL subtly assume this) instead of later in
10150   the handshake.
10151
10152   *Steve Henson*
10153
10154 * The functions ENGINE_ctrl(), OPENSSL_isservice(),
10155   CMS_get1_RecipientRequest() and RAND_bytes() can return <=0 on error
10156   fixes for a few places where the return code is not checked
10157   correctly.
10158
10159   *Julia Lawall <julia@diku.dk>*
10160
10161 * Add --strict-warnings option to Configure script to include devteam
10162   warnings in other configurations.
10163
10164   *Steve Henson*
10165
10166 * Add support for --libdir option and LIBDIR variable in makefiles. This
10167   makes it possible to install openssl libraries in locations which
10168   have names other than "lib", for example "/usr/lib64" which some
10169   systems need.
10170
10171   *Steve Henson, based on patch from Jeremy Utley*
10172
10173 * Don't allow the use of leading 0x80 in OIDs. This is a violation of
10174   X690 8.9.12 and can produce some misleading textual output of OIDs.
10175
10176   *Steve Henson, reported by Dan Kaminsky*
10177
10178 * Delete MD2 from algorithm tables. This follows the recommendation in
10179   several standards that it is not used in new applications due to
10180   several cryptographic weaknesses. For binary compatibility reasons
10181   the MD2 API is still compiled in by default.
10182
10183   *Steve Henson*
10184
10185 * Add compression id to {d2i,i2d}_SSL_SESSION so it is correctly saved
10186   and restored.
10187
10188   *Steve Henson*
10189
10190 * Rename uni2asc and asc2uni functions to OPENSSL_uni2asc and
10191   OPENSSL_asc2uni conditionally on Netware platforms to avoid a name
10192   clash.
10193
10194   *Guenter <lists@gknw.net>*
10195
10196 * Fix the server certificate chain building code to use X509_verify_cert(),
10197   it used to have an ad-hoc builder which was unable to cope with anything
10198   other than a simple chain.
10199
10200   *David Woodhouse <dwmw2@infradead.org>, Steve Henson*
10201
10202 * Don't check self signed certificate signatures in X509_verify_cert()
10203   by default (a flag can override this): it just wastes time without
10204   adding any security. As a useful side effect self signed root CAs
10205   with non-FIPS digests are now usable in FIPS mode.
10206
10207   *Steve Henson*
10208
10209 * In dtls1_process_out_of_seq_message() the check if the current message
10210   is already buffered was missing. For every new message was memory
10211   allocated, allowing an attacker to perform an denial of service attack
10212   with sending out of seq handshake messages until there is no memory
10213   left. Additionally every future message was buffered, even if the
10214   sequence number made no sense and would be part of another handshake.
10215   So only messages with sequence numbers less than 10 in advance will be
10216   buffered.  ([CVE-2009-1378])
10217
10218   *Robin Seggelmann, discovered by Daniel Mentz*
10219
10220 * Records are buffered if they arrive with a future epoch to be
10221   processed after finishing the corresponding handshake. There is
10222   currently no limitation to this buffer allowing an attacker to perform
10223   a DOS attack with sending records with future epochs until there is no
10224   memory left. This patch adds the pqueue_size() function to determine
10225   the size of a buffer and limits the record buffer to 100 entries.
10226   ([CVE-2009-1377])
10227
10228   *Robin Seggelmann, discovered by Daniel Mentz*
10229
10230 * Keep a copy of frag->msg_header.frag_len so it can be used after the
10231   parent structure is freed.  ([CVE-2009-1379])
10232
10233   *Daniel Mentz*
10234
10235 * Handle non-blocking I/O properly in SSL_shutdown() call.
10236
10237   *Darryl Miles <darryl-mailinglists@netbauds.net>*
10238
10239 * Add `2.5.4.*` OIDs
10240
10241   *Ilya O. <vrghost@gmail.com>*
10242
10243### Changes between 0.9.8k and 0.9.8l  [5 Nov 2009]
10244
10245 * Disable renegotiation completely - this fixes a severe security
10246   problem ([CVE-2009-3555]) at the cost of breaking all
10247   renegotiation. Renegotiation can be re-enabled by setting
10248   SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at
10249   run-time. This is really not recommended unless you know what
10250   you're doing.
10251
10252   *Ben Laurie*
10253
10254### Changes between 0.9.8j and 0.9.8k  [25 Mar 2009]
10255
10256 * Don't set val to NULL when freeing up structures, it is freed up by
10257   underlying code. If `sizeof(void *) > sizeof(long)` this can result in
10258   zeroing past the valid field. ([CVE-2009-0789])
10259
10260   *Paolo Ganci <Paolo.Ganci@AdNovum.CH>*
10261
10262 * Fix bug where return value of CMS_SignerInfo_verify_content() was not
10263   checked correctly. This would allow some invalid signed attributes to
10264   appear to verify correctly. ([CVE-2009-0591])
10265
10266   *Ivan Nestlerode <inestlerode@us.ibm.com>*
10267
10268 * Reject UniversalString and BMPString types with invalid lengths. This
10269   prevents a crash in ASN1_STRING_print_ex() which assumes the strings have
10270   a legal length. ([CVE-2009-0590])
10271
10272   *Steve Henson*
10273
10274 * Set S/MIME signing as the default purpose rather than setting it
10275   unconditionally. This allows applications to override it at the store
10276   level.
10277
10278   *Steve Henson*
10279
10280 * Permit restricted recursion of ASN1 strings. This is needed in practice
10281   to handle some structures.
10282
10283   *Steve Henson*
10284
10285 * Improve efficiency of mem_gets: don't search whole buffer each time
10286   for a '\n'
10287
10288   *Jeremy Shapiro <jnshapir@us.ibm.com>*
10289
10290 * New -hex option for openssl rand.
10291
10292   *Matthieu Herrb*
10293
10294 * Print out UTF8String and NumericString when parsing ASN1.
10295
10296   *Steve Henson*
10297
10298 * Support NumericString type for name components.
10299
10300   *Steve Henson*
10301
10302 * Allow CC in the environment to override the automatically chosen
10303   compiler. Note that nothing is done to ensure flags work with the
10304   chosen compiler.
10305
10306   *Ben Laurie*
10307
10308### Changes between 0.9.8i and 0.9.8j  [07 Jan 2009]
10309
10310 * Properly check EVP_VerifyFinal() and similar return values
10311   ([CVE-2008-5077]).
10312
10313   *Ben Laurie, Bodo Moeller, Google Security Team*
10314
10315 * Enable TLS extensions by default.
10316
10317   *Ben Laurie*
10318
10319 * Allow the CHIL engine to be loaded, whether the application is
10320   multithreaded or not. (This does not release the developer from the
10321   obligation to set up the dynamic locking callbacks.)
10322
10323   *Sander Temme <sander@temme.net>*
10324
10325 * Use correct exit code if there is an error in dgst command.
10326
10327   *Steve Henson; problem pointed out by Roland Dirlewanger*
10328
10329 * Tweak Configure so that you need to say "experimental-jpake" to enable
10330   JPAKE, and need to use -DOPENSSL_EXPERIMENTAL_JPAKE in applications.
10331
10332   *Bodo Moeller*
10333
10334 * Add experimental JPAKE support, including demo authentication in
10335   s_client and s_server.
10336
10337   *Ben Laurie*
10338
10339 * Set the comparison function in v3_addr_canonize().
10340
10341   *Rob Austein <sra@hactrn.net>*
10342
10343 * Add support for XMPP STARTTLS in s_client.
10344
10345   *Philip Paeps <philip@freebsd.org>*
10346
10347 * Change the server-side SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG behavior
10348   to ensure that even with this option, only ciphersuites in the
10349   server's preference list will be accepted.  (Note that the option
10350   applies only when resuming a session, so the earlier behavior was
10351   just about the algorithm choice for symmetric cryptography.)
10352
10353   *Bodo Moeller*
10354
10355### Changes between 0.9.8h and 0.9.8i  [15 Sep 2008]
10356
10357 * Fix NULL pointer dereference if a DTLS server received
10358   ChangeCipherSpec as first record ([CVE-2009-1386]).
10359
10360   *PR #1679*
10361
10362 * Fix a state transition in s3_srvr.c and d1_srvr.c
10363   (was using SSL3_ST_CW_CLNT_HELLO_B, should be `..._ST_SW_SRVR_...`).
10364
10365   *Nagendra Modadugu*
10366
10367 * The fix in 0.9.8c that supposedly got rid of unsafe
10368   double-checked locking was incomplete for RSA blinding,
10369   addressing just one layer of what turns out to have been
10370   doubly unsafe triple-checked locking.
10371
10372   So now fix this for real by retiring the MONT_HELPER macro
10373   in crypto/rsa/rsa_eay.c.
10374
10375   *Bodo Moeller; problem pointed out by Marius Schilder*
10376
10377 * Various precautionary measures:
10378
10379   - Avoid size_t integer overflow in HASH_UPDATE (md32_common.h).
10380
10381   - Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c).
10382     (NB: This would require knowledge of the secret session ticket key
10383     to exploit, in which case you'd be SOL either way.)
10384
10385   - Change bn_nist.c so that it will properly handle input BIGNUMs
10386     outside the expected range.
10387
10388   - Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG
10389     builds.
10390
10391   *Neel Mehta, Bodo Moeller*
10392
10393 * Allow engines to be "soft loaded" - i.e. optionally don't die if
10394   the load fails. Useful for distros.
10395
10396   *Ben Laurie and the FreeBSD team*
10397
10398 * Add support for Local Machine Keyset attribute in PKCS#12 files.
10399
10400   *Steve Henson*
10401
10402 * Fix BN_GF2m_mod_arr() top-bit cleanup code.
10403
10404   *Huang Ying*
10405
10406 * Expand ENGINE to support engine supplied SSL client certificate functions.
10407
10408   This work was sponsored by Logica.
10409
10410   *Steve Henson*
10411
10412 * Add CryptoAPI ENGINE to support use of RSA and DSA keys held in Windows
10413   keystores. Support for SSL/TLS client authentication too.
10414   Not compiled unless enable-capieng specified to Configure.
10415
10416   This work was sponsored by Logica.
10417
10418   *Steve Henson*
10419
10420 * Fix bug in X509_ATTRIBUTE creation: don't set attribute using
10421   ASN1_TYPE_set1 if MBSTRING flag set. This bug would crash certain
10422   attribute creation routines such as certificate requests and PKCS#12
10423   files.
10424
10425   *Steve Henson*
10426
10427### Changes between 0.9.8g and 0.9.8h  [28 May 2008]
10428
10429 * Fix flaw if 'Server Key exchange message' is omitted from a TLS
10430   handshake which could lead to a client crash as found using the
10431   Codenomicon TLS test suite ([CVE-2008-1672])
10432
10433   *Steve Henson, Mark Cox*
10434
10435 * Fix double free in TLS server name extensions which could lead to
10436   a remote crash found by Codenomicon TLS test suite ([CVE-2008-0891])
10437
10438   *Joe Orton*
10439
10440 * Clear error queue in SSL_CTX_use_certificate_chain_file()
10441
10442   Clear the error queue to ensure that error entries left from
10443   older function calls do not interfere with the correct operation.
10444
10445   *Lutz Jaenicke, Erik de Castro Lopo*
10446
10447 * Remove root CA certificates of commercial CAs:
10448
10449   The OpenSSL project does not recommend any specific CA and does not
10450   have any policy with respect to including or excluding any CA.
10451   Therefore it does not make any sense to ship an arbitrary selection
10452   of root CA certificates with the OpenSSL software.
10453
10454   *Lutz Jaenicke*
10455
10456 * RSA OAEP patches to fix two separate invalid memory reads.
10457   The first one involves inputs when 'lzero' is greater than
10458   'SHA_DIGEST_LENGTH' (it would read about SHA_DIGEST_LENGTH bytes
10459   before the beginning of from). The second one involves inputs where
10460   the 'db' section contains nothing but zeroes (there is a one-byte
10461   invalid read after the end of 'db').
10462
10463   *Ivan Nestlerode <inestlerode@us.ibm.com>*
10464
10465 * Partial backport from 0.9.9-dev:
10466
10467   Introduce bn_mul_mont (dedicated Montgomery multiplication
10468   procedure) as a candidate for BIGNUM assembler implementation.
10469   While 0.9.9-dev uses assembler for various architectures, only
10470   x86_64 is available by default here in the 0.9.8 branch, and
10471   32-bit x86 is available through a compile-time setting.
10472
10473   To try the 32-bit x86 assembler implementation, use Configure
10474   option "enable-montasm" (which exists only for this backport).
10475
10476   As "enable-montasm" for 32-bit x86 disclaims code stability
10477   anyway, in this constellation we activate additional code
10478   backported from 0.9.9-dev for further performance improvements,
10479   namely BN_from_montgomery_word.  (To enable this otherwise,
10480   e.g. x86_64, try `-DMONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD`.)
10481
10482   *Andy Polyakov (backport partially by Bodo Moeller)*
10483
10484 * Add TLS session ticket callback. This allows an application to set
10485   TLS ticket cipher and HMAC keys rather than relying on hardcoded fixed
10486   values. This is useful for key rollover for example where several key
10487   sets may exist with different names.
10488
10489   *Steve Henson*
10490
10491 * Reverse ENGINE-internal logic for caching default ENGINE handles.
10492   This was broken until now in 0.9.8 releases, such that the only way
10493   a registered ENGINE could be used (assuming it initialises
10494   successfully on the host) was to explicitly set it as the default
10495   for the relevant algorithms. This is in contradiction with 0.9.7
10496   behaviour and the documentation. With this fix, when an ENGINE is
10497   registered into a given algorithm's table of implementations, the
10498   'uptodate' flag is reset so that auto-discovery will be used next
10499   time a new context for that algorithm attempts to select an
10500   implementation.
10501
10502   *Ian Lister (tweaked by Geoff Thorpe)*
10503
10504 * Backport of CMS code to OpenSSL 0.9.8. This differs from the 0.9.9
10505   implementation in the following ways:
10506
10507   Lack of EVP_PKEY_ASN1_METHOD means algorithm parameters have to be
10508   hard coded.
10509
10510   Lack of BER streaming support means one pass streaming processing is
10511   only supported if data is detached: setting the streaming flag is
10512   ignored for embedded content.
10513
10514   CMS support is disabled by default and must be explicitly enabled
10515   with the enable-cms configuration option.
10516
10517   *Steve Henson*
10518
10519 * Update the GMP engine glue to do direct copies between BIGNUM and
10520   mpz_t when openssl and GMP use the same limb size. Otherwise the
10521   existing "conversion via a text string export" trick is still used.
10522
10523   *Paul Sheer <paulsheer@gmail.com>*
10524
10525 * Zlib compression BIO. This is a filter BIO which compressed and
10526   uncompresses any data passed through it.
10527
10528   *Steve Henson*
10529
10530 * Add AES_wrap_key() and AES_unwrap_key() functions to implement
10531   RFC3394 compatible AES key wrapping.
10532
10533   *Steve Henson*
10534
10535 * Add utility functions to handle ASN1 structures. ASN1_STRING_set0():
10536   sets string data without copying. X509_ALGOR_set0() and
10537   X509_ALGOR_get0(): set and retrieve X509_ALGOR (AlgorithmIdentifier)
10538   data. Attribute function X509at_get0_data_by_OBJ(): retrieves data
10539   from an X509_ATTRIBUTE structure optionally checking it occurs only
10540   once. ASN1_TYPE_set1(): set and ASN1_TYPE structure copying supplied
10541   data.
10542
10543   *Steve Henson*
10544
10545 * Fix BN flag handling in RSA_eay_mod_exp() and BN_MONT_CTX_set()
10546   to get the expected BN_FLG_CONSTTIME behavior.
10547
10548   *Bodo Moeller (Google)*
10549
10550 * Netware support:
10551
10552   - fixed wrong usage of ioctlsocket() when build for LIBC BSD sockets
10553   - fixed do_tests.pl to run the test suite with CLIB builds too (CLIB_OPT)
10554   - added some more tests to do_tests.pl
10555   - fixed RunningProcess usage so that it works with newer LIBC NDKs too
10556   - removed usage of BN_LLONG for CLIB builds to avoid runtime dependency
10557   - added new Configure targets netware-clib-bsdsock, netware-clib-gcc,
10558     netware-clib-bsdsock-gcc, netware-libc-bsdsock-gcc
10559   - various changes to netware.pl to enable gcc-cross builds on Win32
10560     platform
10561   - changed crypto/bio/b_sock.c to work with macro functions (CLIB BSD)
10562   - various changes to fix missing prototype warnings
10563   - fixed x86nasm.pl to create correct asm files for NASM COFF output
10564   - added AES, WHIRLPOOL and CPUID assembler code to build files
10565   - added missing AES assembler make rules to mk1mf.pl
10566   - fixed order of includes in `apps/ocsp.c` so that `e_os.h` settings apply
10567
10568   *Guenter Knauf <eflash@gmx.net>*
10569
10570 * Implement certificate status request TLS extension defined in RFC3546.
10571   A client can set the appropriate parameters and receive the encoded
10572   OCSP response via a callback. A server can query the supplied parameters
10573   and set the encoded OCSP response in the callback. Add simplified examples
10574   to s_client and s_server.
10575
10576   *Steve Henson*
10577
10578### Changes between 0.9.8f and 0.9.8g  [19 Oct 2007]
10579
10580 * Fix various bugs:
10581   + Binary incompatibility of ssl_ctx_st structure
10582   + DTLS interoperation with non-compliant servers
10583   + Don't call get_session_cb() without proposed session
10584   + Fix ia64 assembler code
10585
10586   *Andy Polyakov, Steve Henson*
10587
10588### Changes between 0.9.8e and 0.9.8f  [11 Oct 2007]
10589
10590 * DTLS Handshake overhaul. There were longstanding issues with
10591   OpenSSL DTLS implementation, which were making it impossible for
10592   RFC 4347 compliant client to communicate with OpenSSL server.
10593   Unfortunately just fixing these incompatibilities would "cut off"
10594   pre-0.9.8f clients. To allow for hassle free upgrade post-0.9.8e
10595   server keeps tolerating non RFC compliant syntax. The opposite is
10596   not true, 0.9.8f client can not communicate with earlier server.
10597   This update even addresses CVE-2007-4995.
10598
10599   *Andy Polyakov*
10600
10601 * Changes to avoid need for function casts in OpenSSL: some compilers
10602   (gcc 4.2 and later) reject their use.
10603   *Kurt Roeckx <kurt@roeckx.be>, Peter Hartley <pdh@utter.chaos.org.uk>,
10604    Steve Henson*
10605
10606 * Add RFC4507 support to OpenSSL. This includes the corrections in
10607   RFC4507bis. The encrypted ticket format is an encrypted encoded
10608   SSL_SESSION structure, that way new session features are automatically
10609   supported.
10610
10611   If a client application caches session in an SSL_SESSION structure
10612   support is transparent because tickets are now stored in the encoded
10613   SSL_SESSION.
10614
10615   The SSL_CTX structure automatically generates keys for ticket
10616   protection in servers so again support should be possible
10617   with no application modification.
10618
10619   If a client or server wishes to disable RFC4507 support then the option
10620   SSL_OP_NO_TICKET can be set.
10621
10622   Add a TLS extension debugging callback to allow the contents of any client
10623   or server extensions to be examined.
10624
10625   This work was sponsored by Google.
10626
10627   *Steve Henson*
10628
10629 * Add initial support for TLS extensions, specifically for the server_name
10630   extension so far.  The SSL_SESSION, SSL_CTX, and SSL data structures now
10631   have new members for a host name.  The SSL data structure has an
10632   additional member `SSL_CTX *initial_ctx` so that new sessions can be
10633   stored in that context to allow for session resumption, even after the
10634   SSL has been switched to a new SSL_CTX in reaction to a client's
10635   server_name extension.
10636
10637   New functions (subject to change):
10638
10639           SSL_get_servername()
10640           SSL_get_servername_type()
10641           SSL_set_SSL_CTX()
10642
10643   New CTRL codes and macros (subject to change):
10644
10645           SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
10646                               - SSL_CTX_set_tlsext_servername_callback()
10647           SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG
10648                                    - SSL_CTX_set_tlsext_servername_arg()
10649           SSL_CTRL_SET_TLSEXT_HOSTNAME           - SSL_set_tlsext_host_name()
10650
10651   openssl s_client has a new '-servername ...' option.
10652
10653   openssl s_server has new options '-servername_host ...', '-cert2 ...',
10654   '-key2 ...', '-servername_fatal' (subject to change).  This allows
10655   testing the HostName extension for a specific single host name ('-cert'
10656   and '-key' remain fallbacks for handshakes without HostName
10657   negotiation).  If the unrecognized_name alert has to be sent, this by
10658   default is a warning; it becomes fatal with the '-servername_fatal'
10659   option.
10660
10661   *Peter Sylvester,  Remy Allais, Christophe Renou, Steve Henson*
10662
10663 * Add AES and SSE2 assembly language support to VC++ build.
10664
10665   *Steve Henson*
10666
10667 * Mitigate attack on final subtraction in Montgomery reduction.
10668
10669   *Andy Polyakov*
10670
10671 * Fix crypto/ec/ec_mult.c to work properly with scalars of value 0
10672   (which previously caused an internal error).
10673
10674   *Bodo Moeller*
10675
10676 * Squeeze another 10% out of IGE mode when in != out.
10677
10678   *Ben Laurie*
10679
10680 * AES IGE mode speedup.
10681
10682   *Dean Gaudet (Google)*
10683
10684 * Add the Korean symmetric 128-bit cipher SEED (see
10685   <http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp>) and
10686   add SEED ciphersuites from RFC 4162:
10687
10688           TLS_RSA_WITH_SEED_CBC_SHA      =  "SEED-SHA"
10689           TLS_DHE_DSS_WITH_SEED_CBC_SHA  =  "DHE-DSS-SEED-SHA"
10690           TLS_DHE_RSA_WITH_SEED_CBC_SHA  =  "DHE-RSA-SEED-SHA"
10691           TLS_DH_anon_WITH_SEED_CBC_SHA  =  "ADH-SEED-SHA"
10692
10693   To minimize changes between patchlevels in the OpenSSL 0.9.8
10694   series, SEED remains excluded from compilation unless OpenSSL
10695   is configured with 'enable-seed'.
10696
10697   *KISA, Bodo Moeller*
10698
10699 * Mitigate branch prediction attacks, which can be practical if a
10700   single processor is shared, allowing a spy process to extract
10701   information.  For detailed background information, see
10702   <http://eprint.iacr.org/2007/039> (O. Aciicmez, S. Gueron,
10703   J.-P. Seifert, "New Branch Prediction Vulnerabilities in OpenSSL
10704   and Necessary Software Countermeasures").  The core of the change
10705   are new versions BN_div_no_branch() and
10706   BN_mod_inverse_no_branch() of BN_div() and BN_mod_inverse(),
10707   respectively, which are slower, but avoid the security-relevant
10708   conditional branches.  These are automatically called by BN_div()
10709   and BN_mod_inverse() if the flag BN_FLG_CONSTTIME is set for one
10710   of the input BIGNUMs.  Also, BN_is_bit_set() has been changed to
10711   remove a conditional branch.
10712
10713   BN_FLG_CONSTTIME is the new name for the previous
10714   BN_FLG_EXP_CONSTTIME flag, since it now affects more than just
10715   modular exponentiation.  (Since OpenSSL 0.9.7h, setting this flag
10716   in the exponent causes BN_mod_exp_mont() to use the alternative
10717   implementation in BN_mod_exp_mont_consttime().)  The old name
10718   remains as a deprecated alias.
10719
10720   Similarly, RSA_FLAG_NO_EXP_CONSTTIME is replaced by a more general
10721   RSA_FLAG_NO_CONSTTIME flag since the RSA implementation now uses
10722   constant-time implementations for more than just exponentiation.
10723   Here too the old name is kept as a deprecated alias.
10724
10725   BN_BLINDING_new() will now use BN_dup() for the modulus so that
10726   the BN_BLINDING structure gets an independent copy of the
10727   modulus.  This means that the previous `BIGNUM *m` argument to
10728   BN_BLINDING_new() and to BN_BLINDING_create_param() now
10729   essentially becomes `const BIGNUM *m`, although we can't actually
10730   change this in the header file before 0.9.9.  It allows
10731   RSA_setup_blinding() to use BN_with_flags() on the modulus to
10732   enable BN_FLG_CONSTTIME.
10733
10734   *Matthew D Wood (Intel Corp)*
10735
10736 * In the SSL/TLS server implementation, be strict about session ID
10737   context matching (which matters if an application uses a single
10738   external cache for different purposes).  Previously,
10739   out-of-context reuse was forbidden only if SSL_VERIFY_PEER was
10740   set.  This did ensure strict client verification, but meant that,
10741   with applications using a single external cache for quite
10742   different requirements, clients could circumvent ciphersuite
10743   restrictions for a given session ID context by starting a session
10744   in a different context.
10745
10746   *Bodo Moeller*
10747
10748 * Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that
10749   a ciphersuite string such as "DEFAULT:RSA" cannot enable
10750   authentication-only ciphersuites.
10751
10752   *Bodo Moeller*
10753
10754 * Update the SSL_get_shared_ciphers() fix CVE-2006-3738 which was
10755   not complete and could lead to a possible single byte overflow
10756   ([CVE-2007-5135]) [Ben Laurie]
10757
10758### Changes between 0.9.8d and 0.9.8e  [23 Feb 2007]
10759
10760 * Since AES128 and AES256 (and similarly Camellia128 and
10761   Camellia256) share a single mask bit in the logic of
10762   ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
10763   kludge to work properly if AES128 is available and AES256 isn't
10764   (or if Camellia128 is available and Camellia256 isn't).
10765
10766   *Victor Duchovni*
10767
10768 * Fix the BIT STRING encoding generated by crypto/ec/ec_asn1.c
10769   (within i2d_ECPrivateKey, i2d_ECPKParameters, i2d_ECParameters):
10770   When a point or a seed is encoded in a BIT STRING, we need to
10771   prevent the removal of trailing zero bits to get the proper DER
10772   encoding.  (By default, crypto/asn1/a_bitstr.c assumes the case
10773   of a NamedBitList, for which trailing 0 bits need to be removed.)
10774
10775   *Bodo Moeller*
10776
10777 * Have SSL/TLS server implementation tolerate "mismatched" record
10778   protocol version while receiving ClientHello even if the
10779   ClientHello is fragmented.  (The server can't insist on the
10780   particular protocol version it has chosen before the ServerHello
10781   message has informed the client about his choice.)
10782
10783   *Bodo Moeller*
10784
10785 * Add RFC 3779 support.
10786
10787   *Rob Austein for ARIN, Ben Laurie*
10788
10789 * Load error codes if they are not already present instead of using a
10790   static variable. This allows them to be cleanly unloaded and reloaded.
10791   Improve header file function name parsing.
10792
10793   *Steve Henson*
10794
10795 * extend SMTP and IMAP protocol emulation in s_client to use EHLO
10796   or CAPABILITY handshake as required by RFCs.
10797
10798   *Goetz Babin-Ebell*
10799
10800### Changes between 0.9.8c and 0.9.8d  [28 Sep 2006]
10801
10802 * Introduce limits to prevent malicious keys being able to
10803   cause a denial of service.  ([CVE-2006-2940])
10804
10805   *Steve Henson, Bodo Moeller*
10806
10807 * Fix ASN.1 parsing of certain invalid structures that can result
10808   in a denial of service.  ([CVE-2006-2937])  [Steve Henson]
10809
10810 * Fix buffer overflow in SSL_get_shared_ciphers() function.
10811   ([CVE-2006-3738]) [Tavis Ormandy and Will Drewry, Google Security Team]
10812
10813 * Fix SSL client code which could crash if connecting to a
10814   malicious SSLv2 server.  ([CVE-2006-4343])
10815
10816   *Tavis Ormandy and Will Drewry, Google Security Team*
10817
10818 * Since 0.9.8b, ciphersuite strings naming explicit ciphersuites
10819   match only those.  Before that, "AES256-SHA" would be interpreted
10820   as a pattern and match "AES128-SHA" too (since AES128-SHA got
10821   the same strength classification in 0.9.7h) as we currently only
10822   have a single AES bit in the ciphersuite description bitmap.
10823   That change, however, also applied to ciphersuite strings such as
10824   "RC4-MD5" that intentionally matched multiple ciphersuites --
10825   namely, SSL 2.0 ciphersuites in addition to the more common ones
10826   from SSL 3.0/TLS 1.0.
10827
10828   So we change the selection algorithm again: Naming an explicit
10829   ciphersuite selects this one ciphersuite, and any other similar
10830   ciphersuite (same bitmap) from *other* protocol versions.
10831   Thus, "RC4-MD5" again will properly select both the SSL 2.0
10832   ciphersuite and the SSL 3.0/TLS 1.0 ciphersuite.
10833
10834   Since SSL 2.0 does not have any ciphersuites for which the
10835   128/256 bit distinction would be relevant, this works for now.
10836   The proper fix will be to use different bits for AES128 and
10837   AES256, which would have avoided the problems from the beginning;
10838   however, bits are scarce, so we can only do this in a new release
10839   (not just a patchlevel) when we can change the SSL_CIPHER
10840   definition to split the single 'unsigned long mask' bitmap into
10841   multiple values to extend the available space.
10842
10843   *Bodo Moeller*
10844
10845### Changes between 0.9.8b and 0.9.8c  [05 Sep 2006]
10846
10847 * Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
10848   ([CVE-2006-4339])  [Ben Laurie and Google Security Team]
10849
10850 * Add AES IGE and biIGE modes.
10851
10852   *Ben Laurie*
10853
10854 * Change the Unix randomness entropy gathering to use poll() when
10855   possible instead of select(), since the latter has some
10856   undesirable limitations.
10857
10858   *Darryl Miles via Richard Levitte and Bodo Moeller*
10859
10860 * Disable "ECCdraft" ciphersuites more thoroughly.  Now special
10861   treatment in ssl/ssl_ciph.s makes sure that these ciphersuites
10862   cannot be implicitly activated as part of, e.g., the "AES" alias.
10863   However, please upgrade to OpenSSL 0.9.9[-dev] for
10864   non-experimental use of the ECC ciphersuites to get TLS extension
10865   support, which is required for curve and point format negotiation
10866   to avoid potential handshake problems.
10867
10868   *Bodo Moeller*
10869
10870 * Disable rogue ciphersuites:
10871
10872   - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
10873   - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
10874   - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
10875
10876   The latter two were purportedly from
10877   draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
10878   appear there.
10879
10880   Also deactivate the remaining ciphersuites from
10881   draft-ietf-tls-56-bit-ciphersuites-01.txt.  These are just as
10882   unofficial, and the ID has long expired.
10883
10884   *Bodo Moeller*
10885
10886 * Fix RSA blinding Heisenbug (problems sometimes occurred on
10887   dual-core machines) and other potential thread-safety issues.
10888
10889   *Bodo Moeller*
10890
10891 * Add the symmetric cipher Camellia (128-bit, 192-bit, 256-bit key
10892   versions), which is now available for royalty-free use
10893   (see <http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html>).
10894   Also, add Camellia TLS ciphersuites from RFC 4132.
10895
10896   To minimize changes between patchlevels in the OpenSSL 0.9.8
10897   series, Camellia remains excluded from compilation unless OpenSSL
10898   is configured with 'enable-camellia'.
10899
10900   *NTT*
10901
10902 * Disable the padding bug check when compression is in use. The padding
10903   bug check assumes the first packet is of even length, this is not
10904   necessarily true if compression is enabled and can result in false
10905   positives causing handshake failure. The actual bug test is ancient
10906   code so it is hoped that implementations will either have fixed it by
10907   now or any which still have the bug do not support compression.
10908
10909   *Steve Henson*
10910
10911### Changes between 0.9.8a and 0.9.8b  [04 May 2006]
10912
10913 * When applying a cipher rule check to see if string match is an explicit
10914   cipher suite and only match that one cipher suite if it is.
10915
10916   *Steve Henson*
10917
10918 * Link in manifests for VC++ if needed.
10919
10920   *Austin Ziegler <halostatue@gmail.com>*
10921
10922 * Update support for ECC-based TLS ciphersuites according to
10923   draft-ietf-tls-ecc-12.txt with proposed changes (but without
10924   TLS extensions, which are supported starting with the 0.9.9
10925   branch, not in the OpenSSL 0.9.8 branch).
10926
10927   *Douglas Stebila*
10928
10929 * New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() to support
10930   opaque EVP_CIPHER_CTX handling.
10931
10932   *Steve Henson*
10933
10934 * Fixes and enhancements to zlib compression code. We now only use
10935   "zlib1.dll" and use the default `__cdecl` calling convention on Win32
10936   to conform with the standards mentioned here:
10937   <http://www.zlib.net/DLL_FAQ.txt>
10938   Static zlib linking now works on Windows and the new --with-zlib-include
10939   --with-zlib-lib options to Configure can be used to supply the location
10940   of the headers and library. Gracefully handle case where zlib library
10941   can't be loaded.
10942
10943   *Steve Henson*
10944
10945 * Several fixes and enhancements to the OID generation code. The old code
10946   sometimes allowed invalid OIDs (1.X for X >= 40 for example), couldn't
10947   handle numbers larger than ULONG_MAX, truncated printing and had a
10948   non standard OBJ_obj2txt() behaviour.
10949
10950   *Steve Henson*
10951
10952 * Add support for building of engines under engine/ as shared libraries
10953   under VC++ build system.
10954
10955   *Steve Henson*
10956
10957 * Corrected the numerous bugs in the Win32 path splitter in DSO.
10958   Hopefully, we will not see any false combination of paths any more.
10959
10960   *Richard Levitte*
10961
10962### Changes between 0.9.8 and 0.9.8a  [11 Oct 2005]
10963
10964 * Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
10965   (part of SSL_OP_ALL).  This option used to disable the
10966   countermeasure against man-in-the-middle protocol-version
10967   rollback in the SSL 2.0 server implementation, which is a bad
10968   idea.  ([CVE-2005-2969])
10969
10970   *Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center
10971   for Information Security, National Institute of Advanced Industrial
10972   Science and Technology [AIST], Japan)*
10973
10974 * Add two function to clear and return the verify parameter flags.
10975
10976   *Steve Henson*
10977
10978 * Keep cipherlists sorted in the source instead of sorting them at
10979   runtime, thus removing the need for a lock.
10980
10981   *Nils Larsch*
10982
10983 * Avoid some small subgroup attacks in Diffie-Hellman.
10984
10985   *Nick Mathewson and Ben Laurie*
10986
10987 * Add functions for well-known primes.
10988
10989   *Nick Mathewson*
10990
10991 * Extended Windows CE support.
10992
10993   *Satoshi Nakamura and Andy Polyakov*
10994
10995 * Initialize SSL_METHOD structures at compile time instead of during
10996   runtime, thus removing the need for a lock.
10997
10998   *Steve Henson*
10999
11000 * Make PKCS7_decrypt() work even if no certificate is supplied by
11001   attempting to decrypt each encrypted key in turn. Add support to
11002   smime utility.
11003
11004   *Steve Henson*
11005
11006### Changes between 0.9.7h and 0.9.8  [05 Jul 2005]
11007
11008[NB: OpenSSL 0.9.7i and later 0.9.7 patch levels were released after
11009OpenSSL 0.9.8.]
11010
11011 * Add libcrypto.pc and libssl.pc for those who feel they need them.
11012
11013   *Richard Levitte*
11014
11015 * Change CA.sh and CA.pl so they don't bundle the CSR and the private
11016   key into the same file any more.
11017
11018   *Richard Levitte*
11019
11020 * Add initial support for Win64, both IA64 and AMD64/x64 flavors.
11021
11022   *Andy Polyakov*
11023
11024 * Add -utf8 command line and config file option to 'ca'.
11025
11026   *Stefan <stf@udoma.org*
11027
11028 * Removed the macro des_crypt(), as it seems to conflict with some
11029   libraries.  Use DES_crypt().
11030
11031   *Richard Levitte*
11032
11033 * Correct naming of the 'chil' and '4758cca' ENGINEs. This
11034   involves renaming the source and generated shared-libs for
11035   both. The engines will accept the corrected or legacy ids
11036   ('ncipher' and '4758_cca' respectively) when binding. NB,
11037   this only applies when building 'shared'.
11038
11039   *Corinna Vinschen <vinschen@redhat.com> and Geoff Thorpe*
11040
11041 * Add attribute functions to EVP_PKEY structure. Modify
11042   PKCS12_create() to recognize a CSP name attribute and
11043   use it. Make -CSP option work again in pkcs12 utility.
11044
11045   *Steve Henson*
11046
11047 * Add new functionality to the bn blinding code:
11048   - automatic re-creation of the BN_BLINDING parameters after
11049     a fixed number of uses (currently 32)
11050   - add new function for parameter creation
11051   - introduce flags to control the update behaviour of the
11052     BN_BLINDING parameters
11053   - hide BN_BLINDING structure
11054   Add a second BN_BLINDING slot to the RSA structure to improve
11055   performance when a single RSA object is shared among several
11056   threads.
11057
11058   *Nils Larsch*
11059
11060 * Add support for DTLS.
11061
11062   *Nagendra Modadugu <nagendra@cs.stanford.edu> and Ben Laurie*
11063
11064 * Add support for DER encoded private keys (SSL_FILETYPE_ASN1)
11065   to SSL_CTX_use_PrivateKey_file() and SSL_use_PrivateKey_file()
11066
11067   *Walter Goulet*
11068
11069 * Remove buggy and incomplete DH cert support from
11070   ssl/ssl_rsa.c and ssl/s3_both.c
11071
11072   *Nils Larsch*
11073
11074 * Use SHA-1 instead of MD5 as the default digest algorithm for
11075   the `apps/openssl` commands.
11076
11077   *Nils Larsch*
11078
11079 * Compile clean with "-Wall -Wmissing-prototypes
11080   -Wstrict-prototypes -Wmissing-declarations -Werror". Currently
11081   DEBUG_SAFESTACK must also be set.
11082
11083   *Ben Laurie*
11084
11085 * Change ./Configure so that certain algorithms can be disabled by default.
11086   The new counterpiece to "no-xxx" is "enable-xxx".
11087
11088   The patented RC5 and MDC2 algorithms will now be disabled unless
11089   "enable-rc5" and "enable-mdc2", respectively, are specified.
11090
11091   (IDEA remains enabled despite being patented.  This is because IDEA
11092   is frequently required for interoperability, and there is no license
11093   fee for non-commercial use.  As before, "no-idea" can be used to
11094   avoid this algorithm.)
11095
11096   *Bodo Moeller*
11097
11098 * Add processing of proxy certificates (see RFC 3820).  This work was
11099   sponsored by KTH (The Royal Institute of Technology in Stockholm) and
11100   EGEE (Enabling Grids for E-science in Europe).
11101
11102   *Richard Levitte*
11103
11104 * RC4 performance overhaul on modern architectures/implementations, such
11105   as Intel P4, IA-64 and AMD64.
11106
11107   *Andy Polyakov*
11108
11109 * New utility extract-section.pl. This can be used specify an alternative
11110   section number in a pod file instead of having to treat each file as
11111   a separate case in Makefile. This can be done by adding two lines to the
11112   pod file:
11113
11114   =for comment openssl_section:XXX
11115
11116   The blank line is mandatory.
11117
11118   *Steve Henson*
11119
11120 * New arguments -certform, -keyform and -pass for s_client and s_server
11121   to allow alternative format key and certificate files and passphrase
11122   sources.
11123
11124   *Steve Henson*
11125
11126 * New structure X509_VERIFY_PARAM which combines current verify parameters,
11127   update associated structures and add various utility functions.
11128
11129   Add new policy related verify parameters, include policy checking in
11130   standard verify code. Enhance 'smime' application with extra parameters
11131   to support policy checking and print out.
11132
11133   *Steve Henson*
11134
11135 * Add a new engine to support VIA PadLock ACE extensions in the VIA C3
11136   Nehemiah processors. These extensions support AES encryption in hardware
11137   as well as RNG (though RNG support is currently disabled).
11138
11139   *Michal Ludvig <michal@logix.cz>, with help from Andy Polyakov*
11140
11141 * Deprecate `BN_[get|set]_params()` functions (they were ignored internally).
11142
11143   *Geoff Thorpe*
11144
11145 * New FIPS 180-2 algorithms, SHA-224/-256/-384/-512 are implemented.
11146
11147   *Andy Polyakov and a number of other people*
11148
11149 * Improved PowerPC platform support. Most notably BIGNUM assembler
11150   implementation contributed by IBM.
11151
11152   *Suresh Chari, Peter Waltenberg, Andy Polyakov*
11153
11154 * The new 'RSA_generate_key_ex' function now takes a BIGNUM for the public
11155   exponent rather than 'unsigned long'. There is a corresponding change to
11156   the new 'rsa_keygen' element of the RSA_METHOD structure.
11157
11158   *Jelte Jansen, Geoff Thorpe*
11159
11160 * Functionality for creating the initial serial number file is now
11161   moved from CA.pl to the 'ca' utility with a new option -create_serial.
11162
11163   (Before OpenSSL 0.9.7e, CA.pl used to initialize the serial
11164   number file to 1, which is bound to cause problems.  To avoid
11165   the problems while respecting compatibility between different 0.9.7
11166   patchlevels, 0.9.7e  employed 'openssl x509 -next_serial' in
11167   CA.pl for serial number initialization.  With the new release 0.9.8,
11168   we can fix the problem directly in the 'ca' utility.)
11169
11170   *Steve Henson*
11171
11172 * Reduced header interdependencies by declaring more opaque objects in
11173   ossl_typ.h. As a consequence, including some headers (eg. engine.h) will
11174   give fewer recursive includes, which could break lazy source code - so
11175   this change is covered by the OPENSSL_NO_DEPRECATED symbol. As always,
11176   developers should define this symbol when building and using openssl to
11177   ensure they track the recommended behaviour, interfaces, [etc], but
11178   backwards-compatible behaviour prevails when this isn't defined.
11179
11180   *Geoff Thorpe*
11181
11182 * New function X509_POLICY_NODE_print() which prints out policy nodes.
11183
11184   *Steve Henson*
11185
11186 * Add new EVP function EVP_CIPHER_CTX_rand_key and associated functionality.
11187   This will generate a random key of the appropriate length based on the
11188   cipher context. The EVP_CIPHER can provide its own random key generation
11189   routine to support keys of a specific form. This is used in the des and
11190   3des routines to generate a key of the correct parity. Update S/MIME
11191   code to use new functions and hence generate correct parity DES keys.
11192   Add EVP_CHECK_DES_KEY #define to return an error if the key is not
11193   valid (weak or incorrect parity).
11194
11195   *Steve Henson*
11196
11197 * Add a local set of CRLs that can be used by X509_verify_cert() as well
11198   as looking them up. This is useful when the verified structure may contain
11199   CRLs, for example PKCS#7 signedData. Modify PKCS7_verify() to use any CRLs
11200   present unless the new PKCS7_NO_CRL flag is asserted.
11201
11202   *Steve Henson*
11203
11204 * Extend ASN1 oid configuration module. It now additionally accepts the
11205   syntax:
11206
11207   shortName = some long name, 1.2.3.4
11208
11209   *Steve Henson*
11210
11211 * Reimplemented the BN_CTX implementation. There is now no more static
11212   limitation on the number of variables it can handle nor the depth of the
11213   "stack" handling for BN_CTX_start()/BN_CTX_end() pairs. The stack
11214   information can now expand as required, and rather than having a single
11215   static array of bignums, BN_CTX now uses a linked-list of such arrays
11216   allowing it to expand on demand whilst maintaining the usefulness of
11217   BN_CTX's "bundling".
11218
11219   *Geoff Thorpe*
11220
11221 * Add a missing BN_CTX parameter to the 'rsa_mod_exp' callback in RSA_METHOD
11222   to allow all RSA operations to function using a single BN_CTX.
11223
11224   *Geoff Thorpe*
11225
11226 * Preliminary support for certificate policy evaluation and checking. This
11227   is initially intended to pass the tests outlined in "Conformance Testing
11228   of Relying Party Client Certificate Path Processing Logic" v1.07.
11229
11230   *Steve Henson*
11231
11232 * bn_dup_expand() has been deprecated, it was introduced in 0.9.7 and
11233   remained unused and not that useful. A variety of other little bignum
11234   tweaks and fixes have also been made continuing on from the audit (see
11235   below).
11236
11237   *Geoff Thorpe*
11238
11239 * Constify all or almost all d2i, c2i, s2i and r2i functions, along with
11240   associated ASN1, EVP and SSL functions and old ASN1 macros.
11241
11242   *Richard Levitte*
11243
11244 * BN_zero() only needs to set 'top' and 'neg' to zero for correct results,
11245   and this should never fail. So the return value from the use of
11246   BN_set_word() (which can fail due to needless expansion) is now deprecated;
11247   if OPENSSL_NO_DEPRECATED is defined, BN_zero() is a void macro.
11248
11249   *Geoff Thorpe*
11250
11251 * BN_CTX_get() should return zero-valued bignums, providing the same
11252   initialised value as BN_new().
11253
11254   *Geoff Thorpe, suggested by Ulf Möller*
11255
11256 * Support for inhibitAnyPolicy certificate extension.
11257
11258   *Steve Henson*
11259
11260 * An audit of the BIGNUM code is underway, for which debugging code is
11261   enabled when BN_DEBUG is defined. This makes stricter enforcements on what
11262   is considered valid when processing BIGNUMs, and causes execution to
11263   assert() when a problem is discovered. If BN_DEBUG_RAND is defined,
11264   further steps are taken to deliberately pollute unused data in BIGNUM
11265   structures to try and expose faulty code further on. For now, openssl will
11266   (in its default mode of operation) continue to tolerate the inconsistent
11267   forms that it has tolerated in the past, but authors and packagers should
11268   consider trying openssl and their own applications when compiled with
11269   these debugging symbols defined. It will help highlight potential bugs in
11270   their own code, and will improve the test coverage for OpenSSL itself. At
11271   some point, these tighter rules will become openssl's default to improve
11272   maintainability, though the assert()s and other overheads will remain only
11273   in debugging configurations. See bn.h for more details.
11274
11275   *Geoff Thorpe, Nils Larsch, Ulf Möller*
11276
11277 * BN_CTX_init() has been deprecated, as BN_CTX is an opaque structure
11278   that can only be obtained through BN_CTX_new() (which implicitly
11279   initialises it). The presence of this function only made it possible
11280   to overwrite an existing structure (and cause memory leaks).
11281
11282   *Geoff Thorpe*
11283
11284 * Because of the callback-based approach for implementing LHASH as a
11285   template type, lh_insert() adds opaque objects to hash-tables and
11286   lh_doall() or lh_doall_arg() are typically used with a destructor callback
11287   to clean up those corresponding objects before destroying the hash table
11288   (and losing the object pointers). So some over-zealous constifications in
11289   LHASH have been relaxed so that lh_insert() does not take (nor store) the
11290   objects as "const" and the `lh_doall[_arg]` callback wrappers are not
11291   prototyped to have "const" restrictions on the object pointers they are
11292   given (and so aren't required to cast them away any more).
11293
11294   *Geoff Thorpe*
11295
11296 * The tmdiff.h API was so ugly and minimal that our own timing utility
11297   (speed) prefers to use its own implementation. The two implementations
11298   haven't been consolidated as yet (volunteers?) but the tmdiff API has had
11299   its object type properly exposed (MS_TM) instead of casting to/from
11300   `char *`. This may still change yet if someone realises MS_TM and
11301   `ms_time_***`
11302   aren't necessarily the greatest nomenclatures - but this is what was used
11303   internally to the implementation so I've used that for now.
11304
11305   *Geoff Thorpe*
11306
11307 * Ensure that deprecated functions do not get compiled when
11308   OPENSSL_NO_DEPRECATED is defined. Some "openssl" subcommands and a few of
11309   the self-tests were still using deprecated key-generation functions so
11310   these have been updated also.
11311
11312   *Geoff Thorpe*
11313
11314 * Reorganise PKCS#7 code to separate the digest location functionality
11315   into PKCS7_find_digest(), digest addition into PKCS7_bio_add_digest().
11316   New function PKCS7_set_digest() to set the digest type for PKCS#7
11317   digestedData type. Add additional code to correctly generate the
11318   digestedData type and add support for this type in PKCS7 initialization
11319   functions.
11320
11321   *Steve Henson*
11322
11323 * New function PKCS7_set0_type_other() this initializes a PKCS7
11324   structure of type "other".
11325
11326   *Steve Henson*
11327
11328 * Fix prime generation loop in crypto/bn/bn_prime.pl by making
11329   sure the loop does correctly stop and breaking ("division by zero")
11330   modulus operations are not performed. The (pre-generated) prime
11331   table crypto/bn/bn_prime.h was already correct, but it could not be
11332   re-generated on some platforms because of the "division by zero"
11333   situation in the script.
11334
11335   *Ralf S. Engelschall*
11336
11337 * Update support for ECC-based TLS ciphersuites according to
11338   draft-ietf-tls-ecc-03.txt: the KDF1 key derivation function with
11339   SHA-1 now is only used for "small" curves (where the
11340   representation of a field element takes up to 24 bytes); for
11341   larger curves, the field element resulting from ECDH is directly
11342   used as premaster secret.
11343
11344   *Douglas Stebila (Sun Microsystems Laboratories)*
11345
11346 * Add code for kP+lQ timings to crypto/ec/ectest.c, and add SEC2
11347   curve secp160r1 to the tests.
11348
11349   *Douglas Stebila (Sun Microsystems Laboratories)*
11350
11351 * Add the possibility to load symbols globally with DSO.
11352
11353   *Götz Babin-Ebell <babin-ebell@trustcenter.de> via Richard Levitte*
11354
11355 * Add the functions ERR_set_mark() and ERR_pop_to_mark() for better
11356   control of the error stack.
11357
11358   *Richard Levitte*
11359
11360 * Add support for STORE in ENGINE.
11361
11362   *Richard Levitte*
11363
11364 * Add the STORE type.  The intention is to provide a common interface
11365   to certificate and key stores, be they simple file-based stores, or
11366   HSM-type store, or LDAP stores, or...
11367   NOTE: The code is currently UNTESTED and isn't really used anywhere.
11368
11369   *Richard Levitte*
11370
11371 * Add a generic structure called OPENSSL_ITEM.  This can be used to
11372   pass a list of arguments to any function as well as provide a way
11373   for a function to pass data back to the caller.
11374
11375   *Richard Levitte*
11376
11377 * Add the functions BUF_strndup() and BUF_memdup().  BUF_strndup()
11378   works like BUF_strdup() but can be used to duplicate a portion of
11379   a string.  The copy gets NUL-terminated.  BUF_memdup() duplicates
11380   a memory area.
11381
11382   *Richard Levitte*
11383
11384 * Add the function sk_find_ex() which works like sk_find(), but will
11385   return an index to an element even if an exact match couldn't be
11386   found.  The index is guaranteed to point at the element where the
11387   searched-for key would be inserted to preserve sorting order.
11388
11389   *Richard Levitte*
11390
11391 * Add the function OBJ_bsearch_ex() which works like OBJ_bsearch() but
11392   takes an extra flags argument for optional functionality.  Currently,
11393   the following flags are defined:
11394
11395      OBJ_BSEARCH_VALUE_ON_NOMATCH
11396      This one gets OBJ_bsearch_ex() to return a pointer to the first
11397      element where the comparing function returns a negative or zero
11398      number.
11399
11400      OBJ_BSEARCH_FIRST_VALUE_ON_MATCH
11401      This one gets OBJ_bsearch_ex() to return a pointer to the first
11402      element where the comparing function returns zero.  This is useful
11403      if there are more than one element where the comparing function
11404      returns zero.
11405
11406   *Richard Levitte*
11407
11408 * Make it possible to create self-signed certificates with 'openssl ca'
11409   in such a way that the self-signed certificate becomes part of the
11410   CA database and uses the same mechanisms for serial number generation
11411   as all other certificate signing.  The new flag '-selfsign' enables
11412   this functionality.  Adapt CA.sh and CA.pl.in.
11413
11414   *Richard Levitte*
11415
11416 * Add functionality to check the public key of a certificate request
11417   against a given private.  This is useful to check that a certificate
11418   request can be signed by that key (self-signing).
11419
11420   *Richard Levitte*
11421
11422 * Make it possible to have multiple active certificates with the same
11423   subject in the CA index file.  This is done only if the keyword
11424   'unique_subject' is set to 'no' in the main CA section (default
11425   if 'CA_default') of the configuration file.  The value is saved
11426   with the database itself in a separate index attribute file,
11427   named like the index file with '.attr' appended to the name.
11428
11429   *Richard Levitte*
11430
11431 * Generate multi-valued AVAs using '+' notation in config files for
11432   req and dirName.
11433
11434   *Steve Henson*
11435
11436 * Support for nameConstraints certificate extension.
11437
11438   *Steve Henson*
11439
11440 * Support for policyConstraints certificate extension.
11441
11442   *Steve Henson*
11443
11444 * Support for policyMappings certificate extension.
11445
11446   *Steve Henson*
11447
11448 * Make sure the default DSA_METHOD implementation only uses its
11449   dsa_mod_exp() and/or bn_mod_exp() handlers if they are non-NULL,
11450   and change its own handlers to be NULL so as to remove unnecessary
11451   indirection. This lets alternative implementations fallback to the
11452   default implementation more easily.
11453
11454   *Geoff Thorpe*
11455
11456 * Support for directoryName in GeneralName related extensions
11457   in config files.
11458
11459   *Steve Henson*
11460
11461 * Make it possible to link applications using Makefile.shared.
11462   Make that possible even when linking against static libraries!
11463
11464   *Richard Levitte*
11465
11466 * Support for single pass processing for S/MIME signing. This now
11467   means that S/MIME signing can be done from a pipe, in addition
11468   cleartext signing (multipart/signed type) is effectively streaming
11469   and the signed data does not need to be all held in memory.
11470
11471   This is done with a new flag PKCS7_STREAM. When this flag is set
11472   PKCS7_sign() only initializes the PKCS7 structure and the actual signing
11473   is done after the data is output (and digests calculated) in
11474   SMIME_write_PKCS7().
11475
11476   *Steve Henson*
11477
11478 * Add full support for -rpath/-R, both in shared libraries and
11479   applications, at least on the platforms where it's known how
11480   to do it.
11481
11482   *Richard Levitte*
11483
11484 * In crypto/ec/ec_mult.c, implement fast point multiplication with
11485   precomputation, based on wNAF splitting: EC_GROUP_precompute_mult()
11486   will now compute a table of multiples of the generator that
11487   makes subsequent invocations of EC_POINTs_mul() or EC_POINT_mul()
11488   faster (notably in the case of a single point multiplication,
11489   scalar * generator).
11490
11491   *Nils Larsch, Bodo Moeller*
11492
11493 * IPv6 support for certificate extensions. The various extensions
11494   which use the IP:a.b.c.d can now take IPv6 addresses using the
11495   formats of RFC1884 2.2 . IPv6 addresses are now also displayed
11496   correctly.
11497
11498   *Steve Henson*
11499
11500 * Added an ENGINE that implements RSA by performing private key
11501   exponentiations with the GMP library. The conversions to and from
11502   GMP's mpz_t format aren't optimised nor are any montgomery forms
11503   cached, and on x86 it appears OpenSSL's own performance has caught up.
11504   However there are likely to be other architectures where GMP could
11505   provide a boost. This ENGINE is not built in by default, but it can be
11506   specified at Configure time and should be accompanied by the necessary
11507   linker additions, eg;
11508           ./config -DOPENSSL_USE_GMP -lgmp
11509
11510   *Geoff Thorpe*
11511
11512 * "openssl engine" will not display ENGINE/DSO load failure errors when
11513   testing availability of engines with "-t" - the old behaviour is
11514   produced by increasing the feature's verbosity with "-tt".
11515
11516   *Geoff Thorpe*
11517
11518 * ECDSA routines: under certain error conditions uninitialized BN objects
11519   could be freed. Solution: make sure initialization is performed early
11520   enough. (Reported and fix supplied by Nils Larsch <nla@trustcenter.de>
11521   via PR#459)
11522
11523   *Lutz Jaenicke*
11524
11525 * Key-generation can now be implemented in RSA_METHOD, DSA_METHOD
11526   and DH_METHOD (eg. by ENGINE implementations) to override the normal
11527   software implementations. For DSA and DH, parameter generation can
11528   also be overridden by providing the appropriate method callbacks.
11529
11530   *Geoff Thorpe*
11531
11532 * Change the "progress" mechanism used in key-generation and
11533   primality testing to functions that take a new BN_GENCB pointer in
11534   place of callback/argument pairs. The new API functions have `_ex`
11535   postfixes and the older functions are reimplemented as wrappers for
11536   the new ones. The OPENSSL_NO_DEPRECATED symbol can be used to hide
11537   declarations of the old functions to help (graceful) attempts to
11538   migrate to the new functions. Also, the new key-generation API
11539   functions operate on a caller-supplied key-structure and return
11540   success/failure rather than returning a key or NULL - this is to
11541   help make "keygen" another member function of RSA_METHOD etc.
11542
11543   Example for using the new callback interface:
11544
11545           int (*my_callback)(int a, int b, BN_GENCB *cb) = ...;
11546           void *my_arg = ...;
11547           BN_GENCB my_cb;
11548
11549           BN_GENCB_set(&my_cb, my_callback, my_arg);
11550
11551           return BN_is_prime_ex(some_bignum, BN_prime_checks, NULL, &cb);
11552           /* For the meaning of a, b in calls to my_callback(), see the
11553            * documentation of the function that calls the callback.
11554            * cb will point to my_cb; my_arg can be retrieved as cb->arg.
11555            * my_callback should return 1 if it wants BN_is_prime_ex()
11556            * to continue, or 0 to stop.
11557            */
11558
11559   *Geoff Thorpe*
11560
11561 * Change the ZLIB compression method to be stateful, and make it
11562   available to TLS with the number defined in
11563   draft-ietf-tls-compression-04.txt.
11564
11565   *Richard Levitte*
11566
11567 * Add the ASN.1 structures and functions for CertificatePair, which
11568   is defined as follows (according to X.509_4thEditionDraftV6.pdf):
11569
11570           CertificatePair ::= SEQUENCE {
11571              forward         [0]     Certificate OPTIONAL,
11572              reverse         [1]     Certificate OPTIONAL,
11573              -- at least one of the pair shall be present -- }
11574
11575   Also implement the PEM functions to read and write certificate
11576   pairs, and defined the PEM tag as "CERTIFICATE PAIR".
11577
11578   This needed to be defined, mostly for the sake of the LDAP
11579   attribute crossCertificatePair, but may prove useful elsewhere as
11580   well.
11581
11582   *Richard Levitte*
11583
11584 * Make it possible to inhibit symlinking of shared libraries in
11585   Makefile.shared, for Cygwin's sake.
11586
11587   *Richard Levitte*
11588
11589 * Extend the BIGNUM API by creating a function
11590           void BN_set_negative(BIGNUM *a, int neg);
11591   and a macro that behave like
11592           int  BN_is_negative(const BIGNUM *a);
11593
11594   to avoid the need to access 'a->neg' directly in applications.
11595
11596   *Nils Larsch*
11597
11598 * Implement fast modular reduction for pseudo-Mersenne primes
11599   used in NIST curves (crypto/bn/bn_nist.c, crypto/ec/ecp_nist.c).
11600   EC_GROUP_new_curve_GFp() will now automatically use this
11601   if applicable.
11602
11603   *Nils Larsch <nla@trustcenter.de>*
11604
11605 * Add new lock type (CRYPTO_LOCK_BN).
11606
11607   *Bodo Moeller*
11608
11609 * Change the ENGINE framework to automatically load engines
11610   dynamically from specific directories unless they could be
11611   found to already be built in or loaded.  Move all the
11612   current engines except for the cryptodev one to a new
11613   directory engines/.
11614   The engines in engines/ are built as shared libraries if
11615   the "shared" options was given to ./Configure or ./config.
11616   Otherwise, they are inserted in libcrypto.a.
11617   /usr/local/ssl/engines is the default directory for dynamic
11618   engines, but that can be overridden at configure time through
11619   the usual use of --prefix and/or --openssldir, and at run
11620   time with the environment variable OPENSSL_ENGINES.
11621
11622   *Geoff Thorpe and Richard Levitte*
11623
11624 * Add Makefile.shared, a helper makefile to build shared
11625   libraries.  Adapt Makefile.org.
11626
11627   *Richard Levitte*
11628
11629 * Add version info to Win32 DLLs.
11630
11631   *Peter 'Luna' Runestig" <peter@runestig.com>*
11632
11633 * Add new 'medium level' PKCS#12 API. Certificates and keys
11634   can be added using this API to created arbitrary PKCS#12
11635   files while avoiding the low-level API.
11636
11637   New options to PKCS12_create(), key or cert can be NULL and
11638   will then be omitted from the output file. The encryption
11639   algorithm NIDs can be set to -1 for no encryption, the mac
11640   iteration count can be set to 0 to omit the mac.
11641
11642   Enhance pkcs12 utility by making the -nokeys and -nocerts
11643   options work when creating a PKCS#12 file. New option -nomac
11644   to omit the mac, NONE can be set for an encryption algorithm.
11645   New code is modified to use the enhanced PKCS12_create()
11646   instead of the low-level API.
11647
11648   *Steve Henson*
11649
11650 * Extend ASN1 encoder to support indefinite length constructed
11651   encoding. This can output sequences tags and octet strings in
11652   this form. Modify pk7_asn1.c to support indefinite length
11653   encoding. This is experimental and needs additional code to
11654   be useful, such as an ASN1 bio and some enhanced streaming
11655   PKCS#7 code.
11656
11657   Extend template encode functionality so that tagging is passed
11658   down to the template encoder.
11659
11660   *Steve Henson*
11661
11662 * Let 'openssl req' fail if an argument to '-newkey' is not
11663   recognized instead of using RSA as a default.
11664
11665   *Bodo Moeller*
11666
11667 * Add support for ECC-based ciphersuites from draft-ietf-tls-ecc-01.txt.
11668   As these are not official, they are not included in "ALL";
11669   the "ECCdraft" ciphersuite group alias can be used to select them.
11670
11671   *Vipul Gupta and Sumit Gupta (Sun Microsystems Laboratories)*
11672
11673 * Add ECDH engine support.
11674
11675   *Nils Gura and Douglas Stebila (Sun Microsystems Laboratories)*
11676
11677 * Add ECDH in new directory crypto/ecdh/.
11678
11679   *Douglas Stebila (Sun Microsystems Laboratories)*
11680
11681 * Let BN_rand_range() abort with an error after 100 iterations
11682   without success (which indicates a broken PRNG).
11683
11684   *Bodo Moeller*
11685
11686 * Change BN_mod_sqrt() so that it verifies that the input value
11687   is really the square of the return value.  (Previously,
11688   BN_mod_sqrt would show GIGO behaviour.)
11689
11690   *Bodo Moeller*
11691
11692 * Add named elliptic curves over binary fields from X9.62, SECG,
11693   and WAP/WTLS; add OIDs that were still missing.
11694
11695   *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*
11696
11697 * Extend the EC library for elliptic curves over binary fields
11698   (new files ec2_smpl.c, ec2_smpt.c, ec2_mult.c in crypto/ec/).
11699   New EC_METHOD:
11700
11701           EC_GF2m_simple_method
11702
11703   New API functions:
11704
11705           EC_GROUP_new_curve_GF2m
11706           EC_GROUP_set_curve_GF2m
11707           EC_GROUP_get_curve_GF2m
11708           EC_POINT_set_affine_coordinates_GF2m
11709           EC_POINT_get_affine_coordinates_GF2m
11710           EC_POINT_set_compressed_coordinates_GF2m
11711
11712   Point compression for binary fields is disabled by default for
11713   patent reasons (compile with OPENSSL_EC_BIN_PT_COMP defined to
11714   enable it).
11715
11716   As binary polynomials are represented as BIGNUMs, various members
11717   of the EC_GROUP and EC_POINT data structures can be shared
11718   between the implementations for prime fields and binary fields;
11719   the above `..._GF2m functions` (except for EX_GROUP_new_curve_GF2m)
11720   are essentially identical to their `..._GFp` counterparts.
11721   (For simplicity, the `..._GFp` prefix has been dropped from
11722   various internal method names.)
11723
11724   An internal 'field_div' method (similar to 'field_mul' and
11725   'field_sqr') has been added; this is used only for binary fields.
11726
11727   *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*
11728
11729 * Optionally dispatch EC_POINT_mul(), EC_POINT_precompute_mult()
11730   through methods ('mul', 'precompute_mult').
11731
11732   The generic implementations (now internally called 'ec_wNAF_mul'
11733   and 'ec_wNAF_precomputed_mult') remain the default if these
11734   methods are undefined.
11735
11736   *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*
11737
11738 * New function EC_GROUP_get_degree, which is defined through
11739   EC_METHOD.  For curves over prime fields, this returns the bit
11740   length of the modulus.
11741
11742   *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*
11743
11744 * New functions EC_GROUP_dup, EC_POINT_dup.
11745   (These simply call ..._new  and ..._copy).
11746
11747   *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*
11748
11749 * Add binary polynomial arithmetic software in crypto/bn/bn_gf2m.c.
11750   Polynomials are represented as BIGNUMs (where the sign bit is not
11751   used) in the following functions [macros]:
11752
11753           BN_GF2m_add
11754           BN_GF2m_sub             [= BN_GF2m_add]
11755           BN_GF2m_mod             [wrapper for BN_GF2m_mod_arr]
11756           BN_GF2m_mod_mul         [wrapper for BN_GF2m_mod_mul_arr]
11757           BN_GF2m_mod_sqr         [wrapper for BN_GF2m_mod_sqr_arr]
11758           BN_GF2m_mod_inv
11759           BN_GF2m_mod_exp         [wrapper for BN_GF2m_mod_exp_arr]
11760           BN_GF2m_mod_sqrt        [wrapper for BN_GF2m_mod_sqrt_arr]
11761           BN_GF2m_mod_solve_quad  [wrapper for BN_GF2m_mod_solve_quad_arr]
11762           BN_GF2m_cmp             [= BN_ucmp]
11763
11764   (Note that only the 'mod' functions are actually for fields GF(2^m).
11765   BN_GF2m_add() is misnomer, but this is for the sake of consistency.)
11766
11767   For some functions, an the irreducible polynomial defining a
11768   field can be given as an 'unsigned int[]' with strictly
11769   decreasing elements giving the indices of those bits that are set;
11770   i.e., p[] represents the polynomial
11771           f(t) = t^p[0] + t^p[1] + ... + t^p[k]
11772   where
11773           p[0] > p[1] > ... > p[k] = 0.
11774   This applies to the following functions:
11775
11776           BN_GF2m_mod_arr
11777           BN_GF2m_mod_mul_arr
11778           BN_GF2m_mod_sqr_arr
11779           BN_GF2m_mod_inv_arr        [wrapper for BN_GF2m_mod_inv]
11780           BN_GF2m_mod_div_arr        [wrapper for BN_GF2m_mod_div]
11781           BN_GF2m_mod_exp_arr
11782           BN_GF2m_mod_sqrt_arr
11783           BN_GF2m_mod_solve_quad_arr
11784           BN_GF2m_poly2arr
11785           BN_GF2m_arr2poly
11786
11787   Conversion can be performed by the following functions:
11788
11789           BN_GF2m_poly2arr
11790           BN_GF2m_arr2poly
11791
11792   bntest.c has additional tests for binary polynomial arithmetic.
11793
11794   Two implementations for BN_GF2m_mod_div() are available.
11795   The default algorithm simply uses BN_GF2m_mod_inv() and
11796   BN_GF2m_mod_mul().  The alternative algorithm is compiled in only
11797   if OPENSSL_SUN_GF2M_DIV is defined (patent pending; read the
11798   copyright notice in crypto/bn/bn_gf2m.c before enabling it).
11799
11800   *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*
11801
11802 * Add new error code 'ERR_R_DISABLED' that can be used when some
11803   functionality is disabled at compile-time.
11804
11805   *Douglas Stebila <douglas.stebila@sun.com>*
11806
11807 * Change default behaviour of 'openssl asn1parse' so that more
11808   information is visible when viewing, e.g., a certificate:
11809
11810   Modify asn1_parse2 (crypto/asn1/asn1_par.c) so that in non-'dump'
11811   mode the content of non-printable OCTET STRINGs is output in a
11812   style similar to INTEGERs, but with '[HEX DUMP]' prepended to
11813   avoid the appearance of a printable string.
11814
11815   *Nils Larsch <nla@trustcenter.de>*
11816
11817 * Add 'asn1_flag' and 'asn1_form' member to EC_GROUP with access
11818   functions
11819           EC_GROUP_set_asn1_flag()
11820           EC_GROUP_get_asn1_flag()
11821           EC_GROUP_set_point_conversion_form()
11822           EC_GROUP_get_point_conversion_form()
11823   These control ASN1 encoding details:
11824   - Curves (i.e., groups) are encoded explicitly unless asn1_flag
11825     has been set to OPENSSL_EC_NAMED_CURVE.
11826   - Points are encoded in uncompressed form by default; options for
11827     asn1_for are as for point2oct, namely
11828           POINT_CONVERSION_COMPRESSED
11829           POINT_CONVERSION_UNCOMPRESSED
11830           POINT_CONVERSION_HYBRID
11831
11832   Also add 'seed' and 'seed_len' members to EC_GROUP with access
11833   functions
11834           EC_GROUP_set_seed()
11835           EC_GROUP_get0_seed()
11836           EC_GROUP_get_seed_len()
11837   This is used only for ASN1 purposes (so far).
11838
11839   *Nils Larsch <nla@trustcenter.de>*
11840
11841 * Add 'field_type' member to EC_METHOD, which holds the NID
11842   of the appropriate field type OID.  The new function
11843   EC_METHOD_get_field_type() returns this value.
11844
11845   *Nils Larsch <nla@trustcenter.de>*
11846
11847 * Add functions
11848           EC_POINT_point2bn()
11849           EC_POINT_bn2point()
11850           EC_POINT_point2hex()
11851           EC_POINT_hex2point()
11852   providing useful interfaces to EC_POINT_point2oct() and
11853   EC_POINT_oct2point().
11854
11855   *Nils Larsch <nla@trustcenter.de>*
11856
11857 * Change internals of the EC library so that the functions
11858           EC_GROUP_set_generator()
11859           EC_GROUP_get_generator()
11860           EC_GROUP_get_order()
11861           EC_GROUP_get_cofactor()
11862   are implemented directly in crypto/ec/ec_lib.c and not dispatched
11863   to methods, which would lead to unnecessary code duplication when
11864   adding different types of curves.
11865
11866   *Nils Larsch <nla@trustcenter.de> with input by Bodo Moeller*
11867
11868 * Implement compute_wNAF (crypto/ec/ec_mult.c) without BIGNUM
11869   arithmetic, and such that modified wNAFs are generated
11870   (which avoid length expansion in many cases).
11871
11872   *Bodo Moeller*
11873
11874 * Add a function EC_GROUP_check_discriminant() (defined via
11875   EC_METHOD) that verifies that the curve discriminant is non-zero.
11876
11877   Add a function EC_GROUP_check() that makes some sanity tests
11878   on a EC_GROUP, its generator and order.  This includes
11879   EC_GROUP_check_discriminant().
11880
11881   *Nils Larsch <nla@trustcenter.de>*
11882
11883 * Add ECDSA in new directory crypto/ecdsa/.
11884
11885   Add applications 'openssl ecparam' and 'openssl ecdsa'
11886   (these are based on 'openssl dsaparam' and 'openssl dsa').
11887
11888   ECDSA support is also included in various other files across the
11889   library.  Most notably,
11890   - 'openssl req' now has a '-newkey ecdsa:file' option;
11891   - EVP_PKCS82PKEY (crypto/evp/evp_pkey.c) now can handle ECDSA;
11892   - X509_PUBKEY_get (crypto/asn1/x_pubkey.c) and
11893     d2i_PublicKey (crypto/asn1/d2i_pu.c) have been modified to make
11894     them suitable for ECDSA where domain parameters must be
11895     extracted before the specific public key;
11896   - ECDSA engine support has been added.
11897
11898   *Nils Larsch <nla@trustcenter.de>*
11899
11900 * Include some named elliptic curves, and add OIDs from X9.62,
11901   SECG, and WAP/WTLS.  Each curve can be obtained from the new
11902   function
11903           EC_GROUP_new_by_curve_name(),
11904   and the list of available named curves can be obtained with
11905           EC_get_builtin_curves().
11906   Also add a 'curve_name' member to EC_GROUP objects, which can be
11907   accessed via
11908           EC_GROUP_set_curve_name()
11909           EC_GROUP_get_curve_name()
11910
11911   *Nils Larsch <larsch@trustcenter.de, Bodo Moeller*
11912
11913 * Remove a few calls to bn_wexpand() in BN_sqr() (the one in there
11914   was actually never needed) and in BN_mul().  The removal in BN_mul()
11915   required a small change in bn_mul_part_recursive() and the addition
11916   of the functions bn_cmp_part_words(), bn_sub_part_words() and
11917   bn_add_part_words(), which do the same thing as bn_cmp_words(),
11918   bn_sub_words() and bn_add_words() except they take arrays with
11919   differing sizes.
11920
11921   *Richard Levitte*
11922
11923### Changes between 0.9.7l and 0.9.7m  [23 Feb 2007]
11924
11925 * Cleanse PEM buffers before freeing them since they may contain
11926   sensitive data.
11927
11928   *Benjamin Bennett <ben@psc.edu>*
11929
11930 * Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that
11931   a ciphersuite string such as "DEFAULT:RSA" cannot enable
11932   authentication-only ciphersuites.
11933
11934   *Bodo Moeller*
11935
11936 * Since AES128 and AES256 share a single mask bit in the logic of
11937   ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
11938   kludge to work properly if AES128 is available and AES256 isn't.
11939
11940   *Victor Duchovni*
11941
11942 * Expand security boundary to match 1.1.1 module.
11943
11944   *Steve Henson*
11945
11946 * Remove redundant features: hash file source, editing of test vectors
11947   modify fipsld to use external fips_premain.c signature.
11948
11949   *Steve Henson*
11950
11951 * New perl script mkfipsscr.pl to create shell scripts or batch files to
11952   run algorithm test programs.
11953
11954   *Steve Henson*
11955
11956 * Make algorithm test programs more tolerant of whitespace.
11957
11958   *Steve Henson*
11959
11960 * Have SSL/TLS server implementation tolerate "mismatched" record
11961   protocol version while receiving ClientHello even if the
11962   ClientHello is fragmented.  (The server can't insist on the
11963   particular protocol version it has chosen before the ServerHello
11964   message has informed the client about his choice.)
11965
11966   *Bodo Moeller*
11967
11968 * Load error codes if they are not already present instead of using a
11969   static variable. This allows them to be cleanly unloaded and reloaded.
11970
11971   *Steve Henson*
11972
11973### Changes between 0.9.7k and 0.9.7l  [28 Sep 2006]
11974
11975 * Introduce limits to prevent malicious keys being able to
11976   cause a denial of service.  ([CVE-2006-2940])
11977
11978   *Steve Henson, Bodo Moeller*
11979
11980 * Fix ASN.1 parsing of certain invalid structures that can result
11981   in a denial of service.  ([CVE-2006-2937])  [Steve Henson]
11982
11983 * Fix buffer overflow in SSL_get_shared_ciphers() function.
11984   ([CVE-2006-3738]) [Tavis Ormandy and Will Drewry, Google Security Team]
11985
11986 * Fix SSL client code which could crash if connecting to a
11987   malicious SSLv2 server.  ([CVE-2006-4343])
11988
11989   *Tavis Ormandy and Will Drewry, Google Security Team*
11990
11991 * Change ciphersuite string processing so that an explicit
11992   ciphersuite selects this one ciphersuite (so that "AES256-SHA"
11993   will no longer include "AES128-SHA"), and any other similar
11994   ciphersuite (same bitmap) from *other* protocol versions (so that
11995   "RC4-MD5" will still include both the SSL 2.0 ciphersuite and the
11996   SSL 3.0/TLS 1.0 ciphersuite).  This is a backport combining
11997   changes from 0.9.8b and 0.9.8d.
11998
11999   *Bodo Moeller*
12000
12001### Changes between 0.9.7j and 0.9.7k  [05 Sep 2006]
12002
12003 * Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
12004   ([CVE-2006-4339])  [Ben Laurie and Google Security Team]
12005
12006 * Change the Unix randomness entropy gathering to use poll() when
12007   possible instead of select(), since the latter has some
12008   undesirable limitations.
12009
12010   *Darryl Miles via Richard Levitte and Bodo Moeller*
12011
12012 * Disable rogue ciphersuites:
12013
12014   - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
12015   - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
12016   - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
12017
12018   The latter two were purportedly from
12019   draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
12020   appear there.
12021
12022   Also deactivate the remaining ciphersuites from
12023   draft-ietf-tls-56-bit-ciphersuites-01.txt.  These are just as
12024   unofficial, and the ID has long expired.
12025
12026   *Bodo Moeller*
12027
12028 * Fix RSA blinding Heisenbug (problems sometimes occurred on
12029   dual-core machines) and other potential thread-safety issues.
12030
12031   *Bodo Moeller*
12032
12033### Changes between 0.9.7i and 0.9.7j  [04 May 2006]
12034
12035 * Adapt fipsld and the build system to link against the validated FIPS
12036   module in FIPS mode.
12037
12038   *Steve Henson*
12039
12040 * Fixes for VC++ 2005 build under Windows.
12041
12042   *Steve Henson*
12043
12044 * Add new Windows build target VC-32-GMAKE for VC++. This uses GNU make
12045   from a Windows bash shell such as MSYS. It is autodetected from the
12046   "config" script when run from a VC++ environment. Modify standard VC++
12047   build to use fipscanister.o from the GNU make build.
12048
12049   *Steve Henson*
12050
12051### Changes between 0.9.7h and 0.9.7i  [14 Oct 2005]
12052
12053 * Wrapped the definition of EVP_MAX_MD_SIZE in a #ifdef OPENSSL_FIPS.
12054   The value now differs depending on if you build for FIPS or not.
12055   BEWARE!  A program linked with a shared FIPSed libcrypto can't be
12056   safely run with a non-FIPSed libcrypto, as it may crash because of
12057   the difference induced by this change.
12058
12059   *Andy Polyakov*
12060
12061### Changes between 0.9.7g and 0.9.7h  [11 Oct 2005]
12062
12063 * Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
12064   (part of SSL_OP_ALL).  This option used to disable the
12065   countermeasure against man-in-the-middle protocol-version
12066   rollback in the SSL 2.0 server implementation, which is a bad
12067   idea.  ([CVE-2005-2969])
12068
12069   *Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center
12070   for Information Security, National Institute of Advanced Industrial
12071   Science and Technology [AIST, Japan)]*
12072
12073 * Minimal support for X9.31 signatures and PSS padding modes. This is
12074   mainly for FIPS compliance and not fully integrated at this stage.
12075
12076   *Steve Henson*
12077
12078 * For DSA signing, unless DSA_FLAG_NO_EXP_CONSTTIME is set, perform
12079   the exponentiation using a fixed-length exponent.  (Otherwise,
12080   the information leaked through timing could expose the secret key
12081   after many signatures; cf. Bleichenbacher's attack on DSA with
12082   biased k.)
12083
12084   *Bodo Moeller*
12085
12086 * Make a new fixed-window mod_exp implementation the default for
12087   RSA, DSA, and DH private-key operations so that the sequence of
12088   squares and multiplies and the memory access pattern are
12089   independent of the particular secret key.  This will mitigate
12090   cache-timing and potential related attacks.
12091
12092   BN_mod_exp_mont_consttime() is the new exponentiation implementation,
12093   and this is automatically used by BN_mod_exp_mont() if the new flag
12094   BN_FLG_EXP_CONSTTIME is set for the exponent.  RSA, DSA, and DH
12095   will use this BN flag for private exponents unless the flag
12096   RSA_FLAG_NO_EXP_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME, or
12097   DH_FLAG_NO_EXP_CONSTTIME, respectively, is set.
12098
12099   *Matthew D Wood (Intel Corp), with some changes by Bodo Moeller*
12100
12101 * Change the client implementation for SSLv23_method() and
12102   SSLv23_client_method() so that is uses the SSL 3.0/TLS 1.0
12103   Client Hello message format if the SSL_OP_NO_SSLv2 option is set.
12104   (Previously, the SSL 2.0 backwards compatible Client Hello
12105   message format would be used even with SSL_OP_NO_SSLv2.)
12106
12107   *Bodo Moeller*
12108
12109 * Add support for smime-type MIME parameter in S/MIME messages which some
12110   clients need.
12111
12112   *Steve Henson*
12113
12114 * New function BN_MONT_CTX_set_locked() to set montgomery parameters in
12115   a threadsafe manner. Modify rsa code to use new function and add calls
12116   to dsa and dh code (which had race conditions before).
12117
12118   *Steve Henson*
12119
12120 * Include the fixed error library code in the C error file definitions
12121   instead of fixing them up at runtime. This keeps the error code
12122   structures constant.
12123
12124   *Steve Henson*
12125
12126### Changes between 0.9.7f and 0.9.7g  [11 Apr 2005]
12127
12128[NB: OpenSSL 0.9.7h and later 0.9.7 patch levels were released after
12129OpenSSL 0.9.8.]
12130
12131 * Fixes for newer kerberos headers. NB: the casts are needed because
12132   the 'length' field is signed on one version and unsigned on another
12133   with no (?) obvious way to tell the difference, without these VC++
12134   complains. Also the "definition" of FAR (blank) is no longer included
12135   nor is the error ENOMEM. KRB5_PRIVATE has to be set to 1 to pick up
12136   some needed definitions.
12137
12138   *Steve Henson*
12139
12140 * Undo Cygwin change.
12141
12142   *Ulf Möller*
12143
12144 * Added support for proxy certificates according to RFC 3820.
12145   Because they may be a security thread to unaware applications,
12146   they must be explicitly allowed in run-time.  See
12147   docs/HOWTO/proxy_certificates.txt for further information.
12148
12149   *Richard Levitte*
12150
12151### Changes between 0.9.7e and 0.9.7f  [22 Mar 2005]
12152
12153 * Use (SSL_RANDOM_VALUE - 4) bytes of pseudo random data when generating
12154   server and client random values. Previously
12155   (SSL_RANDOM_VALUE - sizeof(time_t)) would be used which would result in
12156   less random data when sizeof(time_t) > 4 (some 64 bit platforms).
12157
12158   This change has negligible security impact because:
12159
12160   1. Server and client random values still have 24 bytes of pseudo random
12161      data.
12162
12163   2. Server and client random values are sent in the clear in the initial
12164      handshake.
12165
12166   3. The master secret is derived using the premaster secret (48 bytes in
12167      size for static RSA ciphersuites) as well as client server and random
12168      values.
12169
12170   The OpenSSL team would like to thank the UK NISCC for bringing this issue
12171   to our attention.
12172
12173   *Stephen Henson, reported by UK NISCC*
12174
12175 * Use Windows randomness collection on Cygwin.
12176
12177   *Ulf Möller*
12178
12179 * Fix hang in EGD/PRNGD query when communication socket is closed
12180   prematurely by EGD/PRNGD.
12181
12182   *Darren Tucker <dtucker@zip.com.au> via Lutz Jänicke, resolves #1014*
12183
12184 * Prompt for pass phrases when appropriate for PKCS12 input format.
12185
12186   *Steve Henson*
12187
12188 * Back-port of selected performance improvements from development
12189   branch, as well as improved support for PowerPC platforms.
12190
12191   *Andy Polyakov*
12192
12193 * Add lots of checks for memory allocation failure, error codes to indicate
12194   failure and freeing up memory if a failure occurs.
12195
12196   *Nauticus Networks SSL Team <openssl@nauticusnet.com>, Steve Henson*
12197
12198 * Add new -passin argument to dgst.
12199
12200   *Steve Henson*
12201
12202 * Perform some character comparisons of different types in X509_NAME_cmp:
12203   this is needed for some certificates that re-encode DNs into UTF8Strings
12204   (in violation of RFC3280) and can't or won't issue name rollover
12205   certificates.
12206
12207   *Steve Henson*
12208
12209 * Make an explicit check during certificate validation to see that
12210   the CA setting in each certificate on the chain is correct.  As a
12211   side effect always do the following basic checks on extensions,
12212   not just when there's an associated purpose to the check:
12213
12214   - if there is an unhandled critical extension (unless the user
12215     has chosen to ignore this fault)
12216   - if the path length has been exceeded (if one is set at all)
12217   - that certain extensions fit the associated purpose (if one has
12218     been given)
12219
12220   *Richard Levitte*
12221
12222### Changes between 0.9.7d and 0.9.7e  [25 Oct 2004]
12223
12224 * Avoid a race condition when CRLs are checked in a multi threaded
12225   environment. This would happen due to the reordering of the revoked
12226   entries during signature checking and serial number lookup. Now the
12227   encoding is cached and the serial number sort performed under a lock.
12228   Add new STACK function sk_is_sorted().
12229
12230   *Steve Henson*
12231
12232 * Add Delta CRL to the extension code.
12233
12234   *Steve Henson*
12235
12236 * Various fixes to s3_pkt.c so alerts are sent properly.
12237
12238   *David Holmes <d.holmes@f5.com>*
12239
12240 * Reduce the chances of duplicate issuer name and serial numbers (in
12241   violation of RFC3280) using the OpenSSL certificate creation utilities.
12242   This is done by creating a random 64 bit value for the initial serial
12243   number when a serial number file is created or when a self signed
12244   certificate is created using 'openssl req -x509'. The initial serial
12245   number file is created using 'openssl x509 -next_serial' in CA.pl
12246   rather than being initialized to 1.
12247
12248   *Steve Henson*
12249
12250### Changes between 0.9.7c and 0.9.7d  [17 Mar 2004]
12251
12252 * Fix null-pointer assignment in do_change_cipher_spec() revealed
12253   by using the Codenomicon TLS Test Tool ([CVE-2004-0079])
12254
12255   *Joe Orton, Steve Henson*
12256
12257 * Fix flaw in SSL/TLS handshaking when using Kerberos ciphersuites
12258   ([CVE-2004-0112])
12259
12260   *Joe Orton, Steve Henson*
12261
12262 * Make it possible to have multiple active certificates with the same
12263   subject in the CA index file.  This is done only if the keyword
12264   'unique_subject' is set to 'no' in the main CA section (default
12265   if 'CA_default') of the configuration file.  The value is saved
12266   with the database itself in a separate index attribute file,
12267   named like the index file with '.attr' appended to the name.
12268
12269   *Richard Levitte*
12270
12271 * X509 verify fixes. Disable broken certificate workarounds when
12272   X509_V_FLAGS_X509_STRICT is set. Check CRL issuer has cRLSign set if
12273   keyUsage extension present. Don't accept CRLs with unhandled critical
12274   extensions: since verify currently doesn't process CRL extensions this
12275   rejects a CRL with *any* critical extensions. Add new verify error codes
12276   for these cases.
12277
12278   *Steve Henson*
12279
12280 * When creating an OCSP nonce use an OCTET STRING inside the extnValue.
12281   A clarification of RFC2560 will require the use of OCTET STRINGs and
12282   some implementations cannot handle the current raw format. Since OpenSSL
12283   copies and compares OCSP nonces as opaque blobs without any attempt at
12284   parsing them this should not create any compatibility issues.
12285
12286   *Steve Henson*
12287
12288 * New md flag EVP_MD_CTX_FLAG_REUSE this allows md_data to be reused when
12289   calling EVP_MD_CTX_copy_ex() to avoid calling OPENSSL_malloc(). Without
12290   this HMAC (and other) operations are several times slower than OpenSSL
12291   < 0.9.7.
12292
12293   *Steve Henson*
12294
12295 * Print out GeneralizedTime and UTCTime in ASN1_STRING_print_ex().
12296
12297   *Peter Sylvester <Peter.Sylvester@EdelWeb.fr>*
12298
12299 * Use the correct content when signing type "other".
12300
12301   *Steve Henson*
12302
12303### Changes between 0.9.7b and 0.9.7c  [30 Sep 2003]
12304
12305 * Fix various bugs revealed by running the NISCC test suite:
12306
12307   Stop out of bounds reads in the ASN1 code when presented with
12308   invalid tags (CVE-2003-0543 and CVE-2003-0544).
12309
12310   Free up ASN1_TYPE correctly if ANY type is invalid ([CVE-2003-0545]).
12311
12312   If verify callback ignores invalid public key errors don't try to check
12313   certificate signature with the NULL public key.
12314
12315   *Steve Henson*
12316
12317 * New -ignore_err option in ocsp application to stop the server
12318   exiting on the first error in a request.
12319
12320   *Steve Henson*
12321
12322 * In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
12323   if the server requested one: as stated in TLS 1.0 and SSL 3.0
12324   specifications.
12325
12326   *Steve Henson*
12327
12328 * In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
12329   extra data after the compression methods not only for TLS 1.0
12330   but also for SSL 3.0 (as required by the specification).
12331
12332   *Bodo Moeller; problem pointed out by Matthias Loepfe*
12333
12334 * Change X509_certificate_type() to mark the key as exported/exportable
12335   when it's 512 *bits* long, not 512 bytes.
12336
12337   *Richard Levitte*
12338
12339 * Change AES_cbc_encrypt() so it outputs exact multiple of
12340   blocks during encryption.
12341
12342   *Richard Levitte*
12343
12344 * Various fixes to base64 BIO and non blocking I/O. On write
12345   flushes were not handled properly if the BIO retried. On read
12346   data was not being buffered properly and had various logic bugs.
12347   This also affects blocking I/O when the data being decoded is a
12348   certain size.
12349
12350   *Steve Henson*
12351
12352 * Various S/MIME bugfixes and compatibility changes:
12353   output correct application/pkcs7 MIME type if
12354   PKCS7_NOOLDMIMETYPE is set. Tolerate some broken signatures.
12355   Output CR+LF for EOL if PKCS7_CRLFEOL is set (this makes opening
12356   of files as .eml work). Correctly handle very long lines in MIME
12357   parser.
12358
12359   *Steve Henson*
12360
12361### Changes between 0.9.7a and 0.9.7b  [10 Apr 2003]
12362
12363 * Countermeasure against the Klima-Pokorny-Rosa extension of
12364   Bleichbacher's attack on PKCS #1 v1.5 padding: treat
12365   a protocol version number mismatch like a decryption error
12366   in ssl3_get_client_key_exchange (ssl/s3_srvr.c).
12367
12368   *Bodo Moeller*
12369
12370 * Turn on RSA blinding by default in the default implementation
12371   to avoid a timing attack. Applications that don't want it can call
12372   RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING.
12373   They would be ill-advised to do so in most cases.
12374
12375   *Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller*
12376
12377 * Change RSA blinding code so that it works when the PRNG is not
12378   seeded (in this case, the secret RSA exponent is abused as
12379   an unpredictable seed -- if it is not unpredictable, there
12380   is no point in blinding anyway).  Make RSA blinding thread-safe
12381   by remembering the creator's thread ID in rsa->blinding and
12382   having all other threads use local one-time blinding factors
12383   (this requires more computation than sharing rsa->blinding, but
12384   avoids excessive locking; and if an RSA object is not shared
12385   between threads, blinding will still be very fast).
12386
12387   *Bodo Moeller*
12388
12389 * Fixed a typo bug that would cause ENGINE_set_default() to set an
12390   ENGINE as defaults for all supported algorithms irrespective of
12391   the 'flags' parameter. 'flags' is now honoured, so applications
12392   should make sure they are passing it correctly.
12393
12394   *Geoff Thorpe*
12395
12396 * Target "mingw" now allows native Windows code to be generated in
12397   the Cygwin environment as well as with the MinGW compiler.
12398
12399   *Ulf Moeller*
12400
12401### Changes between 0.9.7 and 0.9.7a  [19 Feb 2003]
12402
12403 * In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
12404   via timing by performing a MAC computation even if incorrect
12405   block cipher padding has been found.  This is a countermeasure
12406   against active attacks where the attacker has to distinguish
12407   between bad padding and a MAC verification error. ([CVE-2003-0078])
12408
12409   *Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
12410   Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
12411   Martin Vuagnoux (EPFL, Ilion)*
12412
12413 * Make the no-err option work as intended.  The intention with no-err
12414   is not to have the whole error stack handling routines removed from
12415   libcrypto, it's only intended to remove all the function name and
12416   reason texts, thereby removing some of the footprint that may not
12417   be interesting if those errors aren't displayed anyway.
12418
12419   NOTE: it's still possible for any application or module to have its
12420   own set of error texts inserted.  The routines are there, just not
12421   used by default when no-err is given.
12422
12423   *Richard Levitte*
12424
12425 * Add support for FreeBSD on IA64.
12426
12427   *dirk.meyer@dinoex.sub.org via Richard Levitte, resolves #454*
12428
12429 * Adjust DES_cbc_cksum() so it returns the same value as the MIT
12430   Kerberos function mit_des_cbc_cksum().  Before this change,
12431   the value returned by DES_cbc_cksum() was like the one from
12432   mit_des_cbc_cksum(), except the bytes were swapped.
12433
12434   *Kevin Greaney <Kevin.Greaney@hp.com> and Richard Levitte*
12435
12436 * Allow an application to disable the automatic SSL chain building.
12437   Before this a rather primitive chain build was always performed in
12438   ssl3_output_cert_chain(): an application had no way to send the
12439   correct chain if the automatic operation produced an incorrect result.
12440
12441   Now the chain builder is disabled if either:
12442
12443   1. Extra certificates are added via SSL_CTX_add_extra_chain_cert().
12444
12445   2. The mode flag SSL_MODE_NO_AUTO_CHAIN is set.
12446
12447   The reasoning behind this is that an application would not want the
12448   auto chain building to take place if extra chain certificates are
12449   present and it might also want a means of sending no additional
12450   certificates (for example the chain has two certificates and the
12451   root is omitted).
12452
12453   *Steve Henson*
12454
12455 * Add the possibility to build without the ENGINE framework.
12456
12457   *Steven Reddie <smr@essemer.com.au> via Richard Levitte*
12458
12459 * Under Win32 gmtime() can return NULL: check return value in
12460   OPENSSL_gmtime(). Add error code for case where gmtime() fails.
12461
12462   *Steve Henson*
12463
12464 * DSA routines: under certain error conditions uninitialized BN objects
12465   could be freed. Solution: make sure initialization is performed early
12466   enough. (Reported and fix supplied by Ivan D Nestlerode <nestler@MIT.EDU>,
12467   Nils Larsch <nla@trustcenter.de> via PR#459)
12468
12469   *Lutz Jaenicke*
12470
12471 * Another fix for SSLv2 session ID handling: the session ID was incorrectly
12472   checked on reconnect on the client side, therefore session resumption
12473   could still fail with a "ssl session id is different" error. This
12474   behaviour is masked when SSL_OP_ALL is used due to
12475   SSL_OP_MICROSOFT_SESS_ID_BUG being set.
12476   Behaviour observed by Crispin Flowerday <crispin@flowerday.cx> as
12477   followup to PR #377.
12478
12479   *Lutz Jaenicke*
12480
12481 * IA-32 assembler support enhancements: unified ELF targets, support
12482   for SCO/Caldera platforms, fix for Cygwin shared build.
12483
12484   *Andy Polyakov*
12485
12486 * Add support for FreeBSD on sparc64.  As a consequence, support for
12487   FreeBSD on non-x86 processors is separate from x86 processors on
12488   the config script, much like the NetBSD support.
12489
12490   *Richard Levitte & Kris Kennaway <kris@obsecurity.org>*
12491
12492### Changes between 0.9.6h and 0.9.7  [31 Dec 2002]
12493
12494[NB: OpenSSL 0.9.6i and later 0.9.6 patch levels were released after
12495OpenSSL 0.9.7.]
12496
12497 * Fix session ID handling in SSLv2 client code: the SERVER FINISHED
12498   code (06) was taken as the first octet of the session ID and the last
12499   octet was ignored consequently. As a result SSLv2 client side session
12500   caching could not have worked due to the session ID mismatch between
12501   client and server.
12502   Behaviour observed by Crispin Flowerday <crispin@flowerday.cx> as
12503   PR #377.
12504
12505   *Lutz Jaenicke*
12506
12507 * Change the declaration of needed Kerberos libraries to use EX_LIBS
12508   instead of the special (and badly supported) LIBKRB5.  LIBKRB5 is
12509   removed entirely.
12510
12511   *Richard Levitte*
12512
12513 * The hw_ncipher.c engine requires dynamic locks.  Unfortunately, it
12514   seems that in spite of existing for more than a year, many application
12515   author have done nothing to provide the necessary callbacks, which
12516   means that this particular engine will not work properly anywhere.
12517   This is a very unfortunate situation which forces us, in the name
12518   of usability, to give the hw_ncipher.c a static lock, which is part
12519   of libcrypto.
12520   NOTE: This is for the 0.9.7 series ONLY.  This hack will never
12521   appear in 0.9.8 or later.  We EXPECT application authors to have
12522   dealt properly with this when 0.9.8 is released (unless we actually
12523   make such changes in the libcrypto locking code that changes will
12524   have to be made anyway).
12525
12526   *Richard Levitte*
12527
12528 * In asn1_d2i_read_bio() repeatedly call BIO_read() until all content
12529   octets have been read, EOF or an error occurs. Without this change
12530   some truncated ASN1 structures will not produce an error.
12531
12532   *Steve Henson*
12533
12534 * Disable Heimdal support, since it hasn't been fully implemented.
12535   Still give the possibility to force the use of Heimdal, but with
12536   warnings and a request that patches get sent to openssl-dev.
12537
12538   *Richard Levitte*
12539
12540 * Add the VC-CE target, introduce the WINCE sysname, and add
12541   INSTALL.WCE and appropriate conditionals to make it build.
12542
12543   *Steven Reddie <smr@essemer.com.au> via Richard Levitte*
12544
12545 * Change the DLL names for Cygwin to cygcrypto-x.y.z.dll and
12546   cygssl-x.y.z.dll, where x, y and z are the major, minor and
12547   edit numbers of the version.
12548
12549   *Corinna Vinschen <vinschen@redhat.com> and Richard Levitte*
12550
12551 * Introduce safe string copy and catenation functions
12552   (BUF_strlcpy() and BUF_strlcat()).
12553
12554   *Ben Laurie (CHATS) and Richard Levitte*
12555
12556 * Avoid using fixed-size buffers for one-line DNs.
12557
12558   *Ben Laurie (CHATS)*
12559
12560 * Add BUF_MEM_grow_clean() to avoid information leakage when
12561   resizing buffers containing secrets, and use where appropriate.
12562
12563   *Ben Laurie (CHATS)*
12564
12565 * Avoid using fixed size buffers for configuration file location.
12566
12567   *Ben Laurie (CHATS)*
12568
12569 * Avoid filename truncation for various CA files.
12570
12571   *Ben Laurie (CHATS)*
12572
12573 * Use sizeof in preference to magic numbers.
12574
12575   *Ben Laurie (CHATS)*
12576
12577 * Avoid filename truncation in cert requests.
12578
12579   *Ben Laurie (CHATS)*
12580
12581 * Add assertions to check for (supposedly impossible) buffer
12582   overflows.
12583
12584   *Ben Laurie (CHATS)*
12585
12586 * Don't cache truncated DNS entries in the local cache (this could
12587   potentially lead to a spoofing attack).
12588
12589   *Ben Laurie (CHATS)*
12590
12591 * Fix various buffers to be large enough for hex/decimal
12592   representations in a platform independent manner.
12593
12594   *Ben Laurie (CHATS)*
12595
12596 * Add CRYPTO_realloc_clean() to avoid information leakage when
12597   resizing buffers containing secrets, and use where appropriate.
12598
12599   *Ben Laurie (CHATS)*
12600
12601 * Add BIO_indent() to avoid much slightly worrying code to do
12602   indents.
12603
12604   *Ben Laurie (CHATS)*
12605
12606 * Convert sprintf()/BIO_puts() to BIO_printf().
12607
12608   *Ben Laurie (CHATS)*
12609
12610 * buffer_gets() could terminate with the buffer only half
12611   full. Fixed.
12612
12613   *Ben Laurie (CHATS)*
12614
12615 * Add assertions to prevent user-supplied crypto functions from
12616   overflowing internal buffers by having large block sizes, etc.
12617
12618   *Ben Laurie (CHATS)*
12619
12620 * New OPENSSL_assert() macro (similar to assert(), but enabled
12621   unconditionally).
12622
12623   *Ben Laurie (CHATS)*
12624
12625 * Eliminate unused copy of key in RC4.
12626
12627   *Ben Laurie (CHATS)*
12628
12629 * Eliminate unused and incorrectly sized buffers for IV in pem.h.
12630
12631   *Ben Laurie (CHATS)*
12632
12633 * Fix off-by-one error in EGD path.
12634
12635   *Ben Laurie (CHATS)*
12636
12637 * If RANDFILE path is too long, ignore instead of truncating.
12638
12639   *Ben Laurie (CHATS)*
12640
12641 * Eliminate unused and incorrectly sized X.509 structure
12642   CBCParameter.
12643
12644   *Ben Laurie (CHATS)*
12645
12646 * Eliminate unused and dangerous function knumber().
12647
12648   *Ben Laurie (CHATS)*
12649
12650 * Eliminate unused and dangerous structure, KSSL_ERR.
12651
12652   *Ben Laurie (CHATS)*
12653
12654 * Protect against overlong session ID context length in an encoded
12655   session object. Since these are local, this does not appear to be
12656   exploitable.
12657
12658   *Ben Laurie (CHATS)*
12659
12660 * Change from security patch (see 0.9.6e below) that did not affect
12661   the 0.9.6 release series:
12662
12663   Remote buffer overflow in SSL3 protocol - an attacker could
12664   supply an oversized master key in Kerberos-enabled versions.
12665   ([CVE-2002-0657])
12666
12667   *Ben Laurie (CHATS)*
12668
12669 * Change the SSL kerb5 codes to match RFC 2712.
12670
12671   *Richard Levitte*
12672
12673 * Make -nameopt work fully for req and add -reqopt switch.
12674
12675   *Michael Bell <michael.bell@rz.hu-berlin.de>, Steve Henson*
12676
12677 * The "block size" for block ciphers in CFB and OFB mode should be 1.
12678
12679   *Steve Henson, reported by Yngve Nysaeter Pettersen <yngve@opera.com>*
12680
12681 * Make sure tests can be performed even if the corresponding algorithms
12682   have been removed entirely.  This was also the last step to make
12683   OpenSSL compilable with DJGPP under all reasonable conditions.
12684
12685   *Richard Levitte, Doug Kaufman <dkaufman@rahul.net>*
12686
12687 * Add cipher selection rules COMPLEMENTOFALL and COMPLEMENTOFDEFAULT
12688   to allow version independent disabling of normally unselected ciphers,
12689   which may be activated as a side-effect of selecting a single cipher.
12690
12691   (E.g., cipher list string "RSA" enables ciphersuites that are left
12692   out of "ALL" because they do not provide symmetric encryption.
12693   "RSA:!COMPLEMEMENTOFALL" avoids these unsafe ciphersuites.)
12694
12695   *Lutz Jaenicke, Bodo Moeller*
12696
12697 * Add appropriate support for separate platform-dependent build
12698   directories.  The recommended way to make a platform-dependent
12699   build directory is the following (tested on Linux), maybe with
12700   some local tweaks:
12701
12702           # Place yourself outside of the OpenSSL source tree.  In
12703           # this example, the environment variable OPENSSL_SOURCE
12704           # is assumed to contain the absolute OpenSSL source directory.
12705           mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`"
12706           cd objtree/"`uname -s`-`uname -r`-`uname -m`"
12707           (cd $OPENSSL_SOURCE; find . -type f) | while read F; do
12708                   mkdir -p `dirname $F`
12709                   ln -s $OPENSSL_SOURCE/$F $F
12710           done
12711
12712   To be absolutely sure not to disturb the source tree, a "make clean"
12713   is a good thing.  If it isn't successful, don't worry about it,
12714   it probably means the source directory is very clean.
12715
12716   *Richard Levitte*
12717
12718 * Make sure any ENGINE control commands make local copies of string
12719   pointers passed to them whenever necessary. Otherwise it is possible
12720   the caller may have overwritten (or deallocated) the original string
12721   data when a later ENGINE operation tries to use the stored values.
12722
12723   *Götz Babin-Ebell <babinebell@trustcenter.de>*
12724
12725 * Improve diagnostics in file reading and command-line digests.
12726
12727   *Ben Laurie aided and abetted by Solar Designer <solar@openwall.com>*
12728
12729 * Add AES modes CFB and OFB to the object database.  Correct an
12730   error in AES-CFB decryption.
12731
12732   *Richard Levitte*
12733
12734 * Remove most calls to EVP_CIPHER_CTX_cleanup() in evp_enc.c, this
12735   allows existing EVP_CIPHER_CTX structures to be reused after
12736   calling `EVP_*Final()`. This behaviour is used by encryption
12737   BIOs and some applications. This has the side effect that
12738   applications must explicitly clean up cipher contexts with
12739   EVP_CIPHER_CTX_cleanup() or they will leak memory.
12740
12741   *Steve Henson*
12742
12743 * Check the values of dna and dnb in bn_mul_recursive before calling
12744   bn_mul_comba (a non zero value means the a or b arrays do not contain
12745   n2 elements) and fallback to bn_mul_normal if either is not zero.
12746
12747   *Steve Henson*
12748
12749 * Fix escaping of non-ASCII characters when using the -subj option
12750   of the "openssl req" command line tool. (Robert Joop <joop@fokus.gmd.de>)
12751
12752   *Lutz Jaenicke*
12753
12754 * Make object definitions compliant to LDAP (RFC2256): SN is the short
12755   form for "surname", serialNumber has no short form.
12756   Use "mail" as the short name for "rfc822Mailbox" according to RFC2798;
12757   therefore remove "mail" short name for "internet 7".
12758   The OID for unique identifiers in X509 certificates is
12759   x500UniqueIdentifier, not uniqueIdentifier.
12760   Some more OID additions. (Michael Bell <michael.bell@rz.hu-berlin.de>)
12761
12762   *Lutz Jaenicke*
12763
12764 * Add an "init" command to the ENGINE config module and auto initialize
12765   ENGINEs. Without any "init" command the ENGINE will be initialized
12766   after all ctrl commands have been executed on it. If init=1 the
12767   ENGINE is initialized at that point (ctrls before that point are run
12768   on the uninitialized ENGINE and after on the initialized one). If
12769   init=0 then the ENGINE will not be initialized at all.
12770
12771   *Steve Henson*
12772
12773 * Fix the 'app_verify_callback' interface so that the user-defined
12774   argument is actually passed to the callback: In the
12775   SSL_CTX_set_cert_verify_callback() prototype, the callback
12776   declaration has been changed from
12777           int (*cb)()
12778   into
12779           int (*cb)(X509_STORE_CTX *,void *);
12780   in ssl_verify_cert_chain (ssl/ssl_cert.c), the call
12781           i=s->ctx->app_verify_callback(&ctx)
12782   has been changed into
12783           i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg).
12784
12785   To update applications using SSL_CTX_set_cert_verify_callback(),
12786   a dummy argument can be added to their callback functions.
12787
12788   *D. K. Smetters <smetters@parc.xerox.com>*
12789
12790 * Added the '4758cca' ENGINE to support IBM 4758 cards.
12791
12792   *Maurice Gittens <maurice@gittens.nl>, touchups by Geoff Thorpe*
12793
12794 * Add and OPENSSL_LOAD_CONF define which will cause
12795   OpenSSL_add_all_algorithms() to load the openssl.cnf config file.
12796   This allows older applications to transparently support certain
12797   OpenSSL features: such as crypto acceleration and dynamic ENGINE loading.
12798   Two new functions OPENSSL_add_all_algorithms_noconf() which will never
12799   load the config file and OPENSSL_add_all_algorithms_conf() which will
12800   always load it have also been added.
12801
12802   *Steve Henson*
12803
12804 * Add the OFB, CFB and CTR (all with 128 bit feedback) to AES.
12805   Adjust NIDs and EVP layer.
12806
12807   *Stephen Sprunk <stephen@sprunk.org> and Richard Levitte*
12808
12809 * Config modules support in openssl utility.
12810
12811   Most commands now load modules from the config file,
12812   though in a few (such as version) this isn't done
12813   because it couldn't be used for anything.
12814
12815   In the case of ca and req the config file used is
12816   the same as the utility itself: that is the -config
12817   command line option can be used to specify an
12818   alternative file.
12819
12820   *Steve Henson*
12821
12822 * Move default behaviour from OPENSSL_config(). If appname is NULL
12823   use "openssl_conf" if filename is NULL use default openssl config file.
12824
12825   *Steve Henson*
12826
12827 * Add an argument to OPENSSL_config() to allow the use of an alternative
12828   config section name. Add a new flag to tolerate a missing config file
12829   and move code to CONF_modules_load_file().
12830
12831   *Steve Henson*
12832
12833 * Support for crypto accelerator cards from Accelerated Encryption
12834   Processing, www.aep.ie.  (Use engine 'aep')
12835   The support was copied from 0.9.6c [engine] and adapted/corrected
12836   to work with the new engine framework.
12837
12838   *AEP Inc. and Richard Levitte*
12839
12840 * Support for SureWare crypto accelerator cards from Baltimore
12841   Technologies.  (Use engine 'sureware')
12842   The support was copied from 0.9.6c [engine] and adapted
12843   to work with the new engine framework.
12844
12845   *Richard Levitte*
12846
12847 * Have the CHIL engine fork-safe (as defined by nCipher) and actually
12848   make the newer ENGINE framework commands for the CHIL engine work.
12849
12850   *Toomas Kiisk <vix@cyber.ee> and Richard Levitte*
12851
12852 * Make it possible to produce shared libraries on ReliantUNIX.
12853
12854   *Robert Dahlem <Robert.Dahlem@ffm2.siemens.de> via Richard Levitte*
12855
12856 * Add the configuration target debug-linux-ppro.
12857   Make 'openssl rsa' use the general key loading routines
12858   implemented in `apps.c`, and make those routines able to
12859   handle the key format FORMAT_NETSCAPE and the variant
12860   FORMAT_IISSGC.
12861
12862   *Toomas Kiisk <vix@cyber.ee> via Richard Levitte*
12863
12864 * Fix a crashbug and a logic bug in hwcrhk_load_pubkey().
12865
12866   *Toomas Kiisk <vix@cyber.ee> via Richard Levitte*
12867
12868 * Add -keyform to rsautl, and document -engine.
12869
12870   *Richard Levitte, inspired by Toomas Kiisk <vix@cyber.ee>*
12871
12872 * Change BIO_new_file (crypto/bio/bss_file.c) to use new
12873   BIO_R_NO_SUCH_FILE error code rather than the generic
12874   ERR_R_SYS_LIB error code if fopen() fails with ENOENT.
12875
12876   *Ben Laurie*
12877
12878 * Add new functions
12879           ERR_peek_last_error
12880           ERR_peek_last_error_line
12881           ERR_peek_last_error_line_data.
12882   These are similar to
12883           ERR_peek_error
12884           ERR_peek_error_line
12885           ERR_peek_error_line_data,
12886   but report on the latest error recorded rather than the first one
12887   still in the error queue.
12888
12889   *Ben Laurie, Bodo Moeller*
12890
12891 * default_algorithms option in ENGINE config module. This allows things
12892   like:
12893   default_algorithms = ALL
12894   default_algorithms = RSA, DSA, RAND, CIPHERS, DIGESTS
12895
12896   *Steve Henson*
12897
12898 * Preliminary ENGINE config module.
12899
12900   *Steve Henson*
12901
12902 * New experimental application configuration code.
12903
12904   *Steve Henson*
12905
12906 * Change the AES code to follow the same name structure as all other
12907   symmetric ciphers, and behave the same way.  Move everything to
12908   the directory crypto/aes, thereby obsoleting crypto/rijndael.
12909
12910   *Stephen Sprunk <stephen@sprunk.org> and Richard Levitte*
12911
12912 * SECURITY: remove unsafe setjmp/signal interaction from ui_openssl.c.
12913
12914   *Ben Laurie and Theo de Raadt*
12915
12916 * Add option to output public keys in req command.
12917
12918   *Massimiliano Pala madwolf@openca.org*
12919
12920 * Use wNAFs in EC_POINTs_mul() for improved efficiency
12921   (up to about 10% better than before for P-192 and P-224).
12922
12923   *Bodo Moeller*
12924
12925 * New functions/macros
12926
12927           SSL_CTX_set_msg_callback(ctx, cb)
12928           SSL_CTX_set_msg_callback_arg(ctx, arg)
12929           SSL_set_msg_callback(ssl, cb)
12930           SSL_set_msg_callback_arg(ssl, arg)
12931
12932   to request calling a callback function
12933
12934           void cb(int write_p, int version, int content_type,
12935                   const void *buf, size_t len, SSL *ssl, void *arg)
12936
12937   whenever a protocol message has been completely received
12938   (write_p == 0) or sent (write_p == 1).  Here 'version' is the
12939   protocol version  according to which the SSL library interprets
12940   the current protocol message (SSL2_VERSION, SSL3_VERSION, or
12941   TLS1_VERSION).  'content_type' is 0 in the case of SSL 2.0, or
12942   the content type as defined in the SSL 3.0/TLS 1.0 protocol
12943   specification (change_cipher_spec(20), alert(21), handshake(22)).
12944   'buf' and 'len' point to the actual message, 'ssl' to the
12945   SSL object, and 'arg' is the application-defined value set by
12946   SSL[_CTX]_set_msg_callback_arg().
12947
12948   'openssl s_client' and 'openssl s_server' have new '-msg' options
12949   to enable a callback that displays all protocol messages.
12950
12951   *Bodo Moeller*
12952
12953 * Change the shared library support so shared libraries are built as
12954   soon as the corresponding static library is finished, and thereby get
12955   openssl and the test programs linked against the shared library.
12956   This still only happens when the keyword "shard" has been given to
12957   the configuration scripts.
12958
12959   NOTE: shared library support is still an experimental thing, and
12960   backward binary compatibility is still not guaranteed.
12961
12962   *"Maciej W. Rozycki" <macro@ds2.pg.gda.pl> and Richard Levitte*
12963
12964 * Add support for Subject Information Access extension.
12965
12966   *Peter Sylvester <Peter.Sylvester@EdelWeb.fr>*
12967
12968 * Make BUF_MEM_grow() behaviour more consistent: Initialise to zero
12969   additional bytes when new memory had to be allocated, not just
12970   when reusing an existing buffer.
12971
12972   *Bodo Moeller*
12973
12974 * New command line and configuration option 'utf8' for the req command.
12975   This allows field values to be specified as UTF8 strings.
12976
12977   *Steve Henson*
12978
12979 * Add -multi and -mr options to "openssl speed" - giving multiple parallel
12980   runs for the former and machine-readable output for the latter.
12981
12982   *Ben Laurie*
12983
12984 * Add '-noemailDN' option to 'openssl ca'.  This prevents inclusion
12985   of the e-mail address in the DN (i.e., it will go into a certificate
12986   extension only).  The new configuration file option 'email_in_dn = no'
12987   has the same effect.
12988
12989   *Massimiliano Pala madwolf@openca.org*
12990
12991 * Change all functions with names starting with `des_` to be starting
12992   with `DES_` instead.  Add wrappers that are compatible with libdes,
12993   but are named `_ossl_old_des_*`.  Finally, add macros that map the
12994   `des_*` symbols to the corresponding `_ossl_old_des_*` if libdes
12995   compatibility is desired.  If OpenSSL 0.9.6c compatibility is
12996   desired, the `des_*` symbols will be mapped to `DES_*`, with one
12997   exception.
12998
12999   Since we provide two compatibility mappings, the user needs to
13000   define the macro OPENSSL_DES_LIBDES_COMPATIBILITY if libdes
13001   compatibility is desired.  The default (i.e., when that macro
13002   isn't defined) is OpenSSL 0.9.6c compatibility.
13003
13004   There are also macros that enable and disable the support of old
13005   des functions altogether.  Those are OPENSSL_ENABLE_OLD_DES_SUPPORT
13006   and OPENSSL_DISABLE_OLD_DES_SUPPORT.  If none or both of those
13007   are defined, the default will apply: to support the old des routines.
13008
13009   In either case, one must include openssl/des.h to get the correct
13010   definitions.  Do not try to just include openssl/des_old.h, that
13011   won't work.
13012
13013   NOTE: This is a major break of an old API into a new one.  Software
13014   authors are encouraged to switch to the `DES_` style functions.  Some
13015   time in the future, des_old.h and the libdes compatibility functions
13016   will be disable (i.e. OPENSSL_DISABLE_OLD_DES_SUPPORT will be the
13017   default), and then completely removed.
13018
13019   *Richard Levitte*
13020
13021 * Test for certificates which contain unsupported critical extensions.
13022   If such a certificate is found during a verify operation it is
13023   rejected by default: this behaviour can be overridden by either
13024   handling the new error X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION or
13025   by setting the verify flag X509_V_FLAG_IGNORE_CRITICAL. A new function
13026   X509_supported_extension() has also been added which returns 1 if a
13027   particular extension is supported.
13028
13029   *Steve Henson*
13030
13031 * Modify the behaviour of EVP cipher functions in similar way to digests
13032   to retain compatibility with existing code.
13033
13034   *Steve Henson*
13035
13036 * Modify the behaviour of EVP_DigestInit() and EVP_DigestFinal() to retain
13037   compatibility with existing code. In particular the 'ctx' parameter does
13038   not have to be to be initialized before the call to EVP_DigestInit() and
13039   it is tidied up after a call to EVP_DigestFinal(). New function
13040   EVP_DigestFinal_ex() which does not tidy up the ctx. Similarly function
13041   EVP_MD_CTX_copy() changed to not require the destination to be
13042   initialized valid and new function EVP_MD_CTX_copy_ex() added which
13043   requires the destination to be valid.
13044
13045   Modify all the OpenSSL digest calls to use EVP_DigestInit_ex(),
13046   EVP_DigestFinal_ex() and EVP_MD_CTX_copy_ex().
13047
13048   *Steve Henson*
13049
13050 * Change ssl3_get_message (ssl/s3_both.c) and the functions using it
13051   so that complete 'Handshake' protocol structures are kept in memory
13052   instead of overwriting 'msg_type' and 'length' with 'body' data.
13053
13054   *Bodo Moeller*
13055
13056 * Add an implementation of SSL_add_dir_cert_subjects_to_stack for Win32.
13057
13058   *Massimo Santin via Richard Levitte*
13059
13060 * Major restructuring to the underlying ENGINE code. This includes
13061   reduction of linker bloat, separation of pure "ENGINE" manipulation
13062   (initialisation, etc) from functionality dealing with implementations
13063   of specific crypto interfaces. This change also introduces integrated
13064   support for symmetric ciphers and digest implementations - so ENGINEs
13065   can now accelerate these by providing EVP_CIPHER and EVP_MD
13066   implementations of their own. This is detailed in
13067   [crypto/engine/README.md](crypto/engine/README.md)
13068   as it couldn't be adequately described here. However, there are a few
13069   API changes worth noting - some RSA, DSA, DH, and RAND functions that
13070   were changed in the original introduction of ENGINE code have now
13071   reverted back - the hooking from this code to ENGINE is now a good
13072   deal more passive and at run-time, operations deal directly with
13073   RSA_METHODs, DSA_METHODs (etc) as they did before, rather than
13074   dereferencing through an ENGINE pointer any more. Also, the ENGINE
13075   functions dealing with `BN_MOD_EXP[_CRT]` handlers have been removed -
13076   they were not being used by the framework as there is no concept of a
13077   BIGNUM_METHOD and they could not be generalised to the new
13078   'ENGINE_TABLE' mechanism that underlies the new code. Similarly,
13079   ENGINE_cpy() has been removed as it cannot be consistently defined in
13080   the new code.
13081
13082   *Geoff Thorpe*
13083
13084 * Change ASN1_GENERALIZEDTIME_check() to allow fractional seconds.
13085
13086   *Steve Henson*
13087
13088 * Change mkdef.pl to sort symbols that get the same entry number,
13089   and make sure the automatically generated functions `ERR_load_*`
13090   become part of libeay.num as well.
13091
13092   *Richard Levitte*
13093
13094 * New function SSL_renegotiate_pending().  This returns true once
13095   renegotiation has been requested (either SSL_renegotiate() call
13096   or HelloRequest/ClientHello received from the peer) and becomes
13097   false once a handshake has been completed.
13098   (For servers, SSL_renegotiate() followed by SSL_do_handshake()
13099   sends a HelloRequest, but does not ensure that a handshake takes
13100   place.  SSL_renegotiate_pending() is useful for checking if the
13101   client has followed the request.)
13102
13103   *Bodo Moeller*
13104
13105 * New SSL option SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION.
13106   By default, clients may request session resumption even during
13107   renegotiation (if session ID contexts permit); with this option,
13108   session resumption is possible only in the first handshake.
13109
13110   SSL_OP_ALL is now 0x00000FFFL instead of 0x000FFFFFL.  This makes
13111   more bits available for options that should not be part of
13112   SSL_OP_ALL (such as SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION).
13113
13114   *Bodo Moeller*
13115
13116 * Add some demos for certificate and certificate request creation.
13117
13118   *Steve Henson*
13119
13120 * Make maximum certificate chain size accepted from the peer application
13121   settable (`SSL*_get/set_max_cert_list()`), as proposed by
13122   "Douglas E. Engert" <deengert@anl.gov>.
13123
13124   *Lutz Jaenicke*
13125
13126 * Add support for shared libraries for Unixware-7
13127   (Boyd Lynn Gerber <gerberb@zenez.com>).
13128
13129   *Lutz Jaenicke*
13130
13131 * Add a "destroy" handler to ENGINEs that allows structural cleanup to
13132   be done prior to destruction. Use this to unload error strings from
13133   ENGINEs that load their own error strings. NB: This adds two new API
13134   functions to "get" and "set" this destroy handler in an ENGINE.
13135
13136   *Geoff Thorpe*
13137
13138 * Alter all existing ENGINE implementations (except "openssl" and
13139   "openbsd") to dynamically instantiate their own error strings. This
13140   makes them more flexible to be built both as statically-linked ENGINEs
13141   and self-contained shared-libraries loadable via the "dynamic" ENGINE.
13142   Also, add stub code to each that makes building them as self-contained
13143   shared-libraries easier (see [README-Engine.md](README-Engine.md)).
13144
13145   *Geoff Thorpe*
13146
13147 * Add a "dynamic" ENGINE that provides a mechanism for binding ENGINE
13148   implementations into applications that are completely implemented in
13149   self-contained shared-libraries. The "dynamic" ENGINE exposes control
13150   commands that can be used to configure what shared-library to load and
13151   to control aspects of the way it is handled. Also, made an update to
13152   the [README-Engine.md](README-Engine.md) file
13153   that brings its information up-to-date and
13154   provides some information and instructions on the "dynamic" ENGINE
13155   (ie. how to use it, how to build "dynamic"-loadable ENGINEs, etc).
13156
13157   *Geoff Thorpe*
13158
13159 * Make it possible to unload ranges of ERR strings with a new
13160   "ERR_unload_strings" function.
13161
13162   *Geoff Thorpe*
13163
13164 * Add a copy() function to EVP_MD.
13165
13166   *Ben Laurie*
13167
13168 * Make EVP_MD routines take a context pointer instead of just the
13169   md_data void pointer.
13170
13171   *Ben Laurie*
13172
13173 * Add flags to EVP_MD and EVP_MD_CTX. EVP_MD_FLAG_ONESHOT indicates
13174   that the digest can only process a single chunk of data
13175   (typically because it is provided by a piece of
13176   hardware). EVP_MD_CTX_FLAG_ONESHOT indicates that the application
13177   is only going to provide a single chunk of data, and hence the
13178   framework needn't accumulate the data for oneshot drivers.
13179
13180   *Ben Laurie*
13181
13182 * As with "ERR", make it possible to replace the underlying "ex_data"
13183   functions. This change also alters the storage and management of global
13184   ex_data state - it's now all inside ex_data.c and all "class" code (eg.
13185   RSA, BIO, SSL_CTX, etc) no longer stores its own STACKS and per-class
13186   index counters. The API functions that use this state have been changed
13187   to take a "class_index" rather than pointers to the class's local STACK
13188   and counter, and there is now an API function to dynamically create new
13189   classes. This centralisation allows us to (a) plug a lot of the
13190   thread-safety problems that existed, and (b) makes it possible to clean
13191   up all allocated state using "CRYPTO_cleanup_all_ex_data()". W.r.t. (b)
13192   such data would previously have always leaked in application code and
13193   workarounds were in place to make the memory debugging turn a blind eye
13194   to it. Application code that doesn't use this new function will still
13195   leak as before, but their memory debugging output will announce it now
13196   rather than letting it slide.
13197
13198   Besides the addition of CRYPTO_cleanup_all_ex_data(), another API change
13199   induced by the "ex_data" overhaul is that X509_STORE_CTX_init() now
13200   has a return value to indicate success or failure.
13201
13202   *Geoff Thorpe*
13203
13204 * Make it possible to replace the underlying "ERR" functions such that the
13205   global state (2 LHASH tables and 2 locks) is only used by the "default"
13206   implementation. This change also adds two functions to "get" and "set"
13207   the implementation prior to it being automatically set the first time
13208   any other ERR function takes place. Ie. an application can call "get",
13209   pass the return value to a module it has just loaded, and that module
13210   can call its own "set" function using that value. This means the
13211   module's "ERR" operations will use (and modify) the error state in the
13212   application and not in its own statically linked copy of OpenSSL code.
13213
13214   *Geoff Thorpe*
13215
13216 * Give DH, DSA, and RSA types their own `*_up_ref()` function to increment
13217   reference counts. This performs normal REF_PRINT/REF_CHECK macros on
13218   the operation, and provides a more encapsulated way for external code
13219   (crypto/evp/ and ssl/) to do this. Also changed the evp and ssl code
13220   to use these functions rather than manually incrementing the counts.
13221
13222   Also rename "DSO_up()" function to more descriptive "DSO_up_ref()".
13223
13224   *Geoff Thorpe*
13225
13226 * Add EVP test program.
13227
13228   *Ben Laurie*
13229
13230 * Add symmetric cipher support to ENGINE. Expect the API to change!
13231
13232   *Ben Laurie*
13233
13234 * New CRL functions: X509_CRL_set_version(), X509_CRL_set_issuer_name()
13235   X509_CRL_set_lastUpdate(), X509_CRL_set_nextUpdate(), X509_CRL_sort(),
13236   X509_REVOKED_set_serialNumber(), and X509_REVOKED_set_revocationDate().
13237   These allow a CRL to be built without having to access X509_CRL fields
13238   directly. Modify 'ca' application to use new functions.
13239
13240   *Steve Henson*
13241
13242 * Move SSL_OP_TLS_ROLLBACK_BUG out of the SSL_OP_ALL list of recommended
13243   bug workarounds. Rollback attack detection is a security feature.
13244   The problem will only arise on OpenSSL servers when TLSv1 is not
13245   available (sslv3_server_method() or SSL_OP_NO_TLSv1).
13246   Software authors not wanting to support TLSv1 will have special reasons
13247   for their choice and can explicitly enable this option.
13248
13249   *Bodo Moeller, Lutz Jaenicke*
13250
13251 * Rationalise EVP so it can be extended: don't include a union of
13252   cipher/digest structures, add init/cleanup functions for EVP_MD_CTX
13253   (similar to those existing for EVP_CIPHER_CTX).
13254   Usage example:
13255
13256           EVP_MD_CTX md;
13257
13258           EVP_MD_CTX_init(&md);             /* new function call */
13259           EVP_DigestInit(&md, EVP_sha1());
13260           EVP_DigestUpdate(&md, in, len);
13261           EVP_DigestFinal(&md, out, NULL);
13262           EVP_MD_CTX_cleanup(&md);          /* new function call */
13263
13264   *Ben Laurie*
13265
13266 * Make DES key schedule conform to the usual scheme, as well as
13267   correcting its structure. This means that calls to DES functions
13268   now have to pass a pointer to a des_key_schedule instead of a
13269   plain des_key_schedule (which was actually always a pointer
13270   anyway): E.g.,
13271
13272           des_key_schedule ks;
13273
13274           des_set_key_checked(..., &ks);
13275           des_ncbc_encrypt(..., &ks, ...);
13276
13277   (Note that a later change renames 'des_...' into 'DES_...'.)
13278
13279   *Ben Laurie*
13280
13281 * Initial reduction of linker bloat: the use of some functions, such as
13282   PEM causes large amounts of unused functions to be linked in due to
13283   poor organisation. For example pem_all.c contains every PEM function
13284   which has a knock on effect of linking in large amounts of (unused)
13285   ASN1 code. Grouping together similar functions and splitting unrelated
13286   functions prevents this.
13287
13288   *Steve Henson*
13289
13290 * Cleanup of EVP macros.
13291
13292   *Ben Laurie*
13293
13294 * Change historical references to `{NID,SN,LN}_des_ede` and ede3 to add the
13295   correct `_ecb suffix`.
13296
13297   *Ben Laurie*
13298
13299 * Add initial OCSP responder support to ocsp application. The
13300   revocation information is handled using the text based index
13301   use by the ca application. The responder can either handle
13302   requests generated internally, supplied in files (for example
13303   via a CGI script) or using an internal minimal server.
13304
13305   *Steve Henson*
13306
13307 * Add configuration choices to get zlib compression for TLS.
13308
13309   *Richard Levitte*
13310
13311 * Changes to Kerberos SSL for RFC 2712 compliance:
13312   1. Implemented real KerberosWrapper, instead of just using
13313      KRB5 AP_REQ message.  [Thanks to Simon Wilkinson <sxw@sxw.org.uk>]
13314   2. Implemented optional authenticator field of KerberosWrapper.
13315
13316   Added openssl-style ASN.1 macros for Kerberos ticket, ap_req,
13317   and authenticator structs; see crypto/krb5/.
13318
13319   Generalized Kerberos calls to support multiple Kerberos libraries.
13320   *Vern Staats <staatsvr@asc.hpc.mil>, Jeffrey Altman <jaltman@columbia.edu>
13321   via Richard Levitte*
13322
13323 * Cause 'openssl speed' to use fully hard-coded DSA keys as it
13324   already does with RSA. testdsa.h now has 'priv_key/pub_key'
13325   values for each of the key sizes rather than having just
13326   parameters (and 'speed' generating keys each time).
13327
13328   *Geoff Thorpe*
13329
13330 * Speed up EVP routines.
13331   Before:
13332crypt
13333pe              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
13334s-cbc           4408.85k     5560.51k     5778.46k     5862.20k     5825.16k
13335s-cbc           4389.55k     5571.17k     5792.23k     5846.91k     5832.11k
13336s-cbc           4394.32k     5575.92k     5807.44k     5848.37k     5841.30k
13337crypt
13338s-cbc           3482.66k     5069.49k     5496.39k     5614.16k     5639.28k
13339s-cbc           3480.74k     5068.76k     5510.34k     5609.87k     5635.52k
13340s-cbc           3483.72k     5067.62k     5504.60k     5708.01k     5724.80k
13341   After:
13342crypt
13343s-cbc           4660.16k     5650.19k     5807.19k     5827.13k     5783.32k
13344crypt
13345s-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
13346
13347   *Ben Laurie*
13348
13349 * Added the OS2-EMX target.
13350
13351   *"Brian Havard" <brianh@kheldar.apana.org.au> and Richard Levitte*
13352
13353 * Rewrite commands to use `NCONF` routines instead of the old `CONF`.
13354   New functions to support `NCONF` routines in extension code.
13355   New function `CONF_set_nconf()`
13356   to allow functions which take an `NCONF` to also handle the old `LHASH`
13357   structure: this means that the old `CONF` compatible routines can be
13358   retained (in particular w.rt. extensions) without having to duplicate the
13359   code. New function `X509V3_add_ext_nconf_sk()` to add extensions to a stack.
13360
13361   *Steve Henson*
13362
13363 * Enhance the general user interface with mechanisms for inner control
13364   and with possibilities to have yes/no kind of prompts.
13365
13366   *Richard Levitte*
13367
13368 * Change all calls to low-level digest routines in the library and
13369   applications to use EVP. Add missing calls to HMAC_cleanup() and
13370   don't assume HMAC_CTX can be copied using memcpy().
13371
13372   *Verdon Walker <VWalker@novell.com>, Steve Henson*
13373
13374 * Add the possibility to control engines through control names but with
13375   arbitrary arguments instead of just a string.
13376   Change the key loaders to take a UI_METHOD instead of a callback
13377   function pointer.  NOTE: this breaks binary compatibility with earlier
13378   versions of OpenSSL [engine].
13379   Adapt the nCipher code for these new conditions and add a card insertion
13380   callback.
13381
13382   *Richard Levitte*
13383
13384 * Enhance the general user interface with mechanisms to better support
13385   dialog box interfaces, application-defined prompts, the possibility
13386   to use defaults (for example default passwords from somewhere else)
13387   and interrupts/cancellations.
13388
13389   *Richard Levitte*
13390
13391 * Tidy up PKCS#12 attribute handling. Add support for the CSP name
13392   attribute in PKCS#12 files, add new -CSP option to pkcs12 utility.
13393
13394   *Steve Henson*
13395
13396 * Fix a memory leak in 'sk_dup()' in the case reallocation fails. (Also
13397   tidy up some unnecessarily weird code in 'sk_new()').
13398
13399   *Geoff, reported by Diego Tartara <dtartara@novamens.com>*
13400
13401 * Change the key loading routines for ENGINEs to use the same kind
13402   callback (pem_password_cb) as all other routines that need this
13403   kind of callback.
13404
13405   *Richard Levitte*
13406
13407 * Increase ENTROPY_NEEDED to 32 bytes, as Rijndael can operate with
13408   256 bit (=32 byte) keys. Of course seeding with more entropy bytes
13409   than this minimum value is recommended.
13410
13411   *Lutz Jaenicke*
13412
13413 * New random seeder for OpenVMS, using the system process statistics
13414   that are easily reachable.
13415
13416   *Richard Levitte*
13417
13418 * Windows apparently can't transparently handle global
13419   variables defined in DLLs. Initialisations such as:
13420
13421           const ASN1_ITEM *it = &ASN1_INTEGER_it;
13422
13423   won't compile. This is used by the any applications that need to
13424   declare their own ASN1 modules. This was fixed by adding the option
13425   EXPORT_VAR_AS_FN to all Win32 platforms, although this isn't strictly
13426   needed for static libraries under Win32.
13427
13428   *Steve Henson*
13429
13430 * New functions X509_PURPOSE_set() and X509_TRUST_set() to handle
13431   setting of purpose and trust fields. New X509_STORE trust and
13432   purpose functions and tidy up setting in other SSL functions.
13433
13434   *Steve Henson*
13435
13436 * Add copies of X509_STORE_CTX fields and callbacks to X509_STORE
13437   structure. These are inherited by X509_STORE_CTX when it is
13438   initialised. This allows various defaults to be set in the
13439   X509_STORE structure (such as flags for CRL checking and custom
13440   purpose or trust settings) for functions which only use X509_STORE_CTX
13441   internally such as S/MIME.
13442
13443   Modify X509_STORE_CTX_purpose_inherit() so it only sets purposes and
13444   trust settings if they are not set in X509_STORE. This allows X509_STORE
13445   purposes and trust (in S/MIME for example) to override any set by default.
13446
13447   Add command line options for CRL checking to smime, s_client and s_server
13448   applications.
13449
13450   *Steve Henson*
13451
13452 * Initial CRL based revocation checking. If the CRL checking flag(s)
13453   are set then the CRL is looked up in the X509_STORE structure and
13454   its validity and signature checked, then if the certificate is found
13455   in the CRL the verify fails with a revoked error.
13456
13457   Various new CRL related callbacks added to X509_STORE_CTX structure.
13458
13459   Command line options added to 'verify' application to support this.
13460
13461   This needs some additional work, such as being able to handle multiple
13462   CRLs with different times, extension based lookup (rather than just
13463   by subject name) and ultimately more complete V2 CRL extension
13464   handling.
13465
13466   *Steve Henson*
13467
13468 * Add a general user interface API (crypto/ui/).  This is designed
13469   to replace things like des_read_password and friends (backward
13470   compatibility functions using this new API are provided).
13471   The purpose is to remove prompting functions from the DES code
13472   section as well as provide for prompting through dialog boxes in
13473   a window system and the like.
13474
13475   *Richard Levitte*
13476
13477 * Add "ex_data" support to ENGINE so implementations can add state at a
13478   per-structure level rather than having to store it globally.
13479
13480   *Geoff*
13481
13482 * Make it possible for ENGINE structures to be copied when retrieved by
13483   ENGINE_by_id() if the ENGINE specifies a new flag: ENGINE_FLAGS_BY_ID_COPY.
13484   This causes the "original" ENGINE structure to act like a template,
13485   analogous to the RSA vs. RSA_METHOD type of separation. Because of this
13486   operational state can be localised to each ENGINE structure, despite the
13487   fact they all share the same "methods". New ENGINE structures returned in
13488   this case have no functional references and the return value is the single
13489   structural reference. This matches the single structural reference returned
13490   by ENGINE_by_id() normally, when it is incremented on the pre-existing
13491   ENGINE structure.
13492
13493   *Geoff*
13494
13495 * Fix ASN1 decoder when decoding type ANY and V_ASN1_OTHER: since this
13496   needs to match any other type at all we need to manually clear the
13497   tag cache.
13498
13499   *Steve Henson*
13500
13501 * Changes to the "openssl engine" utility to include;
13502   - verbosity levels ('-v', '-vv', and '-vvv') that provide information
13503     about an ENGINE's available control commands.
13504   - executing control commands from command line arguments using the
13505     '-pre' and '-post' switches. '-post' is only used if '-t' is
13506     specified and the ENGINE is successfully initialised. The syntax for
13507     the individual commands are colon-separated, for example;
13508           openssl engine chil -pre FORK_CHECK:0 -pre SO_PATH:/lib/test.so
13509
13510   *Geoff*
13511
13512 * New dynamic control command support for ENGINEs. ENGINEs can now
13513   declare their own commands (numbers), names (strings), descriptions,
13514   and input types for run-time discovery by calling applications. A
13515   subset of these commands are implicitly classed as "executable"
13516   depending on their input type, and only these can be invoked through
13517   the new string-based API function ENGINE_ctrl_cmd_string(). (Eg. this
13518   can be based on user input, config files, etc). The distinction is
13519   that "executable" commands cannot return anything other than a boolean
13520   result and can only support numeric or string input, whereas some
13521   discoverable commands may only be for direct use through
13522   ENGINE_ctrl(), eg. supporting the exchange of binary data, function
13523   pointers, or other custom uses. The "executable" commands are to
13524   support parameterisations of ENGINE behaviour that can be
13525   unambiguously defined by ENGINEs and used consistently across any
13526   OpenSSL-based application. Commands have been added to all the
13527   existing hardware-supporting ENGINEs, noticeably "SO_PATH" to allow
13528   control over shared-library paths without source code alterations.
13529
13530   *Geoff*
13531
13532 * Changed all ENGINE implementations to dynamically allocate their
13533   ENGINEs rather than declaring them statically. Apart from this being
13534   necessary with the removal of the ENGINE_FLAGS_MALLOCED distinction,
13535   this also allows the implementations to compile without using the
13536   internal engine_int.h header.
13537
13538   *Geoff*
13539
13540 * Minor adjustment to "rand" code. RAND_get_rand_method() now returns a
13541   'const' value. Any code that should be able to modify a RAND_METHOD
13542   should already have non-const pointers to it (ie. they should only
13543   modify their own ones).
13544
13545   *Geoff*
13546
13547 * Made a variety of little tweaks to the ENGINE code.
13548   - "atalla" and "ubsec" string definitions were moved from header files
13549     to C code. "nuron" string definitions were placed in variables
13550     rather than hard-coded - allowing parameterisation of these values
13551     later on via ctrl() commands.
13552   - Removed unused "#if 0"'d code.
13553   - Fixed engine list iteration code so it uses ENGINE_free() to release
13554     structural references.
13555   - Constified the RAND_METHOD element of ENGINE structures.
13556   - Constified various get/set functions as appropriate and added
13557     missing functions (including a catch-all ENGINE_cpy that duplicates
13558     all ENGINE values onto a new ENGINE except reference counts/state).
13559   - Removed NULL parameter checks in get/set functions. Setting a method
13560     or function to NULL is a way of cancelling out a previously set
13561     value.  Passing a NULL ENGINE parameter is just plain stupid anyway
13562     and doesn't justify the extra error symbols and code.
13563   - Deprecate the ENGINE_FLAGS_MALLOCED define and move the area for
13564     flags from engine_int.h to engine.h.
13565   - Changed prototypes for ENGINE handler functions (init(), finish(),
13566     ctrl(), key-load functions, etc) to take an (ENGINE*) parameter.
13567
13568   *Geoff*
13569
13570 * Implement binary inversion algorithm for BN_mod_inverse in addition
13571   to the algorithm using long division.  The binary algorithm can be
13572   used only if the modulus is odd.  On 32-bit systems, it is faster
13573   only for relatively small moduli (roughly 20-30% for 128-bit moduli,
13574   roughly 5-15% for 256-bit moduli), so we use it only for moduli
13575   up to 450 bits.  In 64-bit environments, the binary algorithm
13576   appears to be advantageous for much longer moduli; here we use it
13577   for moduli up to 2048 bits.
13578
13579   *Bodo Moeller*
13580
13581 * Rewrite CHOICE field setting in ASN1_item_ex_d2i(). The old code
13582   could not support the combine flag in choice fields.
13583
13584   *Steve Henson*
13585
13586 * Add a 'copy_extensions' option to the 'ca' utility. This copies
13587   extensions from a certificate request to the certificate.
13588
13589   *Steve Henson*
13590
13591 * Allow multiple 'certopt' and 'nameopt' options to be separated
13592   by commas. Add 'namopt' and 'certopt' options to the 'ca' config
13593   file: this allows the display of the certificate about to be
13594   signed to be customised, to allow certain fields to be included
13595   or excluded and extension details. The old system didn't display
13596   multicharacter strings properly, omitted fields not in the policy
13597   and couldn't display additional details such as extensions.
13598
13599   *Steve Henson*
13600
13601 * Function EC_POINTs_mul for multiple scalar multiplication
13602   of an arbitrary number of elliptic curve points
13603           \sum scalars[i]*points[i],
13604   optionally including the generator defined for the EC_GROUP:
13605           scalar*generator +  \sum scalars[i]*points[i].
13606
13607   EC_POINT_mul is a simple wrapper function for the typical case
13608   that the point list has just one item (besides the optional
13609   generator).
13610
13611   *Bodo Moeller*
13612
13613 * First EC_METHODs for curves over GF(p):
13614
13615   EC_GFp_simple_method() uses the basic BN_mod_mul and BN_mod_sqr
13616   operations and provides various method functions that can also
13617   operate with faster implementations of modular arithmetic.
13618
13619   EC_GFp_mont_method() reuses most functions that are part of
13620   EC_GFp_simple_method, but uses Montgomery arithmetic.
13621
13622   *Bodo Moeller; point addition and point doubling
13623   implementation directly derived from source code provided by
13624   Lenka Fibikova <fibikova@exp-math.uni-essen.de>*
13625
13626 * Framework for elliptic curves (crypto/ec/ec.h, crypto/ec/ec_lcl.h,
13627   crypto/ec/ec_lib.c):
13628
13629   Curves are EC_GROUP objects (with an optional group generator)
13630   based on EC_METHODs that are built into the library.
13631
13632   Points are EC_POINT objects based on EC_GROUP objects.
13633
13634   Most of the framework would be able to handle curves over arbitrary
13635   finite fields, but as there are no obvious types for fields other
13636   than GF(p), some functions are limited to that for now.
13637
13638   *Bodo Moeller*
13639
13640 * Add the -HTTP option to s_server.  It is similar to -WWW, but requires
13641   that the file contains a complete HTTP response.
13642
13643   *Richard Levitte*
13644
13645 * Add the ec directory to mkdef.pl and mkfiles.pl. In mkdef.pl
13646   change the def and num file printf format specifier from "%-40sXXX"
13647   to "%-39s XXX". The latter will always guarantee a space after the
13648   field while the former will cause them to run together if the field
13649   is 40 of more characters long.
13650
13651   *Steve Henson*
13652
13653 * Constify the cipher and digest 'method' functions and structures
13654   and modify related functions to take constant EVP_MD and EVP_CIPHER
13655   pointers.
13656
13657   *Steve Henson*
13658
13659 * Hide BN_CTX structure details in bn_lcl.h instead of publishing them
13660   in <openssl/bn.h>.  Also further increase BN_CTX_NUM to 32.
13661
13662   *Bodo Moeller*
13663
13664 * Modify `EVP_Digest*()` routines so they now return values. Although the
13665   internal software routines can never fail additional hardware versions
13666   might.
13667
13668   *Steve Henson*
13669
13670 * Clean up crypto/err/err.h and change some error codes to avoid conflicts:
13671
13672   Previously ERR_R_FATAL was too small and coincided with ERR_LIB_PKCS7
13673   (= ERR_R_PKCS7_LIB); it is now 64 instead of 32.
13674
13675   ASN1 error codes
13676           ERR_R_NESTED_ASN1_ERROR
13677           ...
13678           ERR_R_MISSING_ASN1_EOS
13679   were 4 .. 9, conflicting with
13680           ERR_LIB_RSA (= ERR_R_RSA_LIB)
13681           ...
13682           ERR_LIB_PEM (= ERR_R_PEM_LIB).
13683   They are now 58 .. 63 (i.e., just below ERR_R_FATAL).
13684
13685   Add new error code 'ERR_R_INTERNAL_ERROR'.
13686
13687   *Bodo Moeller*
13688
13689 * Don't overuse locks in crypto/err/err.c: For data retrieval, CRYPTO_r_lock
13690   suffices.
13691
13692   *Bodo Moeller*
13693
13694 * New option '-subj arg' for 'openssl req' and 'openssl ca'.  This
13695   sets the subject name for a new request or supersedes the
13696   subject name in a given request. Formats that can be parsed are
13697           'CN=Some Name, OU=myOU, C=IT'
13698   and
13699           'CN=Some Name/OU=myOU/C=IT'.
13700
13701   Add options '-batch' and '-verbose' to 'openssl req'.
13702
13703   *Massimiliano Pala <madwolf@hackmasters.net>*
13704
13705 * Introduce the possibility to access global variables through
13706   functions on platform were that's the best way to handle exporting
13707   global variables in shared libraries.  To enable this functionality,
13708   one must configure with "EXPORT_VAR_AS_FN" or defined the C macro
13709   "OPENSSL_EXPORT_VAR_AS_FUNCTION" in crypto/opensslconf.h (the latter
13710   is normally done by Configure or something similar).
13711
13712   To implement a global variable, use the macro OPENSSL_IMPLEMENT_GLOBAL
13713   in the source file (foo.c) like this:
13714
13715           OPENSSL_IMPLEMENT_GLOBAL(int,foo)=1;
13716           OPENSSL_IMPLEMENT_GLOBAL(double,bar);
13717
13718   To declare a global variable, use the macros OPENSSL_DECLARE_GLOBAL
13719   and OPENSSL_GLOBAL_REF in the header file (foo.h) like this:
13720
13721           OPENSSL_DECLARE_GLOBAL(int,foo);
13722           #define foo OPENSSL_GLOBAL_REF(foo)
13723           OPENSSL_DECLARE_GLOBAL(double,bar);
13724           #define bar OPENSSL_GLOBAL_REF(bar)
13725
13726   The #defines are very important, and therefore so is including the
13727   header file everywhere where the defined globals are used.
13728
13729   The macro OPENSSL_EXPORT_VAR_AS_FUNCTION also affects the definition
13730   of ASN.1 items, but that structure is a bit different.
13731
13732   The largest change is in util/mkdef.pl which has been enhanced with
13733   better and easier to understand logic to choose which symbols should
13734   go into the Windows .def files as well as a number of fixes and code
13735   cleanup (among others, algorithm keywords are now sorted
13736   lexicographically to avoid constant rewrites).
13737
13738   *Richard Levitte*
13739
13740 * In BN_div() keep a copy of the sign of 'num' before writing the
13741   result to 'rm' because if rm==num the value will be overwritten
13742   and produce the wrong result if 'num' is negative: this caused
13743   problems with BN_mod() and BN_nnmod().
13744
13745   *Steve Henson*
13746
13747 * Function OCSP_request_verify(). This checks the signature on an
13748   OCSP request and verifies the signer certificate. The signer
13749   certificate is just checked for a generic purpose and OCSP request
13750   trust settings.
13751
13752   *Steve Henson*
13753
13754 * Add OCSP_check_validity() function to check the validity of OCSP
13755   responses. OCSP responses are prepared in real time and may only
13756   be a few seconds old. Simply checking that the current time lies
13757   between thisUpdate and nextUpdate max reject otherwise valid responses
13758   caused by either OCSP responder or client clock inaccuracy. Instead
13759   we allow thisUpdate and nextUpdate to fall within a certain period of
13760   the current time. The age of the response can also optionally be
13761   checked. Two new options -validity_period and -status_age added to
13762   ocsp utility.
13763
13764   *Steve Henson*
13765
13766 * If signature or public key algorithm is unrecognized print out its
13767   OID rather that just UNKNOWN.
13768
13769   *Steve Henson*
13770
13771 * Change OCSP_cert_to_id() to tolerate a NULL subject certificate and
13772   OCSP_cert_id_new() a NULL serialNumber. This allows a partial certificate
13773   ID to be generated from the issuer certificate alone which can then be
13774   passed to OCSP_id_issuer_cmp().
13775
13776   *Steve Henson*
13777
13778 * New compilation option ASN1_ITEM_FUNCTIONS. This causes the new
13779   ASN1 modules to export functions returning ASN1_ITEM pointers
13780   instead of the ASN1_ITEM structures themselves. This adds several
13781   new macros which allow the underlying ASN1 function/structure to
13782   be accessed transparently. As a result code should not use ASN1_ITEM
13783   references directly (such as &X509_it) but instead use the relevant
13784   macros (such as ASN1_ITEM_rptr(X509)). This option is to allow
13785   use of the new ASN1 code on platforms where exporting structures
13786   is problematical (for example in shared libraries) but exporting
13787   functions returning pointers to structures is not.
13788
13789   *Steve Henson*
13790
13791 * Add support for overriding the generation of SSL/TLS session IDs.
13792   These callbacks can be registered either in an SSL_CTX or per SSL.
13793   The purpose of this is to allow applications to control, if they wish,
13794   the arbitrary values chosen for use as session IDs, particularly as it
13795   can be useful for session caching in multiple-server environments. A
13796   command-line switch for testing this (and any client code that wishes
13797   to use such a feature) has been added to "s_server".
13798
13799   *Geoff Thorpe, Lutz Jaenicke*
13800
13801 * Modify mkdef.pl to recognise and parse preprocessor conditionals
13802   of the form `#if defined(...) || defined(...) || ...` and
13803   `#if !defined(...) && !defined(...) && ...`.  This also avoids
13804   the growing number of special cases it was previously handling.
13805
13806   *Richard Levitte*
13807
13808 * Make all configuration macros available for application by making
13809   sure they are available in opensslconf.h, by giving them names starting
13810   with `OPENSSL_` to avoid conflicts with other packages and by making
13811   sure e_os2.h will cover all platform-specific cases together with
13812   opensslconf.h.
13813   Additionally, it is now possible to define configuration/platform-
13814   specific names (called "system identities").  In the C code, these
13815   are prefixed with `OPENSSL_SYSNAME_`.  e_os2.h will create another
13816   macro with the name beginning with `OPENSSL_SYS_`, which is determined
13817   from `OPENSSL_SYSNAME_*` or compiler-specific macros depending on
13818   what is available.
13819
13820   *Richard Levitte*
13821
13822 * New option -set_serial to 'req' and 'x509' this allows the serial
13823   number to use to be specified on the command line. Previously self
13824   signed certificates were hard coded with serial number 0 and the
13825   CA options of 'x509' had to use a serial number in a file which was
13826   auto incremented.
13827
13828   *Steve Henson*
13829
13830 * New options to 'ca' utility to support V2 CRL entry extensions.
13831   Currently CRL reason, invalidity date and hold instruction are
13832   supported. Add new CRL extensions to V3 code and some new objects.
13833
13834   *Steve Henson*
13835
13836 * New function EVP_CIPHER_CTX_set_padding() this is used to
13837   disable standard block padding (aka PKCS#5 padding) in the EVP
13838   API, which was previously mandatory. This means that the data is
13839   not padded in any way and so the total length much be a multiple
13840   of the block size, otherwise an error occurs.
13841
13842   *Steve Henson*
13843
13844 * Initial (incomplete) OCSP SSL support.
13845
13846   *Steve Henson*
13847
13848 * New function OCSP_parse_url(). This splits up a URL into its host,
13849   port and path components: primarily to parse OCSP URLs. New -url
13850   option to ocsp utility.
13851
13852   *Steve Henson*
13853
13854 * New nonce behavior. The return value of OCSP_check_nonce() now
13855   reflects the various checks performed. Applications can decide
13856   whether to tolerate certain situations such as an absent nonce
13857   in a response when one was present in a request: the ocsp application
13858   just prints out a warning. New function OCSP_add1_basic_nonce()
13859   this is to allow responders to include a nonce in a response even if
13860   the request is nonce-less.
13861
13862   *Steve Henson*
13863
13864 * Disable stdin buffering in `load_cert()` (`apps/apps.c`) so that no certs are
13865   skipped when using openssl x509 multiple times on a single input file,
13866   e.g. `(openssl x509 -out cert1; openssl x509 -out cert2) <certs`.
13867
13868   *Bodo Moeller*
13869
13870 * Make ASN1_UTCTIME_set_string() and ASN1_GENERALIZEDTIME_set_string()
13871   set string type: to handle setting ASN1_TIME structures. Fix ca
13872   utility to correctly initialize revocation date of CRLs.
13873
13874   *Steve Henson*
13875
13876 * New option SSL_OP_CIPHER_SERVER_PREFERENCE allows the server to override
13877   the clients preferred ciphersuites and rather use its own preferences.
13878   Should help to work around M$ SGC (Server Gated Cryptography) bug in
13879   Internet Explorer by ensuring unchanged hash method during stepup.
13880   (Also replaces the broken/deactivated SSL_OP_NON_EXPORT_FIRST option.)
13881
13882   *Lutz Jaenicke*
13883
13884 * Make mkdef.pl recognise all DECLARE_ASN1 macros, change rijndael
13885   to aes and add a new 'exist' option to print out symbols that don't
13886   appear to exist.
13887
13888   *Steve Henson*
13889
13890 * Additional options to ocsp utility to allow flags to be set and
13891   additional certificates supplied.
13892
13893   *Steve Henson*
13894
13895 * Add the option -VAfile to 'openssl ocsp', so the user can give the
13896   OCSP client a number of certificate to only verify the response
13897   signature against.
13898
13899   *Richard Levitte*
13900
13901 * Update Rijndael code to version 3.0 and change EVP AES ciphers to
13902   handle the new API. Currently only ECB, CBC modes supported. Add new
13903   AES OIDs.
13904
13905   Add TLS AES ciphersuites as described in RFC3268, "Advanced
13906   Encryption Standard (AES) Ciphersuites for Transport Layer
13907   Security (TLS)".  (In beta versions of OpenSSL 0.9.7, these were
13908   not enabled by default and were not part of the "ALL" ciphersuite
13909   alias because they were not yet official; they could be
13910   explicitly requested by specifying the "AESdraft" ciphersuite
13911   group alias.  In the final release of OpenSSL 0.9.7, the group
13912   alias is called "AES" and is part of "ALL".)
13913
13914   *Ben Laurie, Steve  Henson, Bodo Moeller*
13915
13916 * New function OCSP_copy_nonce() to copy nonce value (if present) from
13917   request to response.
13918
13919   *Steve Henson*
13920
13921 * Functions for OCSP responders. OCSP_request_onereq_count(),
13922   OCSP_request_onereq_get0(), OCSP_onereq_get0_id() and OCSP_id_get0_info()
13923   extract information from a certificate request. OCSP_response_create()
13924   creates a response and optionally adds a basic response structure.
13925   OCSP_basic_add1_status() adds a complete single response to a basic
13926   response and returns the OCSP_SINGLERESP structure just added (to allow
13927   extensions to be included for example). OCSP_basic_add1_cert() adds a
13928   certificate to a basic response and OCSP_basic_sign() signs a basic
13929   response with various flags. New helper functions ASN1_TIME_check()
13930   (checks validity of ASN1_TIME structure) and ASN1_TIME_to_generalizedtime()
13931   (converts ASN1_TIME to GeneralizedTime).
13932
13933   *Steve Henson*
13934
13935 * Various new functions. EVP_Digest() combines EVP_Digest{Init,Update,Final}()
13936   in a single operation. X509_get0_pubkey_bitstr() extracts the public_key
13937   structure from a certificate. X509_pubkey_digest() digests the public_key
13938   contents: this is used in various key identifiers.
13939
13940   *Steve Henson*
13941
13942 * Make sk_sort() tolerate a NULL argument.
13943
13944   *Steve Henson reported by Massimiliano Pala <madwolf@comune.modena.it>*
13945
13946 * New OCSP verify flag OCSP_TRUSTOTHER. When set the "other" certificates
13947   passed by the function are trusted implicitly. If any of them signed the
13948   response then it is assumed to be valid and is not verified.
13949
13950   *Steve Henson*
13951
13952 * In PKCS7_set_type() initialise content_type in PKCS7_ENC_CONTENT
13953   to data. This was previously part of the PKCS7 ASN1 code. This
13954   was causing problems with OpenSSL created PKCS#12 and PKCS#7 structures.
13955   *Steve Henson, reported by Kenneth R. Robinette
13956                              <support@securenetterm.com>*
13957
13958 * Add CRYPTO_push_info() and CRYPTO_pop_info() calls to new ASN1
13959   routines: without these tracing memory leaks is very painful.
13960   Fix leaks in PKCS12 and PKCS7 routines.
13961
13962   *Steve Henson*
13963
13964 * Make X509_time_adj() cope with the new behaviour of ASN1_TIME_new().
13965   Previously it initialised the 'type' argument to V_ASN1_UTCTIME which
13966   effectively meant GeneralizedTime would never be used. Now it
13967   is initialised to -1 but X509_time_adj() now has to check the value
13968   and use ASN1_TIME_set() if the value is not V_ASN1_UTCTIME or
13969   V_ASN1_GENERALIZEDTIME, without this it always uses GeneralizedTime.
13970   *Steve Henson, reported by Kenneth R. Robinette
13971                              <support@securenetterm.com>*
13972
13973 * Fixes to BN_to_ASN1_INTEGER when bn is zero. This would previously
13974   result in a zero length in the ASN1_INTEGER structure which was
13975   not consistent with the structure when d2i_ASN1_INTEGER() was used
13976   and would cause ASN1_INTEGER_cmp() to fail. Enhance s2i_ASN1_INTEGER()
13977   to cope with hex and negative integers. Fix bug in i2a_ASN1_INTEGER()
13978   where it did not print out a minus for negative ASN1_INTEGER.
13979
13980   *Steve Henson*
13981
13982 * Add summary printout to ocsp utility. The various functions which
13983   convert status values to strings have been renamed to:
13984   OCSP_response_status_str(), OCSP_cert_status_str() and
13985   OCSP_crl_reason_str() and are no longer static. New options
13986   to verify nonce values and to disable verification. OCSP response
13987   printout format cleaned up.
13988
13989   *Steve Henson*
13990
13991 * Add additional OCSP certificate checks. These are those specified
13992   in RFC2560. This consists of two separate checks: the CA of the
13993   certificate being checked must either be the OCSP signer certificate
13994   or the issuer of the OCSP signer certificate. In the latter case the
13995   OCSP signer certificate must contain the OCSP signing extended key
13996   usage. This check is performed by attempting to match the OCSP
13997   signer or the OCSP signer CA to the issuerNameHash and issuerKeyHash
13998   in the OCSP_CERTID structures of the response.
13999
14000   *Steve Henson*
14001
14002 * Initial OCSP certificate verification added to OCSP_basic_verify()
14003   and related routines. This uses the standard OpenSSL certificate
14004   verify routines to perform initial checks (just CA validity) and
14005   to obtain the certificate chain. Then additional checks will be
14006   performed on the chain. Currently the root CA is checked to see
14007   if it is explicitly trusted for OCSP signing. This is used to set
14008   a root CA as a global signing root: that is any certificate that
14009   chains to that CA is an acceptable OCSP signing certificate.
14010
14011   *Steve Henson*
14012
14013 * New '-extfile ...' option to 'openssl ca' for reading X.509v3
14014   extensions from a separate configuration file.
14015   As when reading extensions from the main configuration file,
14016   the '-extensions ...' option may be used for specifying the
14017   section to use.
14018
14019   *Massimiliano Pala <madwolf@comune.modena.it>*
14020
14021 * New OCSP utility. Allows OCSP requests to be generated or
14022   read. The request can be sent to a responder and the output
14023   parsed, outputted or printed in text form. Not complete yet:
14024   still needs to check the OCSP response validity.
14025
14026   *Steve Henson*
14027
14028 * New subcommands for 'openssl ca':
14029   `openssl ca -status <serial>` prints the status of the cert with
14030   the given serial number (according to the index file).
14031   `openssl ca -updatedb` updates the expiry status of certificates
14032   in the index file.
14033
14034   *Massimiliano Pala <madwolf@comune.modena.it>*
14035
14036 * New '-newreq-nodes' command option to CA.pl.  This is like
14037   '-newreq', but calls 'openssl req' with the '-nodes' option
14038   so that the resulting key is not encrypted.
14039
14040   *Damien Miller <djm@mindrot.org>*
14041
14042 * New configuration for the GNU Hurd.
14043
14044   *Jonathan Bartlett <johnnyb@wolfram.com> via Richard Levitte*
14045
14046 * Initial code to implement OCSP basic response verify. This
14047   is currently incomplete. Currently just finds the signer's
14048   certificate and verifies the signature on the response.
14049
14050   *Steve Henson*
14051
14052 * New SSLeay_version code SSLEAY_DIR to determine the compiled-in
14053   value of OPENSSLDIR.  This is available via the new '-d' option
14054   to 'openssl version', and is also included in 'openssl version -a'.
14055
14056   *Bodo Moeller*
14057
14058 * Allowing defining memory allocation callbacks that will be given
14059   file name and line number information in additional arguments
14060   (a `const char*` and an int).  The basic functionality remains, as
14061   well as the original possibility to just replace malloc(),
14062   realloc() and free() by functions that do not know about these
14063   additional arguments.  To register and find out the current
14064   settings for extended allocation functions, the following
14065   functions are provided:
14066
14067           CRYPTO_set_mem_ex_functions
14068           CRYPTO_set_locked_mem_ex_functions
14069           CRYPTO_get_mem_ex_functions
14070           CRYPTO_get_locked_mem_ex_functions
14071
14072   These work the same way as CRYPTO_set_mem_functions and friends.
14073   `CRYPTO_get_[locked_]mem_functions` now writes 0 where such an
14074   extended allocation function is enabled.
14075   Similarly, `CRYPTO_get_[locked_]mem_ex_functions` writes 0 where
14076   a conventional allocation function is enabled.
14077
14078   *Richard Levitte, Bodo Moeller*
14079
14080 * Finish off removing the remaining LHASH function pointer casts.
14081   There should no longer be any prototype-casting required when using
14082   the LHASH abstraction, and any casts that remain are "bugs". See
14083   the callback types and macros at the head of lhash.h for details
14084   (and "OBJ_cleanup" in crypto/objects/obj_dat.c as an example).
14085
14086   *Geoff Thorpe*
14087
14088 * Add automatic query of EGD sockets in RAND_poll() for the unix variant.
14089   If /dev/[u]random devices are not available or do not return enough
14090   entropy, EGD style sockets (served by EGD or PRNGD) will automatically
14091   be queried.
14092   The locations /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool, and
14093   /etc/entropy will be queried once each in this sequence, querying stops
14094   when enough entropy was collected without querying more sockets.
14095
14096   *Lutz Jaenicke*
14097
14098 * Change the Unix RAND_poll() variant to be able to poll several
14099   random devices, as specified by DEVRANDOM, until a sufficient amount
14100   of data has been collected.   We spend at most 10 ms on each file
14101   (select timeout) and read in non-blocking mode.  DEVRANDOM now
14102   defaults to the list "/dev/urandom", "/dev/random", "/dev/srandom"
14103   (previously it was just the string "/dev/urandom"), so on typical
14104   platforms the 10 ms delay will never occur.
14105   Also separate out the Unix variant to its own file, rand_unix.c.
14106   For VMS, there's a currently-empty rand_vms.c.
14107
14108   *Richard Levitte*
14109
14110 * Move OCSP client related routines to ocsp_cl.c. These
14111   provide utility functions which an application needing
14112   to issue a request to an OCSP responder and analyse the
14113   response will typically need: as opposed to those which an
14114   OCSP responder itself would need which will be added later.
14115
14116   OCSP_request_sign() signs an OCSP request with an API similar
14117   to PKCS7_sign(). OCSP_response_status() returns status of OCSP
14118   response. OCSP_response_get1_basic() extracts basic response
14119   from response. OCSP_resp_find_status(): finds and extracts status
14120   information from an OCSP_CERTID structure (which will be created
14121   when the request structure is built). These are built from lower
14122   level functions which work on OCSP_SINGLERESP structures but
14123   won't normally be used unless the application wishes to examine
14124   extensions in the OCSP response for example.
14125
14126   Replace nonce routines with a pair of functions.
14127   OCSP_request_add1_nonce() adds a nonce value and optionally
14128   generates a random value. OCSP_check_nonce() checks the
14129   validity of the nonce in an OCSP response.
14130
14131   *Steve Henson*
14132
14133 * Change function OCSP_request_add() to OCSP_request_add0_id().
14134   This doesn't copy the supplied OCSP_CERTID and avoids the
14135   need to free up the newly created id. Change return type
14136   to OCSP_ONEREQ to return the internal OCSP_ONEREQ structure.
14137   This can then be used to add extensions to the request.
14138   Deleted OCSP_request_new(), since most of its functionality
14139   is now in OCSP_REQUEST_new() (and the case insensitive name
14140   clash) apart from the ability to set the request name which
14141   will be added elsewhere.
14142
14143   *Steve Henson*
14144
14145 * Update OCSP API. Remove obsolete extensions argument from
14146   various functions. Extensions are now handled using the new
14147   OCSP extension code. New simple OCSP HTTP function which
14148   can be used to send requests and parse the response.
14149
14150   *Steve Henson*
14151
14152 * Fix the PKCS#7 (S/MIME) code to work with new ASN1. Two new
14153   ASN1_ITEM structures help with sign and verify. PKCS7_ATTR_SIGN
14154   uses the special reorder version of SET OF to sort the attributes
14155   and reorder them to match the encoded order. This resolves a long
14156   standing problem: a verify on a PKCS7 structure just after signing
14157   it used to fail because the attribute order did not match the
14158   encoded order. PKCS7_ATTR_VERIFY does not reorder the attributes:
14159   it uses the received order. This is necessary to tolerate some broken
14160   software that does not order SET OF. This is handled by encoding
14161   as a SEQUENCE OF but using implicit tagging (with UNIVERSAL class)
14162   to produce the required SET OF.
14163
14164   *Steve Henson*
14165
14166 * Have mk1mf.pl generate the macros OPENSSL_BUILD_SHLIBCRYPTO and
14167   OPENSSL_BUILD_SHLIBSSL and use them appropriately in the header
14168   files to get correct declarations of the ASN.1 item variables.
14169
14170   *Richard Levitte*
14171
14172 * Rewrite of PKCS#12 code to use new ASN1 functionality. Replace many
14173   PKCS#12 macros with real functions. Fix two unrelated ASN1 bugs:
14174   asn1_check_tlen() would sometimes attempt to use 'ctx' when it was
14175   NULL and ASN1_TYPE was not dereferenced properly in asn1_ex_c2i().
14176   New ASN1 macro: DECLARE_ASN1_ITEM() which just declares the relevant
14177   ASN1_ITEM and no wrapper functions.
14178
14179   *Steve Henson*
14180
14181 * New functions or ASN1_item_d2i_fp() and ASN1_item_d2i_bio(). These
14182   replace the old function pointer based I/O routines. Change most of
14183   the `*_d2i_bio()` and `*_d2i_fp()` functions to use these.
14184
14185   *Steve Henson*
14186
14187 * Enhance mkdef.pl to be more accepting about spacing in C preprocessor
14188   lines, recognize more "algorithms" that can be deselected, and make
14189   it complain about algorithm deselection that isn't recognised.
14190
14191   *Richard Levitte*
14192
14193 * New ASN1 functions to handle dup, sign, verify, digest, pack and
14194   unpack operations in terms of ASN1_ITEM. Modify existing wrappers
14195   to use new functions. Add NO_ASN1_OLD which can be set to remove
14196   some old style ASN1 functions: this can be used to determine if old
14197   code will still work when these eventually go away.
14198
14199   *Steve Henson*
14200
14201 * New extension functions for OCSP structures, these follow the
14202   same conventions as certificates and CRLs.
14203
14204   *Steve Henson*
14205
14206 * New function X509V3_add1_i2d(). This automatically encodes and
14207   adds an extension. Its behaviour can be customised with various
14208   flags to append, replace or delete. Various wrappers added for
14209   certificates and CRLs.
14210
14211   *Steve Henson*
14212
14213 * Fix to avoid calling the underlying ASN1 print routine when
14214   an extension cannot be parsed. Correct a typo in the
14215   OCSP_SERVICELOC extension. Tidy up print OCSP format.
14216
14217   *Steve Henson*
14218
14219 * Make mkdef.pl parse some of the ASN1 macros and add appropriate
14220   entries for variables.
14221
14222   *Steve Henson*
14223
14224 * Add functionality to `apps/openssl.c` for detecting locking
14225   problems: As the program is single-threaded, all we have
14226   to do is register a locking callback using an array for
14227   storing which locks are currently held by the program.
14228
14229   *Bodo Moeller*
14230
14231 * Use a lock around the call to CRYPTO_get_ex_new_index() in
14232   SSL_get_ex_data_X509_STORE_idx(), which is used in
14233   ssl_verify_cert_chain() and thus can be called at any time
14234   during TLS/SSL handshakes so that thread-safety is essential.
14235   Unfortunately, the ex_data design is not at all suited
14236   for multi-threaded use, so it probably should be abolished.
14237
14238   *Bodo Moeller*
14239
14240 * Added Broadcom "ubsec" ENGINE to OpenSSL.
14241
14242   *Broadcom, tweaked and integrated by Geoff Thorpe*
14243
14244 * Move common extension printing code to new function
14245   X509V3_print_extensions(). Reorganise OCSP print routines and
14246   implement some needed OCSP ASN1 functions. Add OCSP extensions.
14247
14248   *Steve Henson*
14249
14250 * New function X509_signature_print() to remove duplication in some
14251   print routines.
14252
14253   *Steve Henson*
14254
14255 * Add a special meaning when SET OF and SEQUENCE OF flags are both
14256   set (this was treated exactly the same as SET OF previously). This
14257   is used to reorder the STACK representing the structure to match the
14258   encoding. This will be used to get round a problem where a PKCS7
14259   structure which was signed could not be verified because the STACK
14260   order did not reflect the encoded order.
14261
14262   *Steve Henson*
14263
14264 * Reimplement the OCSP ASN1 module using the new code.
14265
14266   *Steve Henson*
14267
14268 * Update the X509V3 code to permit the use of an ASN1_ITEM structure
14269   for its ASN1 operations. The old style function pointers still exist
14270   for now but they will eventually go away.
14271
14272   *Steve Henson*
14273
14274 * Merge in replacement ASN1 code from the ASN1 branch. This almost
14275   completely replaces the old ASN1 functionality with a table driven
14276   encoder and decoder which interprets an ASN1_ITEM structure describing
14277   the ASN1 module. Compatibility with the existing ASN1 API (i2d,d2i) is
14278   largely maintained. Almost all of the old asn1_mac.h macro based ASN1
14279   has also been converted to the new form.
14280
14281   *Steve Henson*
14282
14283 * Change BN_mod_exp_recp so that negative moduli are tolerated
14284   (the sign is ignored).  Similarly, ignore the sign in BN_MONT_CTX_set
14285   so that BN_mod_exp_mont and BN_mod_exp_mont_word work
14286   for negative moduli.
14287
14288   *Bodo Moeller*
14289
14290 * Fix BN_uadd and BN_usub: Always return non-negative results instead
14291   of not touching the result's sign bit.
14292
14293   *Bodo Moeller*
14294
14295 * BN_div bugfix: If the result is 0, the sign (res->neg) must not be
14296   set.
14297
14298   *Bodo Moeller*
14299
14300 * Changed the LHASH code to use prototypes for callbacks, and created
14301   macros to declare and implement thin (optionally static) functions
14302   that provide type-safety and avoid function pointer casting for the
14303   type-specific callbacks.
14304
14305   *Geoff Thorpe*
14306
14307 * Added Kerberos Cipher Suites to be used with TLS, as written in
14308   RFC 2712.
14309   *Veers Staats <staatsvr@asc.hpc.mil>,
14310   Jeffrey Altman <jaltman@columbia.edu>, via Richard Levitte*
14311
14312 * Reformat the FAQ so the different questions and answers can be divided
14313   in sections depending on the subject.
14314
14315   *Richard Levitte*
14316
14317 * Have the zlib compression code load ZLIB.DLL dynamically under
14318   Windows.
14319
14320   *Richard Levitte*
14321
14322 * New function BN_mod_sqrt for computing square roots modulo a prime
14323   (using the probabilistic Tonelli-Shanks algorithm unless
14324   p == 3 (mod 4)  or  p == 5 (mod 8),  which are cases that can
14325   be handled deterministically).
14326
14327   *Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller*
14328
14329 * Make BN_mod_inverse faster by explicitly handling small quotients
14330   in the Euclid loop. (Speed gain about 20% for small moduli [256 or
14331   512 bits], about 30% for larger ones [1024 or 2048 bits].)
14332
14333   *Bodo Moeller*
14334
14335 * New function BN_kronecker.
14336
14337   *Bodo Moeller*
14338
14339 * Fix BN_gcd so that it works on negative inputs; the result is
14340   positive unless both parameters are zero.
14341   Previously something reasonably close to an infinite loop was
14342   possible because numbers could be growing instead of shrinking
14343   in the implementation of Euclid's algorithm.
14344
14345   *Bodo Moeller*
14346
14347 * Fix BN_is_word() and BN_is_one() macros to take into account the
14348   sign of the number in question.
14349
14350   Fix BN_is_word(a,w) to work correctly for w == 0.
14351
14352   The old BN_is_word(a,w) macro is now called BN_abs_is_word(a,w)
14353   because its test if the absolute value of 'a' equals 'w'.
14354   Note that BN_abs_is_word does *not* handle w == 0 reliably;
14355   it exists mostly for use in the implementations of BN_is_zero(),
14356   BN_is_one(), and BN_is_word().
14357
14358   *Bodo Moeller*
14359
14360 * New function BN_swap.
14361
14362   *Bodo Moeller*
14363
14364 * Use BN_nnmod instead of BN_mod in crypto/bn/bn_exp.c so that
14365   the exponentiation functions are more likely to produce reasonable
14366   results on negative inputs.
14367
14368   *Bodo Moeller*
14369
14370 * Change BN_mod_mul so that the result is always non-negative.
14371   Previously, it could be negative if one of the factors was negative;
14372   I don't think anyone really wanted that behaviour.
14373
14374   *Bodo Moeller*
14375
14376 * Move `BN_mod_...` functions into new file `crypto/bn/bn_mod.c`
14377   (except for exponentiation, which stays in `crypto/bn/bn_exp.c`,
14378   and `BN_mod_mul_reciprocal`, which stays in `crypto/bn/bn_recp.c`)
14379   and add new functions:
14380
14381           BN_nnmod
14382           BN_mod_sqr
14383           BN_mod_add
14384           BN_mod_add_quick
14385           BN_mod_sub
14386           BN_mod_sub_quick
14387           BN_mod_lshift1
14388           BN_mod_lshift1_quick
14389           BN_mod_lshift
14390           BN_mod_lshift_quick
14391
14392   These functions always generate non-negative results.
14393
14394   `BN_nnmod` otherwise is `like BN_mod` (if `BN_mod` computes a remainder `r`
14395   such that `|m| < r < 0`, `BN_nnmod` will output `rem + |m|` instead).
14396
14397   `BN_mod_XXX_quick(r, a, [b,] m)` generates the same result as
14398   `BN_mod_XXX(r, a, [b,] m, ctx)`, but requires that `a` [and  `b`]
14399   be reduced modulo `m`.
14400
14401   *Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller*
14402
14403<!--
14404   The following entry accidentally appeared in the CHANGES file
14405   distributed with OpenSSL 0.9.7.  The modifications described in
14406   it do *not* apply to OpenSSL 0.9.7.
14407
14408 * Remove a few calls to bn_wexpand() in BN_sqr() (the one in there
14409   was actually never needed) and in BN_mul().  The removal in BN_mul()
14410   required a small change in bn_mul_part_recursive() and the addition
14411   of the functions bn_cmp_part_words(), bn_sub_part_words() and
14412   bn_add_part_words(), which do the same thing as bn_cmp_words(),
14413   bn_sub_words() and bn_add_words() except they take arrays with
14414   differing sizes.
14415
14416   *Richard Levitte*
14417-->
14418
14419 * In 'openssl passwd', verify passwords read from the terminal
14420   unless the '-salt' option is used (which usually means that
14421   verification would just waste user's time since the resulting
14422   hash is going to be compared with some given password hash)
14423   or the new '-noverify' option is used.
14424
14425   This is an incompatible change, but it does not affect
14426   non-interactive use of 'openssl passwd' (passwords on the command
14427   line, '-stdin' option, '-in ...' option) and thus should not
14428   cause any problems.
14429
14430   *Bodo Moeller*
14431
14432 * Remove all references to RSAref, since there's no more need for it.
14433
14434   *Richard Levitte*
14435
14436 * Make DSO load along a path given through an environment variable
14437   (SHLIB_PATH) with shl_load().
14438
14439   *Richard Levitte*
14440
14441 * Constify the ENGINE code as a result of BIGNUM constification.
14442   Also constify the RSA code and most things related to it.  In a
14443   few places, most notable in the depth of the ASN.1 code, ugly
14444   casts back to non-const were required (to be solved at a later
14445   time)
14446
14447   *Richard Levitte*
14448
14449 * Make it so the openssl application has all engines loaded by default.
14450
14451   *Richard Levitte*
14452
14453 * Constify the BIGNUM routines a little more.
14454
14455   *Richard Levitte*
14456
14457 * Add the following functions:
14458
14459           ENGINE_load_cswift()
14460           ENGINE_load_chil()
14461           ENGINE_load_atalla()
14462           ENGINE_load_nuron()
14463           ENGINE_load_builtin_engines()
14464
14465   That way, an application can itself choose if external engines that
14466   are built-in in OpenSSL shall ever be used or not.  The benefit is
14467   that applications won't have to be linked with libdl or other dso
14468   libraries unless it's really needed.
14469
14470   Changed 'openssl engine' to load all engines on demand.
14471   Changed the engine header files to avoid the duplication of some
14472   declarations (they differed!).
14473
14474   *Richard Levitte*
14475
14476 * 'openssl engine' can now list capabilities.
14477
14478   *Richard Levitte*
14479
14480 * Better error reporting in 'openssl engine'.
14481
14482   *Richard Levitte*
14483
14484 * Never call load_dh_param(NULL) in s_server.
14485
14486   *Bodo Moeller*
14487
14488 * Add engine application.  It can currently list engines by name and
14489   identity, and test if they are actually available.
14490
14491   *Richard Levitte*
14492
14493 * Improve RPM specification file by forcing symbolic linking and making
14494   sure the installed documentation is also owned by root.root.
14495
14496   *Damien Miller <djm@mindrot.org>*
14497
14498 * Give the OpenSSL applications more possibilities to make use of
14499   keys (public as well as private) handled by engines.
14500
14501   *Richard Levitte*
14502
14503 * Add OCSP code that comes from CertCo.
14504
14505   *Richard Levitte*
14506
14507 * Add VMS support for the Rijndael code.
14508
14509   *Richard Levitte*
14510
14511 * Added untested support for Nuron crypto accelerator.
14512
14513   *Ben Laurie*
14514
14515 * Add support for external cryptographic devices.  This code was
14516   previously distributed separately as the "engine" branch.
14517
14518   *Geoff Thorpe, Richard Levitte*
14519
14520 * Rework the filename-translation in the DSO code. It is now possible to
14521   have far greater control over how a "name" is turned into a filename
14522   depending on the operating environment and any oddities about the
14523   different shared library filenames on each system.
14524
14525   *Geoff Thorpe*
14526
14527 * Support threads on FreeBSD-elf in Configure.
14528
14529   *Richard Levitte*
14530
14531 * Fix for SHA1 assembly problem with MASM: it produces
14532   warnings about corrupt line number information when assembling
14533   with debugging information. This is caused by the overlapping
14534   of two sections.
14535
14536   *Bernd Matthes <mainbug@celocom.de>, Steve Henson*
14537
14538 * NCONF changes.
14539   NCONF_get_number() has no error checking at all.  As a replacement,
14540   NCONF_get_number_e() is defined (`_e` for "error checking") and is
14541   promoted strongly.  The old NCONF_get_number is kept around for
14542   binary backward compatibility.
14543   Make it possible for methods to load from something other than a BIO,
14544   by providing a function pointer that is given a name instead of a BIO.
14545   For example, this could be used to load configuration data from an
14546   LDAP server.
14547
14548   *Richard Levitte*
14549
14550 * Fix for non blocking accept BIOs. Added new I/O special reason
14551   BIO_RR_ACCEPT to cover this case. Previously use of accept BIOs
14552   with non blocking I/O was not possible because no retry code was
14553   implemented. Also added new SSL code SSL_WANT_ACCEPT to cover
14554   this case.
14555
14556   *Steve Henson*
14557
14558 * Added the beginnings of Rijndael support.
14559
14560   *Ben Laurie*
14561
14562 * Fix for bug in DirectoryString mask setting. Add support for
14563   X509_NAME_print_ex() in 'req' and X509_print_ex() function
14564   to allow certificate printing to more controllable, additional
14565   'certopt' option to 'x509' to allow new printing options to be
14566   set.
14567
14568   *Steve Henson*
14569
14570 * Clean old EAY MD5 hack from e_os.h.
14571
14572   *Richard Levitte*
14573
14574### Changes between 0.9.6l and 0.9.6m  [17 Mar 2004]
14575
14576 * Fix null-pointer assignment in do_change_cipher_spec() revealed
14577   by using the Codenomicon TLS Test Tool ([CVE-2004-0079])
14578
14579   *Joe Orton, Steve Henson*
14580
14581### Changes between 0.9.6k and 0.9.6l  [04 Nov 2003]
14582
14583 * Fix additional bug revealed by the NISCC test suite:
14584
14585   Stop bug triggering large recursion when presented with
14586   certain ASN.1 tags ([CVE-2003-0851])
14587
14588   *Steve Henson*
14589
14590### Changes between 0.9.6j and 0.9.6k  [30 Sep 2003]
14591
14592 * Fix various bugs revealed by running the NISCC test suite:
14593
14594   Stop out of bounds reads in the ASN1 code when presented with
14595   invalid tags (CVE-2003-0543 and CVE-2003-0544).
14596
14597   If verify callback ignores invalid public key errors don't try to check
14598   certificate signature with the NULL public key.
14599
14600   *Steve Henson*
14601
14602 * In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
14603   if the server requested one: as stated in TLS 1.0 and SSL 3.0
14604   specifications.
14605
14606   *Steve Henson*
14607
14608 * In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
14609   extra data after the compression methods not only for TLS 1.0
14610   but also for SSL 3.0 (as required by the specification).
14611
14612   *Bodo Moeller; problem pointed out by Matthias Loepfe*
14613
14614 * Change X509_certificate_type() to mark the key as exported/exportable
14615   when it's 512 *bits* long, not 512 bytes.
14616
14617   *Richard Levitte*
14618
14619### Changes between 0.9.6i and 0.9.6j  [10 Apr 2003]
14620
14621 * Countermeasure against the Klima-Pokorny-Rosa extension of
14622   Bleichbacher's attack on PKCS #1 v1.5 padding: treat
14623   a protocol version number mismatch like a decryption error
14624   in ssl3_get_client_key_exchange (ssl/s3_srvr.c).
14625
14626   *Bodo Moeller*
14627
14628 * Turn on RSA blinding by default in the default implementation
14629   to avoid a timing attack. Applications that don't want it can call
14630   RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING.
14631   They would be ill-advised to do so in most cases.
14632
14633   *Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller*
14634
14635 * Change RSA blinding code so that it works when the PRNG is not
14636   seeded (in this case, the secret RSA exponent is abused as
14637   an unpredictable seed -- if it is not unpredictable, there
14638   is no point in blinding anyway).  Make RSA blinding thread-safe
14639   by remembering the creator's thread ID in rsa->blinding and
14640   having all other threads use local one-time blinding factors
14641   (this requires more computation than sharing rsa->blinding, but
14642   avoids excessive locking; and if an RSA object is not shared
14643   between threads, blinding will still be very fast).
14644
14645   *Bodo Moeller*
14646
14647### Changes between 0.9.6h and 0.9.6i  [19 Feb 2003]
14648
14649 * In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
14650   via timing by performing a MAC computation even if incorrect
14651   block cipher padding has been found.  This is a countermeasure
14652   against active attacks where the attacker has to distinguish
14653   between bad padding and a MAC verification error. ([CVE-2003-0078])
14654
14655   *Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
14656   Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
14657   Martin Vuagnoux (EPFL, Ilion)*
14658
14659### Changes between 0.9.6g and 0.9.6h  [5 Dec 2002]
14660
14661 * New function OPENSSL_cleanse(), which is used to cleanse a section of
14662   memory from its contents.  This is done with a counter that will
14663   place alternating values in each byte.  This can be used to solve
14664   two issues: 1) the removal of calls to memset() by highly optimizing
14665   compilers, and 2) cleansing with other values than 0, since those can
14666   be read through on certain media, for example a swap space on disk.
14667
14668   *Geoff Thorpe*
14669
14670 * Bugfix: client side session caching did not work with external caching,
14671   because the session->cipher setting was not restored when reloading
14672   from the external cache. This problem was masked, when
14673   SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (part of SSL_OP_ALL) was set.
14674   (Found by Steve Haslam <steve@araqnid.ddts.net>.)
14675
14676   *Lutz Jaenicke*
14677
14678 * Fix client_certificate (ssl/s2_clnt.c): The permissible total
14679   length of the REQUEST-CERTIFICATE message is 18 .. 34, not 17 .. 33.
14680
14681   *Zeev Lieber <zeev-l@yahoo.com>*
14682
14683 * Undo an undocumented change introduced in 0.9.6e which caused
14684   repeated calls to OpenSSL_add_all_ciphers() and
14685   OpenSSL_add_all_digests() to be ignored, even after calling
14686   EVP_cleanup().
14687
14688   *Richard Levitte*
14689
14690 * Change the default configuration reader to deal with last line not
14691   being properly terminated.
14692
14693   *Richard Levitte*
14694
14695 * Change X509_NAME_cmp() so it applies the special rules on handling
14696   DN values that are of type PrintableString, as well as RDNs of type
14697   emailAddress where the value has the type ia5String.
14698
14699   *stefank@valicert.com via Richard Levitte*
14700
14701 * Add a SSL_SESS_CACHE_NO_INTERNAL_STORE flag to take over half
14702   the job SSL_SESS_CACHE_NO_INTERNAL_LOOKUP was inconsistently
14703   doing, define a new flag (SSL_SESS_CACHE_NO_INTERNAL) to be
14704   the bitwise-OR of the two for use by the majority of applications
14705   wanting this behaviour, and update the docs. The documented
14706   behaviour and actual behaviour were inconsistent and had been
14707   changing anyway, so this is more a bug-fix than a behavioural
14708   change.
14709
14710   *Geoff Thorpe, diagnosed by Nadav Har'El*
14711
14712 * Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c
14713   (the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes).
14714
14715   *Bodo Moeller*
14716
14717 * Fix initialization code race conditions in
14718           SSLv23_method(),  SSLv23_client_method(),   SSLv23_server_method(),
14719           SSLv2_method(),   SSLv2_client_method(),    SSLv2_server_method(),
14720           SSLv3_method(),   SSLv3_client_method(),    SSLv3_server_method(),
14721           TLSv1_method(),   TLSv1_client_method(),    TLSv1_server_method(),
14722           ssl2_get_cipher_by_char(),
14723           ssl3_get_cipher_by_char().
14724
14725   *Patrick McCormick <patrick@tellme.com>, Bodo Moeller*
14726
14727 * Reorder cleanup sequence in SSL_CTX_free(): only remove the ex_data after
14728   the cached sessions are flushed, as the remove_cb() might use ex_data
14729   contents. Bug found by Sam Varshavchik <mrsam@courier-mta.com>
14730   (see [openssl.org #212]).
14731
14732   *Geoff Thorpe, Lutz Jaenicke*
14733
14734 * Fix typo in OBJ_txt2obj which incorrectly passed the content
14735   length, instead of the encoding length to d2i_ASN1_OBJECT.
14736
14737   *Steve Henson*
14738
14739### Changes between 0.9.6f and 0.9.6g  [9 Aug 2002]
14740
14741 * [In 0.9.6g-engine release:]
14742   Fix crypto/engine/vendor_defns/cswift.h for WIN32 (use `_stdcall`).
14743
14744   *Lynn Gazis <lgazis@rainbow.com>*
14745
14746### Changes between 0.9.6e and 0.9.6f  [8 Aug 2002]
14747
14748 * Fix ASN1 checks. Check for overflow by comparing with LONG_MAX
14749   and get fix the header length calculation.
14750   *Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>,
14751   Alon Kantor <alonk@checkpoint.com> (and others), Steve Henson*
14752
14753 * Use proper error handling instead of 'assertions' in buffer
14754   overflow checks added in 0.9.6e.  This prevents DoS (the
14755   assertions could call abort()).
14756
14757   *Arne Ansper <arne@ats.cyber.ee>, Bodo Moeller*
14758
14759### Changes between 0.9.6d and 0.9.6e  [30 Jul 2002]
14760
14761 * Add various sanity checks to asn1_get_length() to reject
14762   the ASN1 length bytes if they exceed sizeof(long), will appear
14763   negative or the content length exceeds the length of the
14764   supplied buffer.
14765
14766   *Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>*
14767
14768 * Fix cipher selection routines: ciphers without encryption had no flags
14769   for the cipher strength set and where therefore not handled correctly
14770   by the selection routines (PR #130).
14771
14772   *Lutz Jaenicke*
14773
14774 * Fix EVP_dsa_sha macro.
14775
14776   *Nils Larsch*
14777
14778 * New option
14779        SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
14780   for disabling the SSL 3.0/TLS 1.0 CBC vulnerability countermeasure
14781   that was added in OpenSSL 0.9.6d.
14782
14783   As the countermeasure turned out to be incompatible with some
14784   broken SSL implementations, the new option is part of SSL_OP_ALL.
14785   SSL_OP_ALL is usually employed when compatibility with weird SSL
14786   implementations is desired (e.g. '-bugs' option to 's_client' and
14787   's_server'), so the new option is automatically set in many
14788   applications.
14789
14790   *Bodo Moeller*
14791
14792 * Changes in security patch:
14793
14794   Changes marked "(CHATS)" were sponsored by the Defense Advanced
14795   Research Projects Agency (DARPA) and Air Force Research Laboratory,
14796   Air Force Materiel Command, USAF, under agreement number
14797   F30602-01-2-0537.
14798
14799 * Add various sanity checks to asn1_get_length() to reject
14800   the ASN1 length bytes if they exceed sizeof(long), will appear
14801   negative or the content length exceeds the length of the
14802   supplied buffer. ([CVE-2002-0659])
14803
14804   *Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>*
14805
14806 * Assertions for various potential buffer overflows, not known to
14807   happen in practice.
14808
14809   *Ben Laurie (CHATS)*
14810
14811 * Various temporary buffers to hold ASCII versions of integers were
14812   too small for 64 bit platforms. ([CVE-2002-0655])
14813   *Matthew Byng-Maddick <mbm@aldigital.co.uk> and Ben Laurie (CHATS)>*
14814
14815 * Remote buffer overflow in SSL3 protocol - an attacker could
14816   supply an oversized session ID to a client. ([CVE-2002-0656])
14817
14818   *Ben Laurie (CHATS)*
14819
14820 * Remote buffer overflow in SSL2 protocol - an attacker could
14821   supply an oversized client master key. ([CVE-2002-0656])
14822
14823   *Ben Laurie (CHATS)*
14824
14825### Changes between 0.9.6c and 0.9.6d  [9 May 2002]
14826
14827 * Fix crypto/asn1/a_sign.c so that 'parameters' is omitted (not
14828   encoded as NULL) with id-dsa-with-sha1.
14829
14830   *Nils Larsch <nla@trustcenter.de>; problem pointed out by Bodo Moeller*
14831
14832 * Check various `X509_...()` return values in `apps/req.c`.
14833
14834   *Nils Larsch <nla@trustcenter.de>*
14835
14836 * Fix BASE64 decode (EVP_DecodeUpdate) for data with CR/LF ended lines:
14837   an end-of-file condition would erroneously be flagged, when the CRLF
14838   was just at the end of a processed block. The bug was discovered when
14839   processing data through a buffering memory BIO handing the data to a
14840   BASE64-decoding BIO. Bug fund and patch submitted by Pavel Tsekov
14841   <ptsekov@syntrex.com> and Nedelcho Stanev.
14842
14843   *Lutz Jaenicke*
14844
14845 * Implement a countermeasure against a vulnerability recently found
14846   in CBC ciphersuites in SSL 3.0/TLS 1.0: Send an empty fragment
14847   before application data chunks to avoid the use of known IVs
14848   with data potentially chosen by the attacker.
14849
14850   *Bodo Moeller*
14851
14852 * Fix length checks in ssl3_get_client_hello().
14853
14854   *Bodo Moeller*
14855
14856 * TLS/SSL library bugfix: use s->s3->in_read_app_data differently
14857   to prevent ssl3_read_internal() from incorrectly assuming that
14858   ssl3_read_bytes() found application data while handshake
14859   processing was enabled when in fact s->s3->in_read_app_data was
14860   merely automatically cleared during the initial handshake.
14861
14862   *Bodo Moeller; problem pointed out by Arne Ansper <arne@ats.cyber.ee>*
14863
14864 * Fix object definitions for Private and Enterprise: they were not
14865   recognized in their shortname (=lowercase) representation. Extend
14866   obj_dat.pl to issue an error when using undefined keywords instead
14867   of silently ignoring the problem (Svenning Sorensen
14868   <sss@sss.dnsalias.net>).
14869
14870   *Lutz Jaenicke*
14871
14872 * Fix DH_generate_parameters() so that it works for 'non-standard'
14873   generators, i.e. generators other than 2 and 5.  (Previously, the
14874   code did not properly initialise the 'add' and 'rem' values to
14875   BN_generate_prime().)
14876
14877   In the new general case, we do not insist that 'generator' is
14878   actually a primitive root: This requirement is rather pointless;
14879   a generator of the order-q subgroup is just as good, if not
14880   better.
14881
14882   *Bodo Moeller*
14883
14884 * Map new X509 verification errors to alerts. Discovered and submitted by
14885   Tom Wu <tom@arcot.com>.
14886
14887   *Lutz Jaenicke*
14888
14889 * Fix ssl3_pending() (ssl/s3_lib.c) to prevent SSL_pending() from
14890   returning non-zero before the data has been completely received
14891   when using non-blocking I/O.
14892
14893   *Bodo Moeller; problem pointed out by John Hughes*
14894
14895 * Some of the ciphers missed the strength entry (SSL_LOW etc).
14896
14897   *Ben Laurie, Lutz Jaenicke*
14898
14899 * Fix bug in SSL_clear(): bad sessions were not removed (found by
14900   Yoram Zahavi <YoramZ@gilian.com>).
14901
14902   *Lutz Jaenicke*
14903
14904 * Add information about CygWin 1.3 and on, and preserve proper
14905   configuration for the versions before that.
14906
14907   *Corinna Vinschen <vinschen@redhat.com> and Richard Levitte*
14908
14909 * Make removal from session cache (SSL_CTX_remove_session()) more robust:
14910   check whether we deal with a copy of a session and do not delete from
14911   the cache in this case. Problem reported by "Izhar Shoshani Levi"
14912   <izhar@checkpoint.com>.
14913
14914   *Lutz Jaenicke*
14915
14916 * Do not store session data into the internal session cache, if it
14917   is never intended to be looked up (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
14918   flag is set). Proposed by Aslam <aslam@funk.com>.
14919
14920   *Lutz Jaenicke*
14921
14922 * Have ASN1_BIT_STRING_set_bit() really clear a bit when the requested
14923   value is 0.
14924
14925   *Richard Levitte*
14926
14927 * [In 0.9.6d-engine release:]
14928   Fix a crashbug and a logic bug in hwcrhk_load_pubkey().
14929
14930   *Toomas Kiisk <vix@cyber.ee> via Richard Levitte*
14931
14932 * Add the configuration target linux-s390x.
14933
14934   *Neale Ferguson <Neale.Ferguson@SoftwareAG-USA.com> via Richard Levitte*
14935
14936 * The earlier bugfix for the SSL3_ST_SW_HELLO_REQ_C case of
14937   ssl3_accept (ssl/s3_srvr.c) incorrectly used a local flag
14938   variable as an indication that a ClientHello message has been
14939   received.  As the flag value will be lost between multiple
14940   invocations of ssl3_accept when using non-blocking I/O, the
14941   function may not be aware that a handshake has actually taken
14942   place, thus preventing a new session from being added to the
14943   session cache.
14944
14945   To avoid this problem, we now set s->new_session to 2 instead of
14946   using a local variable.
14947
14948   *Lutz Jaenicke, Bodo Moeller*
14949
14950 * Bugfix: Return -1 from ssl3_get_server_done (ssl3/s3_clnt.c)
14951   if the SSL_R_LENGTH_MISMATCH error is detected.
14952
14953   *Geoff Thorpe, Bodo Moeller*
14954
14955 * New 'shared_ldflag' column in Configure platform table.
14956
14957   *Richard Levitte*
14958
14959 * Fix EVP_CIPHER_mode macro.
14960
14961   *"Dan S. Camper" <dan@bti.net>*
14962
14963 * Fix ssl3_read_bytes (ssl/s3_pkt.c): To ignore messages of unknown
14964   type, we must throw them away by setting rr->length to 0.
14965
14966   *D P Chang <dpc@qualys.com>*
14967
14968### Changes between 0.9.6b and 0.9.6c  [21 dec 2001]
14969
14970 * Fix BN_rand_range bug pointed out by Dominikus Scherkl
14971   <Dominikus.Scherkl@biodata.com>.  (The previous implementation
14972   worked incorrectly for those cases where range = `10..._2`  and
14973   `3*range`  is two bits longer than  range.)
14974
14975   *Bodo Moeller*
14976
14977 * Only add signing time to PKCS7 structures if it is not already
14978   present.
14979
14980   *Steve Henson*
14981
14982 * Fix crypto/objects/objects.h: "ld-ce" should be "id-ce",
14983   OBJ_ld_ce should be OBJ_id_ce.
14984   Also some ip-pda OIDs in crypto/objects/objects.txt were
14985   incorrect (cf. RFC 3039).
14986
14987   *Matt Cooper, Frederic Giudicelli, Bodo Moeller*
14988
14989 * Release CRYPTO_LOCK_DYNLOCK when CRYPTO_destroy_dynlockid()
14990   returns early because it has nothing to do.
14991
14992   *Andy Schneider <andy.schneider@bjss.co.uk>*
14993
14994 * [In 0.9.6c-engine release:]
14995   Fix mutex callback return values in crypto/engine/hw_ncipher.c.
14996
14997   *Andy Schneider <andy.schneider@bjss.co.uk>*
14998
14999 * [In 0.9.6c-engine release:]
15000   Add support for Cryptographic Appliance's keyserver technology.
15001   (Use engine 'keyclient')
15002
15003   *Cryptographic Appliances and Geoff Thorpe*
15004
15005 * Add a configuration entry for OS/390 Unix.  The C compiler 'c89'
15006   is called via tools/c89.sh because arguments have to be
15007   rearranged (all '-L' options must appear before the first object
15008   modules).
15009
15010   *Richard Shapiro <rshapiro@abinitio.com>*
15011
15012 * [In 0.9.6c-engine release:]
15013   Add support for Broadcom crypto accelerator cards, backported
15014   from 0.9.7.
15015
15016   *Broadcom, Nalin Dahyabhai <nalin@redhat.com>, Mark Cox*
15017
15018 * [In 0.9.6c-engine release:]
15019   Add support for SureWare crypto accelerator cards from
15020   Baltimore Technologies.  (Use engine 'sureware')
15021
15022   *Baltimore Technologies and Mark Cox*
15023
15024 * [In 0.9.6c-engine release:]
15025   Add support for crypto accelerator cards from Accelerated
15026   Encryption Processing, www.aep.ie.  (Use engine 'aep')
15027
15028   *AEP Inc. and Mark Cox*
15029
15030 * Add a configuration entry for gcc on UnixWare.
15031
15032   *Gary Benson <gbenson@redhat.com>*
15033
15034 * Change ssl/s2_clnt.c and ssl/s2_srvr.c so that received handshake
15035   messages are stored in a single piece (fixed-length part and
15036   variable-length part combined) and fix various bugs found on the way.
15037
15038   *Bodo Moeller*
15039
15040 * Disable caching in BIO_gethostbyname(), directly use gethostbyname()
15041   instead.  BIO_gethostbyname() does not know what timeouts are
15042   appropriate, so entries would stay in cache even when they have
15043   become invalid.
15044   *Bodo Moeller; problem pointed out by Rich Salz <rsalz@zolera.com>*
15045
15046 * Change ssl23_get_client_hello (ssl/s23_srvr.c) behaviour when
15047   faced with a pathologically small ClientHello fragment that does
15048   not contain client_version: Instead of aborting with an error,
15049   simply choose the highest available protocol version (i.e.,
15050   TLS 1.0 unless it is disabled).  In practice, ClientHello
15051   messages are never sent like this, but this change gives us
15052   strictly correct behaviour at least for TLS.
15053
15054   *Bodo Moeller*
15055
15056 * Fix SSL handshake functions and SSL_clear() such that SSL_clear()
15057   never resets s->method to s->ctx->method when called from within
15058   one of the SSL handshake functions.
15059
15060   *Bodo Moeller; problem pointed out by Niko Baric*
15061
15062 * In ssl3_get_client_hello (ssl/s3_srvr.c), generate a fatal alert
15063   (sent using the client's version number) if client_version is
15064   smaller than the protocol version in use.  Also change
15065   ssl23_get_client_hello (ssl/s23_srvr.c) to select TLS 1.0 if
15066   the client demanded SSL 3.0 but only TLS 1.0 is enabled; then
15067   the client will at least see that alert.
15068
15069   *Bodo Moeller*
15070
15071 * Fix ssl3_get_message (ssl/s3_both.c) to handle message fragmentation
15072   correctly.
15073
15074   *Bodo Moeller*
15075
15076 * Avoid infinite loop in ssl3_get_message (ssl/s3_both.c) if a
15077   client receives HelloRequest while in a handshake.
15078
15079   *Bodo Moeller; bug noticed by Andy Schneider <andy.schneider@bjss.co.uk>*
15080
15081 * Bugfix in ssl3_accept (ssl/s3_srvr.c): Case SSL3_ST_SW_HELLO_REQ_C
15082   should end in 'break', not 'goto end' which circumvents various
15083   cleanups done in state SSL_ST_OK.   But session related stuff
15084   must be disabled for SSL_ST_OK in the case that we just sent a
15085   HelloRequest.
15086
15087   Also avoid some overhead by not calling ssl_init_wbio_buffer()
15088   before just sending a HelloRequest.
15089
15090   *Bodo Moeller, Eric Rescorla <ekr@rtfm.com>*
15091
15092 * Fix ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c so that we don't
15093   reveal whether illegal block cipher padding was found or a MAC
15094   verification error occurred.  (Neither SSLerr() codes nor alerts
15095   are directly visible to potential attackers, but the information
15096   may leak via logfiles.)
15097
15098   Similar changes are not required for the SSL 2.0 implementation
15099   because the number of padding bytes is sent in clear for SSL 2.0,
15100   and the extra bytes are just ignored.  However ssl/s2_pkt.c
15101   failed to verify that the purported number of padding bytes is in
15102   the legal range.
15103
15104   *Bodo Moeller*
15105
15106 * Add OpenUNIX-8 support including shared libraries
15107   (Boyd Lynn Gerber <gerberb@zenez.com>).
15108
15109   *Lutz Jaenicke*
15110
15111 * Improve RSA_padding_check_PKCS1_OAEP() check again to avoid
15112   'wristwatch attack' using huge encoding parameters (cf.
15113   James H. Manger's CRYPTO 2001 paper).  Note that the
15114   RSA_PKCS1_OAEP_PADDING case of RSA_private_decrypt() does not use
15115   encoding parameters and hence was not vulnerable.
15116
15117   *Bodo Moeller*
15118
15119 * BN_sqr() bug fix.
15120
15121   *Ulf Möller, reported by Jim Ellis <jim.ellis@cavium.com>*
15122
15123 * Rabin-Miller test analyses assume uniformly distributed witnesses,
15124   so use BN_pseudo_rand_range() instead of using BN_pseudo_rand()
15125   followed by modular reduction.
15126
15127   *Bodo Moeller; pointed out by Adam Young <AYoung1@NCSUS.JNJ.COM>*
15128
15129 * Add BN_pseudo_rand_range() with obvious functionality: BN_rand_range()
15130   equivalent based on BN_pseudo_rand() instead of BN_rand().
15131
15132   *Bodo Moeller*
15133
15134 * s3_srvr.c: allow sending of large client certificate lists (> 16 kB).
15135   This function was broken, as the check for a new client hello message
15136   to handle SGC did not allow these large messages.
15137   (Tracked down by "Douglas E. Engert" <deengert@anl.gov>.)
15138
15139   *Lutz Jaenicke*
15140
15141 * Add alert descriptions for TLSv1 to `SSL_alert_desc_string[_long]()`.
15142
15143   *Lutz Jaenicke*
15144
15145 * Fix buggy behaviour of BIO_get_num_renegotiates() and BIO_ctrl()
15146   for BIO_C_GET_WRITE_BUF_SIZE ("Stephen Hinton" <shinton@netopia.com>).
15147
15148   *Lutz Jaenicke*
15149
15150 * Rework the configuration and shared library support for Tru64 Unix.
15151   The configuration part makes use of modern compiler features and
15152   still retains old compiler behavior for those that run older versions
15153   of the OS.  The shared library support part includes a variant that
15154   uses the RPATH feature, and is available through the special
15155   configuration target "alpha-cc-rpath", which will never be selected
15156   automatically.
15157
15158   *Tim Mooney <mooney@dogbert.cc.ndsu.NoDak.edu> via Richard Levitte*
15159
15160 * In ssl3_get_key_exchange (ssl/s3_clnt.c), call ssl3_get_message()
15161   with the same message size as in ssl3_get_certificate_request().
15162   Otherwise, if no ServerKeyExchange message occurs, CertificateRequest
15163   messages might inadvertently be reject as too long.
15164
15165   *Petr Lampa <lampa@fee.vutbr.cz>*
15166
15167 * Enhanced support for IA-64 Unix platforms (well, Linux and HP-UX).
15168
15169   *Andy Polyakov*
15170
15171 * Modified SSL library such that the verify_callback that has been set
15172   specifically for an SSL object with SSL_set_verify() is actually being
15173   used. Before the change, a verify_callback set with this function was
15174   ignored and the verify_callback() set in the SSL_CTX at the time of
15175   the call was used. New function X509_STORE_CTX_set_verify_cb() introduced
15176   to allow the necessary settings.
15177
15178   *Lutz Jaenicke*
15179
15180 * Initialize static variable in crypto/dsa/dsa_lib.c and crypto/dh/dh_lib.c
15181   explicitly to NULL, as at least on Solaris 8 this seems not always to be
15182   done automatically (in contradiction to the requirements of the C
15183   standard). This made problems when used from OpenSSH.
15184
15185   *Lutz Jaenicke*
15186
15187 * In OpenSSL 0.9.6a and 0.9.6b, crypto/dh/dh_key.c ignored
15188   dh->length and always used
15189
15190           BN_rand_range(priv_key, dh->p).
15191
15192   BN_rand_range() is not necessary for Diffie-Hellman, and this
15193   specific range makes Diffie-Hellman unnecessarily inefficient if
15194   dh->length (recommended exponent length) is much smaller than the
15195   length of dh->p.  We could use BN_rand_range() if the order of
15196   the subgroup was stored in the DH structure, but we only have
15197   dh->length.
15198
15199   So switch back to
15200
15201           BN_rand(priv_key, l, ...)
15202
15203   where 'l' is dh->length if this is defined, or BN_num_bits(dh->p)-1
15204   otherwise.
15205
15206   *Bodo Moeller*
15207
15208 * In
15209
15210           RSA_eay_public_encrypt
15211           RSA_eay_private_decrypt
15212           RSA_eay_private_encrypt (signing)
15213           RSA_eay_public_decrypt (signature verification)
15214
15215   (default implementations for RSA_public_encrypt,
15216   RSA_private_decrypt, RSA_private_encrypt, RSA_public_decrypt),
15217   always reject numbers >= n.
15218
15219   *Bodo Moeller*
15220
15221 * In crypto/rand/md_rand.c, use a new short-time lock CRYPTO_LOCK_RAND2
15222   to synchronize access to 'locking_thread'.  This is necessary on
15223   systems where access to 'locking_thread' (an 'unsigned long'
15224   variable) is not atomic.
15225
15226   *Bodo Moeller*
15227
15228 * In crypto/rand/md_rand.c, set 'locking_thread' to current thread's ID
15229   *before* setting the 'crypto_lock_rand' flag.  The previous code had
15230   a race condition if 0 is a valid thread ID.
15231
15232   *Travis Vitek <vitek@roguewave.com>*
15233
15234 * Add support for shared libraries under Irix.
15235
15236   *Albert Chin-A-Young <china@thewrittenword.com>*
15237
15238 * Add configuration option to build on Linux on both big-endian and
15239   little-endian MIPS.
15240
15241   *Ralf Baechle <ralf@uni-koblenz.de>*
15242
15243 * Add the possibility to create shared libraries on HP-UX.
15244
15245   *Richard Levitte*
15246
15247### Changes between 0.9.6a and 0.9.6b  [9 Jul 2001]
15248
15249 * Change ssleay_rand_bytes (crypto/rand/md_rand.c)
15250   to avoid a SSLeay/OpenSSL PRNG weakness pointed out by
15251   Markku-Juhani O. Saarinen <markku-juhani.saarinen@nokia.com>:
15252   PRNG state recovery was possible based on the output of
15253   one PRNG request appropriately sized to gain knowledge on
15254   'md' followed by enough consecutive 1-byte PRNG requests
15255   to traverse all of 'state'.
15256
15257   1. When updating 'md_local' (the current thread's copy of 'md')
15258      during PRNG output generation, hash all of the previous
15259      'md_local' value, not just the half used for PRNG output.
15260
15261   2. Make the number of bytes from 'state' included into the hash
15262      independent from the number of PRNG bytes requested.
15263
15264   The first measure alone would be sufficient to avoid
15265   Markku-Juhani's attack.  (Actually it had never occurred
15266   to me that the half of 'md_local' used for chaining was the
15267   half from which PRNG output bytes were taken -- I had always
15268   assumed that the secret half would be used.)  The second
15269   measure makes sure that additional data from 'state' is never
15270   mixed into 'md_local' in small portions; this heuristically
15271   further strengthens the PRNG.
15272
15273   *Bodo Moeller*
15274
15275 * Fix crypto/bn/asm/mips3.s.
15276
15277   *Andy Polyakov*
15278
15279 * When only the key is given to "enc", the IV is undefined. Print out
15280   an error message in this case.
15281
15282   *Lutz Jaenicke*
15283
15284 * Handle special case when X509_NAME is empty in X509 printing routines.
15285
15286   *Steve Henson*
15287
15288 * In dsa_do_verify (crypto/dsa/dsa_ossl.c), verify that r and s are
15289   positive and less than q.
15290
15291   *Bodo Moeller*
15292
15293 * Don't change `*pointer` in CRYPTO_add_lock() is add_lock_callback is
15294   used: it isn't thread safe and the add_lock_callback should handle
15295   that itself.
15296
15297   *Paul Rose <Paul.Rose@bridge.com>*
15298
15299 * Verify that incoming data obeys the block size in
15300   ssl3_enc (ssl/s3_enc.c) and tls1_enc (ssl/t1_enc.c).
15301
15302   *Bodo Moeller*
15303
15304 * Fix OAEP check.
15305
15306   *Ulf Möller, Bodo Möller*
15307
15308 * The countermeasure against Bleichbacher's attack on PKCS #1 v1.5
15309   RSA encryption was accidentally removed in s3_srvr.c in OpenSSL 0.9.5
15310   when fixing the server behaviour for backwards-compatible 'client
15311   hello' messages.  (Note that the attack is impractical against
15312   SSL 3.0 and TLS 1.0 anyway because length and version checking
15313   means that the probability of guessing a valid ciphertext is
15314   around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98
15315   paper.)
15316
15317   Before 0.9.5, the countermeasure (hide the error by generating a
15318   random 'decryption result') did not work properly because
15319   ERR_clear_error() was missing, meaning that SSL_get_error() would
15320   detect the supposedly ignored error.
15321
15322   Both problems are now fixed.
15323
15324   *Bodo Moeller*
15325
15326 * In crypto/bio/bf_buff.c, increase DEFAULT_BUFFER_SIZE to 4096
15327   (previously it was 1024).
15328
15329   *Bodo Moeller*
15330
15331 * Fix for compatibility mode trust settings: ignore trust settings
15332   unless some valid trust or reject settings are present.
15333
15334   *Steve Henson*
15335
15336 * Fix for blowfish EVP: its a variable length cipher.
15337
15338   *Steve Henson*
15339
15340 * Fix various bugs related to DSA S/MIME verification. Handle missing
15341   parameters in DSA public key structures and return an error in the
15342   DSA routines if parameters are absent.
15343
15344   *Steve Henson*
15345
15346 * In versions up to 0.9.6, RAND_file_name() resorted to file ".rnd"
15347   in the current directory if neither $RANDFILE nor $HOME was set.
15348   RAND_file_name() in 0.9.6a returned NULL in this case.  This has
15349   caused some confusion to Windows users who haven't defined $HOME.
15350   Thus RAND_file_name() is changed again: e_os.h can define a
15351   DEFAULT_HOME, which will be used if $HOME is not set.
15352   For Windows, we use "C:"; on other platforms, we still require
15353   environment variables.
15354
15355 * Move 'if (!initialized) RAND_poll()' into regions protected by
15356   CRYPTO_LOCK_RAND.  This is not strictly necessary, but avoids
15357   having multiple threads call RAND_poll() concurrently.
15358
15359   *Bodo Moeller*
15360
15361 * In crypto/rand/md_rand.c, replace 'add_do_not_lock' flag by a
15362   combination of a flag and a thread ID variable.
15363   Otherwise while one thread is in ssleay_rand_bytes (which sets the
15364   flag), *other* threads can enter ssleay_add_bytes without obeying
15365   the CRYPTO_LOCK_RAND lock (and may even illegally release the lock
15366   that they do not hold after the first thread unsets add_do_not_lock).
15367
15368   *Bodo Moeller*
15369
15370 * Change bctest again: '-x' expressions are not available in all
15371   versions of 'test'.
15372
15373   *Bodo Moeller*
15374
15375### Changes between 0.9.6 and 0.9.6a  [5 Apr 2001]
15376
15377 * Fix a couple of memory leaks in PKCS7_dataDecode()
15378
15379   *Steve Henson, reported by Heyun Zheng <hzheng@atdsprint.com>*
15380
15381 * Change Configure and Makefiles to provide EXE_EXT, which will contain
15382   the default extension for executables, if any.  Also, make the perl
15383   scripts that use symlink() to test if it really exists and use "cp"
15384   if it doesn't.  All this made OpenSSL compilable and installable in
15385   CygWin.
15386
15387   *Richard Levitte*
15388
15389 * Fix for asn1_GetSequence() for indefinite length constructed data.
15390   If SEQUENCE is length is indefinite just set c->slen to the total
15391   amount of data available.
15392
15393   *Steve Henson, reported by shige@FreeBSD.org*
15394
15395   *This change does not apply to 0.9.7.*
15396
15397 * Change bctest to avoid here-documents inside command substitution
15398   (workaround for FreeBSD /bin/sh bug).
15399   For compatibility with Ultrix, avoid shell functions (introduced
15400   in the bctest version that searches along $PATH).
15401
15402   *Bodo Moeller*
15403
15404 * Rename 'des_encrypt' to 'des_encrypt1'.  This avoids the clashes
15405   with des_encrypt() defined on some operating systems, like Solaris
15406   and UnixWare.
15407
15408   *Richard Levitte*
15409
15410 * Check the result of RSA-CRT (see D. Boneh, R. DeMillo, R. Lipton:
15411   On the Importance of Eliminating Errors in Cryptographic
15412   Computations, J. Cryptology 14 (2001) 2, 101-119,
15413   <http://theory.stanford.edu/~dabo/papers/faults.ps.gz>).
15414
15415   *Ulf Moeller*
15416
15417 * MIPS assembler BIGNUM division bug fix.
15418
15419   *Andy Polyakov*
15420
15421 * Disabled incorrect Alpha assembler code.
15422
15423   *Richard Levitte*
15424
15425 * Fix PKCS#7 decode routines so they correctly update the length
15426   after reading an EOC for the EXPLICIT tag.
15427
15428   *Steve Henson*
15429
15430   *This change does not apply to 0.9.7.*
15431
15432 * Fix bug in PKCS#12 key generation routines. This was triggered
15433   if a 3DES key was generated with a 0 initial byte. Include
15434   PKCS12_BROKEN_KEYGEN compilation option to retain the old
15435   (but broken) behaviour.
15436
15437   *Steve Henson*
15438
15439 * Enhance bctest to search for a working bc along $PATH and print
15440   it when found.
15441
15442   *Tim Rice <tim@multitalents.net> via Richard Levitte*
15443
15444 * Fix memory leaks in err.c: free err_data string if necessary;
15445   don't write to the wrong index in ERR_set_error_data.
15446
15447   *Bodo Moeller*
15448
15449 * Implement ssl23_peek (analogous to ssl23_read), which previously
15450   did not exist.
15451
15452   *Bodo Moeller*
15453
15454 * Replace rdtsc with `_emit` statements for VC++ version 5.
15455
15456   *Jeremy Cooper <jeremy@baymoo.org>*
15457
15458 * Make it possible to reuse SSLv2 sessions.
15459
15460   *Richard Levitte*
15461
15462 * In copy_email() check for >= 0 as a return value for
15463   X509_NAME_get_index_by_NID() since 0 is a valid index.
15464
15465   *Steve Henson reported by Massimiliano Pala <madwolf@opensca.org>*
15466
15467 * Avoid coredump with unsupported or invalid public keys by checking if
15468   X509_get_pubkey() fails in PKCS7_verify(). Fix memory leak when
15469   PKCS7_verify() fails with non detached data.
15470
15471   *Steve Henson*
15472
15473 * Don't use getenv in library functions when run as setuid/setgid.
15474   New function OPENSSL_issetugid().
15475
15476   *Ulf Moeller*
15477
15478 * Avoid false positives in memory leak detection code (crypto/mem_dbg.c)
15479   due to incorrect handling of multi-threading:
15480
15481   1. Fix timing glitch in the MemCheck_off() portion of CRYPTO_mem_ctrl().
15482
15483   2. Fix logical glitch in is_MemCheck_on() aka CRYPTO_is_mem_check_on().
15484
15485   3. Count how many times MemCheck_off() has been called so that
15486      nested use can be treated correctly.  This also avoids
15487      inband-signalling in the previous code (which relied on the
15488      assumption that thread ID 0 is impossible).
15489
15490   *Bodo Moeller*
15491
15492 * Add "-rand" option also to s_client and s_server.
15493
15494   *Lutz Jaenicke*
15495
15496 * Fix CPU detection on Irix 6.x.
15497   *Kurt Hockenbury <khockenb@stevens-tech.edu> and
15498   "Bruce W. Forsberg" <bruce.forsberg@baesystems.com>*
15499
15500 * Fix X509_NAME bug which produced incorrect encoding if X509_NAME
15501   was empty.
15502
15503   *Steve Henson*
15504
15505   *This change does not apply to 0.9.7.*
15506
15507 * Use the cached encoding of an X509_NAME structure rather than
15508   copying it. This is apparently the reason for the libsafe "errors"
15509   but the code is actually correct.
15510
15511   *Steve Henson*
15512
15513 * Add new function BN_rand_range(), and fix DSA_sign_setup() to prevent
15514   Bleichenbacher's DSA attack.
15515   Extend BN_[pseudo_]rand: As before, top=1 forces the highest two bits
15516   to be set and top=0 forces the highest bit to be set; top=-1 is new
15517   and leaves the highest bit random.
15518
15519   *Ulf Moeller, Bodo Moeller*
15520
15521 * In the `NCONF_...`-based implementations for `CONF_...` queries
15522   (crypto/conf/conf_lib.c), if the input LHASH is NULL, avoid using
15523   a temporary CONF structure with the data component set to NULL
15524   (which gives segmentation faults in lh_retrieve).
15525   Instead, use NULL for the CONF pointer in CONF_get_string and
15526   CONF_get_number (which may use environment variables) and directly
15527   return NULL from CONF_get_section.
15528
15529   *Bodo Moeller*
15530
15531 * Fix potential buffer overrun for EBCDIC.
15532
15533   *Ulf Moeller*
15534
15535 * Tolerate nonRepudiation as being valid for S/MIME signing and certSign
15536   keyUsage if basicConstraints absent for a CA.
15537
15538   *Steve Henson*
15539
15540 * Make SMIME_write_PKCS7() write mail header values with a format that
15541   is more generally accepted (no spaces before the semicolon), since
15542   some programs can't parse those values properly otherwise.  Also make
15543   sure BIO's that break lines after each write do not create invalid
15544   headers.
15545
15546   *Richard Levitte*
15547
15548 * Make the CRL encoding routines work with empty SEQUENCE OF. The
15549   macros previously used would not encode an empty SEQUENCE OF
15550   and break the signature.
15551
15552   *Steve Henson*
15553
15554   *This change does not apply to 0.9.7.*
15555
15556 * Zero the premaster secret after deriving the master secret in
15557   DH ciphersuites.
15558
15559   *Steve Henson*
15560
15561 * Add some EVP_add_digest_alias registrations (as found in
15562   OpenSSL_add_all_digests()) to SSL_library_init()
15563   aka OpenSSL_add_ssl_algorithms().  This provides improved
15564   compatibility with peers using X.509 certificates
15565   with unconventional AlgorithmIdentifier OIDs.
15566
15567   *Bodo Moeller*
15568
15569 * Fix for Irix with NO_ASM.
15570
15571   *"Bruce W. Forsberg" <bruce.forsberg@baesystems.com>*
15572
15573 * ./config script fixes.
15574
15575   *Ulf Moeller, Richard Levitte*
15576
15577 * Fix 'openssl passwd -1'.
15578
15579   *Bodo Moeller*
15580
15581 * Change PKCS12_key_gen_asc() so it can cope with non null
15582   terminated strings whose length is passed in the passlen
15583   parameter, for example from PEM callbacks. This was done
15584   by adding an extra length parameter to asc2uni().
15585
15586   *Steve Henson, reported by <oddissey@samsung.co.kr>*
15587
15588 * Fix C code generated by 'openssl dsaparam -C': If a BN_bin2bn
15589   call failed, free the DSA structure.
15590
15591   *Bodo Moeller*
15592
15593 * Fix to uni2asc() to cope with zero length Unicode strings.
15594   These are present in some PKCS#12 files.
15595
15596   *Steve Henson*
15597
15598 * Increase s2->wbuf allocation by one byte in ssl2_new (ssl/s2_lib.c).
15599   Otherwise do_ssl_write (ssl/s2_pkt.c) will write beyond buffer limits
15600   when writing a 32767 byte record.
15601
15602   *Bodo Moeller; problem reported by Eric Day <eday@concentric.net>*
15603
15604 * In `RSA_eay_public_{en,ed}crypt` and RSA_eay_mod_exp (rsa_eay.c),
15605   obtain lock CRYPTO_LOCK_RSA before setting `rsa->_method_mod_{n,p,q}`.
15606
15607   (RSA objects have a reference count access to which is protected
15608   by CRYPTO_LOCK_RSA [see rsa_lib.c, s3_srvr.c, ssl_cert.c, ssl_rsa.c],
15609   so they are meant to be shared between threads.)
15610   *Bodo Moeller, Geoff Thorpe; original patch submitted by
15611   "Reddie, Steven" <Steven.Reddie@ca.com>*
15612
15613 * Fix a deadlock in CRYPTO_mem_leaks().
15614
15615   *Bodo Moeller*
15616
15617 * Use better test patterns in bntest.
15618
15619   *Ulf Möller*
15620
15621 * rand_win.c fix for Borland C.
15622
15623   *Ulf Möller*
15624
15625 * BN_rshift bugfix for n == 0.
15626
15627   *Bodo Moeller*
15628
15629 * Add a 'bctest' script that checks for some known 'bc' bugs
15630   so that 'make test' does not abort just because 'bc' is broken.
15631
15632   *Bodo Moeller*
15633
15634 * Store verify_result within SSL_SESSION also for client side to
15635   avoid potential security hole. (Re-used sessions on the client side
15636   always resulted in verify_result==X509_V_OK, not using the original
15637   result of the server certificate verification.)
15638
15639   *Lutz Jaenicke*
15640
15641 * Fix ssl3_pending: If the record in s->s3->rrec is not of type
15642   SSL3_RT_APPLICATION_DATA, return 0.
15643   Similarly, change ssl2_pending to return 0 if SSL_in_init(s) is true.
15644
15645   *Bodo Moeller*
15646
15647 * Fix SSL_peek:
15648   Both ssl2_peek and ssl3_peek, which were totally broken in earlier
15649   releases, have been re-implemented by renaming the previous
15650   implementations of ssl2_read and ssl3_read to ssl2_read_internal
15651   and ssl3_read_internal, respectively, and adding 'peek' parameters
15652   to them.  The new ssl[23]_{read,peek} functions are calls to
15653   ssl[23]_read_internal with the 'peek' flag set appropriately.
15654   A 'peek' parameter has also been added to ssl3_read_bytes, which
15655   does the actual work for ssl3_read_internal.
15656
15657   *Bodo Moeller*
15658
15659 * Initialise "ex_data" member of RSA/DSA/DH structures prior to calling
15660   the method-specific "init()" handler. Also clean up ex_data after
15661   calling the method-specific "finish()" handler. Previously, this was
15662   happening the other way round.
15663
15664   *Geoff Thorpe*
15665
15666 * Increase BN_CTX_NUM (the number of BIGNUMs in a BN_CTX) to 16.
15667   The previous value, 12, was not always sufficient for BN_mod_exp().
15668
15669   *Bodo Moeller*
15670
15671 * Make sure that shared libraries get the internal name engine with
15672   the full version number and not just 0.  This should mark the
15673   shared libraries as not backward compatible.  Of course, this should
15674   be changed again when we can guarantee backward binary compatibility.
15675
15676   *Richard Levitte*
15677
15678 * Fix typo in get_cert_by_subject() in by_dir.c
15679
15680   *Jean-Marc Desperrier <jean-marc.desperrier@certplus.com>*
15681
15682 * Rework the system to generate shared libraries:
15683
15684   - Make note of the expected extension for the shared libraries and
15685     if there is a need for symbolic links from for example libcrypto.so.0
15686     to libcrypto.so.0.9.7.  There is extended info in Configure for
15687     that.
15688
15689   - Make as few rebuilds of the shared libraries as possible.
15690
15691   - Still avoid linking the OpenSSL programs with the shared libraries.
15692
15693   - When installing, install the shared libraries separately from the
15694     static ones.
15695
15696   *Richard Levitte*
15697
15698 * Fix SSL_CTX_set_read_ahead macro to actually use its argument.
15699
15700   Copy SSL_CTX's read_ahead flag to SSL object directly in SSL_new
15701   and not in SSL_clear because the latter is also used by the
15702   accept/connect functions; previously, the settings made by
15703   SSL_set_read_ahead would be lost during the handshake.
15704
15705   *Bodo Moeller; problems reported by Anders Gertz <gertz@epact.se>*
15706
15707 * Correct util/mkdef.pl to be selective about disabled algorithms.
15708   Previously, it would create entries for disabled algorithms no
15709   matter what.
15710
15711   *Richard Levitte*
15712
15713 * Added several new manual pages for SSL_* function.
15714
15715   *Lutz Jaenicke*
15716
15717### Changes between 0.9.5a and 0.9.6  [24 Sep 2000]
15718
15719 * In ssl23_get_client_hello, generate an error message when faced
15720   with an initial SSL 3.0/TLS record that is too small to contain the
15721   first two bytes of the ClientHello message, i.e. client_version.
15722   (Note that this is a pathologic case that probably has never happened
15723   in real life.)  The previous approach was to use the version number
15724   from the record header as a substitute; but our protocol choice
15725   should not depend on that one because it is not authenticated
15726   by the Finished messages.
15727
15728   *Bodo Moeller*
15729
15730 * More robust randomness gathering functions for Windows.
15731
15732   *Jeffrey Altman <jaltman@columbia.edu>*
15733
15734 * For compatibility reasons if the flag X509_V_FLAG_ISSUER_CHECK is
15735   not set then we don't setup the error code for issuer check errors
15736   to avoid possibly overwriting other errors which the callback does
15737   handle. If an application does set the flag then we assume it knows
15738   what it is doing and can handle the new informational codes
15739   appropriately.
15740
15741   *Steve Henson*
15742
15743 * Fix for a nasty bug in ASN1_TYPE handling. ASN1_TYPE is used for
15744   a general "ANY" type, as such it should be able to decode anything
15745   including tagged types. However it didn't check the class so it would
15746   wrongly interpret tagged types in the same way as their universal
15747   counterpart and unknown types were just rejected. Changed so that the
15748   tagged and unknown types are handled in the same way as a SEQUENCE:
15749   that is the encoding is stored intact. There is also a new type
15750   "V_ASN1_OTHER" which is used when the class is not universal, in this
15751   case we have no idea what the actual type is so we just lump them all
15752   together.
15753
15754   *Steve Henson*
15755
15756 * On VMS, stdout may very well lead to a file that is written to
15757   in a record-oriented fashion.  That means that every write() will
15758   write a separate record, which will be read separately by the
15759   programs trying to read from it.  This can be very confusing.
15760
15761   The solution is to put a BIO filter in the way that will buffer
15762   text until a linefeed is reached, and then write everything a
15763   line at a time, so every record written will be an actual line,
15764   not chunks of lines and not (usually doesn't happen, but I've
15765   seen it once) several lines in one record.  BIO_f_linebuffer() is
15766   the answer.
15767
15768   Currently, it's a VMS-only method, because that's where it has
15769   been tested well enough.
15770
15771   *Richard Levitte*
15772
15773 * Remove 'optimized' squaring variant in BN_mod_mul_montgomery,
15774   it can return incorrect results.
15775   (Note: The buggy variant was not enabled in OpenSSL 0.9.5a,
15776   but it was in 0.9.6-beta[12].)
15777
15778   *Bodo Moeller*
15779
15780 * Disable the check for content being present when verifying detached
15781   signatures in pk7_smime.c. Some versions of Netscape (wrongly)
15782   include zero length content when signing messages.
15783
15784   *Steve Henson*
15785
15786 * New BIO_shutdown_wr macro, which invokes the BIO_C_SHUTDOWN_WR
15787   BIO_ctrl (for BIO pairs).
15788
15789   *Bodo Möller*
15790
15791 * Add DSO method for VMS.
15792
15793   *Richard Levitte*
15794
15795 * Bug fix: Montgomery multiplication could produce results with the
15796   wrong sign.
15797
15798   *Ulf Möller*
15799
15800 * Add RPM specification openssl.spec and modify it to build three
15801   packages.  The default package contains applications, application
15802   documentation and run-time libraries.  The devel package contains
15803   include files, static libraries and function documentation.  The
15804   doc package contains the contents of the doc directory.  The original
15805   openssl.spec was provided by Damien Miller <djm@mindrot.org>.
15806
15807   *Richard Levitte*
15808
15809 * Add a large number of documentation files for many SSL routines.
15810
15811   *Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>*
15812
15813 * Add a configuration entry for Sony News 4.
15814
15815   *NAKAJI Hiroyuki <nakaji@tutrp.tut.ac.jp>*
15816
15817 * Don't set the two most significant bits to one when generating a
15818   random number < q in the DSA library.
15819
15820   *Ulf Möller*
15821
15822 * New SSL API mode 'SSL_MODE_AUTO_RETRY'.  This disables the default
15823   behaviour that SSL_read may result in SSL_ERROR_WANT_READ (even if
15824   the underlying transport is blocking) if a handshake took place.
15825   (The default behaviour is needed by applications such as s_client
15826   and s_server that use select() to determine when to use SSL_read;
15827   but for applications that know in advance when to expect data, it
15828   just makes things more complicated.)
15829
15830   *Bodo Moeller*
15831
15832 * Add RAND_egd_bytes(), which gives control over the number of bytes read
15833   from EGD.
15834
15835   *Ben Laurie*
15836
15837 * Add a few more EBCDIC conditionals that make `req` and `x509`
15838   work better on such systems.
15839
15840   *Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>*
15841
15842 * Add two demo programs for PKCS12_parse() and PKCS12_create().
15843   Update PKCS12_parse() so it copies the friendlyName and the
15844   keyid to the certificates aux info.
15845
15846   *Steve Henson*
15847
15848 * Fix bug in PKCS7_verify() which caused an infinite loop
15849   if there was more than one signature.
15850
15851   *Sven Uszpelkat <su@celocom.de>*
15852
15853 * Major change in util/mkdef.pl to include extra information
15854   about each symbol, as well as presenting variables as well
15855   as functions.  This change means that there's n more need
15856   to rebuild the .num files when some algorithms are excluded.
15857
15858   *Richard Levitte*
15859
15860 * Allow the verify time to be set by an application,
15861   rather than always using the current time.
15862
15863   *Steve Henson*
15864
15865 * Phase 2 verify code reorganisation. The certificate
15866   verify code now looks up an issuer certificate by a
15867   number of criteria: subject name, authority key id
15868   and key usage. It also verifies self signed certificates
15869   by the same criteria. The main comparison function is
15870   X509_check_issued() which performs these checks.
15871
15872   Lot of changes were necessary in order to support this
15873   without completely rewriting the lookup code.
15874
15875   Authority and subject key identifier are now cached.
15876
15877   The LHASH 'certs' is X509_STORE has now been replaced
15878   by a STACK_OF(X509_OBJECT). This is mainly because an
15879   LHASH can't store or retrieve multiple objects with
15880   the same hash value.
15881
15882   As a result various functions (which were all internal
15883   use only) have changed to handle the new X509_STORE
15884   structure. This will break anything that messed round
15885   with X509_STORE internally.
15886
15887   The functions X509_STORE_add_cert() now checks for an
15888   exact match, rather than just subject name.
15889
15890   The X509_STORE API doesn't directly support the retrieval
15891   of multiple certificates matching a given criteria, however
15892   this can be worked round by performing a lookup first
15893   (which will fill the cache with candidate certificates)
15894   and then examining the cache for matches. This is probably
15895   the best we can do without throwing out X509_LOOKUP
15896   entirely (maybe later...).
15897
15898   The X509_VERIFY_CTX structure has been enhanced considerably.
15899
15900   All certificate lookup operations now go via a get_issuer()
15901   callback. Although this currently uses an X509_STORE it
15902   can be replaced by custom lookups. This is a simple way
15903   to bypass the X509_STORE hackery necessary to make this
15904   work and makes it possible to use more efficient techniques
15905   in future. A very simple version which uses a simple
15906   STACK for its trusted certificate store is also provided
15907   using X509_STORE_CTX_trusted_stack().
15908
15909   The verify_cb() and verify() callbacks now have equivalents
15910   in the X509_STORE_CTX structure.
15911
15912   X509_STORE_CTX also has a 'flags' field which can be used
15913   to customise the verify behaviour.
15914
15915   *Steve Henson*
15916
15917 * Add new PKCS#7 signing option PKCS7_NOSMIMECAP which
15918   excludes S/MIME capabilities.
15919
15920   *Steve Henson*
15921
15922 * When a certificate request is read in keep a copy of the
15923   original encoding of the signed data and use it when outputting
15924   again. Signatures then use the original encoding rather than
15925   a decoded, encoded version which may cause problems if the
15926   request is improperly encoded.
15927
15928   *Steve Henson*
15929
15930 * For consistency with other BIO_puts implementations, call
15931   buffer_write(b, ...) directly in buffer_puts instead of calling
15932   BIO_write(b, ...).
15933
15934   In BIO_puts, increment b->num_write as in BIO_write.
15935
15936   *Peter.Sylvester@EdelWeb.fr*
15937
15938 * Fix BN_mul_word for the case where the word is 0. (We have to use
15939   BN_zero, we may not return a BIGNUM with an array consisting of
15940   words set to zero.)
15941
15942   *Bodo Moeller*
15943
15944 * Avoid calling abort() from within the library when problems are
15945   detected, except if preprocessor symbols have been defined
15946   (such as REF_CHECK, BN_DEBUG etc.).
15947
15948   *Bodo Moeller*
15949
15950 * New openssl application 'rsautl'. This utility can be
15951   used for low-level RSA operations. DER public key
15952   BIO/fp routines also added.
15953
15954   *Steve Henson*
15955
15956 * New Configure entry and patches for compiling on QNX 4.
15957
15958   *Andreas Schneider <andreas@ds3.etech.fh-hamburg.de>*
15959
15960 * A demo state-machine implementation was sponsored by
15961   Nuron (<http://www.nuron.com/>) and is now available in
15962   demos/state_machine.
15963
15964   *Ben Laurie*
15965
15966 * New options added to the 'dgst' utility for signature
15967   generation and verification.
15968
15969   *Steve Henson*
15970
15971 * Unrecognized PKCS#7 content types are now handled via a
15972   catch all ASN1_TYPE structure. This allows unsupported
15973   types to be stored as a "blob" and an application can
15974   encode and decode it manually.
15975
15976   *Steve Henson*
15977
15978 * Fix various signed/unsigned issues to make a_strex.c
15979   compile under VC++.
15980
15981   *Oscar Jacobsson <oscar.jacobsson@celocom.com>*
15982
15983 * ASN1 fixes. i2d_ASN1_OBJECT was not returning the correct
15984   length if passed a buffer. ASN1_INTEGER_to_BN failed
15985   if passed a NULL BN and its argument was negative.
15986
15987   *Steve Henson, pointed out by Sven Heiberg <sven@tartu.cyber.ee>*
15988
15989 * Modification to PKCS#7 encoding routines to output definite
15990   length encoding. Since currently the whole structures are in
15991   memory there's not real point in using indefinite length
15992   constructed encoding. However if OpenSSL is compiled with
15993   the flag PKCS7_INDEFINITE_ENCODING the old form is used.
15994
15995   *Steve Henson*
15996
15997 * Added BIO_vprintf() and BIO_vsnprintf().
15998
15999   *Richard Levitte*
16000
16001 * Added more prefixes to parse for in the strings written
16002   through a logging bio, to cover all the levels that are available
16003   through syslog.  The prefixes are now:
16004
16005           PANIC, EMERG, EMR       =>      LOG_EMERG
16006           ALERT, ALR              =>      LOG_ALERT
16007           CRIT, CRI               =>      LOG_CRIT
16008           ERROR, ERR              =>      LOG_ERR
16009           WARNING, WARN, WAR      =>      LOG_WARNING
16010           NOTICE, NOTE, NOT       =>      LOG_NOTICE
16011           INFO, INF               =>      LOG_INFO
16012           DEBUG, DBG              =>      LOG_DEBUG
16013
16014   and as before, if none of those prefixes are present at the
16015   beginning of the string, LOG_ERR is chosen.
16016
16017   On Win32, the `LOG_*` levels are mapped according to this:
16018
16019           LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR => EVENTLOG_ERROR_TYPE
16020           LOG_WARNING                             => EVENTLOG_WARNING_TYPE
16021           LOG_NOTICE, LOG_INFO, LOG_DEBUG         => EVENTLOG_INFORMATION_TYPE
16022
16023   *Richard Levitte*
16024
16025 * Made it possible to reconfigure with just the configuration
16026   argument "reconf" or "reconfigure".  The command line arguments
16027   are stored in Makefile.ssl in the variable CONFIGURE_ARGS,
16028   and are retrieved from there when reconfiguring.
16029
16030   *Richard Levitte*
16031
16032 * MD4 implemented.
16033
16034   *Assar Westerlund <assar@sics.se>, Richard Levitte*
16035
16036 * Add the arguments -CAfile and -CApath to the pkcs12 utility.
16037
16038   *Richard Levitte*
16039
16040 * The obj_dat.pl script was messing up the sorting of object
16041   names. The reason was that it compared the quoted version
16042   of strings as a result "OCSP" > "OCSP Signing" because
16043   " > SPACE. Changed script to store unquoted versions of
16044   names and add quotes on output. It was also omitting some
16045   names from the lookup table if they were given a default
16046   value (that is if SN is missing it is given the same
16047   value as LN and vice versa), these are now added on the
16048   grounds that if an object has a name we should be able to
16049   look it up. Finally added warning output when duplicate
16050   short or long names are found.
16051
16052   *Steve Henson*
16053
16054 * Changes needed for Tandem NSK.
16055
16056   *Scott Uroff <scott@xypro.com>*
16057
16058 * Fix SSL 2.0 rollback checking: Due to an off-by-one error in
16059   RSA_padding_check_SSLv23(), special padding was never detected
16060   and thus the SSL 3.0/TLS 1.0 countermeasure against protocol
16061   version rollback attacks was not effective.
16062
16063   In s23_clnt.c, don't use special rollback-attack detection padding
16064   (RSA_SSLV23_PADDING) if SSL 2.0 is the only protocol enabled in the
16065   client; similarly, in s23_srvr.c, don't do the rollback check if
16066   SSL 2.0 is the only protocol enabled in the server.
16067
16068   *Bodo Moeller*
16069
16070 * Make it possible to get hexdumps of unprintable data with 'openssl
16071   asn1parse'.  By implication, the functions ASN1_parse_dump() and
16072   BIO_dump_indent() are added.
16073
16074   *Richard Levitte*
16075
16076 * New functions ASN1_STRING_print_ex() and X509_NAME_print_ex()
16077   these print out strings and name structures based on various
16078   flags including RFC2253 support and proper handling of
16079   multibyte characters. Added options to the 'x509' utility
16080   to allow the various flags to be set.
16081
16082   *Steve Henson*
16083
16084 * Various fixes to use ASN1_TIME instead of ASN1_UTCTIME.
16085   Also change the functions X509_cmp_current_time() and
16086   X509_gmtime_adj() work with an ASN1_TIME structure,
16087   this will enable certificates using GeneralizedTime in validity
16088   dates to be checked.
16089
16090   *Steve Henson*
16091
16092 * Make the NEG_PUBKEY_BUG code (which tolerates invalid
16093   negative public key encodings) on by default,
16094   NO_NEG_PUBKEY_BUG can be set to disable it.
16095
16096   *Steve Henson*
16097
16098 * New function c2i_ASN1_OBJECT() which acts on ASN1_OBJECT
16099   content octets. An i2c_ASN1_OBJECT is unnecessary because
16100   the encoding can be trivially obtained from the structure.
16101
16102   *Steve Henson*
16103
16104 * crypto/err.c locking bugfix: Use write locks (`CRYPTO_w_[un]lock`),
16105   not read locks (`CRYPTO_r_[un]lock`).
16106
16107   *Bodo Moeller*
16108
16109 * A first attempt at creating official support for shared
16110   libraries through configuration.  I've kept it so the
16111   default is static libraries only, and the OpenSSL programs
16112   are always statically linked for now, but there are
16113   preparations for dynamic linking in place.
16114   This has been tested on Linux and Tru64.
16115
16116   *Richard Levitte*
16117
16118 * Randomness polling function for Win9x, as described in:
16119   Peter Gutmann, Software Generation of Practically Strong
16120   Random Numbers.
16121
16122   *Ulf Möller*
16123
16124 * Fix so PRNG is seeded in req if using an already existing
16125   DSA key.
16126
16127   *Steve Henson*
16128
16129 * New options to smime application. -inform and -outform
16130   allow alternative formats for the S/MIME message including
16131   PEM and DER. The -content option allows the content to be
16132   specified separately. This should allow things like Netscape
16133   form signing output easier to verify.
16134
16135   *Steve Henson*
16136
16137 * Fix the ASN1 encoding of tags using the 'long form'.
16138
16139   *Steve Henson*
16140
16141 * New ASN1 functions, `i2c_*` and `c2i_*` for INTEGER and BIT
16142   STRING types. These convert content octets to and from the
16143   underlying type. The actual tag and length octets are
16144   already assumed to have been read in and checked. These
16145   are needed because all other string types have virtually
16146   identical handling apart from the tag. By having versions
16147   of the ASN1 functions that just operate on content octets
16148   IMPLICIT tagging can be handled properly. It also allows
16149   the ASN1_ENUMERATED code to be cut down because ASN1_ENUMERATED
16150   and ASN1_INTEGER are identical apart from the tag.
16151
16152   *Steve Henson*
16153
16154 * Change the handling of OID objects as follows:
16155
16156   - New object identifiers are inserted in objects.txt, following
16157     the syntax given in [crypto/objects/README.md](crypto/objects/README.md).
16158   - objects.pl is used to process obj_mac.num and create a new
16159     obj_mac.h.
16160   - obj_dat.pl is used to create a new obj_dat.h, using the data in
16161     obj_mac.h.
16162
16163   This is currently kind of a hack, and the perl code in objects.pl
16164   isn't very elegant, but it works as I intended.  The simplest way
16165   to check that it worked correctly is to look in obj_dat.h and
16166   check the array nid_objs and make sure the objects haven't moved
16167   around (this is important!).  Additions are OK, as well as
16168   consistent name changes.
16169
16170   *Richard Levitte*
16171
16172 * Add BSD-style MD5-based passwords to 'openssl passwd' (option '-1').
16173
16174   *Bodo Moeller*
16175
16176 * Addition of the command line parameter '-rand file' to 'openssl req'.
16177   The given file adds to whatever has already been seeded into the
16178   random pool through the RANDFILE configuration file option or
16179   environment variable, or the default random state file.
16180
16181   *Richard Levitte*
16182
16183 * mkstack.pl now sorts each macro group into lexical order.
16184   Previously the output order depended on the order the files
16185   appeared in the directory, resulting in needless rewriting
16186   of safestack.h .
16187
16188   *Steve Henson*
16189
16190 * Patches to make OpenSSL compile under Win32 again. Mostly
16191   work arounds for the VC++ problem that it treats func() as
16192   func(void). Also stripped out the parts of mkdef.pl that
16193   added extra typesafe functions: these no longer exist.
16194
16195   *Steve Henson*
16196
16197 * Reorganisation of the stack code. The macros are now all
16198   collected in safestack.h . Each macro is defined in terms of
16199   a "stack macro" of the form `SKM_<name>(type, a, b)`. The
16200   DEBUG_SAFESTACK is now handled in terms of function casts,
16201   this has the advantage of retaining type safety without the
16202   use of additional functions. If DEBUG_SAFESTACK is not defined
16203   then the non typesafe macros are used instead. Also modified the
16204   mkstack.pl script to handle the new form. Needs testing to see
16205   if which (if any) compilers it chokes and maybe make DEBUG_SAFESTACK
16206   the default if no major problems. Similar behaviour for ASN1_SET_OF
16207   and PKCS12_STACK_OF.
16208
16209   *Steve Henson*
16210
16211 * When some versions of IIS use the 'NET' form of private key the
16212   key derivation algorithm is different. Normally MD5(password) is
16213   used as a 128 bit RC4 key. In the modified case
16214   MD5(MD5(password) + "SGCKEYSALT")  is used instead. Added some
16215   new functions i2d_RSA_NET(), d2i_RSA_NET() etc which are the same
16216   as the old Netscape_RSA functions except they have an additional
16217   'sgckey' parameter which uses the modified algorithm. Also added
16218   an -sgckey command line option to the rsa utility. Thanks to
16219   Adrian Peck <bertie@ncipher.com> for posting details of the modified
16220   algorithm to openssl-dev.
16221
16222   *Steve Henson*
16223
16224 * The evp_local.h macros were using 'c.##kname' which resulted in
16225   invalid expansion on some systems (SCO 5.0.5 for example).
16226   Corrected to 'c.kname'.
16227
16228   *Phillip Porch <root@theporch.com>*
16229
16230 * New X509_get1_email() and X509_REQ_get1_email() functions that return
16231   a STACK of email addresses from a certificate or request, these look
16232   in the subject name and the subject alternative name extensions and
16233   omit any duplicate addresses.
16234
16235   *Steve Henson*
16236
16237 * Re-implement BN_mod_exp2_mont using independent (and larger) windows.
16238   This makes DSA verification about 2 % faster.
16239
16240   *Bodo Moeller*
16241
16242 * Increase maximum window size in `BN_mod_exp_...` to 6 bits instead of 5
16243   (meaning that now 2^5 values will be precomputed, which is only 4 KB
16244   plus overhead for 1024 bit moduli).
16245   This makes exponentiations about 0.5 % faster for 1024 bit
16246   exponents (as measured by "openssl speed rsa2048").
16247
16248   *Bodo Moeller*
16249
16250 * Rename memory handling macros to avoid conflicts with other
16251   software:
16252           Malloc         =>  OPENSSL_malloc
16253           Malloc_locked  =>  OPENSSL_malloc_locked
16254           Realloc        =>  OPENSSL_realloc
16255           Free           =>  OPENSSL_free
16256
16257   *Richard Levitte*
16258
16259 * New function BN_mod_exp_mont_word for small bases (roughly 15%
16260   faster than BN_mod_exp_mont, i.e. 7% for a full DH exchange).
16261
16262   *Bodo Moeller*
16263
16264 * CygWin32 support.
16265
16266   *John Jarvie <jjarvie@newsguy.com>*
16267
16268 * The type-safe stack code has been rejigged. It is now only compiled
16269   in when OpenSSL is configured with the DEBUG_SAFESTACK option and
16270   by default all type-specific stack functions are "#define"d back to
16271   standard stack functions. This results in more streamlined output
16272   but retains the type-safety checking possibilities of the original
16273   approach.
16274
16275   *Geoff Thorpe*
16276
16277 * The STACK code has been cleaned up, and certain type declarations
16278   that didn't make a lot of sense have been brought in line. This has
16279   also involved a cleanup of sorts in safestack.h to more correctly
16280   map type-safe stack functions onto their plain stack counterparts.
16281   This work has also resulted in a variety of "const"ifications of
16282   lots of the code, especially `_cmp` operations which should normally
16283   be prototyped with "const" parameters anyway.
16284
16285   *Geoff Thorpe*
16286
16287 * When generating bytes for the first time in md_rand.c, 'stir the pool'
16288   by seeding with STATE_SIZE dummy bytes (with zero entropy count).
16289   (The PRNG state consists of two parts, the large pool 'state' and 'md',
16290   where all of 'md' is used each time the PRNG is used, but 'state'
16291   is used only indexed by a cyclic counter. As entropy may not be
16292   well distributed from the beginning, 'md' is important as a
16293   chaining variable. However, the output function chains only half
16294   of 'md', i.e. 80 bits.  ssleay_rand_add, on the other hand, chains
16295   all of 'md', and seeding with STATE_SIZE dummy bytes will result
16296   in all of 'state' being rewritten, with the new values depending
16297   on virtually all of 'md'.  This overcomes the 80 bit limitation.)
16298
16299   *Bodo Moeller*
16300
16301 * In ssl/s2_clnt.c and ssl/s3_clnt.c, call ERR_clear_error() when
16302   the handshake is continued after ssl_verify_cert_chain();
16303   otherwise, if SSL_VERIFY_NONE is set, remaining error codes
16304   can lead to 'unexplainable' connection aborts later.
16305
16306   *Bodo Moeller; problem tracked down by Lutz Jaenicke*
16307
16308 * Major EVP API cipher revision.
16309   Add hooks for extra EVP features. This allows various cipher
16310   parameters to be set in the EVP interface. Support added for variable
16311   key length ciphers via the EVP_CIPHER_CTX_set_key_length() function and
16312   setting of RC2 and RC5 parameters.
16313
16314   Modify EVP_OpenInit() and EVP_SealInit() to cope with variable key length
16315   ciphers.
16316
16317   Remove lots of duplicated code from the EVP library. For example *every*
16318   cipher init() function handles the 'iv' in the same way according to the
16319   cipher mode. They also all do nothing if the 'key' parameter is NULL and
16320   for CFB and OFB modes they zero ctx->num.
16321
16322   New functionality allows removal of S/MIME code RC2 hack.
16323
16324   Most of the routines have the same form and so can be declared in terms
16325   of macros.
16326
16327   By shifting this to the top level EVP_CipherInit() it can be removed from
16328   all individual ciphers. If the cipher wants to handle IVs or keys
16329   differently it can set the EVP_CIPH_CUSTOM_IV or EVP_CIPH_ALWAYS_CALL_INIT
16330   flags.
16331
16332   Change lots of functions like EVP_EncryptUpdate() to now return a
16333   value: although software versions of the algorithms cannot fail
16334   any installed hardware versions can.
16335
16336   *Steve Henson*
16337
16338 * Implement SSL_OP_TLS_ROLLBACK_BUG: In ssl3_get_client_key_exchange, if
16339   this option is set, tolerate broken clients that send the negotiated
16340   protocol version number instead of the requested protocol version
16341   number.
16342
16343   *Bodo Moeller*
16344
16345 * Call dh_tmp_cb (set by `..._TMP_DH_CB`) with correct 'is_export' flag;
16346   i.e. non-zero for export ciphersuites, zero otherwise.
16347   Previous versions had this flag inverted, inconsistent with
16348   rsa_tmp_cb (..._TMP_RSA_CB).
16349
16350   *Bodo Moeller; problem reported by Amit Chopra*
16351
16352 * Add missing DSA library text string. Work around for some IIS
16353   key files with invalid SEQUENCE encoding.
16354
16355   *Steve Henson*
16356
16357 * Add a document (doc/standards.txt) that list all kinds of standards
16358   and so on that are implemented in OpenSSL.
16359
16360   *Richard Levitte*
16361
16362 * Enhance c_rehash script. Old version would mishandle certificates
16363   with the same subject name hash and wouldn't handle CRLs at all.
16364   Added -fingerprint option to crl utility, to support new c_rehash
16365   features.
16366
16367   *Steve Henson*
16368
16369 * Eliminate non-ANSI declarations in crypto.h and stack.h.
16370
16371   *Ulf Möller*
16372
16373 * Fix for SSL server purpose checking. Server checking was
16374   rejecting certificates which had extended key usage present
16375   but no ssl client purpose.
16376
16377   *Steve Henson, reported by Rene Grosser <grosser@hisolutions.com>*
16378
16379 * Make PKCS#12 code work with no password. The PKCS#12 spec
16380   is a little unclear about how a blank password is handled.
16381   Since the password in encoded as a BMPString with terminating
16382   double NULL a zero length password would end up as just the
16383   double NULL. However no password at all is different and is
16384   handled differently in the PKCS#12 key generation code. NS
16385   treats a blank password as zero length. MSIE treats it as no
16386   password on export: but it will try both on import. We now do
16387   the same: PKCS12_parse() tries zero length and no password if
16388   the password is set to "" or NULL (NULL is now a valid password:
16389   it wasn't before) as does the pkcs12 application.
16390
16391   *Steve Henson*
16392
16393 * Bugfixes in `apps/x509.c`: Avoid a memory leak; and don't use
16394   perror when PEM_read_bio_X509_REQ fails, the error message must
16395   be obtained from the error queue.
16396
16397   *Bodo Moeller*
16398
16399 * Avoid 'thread_hash' memory leak in crypto/err/err.c by freeing
16400   it in ERR_remove_state if appropriate, and change ERR_get_state
16401   accordingly to avoid race conditions (this is necessary because
16402   thread_hash is no longer constant once set).
16403
16404   *Bodo Moeller*
16405
16406 * Bugfix for linux-elf makefile.one.
16407
16408   *Ulf Möller*
16409
16410 * RSA_get_default_method() will now cause a default
16411   RSA_METHOD to be chosen if one doesn't exist already.
16412   Previously this was only set during a call to RSA_new()
16413   or RSA_new_method(NULL) meaning it was possible for
16414   RSA_get_default_method() to return NULL.
16415
16416   *Geoff Thorpe*
16417
16418 * Added native name translation to the existing DSO code
16419   that will convert (if the flag to do so is set) filenames
16420   that are sufficiently small and have no path information
16421   into a canonical native form. Eg. "blah" converted to
16422   "libblah.so" or "blah.dll" etc.
16423
16424   *Geoff Thorpe*
16425
16426 * New function ERR_error_string_n(e, buf, len) which is like
16427   ERR_error_string(e, buf), but writes at most 'len' bytes
16428   including the 0 terminator.  For ERR_error_string_n, 'buf'
16429   may not be NULL.
16430
16431   *Damien Miller <djm@mindrot.org>, Bodo Moeller*
16432
16433 * CONF library reworked to become more general.  A new CONF
16434   configuration file reader "class" is implemented as well as a
16435   new functions (`NCONF_*`, for "New CONF") to handle it.  The now
16436   old `CONF_*` functions are still there, but are reimplemented to
16437   work in terms of the new functions.  Also, a set of functions
16438   to handle the internal storage of the configuration data is
16439   provided to make it easier to write new configuration file
16440   reader "classes" (I can definitely see something reading a
16441   configuration file in XML format, for example), called `_CONF_*`,
16442   or "the configuration storage API"...
16443
16444   The new configuration file reading functions are:
16445
16446           NCONF_new, NCONF_free, NCONF_load, NCONF_load_fp, NCONF_load_bio,
16447           NCONF_get_section, NCONF_get_string, NCONF_get_numbre
16448
16449           NCONF_default, NCONF_WIN32
16450
16451           NCONF_dump_fp, NCONF_dump_bio
16452
16453   NCONF_default and NCONF_WIN32 are method (or "class") choosers,
16454   NCONF_new creates a new CONF object.  This works in the same way
16455   as other interfaces in OpenSSL, like the BIO interface.
16456   `NCONF_dump_*` dump the internal storage of the configuration file,
16457   which is useful for debugging.  All other functions take the same
16458   arguments as the old `CONF_*` functions with the exception of the
16459   first that must be a `CONF *` instead of a `LHASH *`.
16460
16461   To make it easier to use the new classes with the old `CONF_*` functions,
16462   the function CONF_set_default_method is provided.
16463
16464   *Richard Levitte*
16465
16466 * Add '-tls1' option to 'openssl ciphers', which was already
16467   mentioned in the documentation but had not been implemented.
16468   (This option is not yet really useful because even the additional
16469   experimental TLS 1.0 ciphers are currently treated as SSL 3.0 ciphers.)
16470
16471   *Bodo Moeller*
16472
16473 * Initial DSO code added into libcrypto for letting OpenSSL (and
16474   OpenSSL-based applications) load shared libraries and bind to
16475   them in a portable way.
16476
16477   *Geoff Thorpe, with contributions from Richard Levitte*
16478
16479### Changes between 0.9.5 and 0.9.5a  [1 Apr 2000]
16480
16481 * Make sure _lrotl and _lrotr are only used with MSVC.
16482
16483 * Use lock CRYPTO_LOCK_RAND correctly in ssleay_rand_status
16484   (the default implementation of RAND_status).
16485
16486 * Rename openssl x509 option '-crlext', which was added in 0.9.5,
16487   to '-clrext' (= clear extensions), as intended and documented.
16488   *Bodo Moeller; inconsistency pointed out by Michael Attili
16489   <attili@amaxo.com>*
16490
16491 * Fix for HMAC. It wasn't zeroing the rest of the block if the key length
16492   was larger than the MD block size.
16493
16494   *Steve Henson, pointed out by Yost William <YostW@tce.com>*
16495
16496 * Modernise PKCS12_parse() so it uses STACK_OF(X509) for its ca argument
16497   fix a leak when the ca argument was passed as NULL. Stop X509_PUBKEY_set()
16498   using the passed key: if the passed key was a private key the result
16499   of X509_print(), for example, would be to print out all the private key
16500   components.
16501
16502   *Steve Henson*
16503
16504 * des_quad_cksum() byte order bug fix.
16505   *Ulf Möller, using the problem description in krb4-0.9.7, where
16506   the solution is attributed to Derrick J Brashear <shadow@DEMENTIA.ORG>*
16507
16508 * Fix so V_ASN1_APP_CHOOSE works again: however its use is strongly
16509   discouraged.
16510
16511   *Steve Henson, pointed out by Brian Korver <briank@cs.stanford.edu>*
16512
16513 * For easily testing in shell scripts whether some command
16514   'openssl XXX' exists, the new pseudo-command 'openssl no-XXX'
16515   returns with exit code 0 iff no command of the given name is available.
16516   'no-XXX' is printed in this case, 'XXX' otherwise.  In both cases,
16517   the output goes to stdout and nothing is printed to stderr.
16518   Additional arguments are always ignored.
16519
16520   Since for each cipher there is a command of the same name,
16521   the 'no-cipher' compilation switches can be tested this way.
16522
16523   ('openssl no-XXX' is not able to detect pseudo-commands such
16524   as 'quit', 'list-XXX-commands', or 'no-XXX' itself.)
16525
16526   *Bodo Moeller*
16527
16528 * Update test suite so that 'make test' succeeds in 'no-rsa' configuration.
16529
16530   *Bodo Moeller*
16531
16532 * For SSL_[CTX_]set_tmp_dh, don't create a DH key if SSL_OP_SINGLE_DH_USE
16533   is set; it will be thrown away anyway because each handshake creates
16534   its own key.
16535   ssl_cert_dup, which is used by SSL_new, now copies DH keys in addition
16536   to parameters -- in previous versions (since OpenSSL 0.9.3) the
16537   'default key' from SSL_CTX_set_tmp_dh would always be lost, meaning
16538   you effectively got SSL_OP_SINGLE_DH_USE when using this macro.
16539
16540   *Bodo Moeller*
16541
16542 * New s_client option -ign_eof: EOF at stdin is ignored, and
16543   'Q' and 'R' lose their special meanings (quit/renegotiate).
16544   This is part of what -quiet does; unlike -quiet, -ign_eof
16545   does not suppress any output.
16546
16547   *Richard Levitte*
16548
16549 * Add compatibility options to the purpose and trust code. The
16550   purpose X509_PURPOSE_ANY is "any purpose" which automatically
16551   accepts a certificate or CA, this was the previous behaviour,
16552   with all the associated security issues.
16553
16554   X509_TRUST_COMPAT is the old trust behaviour: only and
16555   automatically trust self signed roots in certificate store. A
16556   new trust setting X509_TRUST_DEFAULT is used to specify that
16557   a purpose has no associated trust setting and it should instead
16558   use the value in the default purpose.
16559
16560   *Steve Henson*
16561
16562 * Fix the PKCS#8 DSA private key code so it decodes keys again
16563   and fix a memory leak.
16564
16565   *Steve Henson*
16566
16567 * In util/mkerr.pl (which implements 'make errors'), preserve
16568   reason strings from the previous version of the .c file, as
16569   the default to have only downcase letters (and digits) in
16570   automatically generated reasons codes is not always appropriate.
16571
16572   *Bodo Moeller*
16573
16574 * In ERR_load_ERR_strings(), build an ERR_LIB_SYS error reason table
16575   using strerror.  Previously, ERR_reason_error_string() returned
16576   library names as reason strings for SYSerr; but SYSerr is a special
16577   case where small numbers are errno values, not library numbers.
16578
16579   *Bodo Moeller*
16580
16581 * Add '-dsaparam' option to 'openssl dhparam' application.  This
16582   converts DSA parameters into DH parameters. (When creating parameters,
16583   DSA_generate_parameters is used.)
16584
16585   *Bodo Moeller*
16586
16587 * Include 'length' (recommended exponent length) in C code generated
16588   by 'openssl dhparam -C'.
16589
16590   *Bodo Moeller*
16591
16592 * The second argument to set_label in perlasm was already being used
16593   so couldn't be used as a "file scope" flag. Moved to third argument
16594   which was free.
16595
16596   *Steve Henson*
16597
16598 * In PEM_ASN1_write_bio and some other functions, use RAND_pseudo_bytes
16599   instead of RAND_bytes for encryption IVs and salts.
16600
16601   *Bodo Moeller*
16602
16603 * Include RAND_status() into RAND_METHOD instead of implementing
16604   it only for md_rand.c  Otherwise replacing the PRNG by calling
16605   RAND_set_rand_method would be impossible.
16606
16607   *Bodo Moeller*
16608
16609 * Don't let DSA_generate_key() enter an infinite loop if the random
16610   number generation fails.
16611
16612   *Bodo Moeller*
16613
16614 * New 'rand' application for creating pseudo-random output.
16615
16616   *Bodo Moeller*
16617
16618 * Added configuration support for Linux/IA64
16619
16620   *Rolf Haberrecker <rolf@suse.de>*
16621
16622 * Assembler module support for Mingw32.
16623
16624   *Ulf Möller*
16625
16626 * Shared library support for HPUX (in shlib/).
16627
16628   *Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> and Anonymous*
16629
16630 * Shared library support for Solaris gcc.
16631
16632   *Lutz Behnke <behnke@trustcenter.de>*
16633
16634### Changes between 0.9.4 and 0.9.5  [28 Feb 2000]
16635
16636 * PKCS7_encrypt() was adding text MIME headers twice because they
16637   were added manually and by SMIME_crlf_copy().
16638
16639   *Steve Henson*
16640
16641 * In bntest.c don't call BN_rand with zero bits argument.
16642
16643   *Steve Henson, pointed out by Andrew W. Gray <agray@iconsinc.com>*
16644
16645 * BN_mul bugfix: In bn_mul_part_recursion() only the a>a[n] && b>b[n]
16646   case was implemented. This caused BN_div_recp() to fail occasionally.
16647
16648   *Ulf Möller*
16649
16650 * Add an optional second argument to the set_label() in the perl
16651   assembly language builder. If this argument exists and is set
16652   to 1 it signals that the assembler should use a symbol whose
16653   scope is the entire file, not just the current function. This
16654   is needed with MASM which uses the format label:: for this scope.
16655
16656   *Steve Henson, pointed out by Peter Runestig <peter@runestig.com>*
16657
16658 * Change the ASN1 types so they are typedefs by default. Before
16659   almost all types were #define'd to ASN1_STRING which was causing
16660   STACK_OF() problems: you couldn't declare STACK_OF(ASN1_UTF8STRING)
16661   for example.
16662
16663   *Steve Henson*
16664
16665 * Change names of new functions to the new get1/get0 naming
16666   convention: After 'get1', the caller owns a reference count
16667   and has to call `..._free`; 'get0' returns a pointer to some
16668   data structure without incrementing reference counters.
16669   (Some of the existing 'get' functions increment a reference
16670   counter, some don't.)
16671   Similarly, 'set1' and 'add1' functions increase reference
16672   counters or duplicate objects.
16673
16674   *Steve Henson*
16675
16676 * Allow for the possibility of temp RSA key generation failure:
16677   the code used to assume it always worked and crashed on failure.
16678
16679   *Steve Henson*
16680
16681 * Fix potential buffer overrun problem in BIO_printf().
16682   *Ulf Möller, using public domain code by Patrick Powell; problem
16683   pointed out by David Sacerdote <das33@cornell.edu>*
16684
16685 * Support EGD <http://www.lothar.com/tech/crypto/>.  New functions
16686   RAND_egd() and RAND_status().  In the command line application,
16687   the EGD socket can be specified like a seed file using RANDFILE
16688   or -rand.
16689
16690   *Ulf Möller*
16691
16692 * Allow the string CERTIFICATE to be tolerated in PKCS#7 structures.
16693   Some CAs (e.g. Verisign) distribute certificates in this form.
16694
16695   *Steve Henson*
16696
16697 * Remove the SSL_ALLOW_ADH compile option and set the default cipher
16698   list to exclude them. This means that no special compilation option
16699   is needed to use anonymous DH: it just needs to be included in the
16700   cipher list.
16701
16702   *Steve Henson*
16703
16704 * Change the EVP_MD_CTX_type macro so its meaning consistent with
16705   EVP_MD_type. The old functionality is available in a new macro called
16706   EVP_MD_md(). Change code that uses it and update docs.
16707
16708   *Steve Henson*
16709
16710 * `..._ctrl` functions now have corresponding `..._callback_ctrl` functions
16711   where the `void *` argument is replaced by a function pointer argument.
16712   Previously `void *` was abused to point to functions, which works on
16713   many platforms, but is not correct.  As these functions are usually
16714   called by macros defined in OpenSSL header files, most source code
16715   should work without changes.
16716
16717   *Richard Levitte*
16718
16719 * `<openssl/opensslconf.h>` (which is created by Configure) now contains
16720   sections with information on -D... compiler switches used for
16721   compiling the library so that applications can see them.  To enable
16722   one of these sections, a pre-processor symbol `OPENSSL_..._DEFINES`
16723   must be defined.  E.g.,
16724           #define OPENSSL_ALGORITHM_DEFINES
16725           #include <openssl/opensslconf.h>
16726   defines all pertinent `NO_<algo>` symbols, such as NO_IDEA, NO_RSA, etc.
16727
16728   *Richard Levitte, Ulf and Bodo Möller*
16729
16730 * Bugfix: Tolerate fragmentation and interleaving in the SSL 3/TLS
16731   record layer.
16732
16733   *Bodo Moeller*
16734
16735 * Change the 'other' type in certificate aux info to a STACK_OF
16736   X509_ALGOR. Although not an AlgorithmIdentifier as such it has
16737   the required ASN1 format: arbitrary types determined by an OID.
16738
16739   *Steve Henson*
16740
16741 * Add some PEM_write_X509_REQ_NEW() functions and a command line
16742   argument to 'req'. This is not because the function is newer or
16743   better than others it just uses the work 'NEW' in the certificate
16744   request header lines. Some software needs this.
16745
16746   *Steve Henson*
16747
16748 * Reorganise password command line arguments: now passwords can be
16749   obtained from various sources. Delete the PEM_cb function and make
16750   it the default behaviour: i.e. if the callback is NULL and the
16751   usrdata argument is not NULL interpret it as a null terminated pass
16752   phrase. If usrdata and the callback are NULL then the pass phrase
16753   is prompted for as usual.
16754
16755   *Steve Henson*
16756
16757 * Add support for the Compaq Atalla crypto accelerator. If it is installed,
16758   the support is automatically enabled. The resulting binaries will
16759   autodetect the card and use it if present.
16760
16761   *Ben Laurie and Compaq Inc.*
16762
16763 * Work around for Netscape hang bug. This sends certificate request
16764   and server done in one record. Since this is perfectly legal in the
16765   SSL/TLS protocol it isn't a "bug" option and is on by default. See
16766   the bugs/SSLv3 entry for more info.
16767
16768   *Steve Henson*
16769
16770 * HP-UX tune-up: new unified configs, HP C compiler bug workaround.
16771
16772   *Andy Polyakov*
16773
16774 * Add -rand argument to smime and pkcs12 applications and read/write
16775   of seed file.
16776
16777   *Steve Henson*
16778
16779 * New 'passwd' tool for crypt(3) and apr1 password hashes.
16780
16781   *Bodo Moeller*
16782
16783 * Add command line password options to the remaining applications.
16784
16785   *Steve Henson*
16786
16787 * Bug fix for BN_div_recp() for numerators with an even number of
16788   bits.
16789
16790   *Ulf Möller*
16791
16792 * More tests in bntest.c, and changed test_bn output.
16793
16794   *Ulf Möller*
16795
16796 * ./config recognizes MacOS X now.
16797
16798   *Andy Polyakov*
16799
16800 * Bug fix for BN_div() when the first words of num and divisor are
16801   equal (it gave wrong results if `(rem=(n1-q*d0)&BN_MASK2) < d0)`.
16802
16803   *Ulf Möller*
16804
16805 * Add support for various broken PKCS#8 formats, and command line
16806   options to produce them.
16807
16808   *Steve Henson*
16809
16810 * New functions BN_CTX_start(), BN_CTX_get() and BT_CTX_end() to
16811   get temporary BIGNUMs from a BN_CTX.
16812
16813   *Ulf Möller*
16814
16815 * Correct return values in BN_mod_exp_mont() and BN_mod_exp2_mont()
16816   for p == 0.
16817
16818   *Ulf Möller*
16819
16820 * Change the `SSLeay_add_all_*()` functions to `OpenSSL_add_all_*()` and
16821   include a #define from the old name to the new. The original intent
16822   was that statically linked binaries could for example just call
16823   SSLeay_add_all_ciphers() to just add ciphers to the table and not
16824   link with digests. This never worked because SSLeay_add_all_digests()
16825   and SSLeay_add_all_ciphers() were in the same source file so calling
16826   one would link with the other. They are now in separate source files.
16827
16828   *Steve Henson*
16829
16830 * Add a new -notext option to 'ca' and a -pubkey option to 'spkac'.
16831
16832   *Steve Henson*
16833
16834 * Use a less unusual form of the Miller-Rabin primality test (it used
16835   a binary algorithm for exponentiation integrated into the Miller-Rabin
16836   loop, our standard modexp algorithms are faster).
16837
16838   *Bodo Moeller*
16839
16840 * Support for the EBCDIC character set completed.
16841
16842   *Martin Kraemer <Martin.Kraemer@Mch.SNI.De>*
16843
16844 * Source code cleanups: use const where appropriate, eliminate casts,
16845   use `void *` instead of `char *` in lhash.
16846
16847   *Ulf Möller*
16848
16849 * Bugfix: ssl3_send_server_key_exchange was not restartable
16850   (the state was not changed to SSL3_ST_SW_KEY_EXCH_B, and because of
16851   this the server could overwrite ephemeral keys that the client
16852   has already seen).
16853
16854   *Bodo Moeller*
16855
16856 * Turn DSA_is_prime into a macro that calls BN_is_prime,
16857   using 50 iterations of the Rabin-Miller test.
16858
16859   DSA_generate_parameters now uses BN_is_prime_fasttest (with 50
16860   iterations of the Rabin-Miller test as required by the appendix
16861   to FIPS PUB 186[-1]) instead of DSA_is_prime.
16862   As BN_is_prime_fasttest includes trial division, DSA parameter
16863   generation becomes much faster.
16864
16865   This implies a change for the callback functions in DSA_is_prime
16866   and DSA_generate_parameters: The callback function is called once
16867   for each positive witness in the Rabin-Miller test, not just
16868   occasionally in the inner loop; and the parameters to the
16869   callback function now provide an iteration count for the outer
16870   loop rather than for the current invocation of the inner loop.
16871   DSA_generate_parameters additionally can call the callback
16872   function with an 'iteration count' of -1, meaning that a
16873   candidate has passed the trial division test (when q is generated
16874   from an application-provided seed, trial division is skipped).
16875
16876   *Bodo Moeller*
16877
16878 * New function BN_is_prime_fasttest that optionally does trial
16879   division before starting the Rabin-Miller test and has
16880   an additional BN_CTX * argument (whereas BN_is_prime always
16881   has to allocate at least one BN_CTX).
16882   'callback(1, -1, cb_arg)' is called when a number has passed the
16883   trial division stage.
16884
16885   *Bodo Moeller*
16886
16887 * Fix for bug in CRL encoding. The validity dates weren't being handled
16888   as ASN1_TIME.
16889
16890   *Steve Henson*
16891
16892 * New -pkcs12 option to CA.pl script to write out a PKCS#12 file.
16893
16894   *Steve Henson*
16895
16896 * New function BN_pseudo_rand().
16897
16898   *Ulf Möller*
16899
16900 * Clean up BN_mod_mul_montgomery(): replace the broken (and unreadable)
16901   bignum version of BN_from_montgomery() with the working code from
16902   SSLeay 0.9.0 (the word based version is faster anyway), and clean up
16903   the comments.
16904
16905   *Ulf Möller*
16906
16907 * Avoid a race condition in s2_clnt.c (function get_server_hello) that
16908   made it impossible to use the same SSL_SESSION data structure in
16909   SSL2 clients in multiple threads.
16910
16911   *Bodo Moeller*
16912
16913 * The return value of RAND_load_file() no longer counts bytes obtained
16914   by stat().  RAND_load_file(..., -1) is new and uses the complete file
16915   to seed the PRNG (previously an explicit byte count was required).
16916
16917   *Ulf Möller, Bodo Möller*
16918
16919 * Clean up CRYPTO_EX_DATA functions, some of these didn't have prototypes
16920   used `char *` instead of `void *` and had casts all over the place.
16921
16922   *Steve Henson*
16923
16924 * Make BN_generate_prime() return NULL on error if ret!=NULL.
16925
16926   *Ulf Möller*
16927
16928 * Retain source code compatibility for BN_prime_checks macro:
16929   BN_is_prime(..., BN_prime_checks, ...) now uses
16930   BN_prime_checks_for_size to determine the appropriate number of
16931   Rabin-Miller iterations.
16932
16933   *Ulf Möller*
16934
16935 * Diffie-Hellman uses "safe" primes: DH_check() return code renamed to
16936   DH_CHECK_P_NOT_SAFE_PRIME.
16937   (Check if this is true? OpenPGP calls them "strong".)
16938
16939   *Ulf Möller*
16940
16941 * Merge the functionality of "dh" and "gendh" programs into a new program
16942   "dhparam". The old programs are retained for now but will handle DH keys
16943   (instead of parameters) in future.
16944
16945   *Steve Henson*
16946
16947 * Make the ciphers, s_server and s_client programs check the return values
16948   when a new cipher list is set.
16949
16950   *Steve Henson*
16951
16952 * Enhance the SSL/TLS cipher mechanism to correctly handle the TLS 56bit
16953   ciphers. Before when the 56bit ciphers were enabled the sorting was
16954   wrong.
16955
16956   The syntax for the cipher sorting has been extended to support sorting by
16957   cipher-strength (using the strength_bits hard coded in the tables).
16958   The new command is `@STRENGTH` (see also `doc/apps/ciphers.pod`).
16959
16960   Fix a bug in the cipher-command parser: when supplying a cipher command
16961   string with an "undefined" symbol (neither command nor alphanumeric
16962   *A-Za-z0-9*, ssl_set_cipher_list used to hang in an endless loop. Now
16963   an error is flagged.
16964
16965   Due to the strength-sorting extension, the code of the
16966   ssl_create_cipher_list() function was completely rearranged. I hope that
16967   the readability was also increased :-)
16968
16969   *Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>*
16970
16971 * Minor change to 'x509' utility. The -CAcreateserial option now uses 1
16972   for the first serial number and places 2 in the serial number file. This
16973   avoids problems when the root CA is created with serial number zero and
16974   the first user certificate has the same issuer name and serial number
16975   as the root CA.
16976
16977   *Steve Henson*
16978
16979 * Fixes to X509_ATTRIBUTE utilities, change the 'req' program so it uses
16980   the new code. Add documentation for this stuff.
16981
16982   *Steve Henson*
16983
16984 * Changes to X509_ATTRIBUTE utilities. These have been renamed from
16985   `X509_*()` to `X509at_*()` on the grounds that they don't handle X509
16986   structures and behave in an analogous way to the X509v3 functions:
16987   they shouldn't be called directly but wrapper functions should be used
16988   instead.
16989
16990   So we also now have some wrapper functions that call the X509at functions
16991   when passed certificate requests. (TO DO: similar things can be done with
16992   PKCS#7 signed and unsigned attributes, PKCS#12 attributes and a few other
16993   things. Some of these need some d2i or i2d and print functionality
16994   because they handle more complex structures.)
16995
16996   *Steve Henson*
16997
16998 * Add missing #ifndefs that caused missing symbols when building libssl
16999   as a shared library without RSA.  Use #ifndef NO_SSL2 instead of
17000   NO_RSA in `ssl/s2*.c`.
17001
17002   *Kris Kennaway <kris@hub.freebsd.org>, modified by Ulf Möller*
17003
17004 * Precautions against using the PRNG uninitialized: RAND_bytes() now
17005   has a return value which indicates the quality of the random data
17006   (1 = ok, 0 = not seeded).  Also an error is recorded on the thread's
17007   error queue. New function RAND_pseudo_bytes() generates output that is
17008   guaranteed to be unique but not unpredictable. RAND_add is like
17009   RAND_seed, but takes an extra argument for an entropy estimate
17010   (RAND_seed always assumes full entropy).
17011
17012   *Ulf Möller*
17013
17014 * Do more iterations of Rabin-Miller probable prime test (specifically,
17015   3 for 1024-bit primes, 6 for 512-bit primes, 12 for 256-bit primes
17016   instead of only 2 for all lengths; see BN_prime_checks_for_size definition
17017   in crypto/bn/bn_prime.c for the complete table).  This guarantees a
17018   false-positive rate of at most 2^-80 for random input.
17019
17020   *Bodo Moeller*
17021
17022 * Rewrite ssl3_read_n (ssl/s3_pkt.c) avoiding a couple of bugs.
17023
17024   *Bodo Moeller*
17025
17026 * New function X509_CTX_rget_chain() (renamed to X509_CTX_get1_chain
17027   in the 0.9.5 release), this returns the chain
17028   from an X509_CTX structure with a dup of the stack and all
17029   the X509 reference counts upped: so the stack will exist
17030   after X509_CTX_cleanup() has been called. Modify pkcs12.c
17031   to use this.
17032
17033   Also make SSL_SESSION_print() print out the verify return
17034   code.
17035
17036   *Steve Henson*
17037
17038 * Add manpage for the pkcs12 command. Also change the default
17039   behaviour so MAC iteration counts are used unless the new
17040   -nomaciter option is used. This improves file security and
17041   only older versions of MSIE (4.0 for example) need it.
17042
17043   *Steve Henson*
17044
17045 * Honor the no-xxx Configure options when creating .DEF files.
17046
17047   *Ulf Möller*
17048
17049 * Add PKCS#10 attributes to field table: challengePassword,
17050   unstructuredName and unstructuredAddress. These are taken from
17051   draft PKCS#9 v2.0 but are compatible with v1.2 provided no
17052   international characters are used.
17053
17054   More changes to X509_ATTRIBUTE code: allow the setting of types
17055   based on strings. Remove the 'loc' parameter when adding
17056   attributes because these will be a SET OF encoding which is sorted
17057   in ASN1 order.
17058
17059   *Steve Henson*
17060
17061 * Initial changes to the 'req' utility to allow request generation
17062   automation. This will allow an application to just generate a template
17063   file containing all the field values and have req construct the
17064   request.
17065
17066   Initial support for X509_ATTRIBUTE handling. Stacks of these are
17067   used all over the place including certificate requests and PKCS#7
17068   structures. They are currently handled manually where necessary with
17069   some primitive wrappers for PKCS#7. The new functions behave in a
17070   manner analogous to the X509 extension functions: they allow
17071   attributes to be looked up by NID and added.
17072
17073   Later something similar to the X509V3 code would be desirable to
17074   automatically handle the encoding, decoding and printing of the
17075   more complex types. The string types like challengePassword can
17076   be handled by the string table functions.
17077
17078   Also modified the multi byte string table handling. Now there is
17079   a 'global mask' which masks out certain types. The table itself
17080   can use the flag STABLE_NO_MASK to ignore the mask setting: this
17081   is useful when for example there is only one permissible type
17082   (as in countryName) and using the mask might result in no valid
17083   types at all.
17084
17085   *Steve Henson*
17086
17087 * Clean up 'Finished' handling, and add functions SSL_get_finished and
17088   SSL_get_peer_finished to allow applications to obtain the latest
17089   Finished messages sent to the peer or expected from the peer,
17090   respectively.  (SSL_get_peer_finished is usually the Finished message
17091   actually received from the peer, otherwise the protocol will be aborted.)
17092
17093   As the Finished message are message digests of the complete handshake
17094   (with a total of 192 bits for TLS 1.0 and more for SSL 3.0), they can
17095   be used for external authentication procedures when the authentication
17096   provided by SSL/TLS is not desired or is not enough.
17097
17098   *Bodo Moeller*
17099
17100 * Enhanced support for Alpha Linux is added. Now ./config checks if
17101   the host supports BWX extension and if Compaq C is present on the
17102   $PATH. Just exploiting of the BWX extension results in 20-30%
17103   performance kick for some algorithms, e.g. DES and RC4 to mention
17104   a couple. Compaq C in turn generates ~20% faster code for MD5 and
17105   SHA1.
17106
17107   *Andy Polyakov*
17108
17109 * Add support for MS "fast SGC". This is arguably a violation of the
17110   SSL3/TLS protocol. Netscape SGC does two handshakes: the first with
17111   weak crypto and after checking the certificate is SGC a second one
17112   with strong crypto. MS SGC stops the first handshake after receiving
17113   the server certificate message and sends a second client hello. Since
17114   a server will typically do all the time consuming operations before
17115   expecting any further messages from the client (server key exchange
17116   is the most expensive) there is little difference between the two.
17117
17118   To get OpenSSL to support MS SGC we have to permit a second client
17119   hello message after we have sent server done. In addition we have to
17120   reset the MAC if we do get this second client hello.
17121
17122   *Steve Henson*
17123
17124 * Add a function 'd2i_AutoPrivateKey()' this will automatically decide
17125   if a DER encoded private key is RSA or DSA traditional format. Changed
17126   d2i_PrivateKey_bio() to use it. This is only needed for the "traditional"
17127   format DER encoded private key. Newer code should use PKCS#8 format which
17128   has the key type encoded in the ASN1 structure. Added DER private key
17129   support to pkcs8 application.
17130
17131   *Steve Henson*
17132
17133 * SSL 3/TLS 1 servers now don't request certificates when an anonymous
17134   ciphersuites has been selected (as required by the SSL 3/TLS 1
17135   specifications).  Exception: When SSL_VERIFY_FAIL_IF_NO_PEER_CERT
17136   is set, we interpret this as a request to violate the specification
17137   (the worst that can happen is a handshake failure, and 'correct'
17138   behaviour would result in a handshake failure anyway).
17139
17140   *Bodo Moeller*
17141
17142 * In SSL_CTX_add_session, take into account that there might be multiple
17143   SSL_SESSION structures with the same session ID (e.g. when two threads
17144   concurrently obtain them from an external cache).
17145   The internal cache can handle only one SSL_SESSION with a given ID,
17146   so if there's a conflict, we now throw out the old one to achieve
17147   consistency.
17148
17149   *Bodo Moeller*
17150
17151 * Add OIDs for idea and blowfish in CBC mode. This will allow both
17152   to be used in PKCS#5 v2.0 and S/MIME.  Also add checking to
17153   some routines that use cipher OIDs: some ciphers do not have OIDs
17154   defined and so they cannot be used for S/MIME and PKCS#5 v2.0 for
17155   example.
17156
17157   *Steve Henson*
17158
17159 * Simplify the trust setting structure and code. Now we just have
17160   two sequences of OIDs for trusted and rejected settings. These will
17161   typically have values the same as the extended key usage extension
17162   and any application specific purposes.
17163
17164   The trust checking code now has a default behaviour: it will just
17165   check for an object with the same NID as the passed id. Functions can
17166   be provided to override either the default behaviour or the behaviour
17167   for a given id. SSL client, server and email already have functions
17168   in place for compatibility: they check the NID and also return "trusted"
17169   if the certificate is self signed.
17170
17171   *Steve Henson*
17172
17173 * Add d2i,i2d bio/fp functions for PrivateKey: these convert the
17174   traditional format into an EVP_PKEY structure.
17175
17176   *Steve Henson*
17177
17178 * Add a password callback function PEM_cb() which either prompts for
17179   a password if usr_data is NULL or otherwise assumes it is a null
17180   terminated password. Allow passwords to be passed on command line
17181   environment or config files in a few more utilities.
17182
17183   *Steve Henson*
17184
17185 * Add a bunch of DER and PEM functions to handle PKCS#8 format private
17186   keys. Add some short names for PKCS#8 PBE algorithms and allow them
17187   to be specified on the command line for the pkcs8 and pkcs12 utilities.
17188   Update documentation.
17189
17190   *Steve Henson*
17191
17192 * Support for ASN1 "NULL" type. This could be handled before by using
17193   ASN1_TYPE but there wasn't any function that would try to read a NULL
17194   and produce an error if it couldn't. For compatibility we also have
17195   ASN1_NULL_new() and ASN1_NULL_free() functions but these are faked and
17196   don't allocate anything because they don't need to.
17197
17198   *Steve Henson*
17199
17200 * Initial support for MacOS is now provided. Examine INSTALL.MacOS
17201   for details.
17202
17203   *Andy Polyakov, Roy Woods <roy@centicsystems.ca>*
17204
17205 * Rebuild of the memory allocation routines used by OpenSSL code and
17206   possibly others as well.  The purpose is to make an interface that
17207   provide hooks so anyone can build a separate set of allocation and
17208   deallocation routines to be used by OpenSSL, for example memory
17209   pool implementations, or something else, which was previously hard
17210   since Malloc(), Realloc() and Free() were defined as macros having
17211   the values malloc, realloc and free, respectively (except for Win32
17212   compilations).  The same is provided for memory debugging code.
17213   OpenSSL already comes with functionality to find memory leaks, but
17214   this gives people a chance to debug other memory problems.
17215
17216   With these changes, a new set of functions and macros have appeared:
17217
17218     CRYPTO_set_mem_debug_functions()         [F]
17219     CRYPTO_get_mem_debug_functions()         [F]
17220     CRYPTO_dbg_set_options()                 [F]
17221     CRYPTO_dbg_get_options()                 [F]
17222     CRYPTO_malloc_debug_init()               [M]
17223
17224   The memory debug functions are NULL by default, unless the library
17225   is compiled with CRYPTO_MDEBUG or friends is defined.  If someone
17226   wants to debug memory anyway, CRYPTO_malloc_debug_init() (which
17227   gives the standard debugging functions that come with OpenSSL) or
17228   CRYPTO_set_mem_debug_functions() (tells OpenSSL to use functions
17229   provided by the library user) must be used.  When the standard
17230   debugging functions are used, CRYPTO_dbg_set_options can be used to
17231   request additional information:
17232   CRYPTO_dbg_set_options(V_CYRPTO_MDEBUG_xxx) corresponds to setting
17233   the CRYPTO_MDEBUG_xxx macro when compiling the library.
17234
17235   Also, things like CRYPTO_set_mem_functions will always give the
17236   expected result (the new set of functions is used for allocation
17237   and deallocation) at all times, regardless of platform and compiler
17238   options.
17239
17240   To finish it up, some functions that were never use in any other
17241   way than through macros have a new API and new semantic:
17242
17243     CRYPTO_dbg_malloc()
17244     CRYPTO_dbg_realloc()
17245     CRYPTO_dbg_free()
17246
17247   All macros of value have retained their old syntax.
17248
17249   *Richard Levitte and Bodo Moeller*
17250
17251 * Some S/MIME fixes. The OID for SMIMECapabilities was wrong, the
17252   ordering of SMIMECapabilities wasn't in "strength order" and there
17253   was a missing NULL in the AlgorithmIdentifier for the SHA1 signature
17254   algorithm.
17255
17256   *Steve Henson*
17257
17258 * Some ASN1 types with illegal zero length encoding (INTEGER,
17259   ENUMERATED and OBJECT IDENTIFIER) choked the ASN1 routines.
17260
17261   *Frans Heymans <fheymans@isaserver.be>, modified by Steve Henson*
17262
17263 * Merge in my S/MIME library for OpenSSL. This provides a simple
17264   S/MIME API on top of the PKCS#7 code, a MIME parser (with enough
17265   functionality to handle multipart/signed properly) and a utility
17266   called 'smime' to call all this stuff. This is based on code I
17267   originally wrote for Celo who have kindly allowed it to be
17268   included in OpenSSL.
17269
17270   *Steve Henson*
17271
17272 * Add variants des_set_key_checked and des_set_key_unchecked of
17273   des_set_key (aka des_key_sched).  Global variable des_check_key
17274   decides which of these is called by des_set_key; this way
17275   des_check_key behaves as it always did, but applications and
17276   the library itself, which was buggy for des_check_key == 1,
17277   have a cleaner way to pick the version they need.
17278
17279   *Bodo Moeller*
17280
17281 * New function PKCS12_newpass() which changes the password of a
17282   PKCS12 structure.
17283
17284   *Steve Henson*
17285
17286 * Modify X509_TRUST and X509_PURPOSE so it also uses a static and
17287   dynamic mix. In both cases the ids can be used as an index into the
17288   table. Also modified the X509_TRUST_add() and X509_PURPOSE_add()
17289   functions so they accept a list of the field values and the
17290   application doesn't need to directly manipulate the X509_TRUST
17291   structure.
17292
17293   *Steve Henson*
17294
17295 * Modify the ASN1_STRING_TABLE stuff so it also uses bsearch and doesn't
17296   need initialising.
17297
17298   *Steve Henson*
17299
17300 * Modify the way the V3 extension code looks up extensions. This now
17301   works in a similar way to the object code: we have some "standard"
17302   extensions in a static table which is searched with OBJ_bsearch()
17303   and the application can add dynamic ones if needed. The file
17304   crypto/x509v3/ext_dat.h now has the info: this file needs to be
17305   updated whenever a new extension is added to the core code and kept
17306   in ext_nid order. There is a simple program 'tabtest.c' which checks
17307   this. New extensions are not added too often so this file can readily
17308   be maintained manually.
17309
17310   There are two big advantages in doing things this way. The extensions
17311   can be looked up immediately and no longer need to be "added" using
17312   X509V3_add_standard_extensions(): this function now does nothing.
17313   Side note: I get *lots* of email saying the extension code doesn't
17314   work because people forget to call this function.
17315   Also no dynamic allocation is done unless new extensions are added:
17316   so if we don't add custom extensions there is no need to call
17317   X509V3_EXT_cleanup().
17318
17319   *Steve Henson*
17320
17321 * Modify enc utility's salting as follows: make salting the default. Add a
17322   magic header, so unsalted files fail gracefully instead of just decrypting
17323   to garbage. This is because not salting is a big security hole, so people
17324   should be discouraged from doing it.
17325
17326   *Ben Laurie*
17327
17328 * Fixes and enhancements to the 'x509' utility. It allowed a message
17329   digest to be passed on the command line but it only used this
17330   parameter when signing a certificate. Modified so all relevant
17331   operations are affected by the digest parameter including the
17332   -fingerprint and -x509toreq options. Also -x509toreq choked if a
17333   DSA key was used because it didn't fix the digest.
17334
17335   *Steve Henson*
17336
17337 * Initial certificate chain verify code. Currently tests the untrusted
17338   certificates for consistency with the verify purpose (which is set
17339   when the X509_STORE_CTX structure is set up) and checks the pathlength.
17340
17341   There is a NO_CHAIN_VERIFY compilation option to keep the old behaviour:
17342   this is because it will reject chains with invalid extensions whereas
17343   every previous version of OpenSSL and SSLeay made no checks at all.
17344
17345   Trust code: checks the root CA for the relevant trust settings. Trust
17346   settings have an initial value consistent with the verify purpose: e.g.
17347   if the verify purpose is for SSL client use it expects the CA to be
17348   trusted for SSL client use. However the default value can be changed to
17349   permit custom trust settings: one example of this would be to only trust
17350   certificates from a specific "secure" set of CAs.
17351
17352   Also added X509_STORE_CTX_new() and X509_STORE_CTX_free() functions
17353   which should be used for version portability: especially since the
17354   verify structure is likely to change more often now.
17355
17356   SSL integration. Add purpose and trust to SSL_CTX and SSL and functions
17357   to set them. If not set then assume SSL clients will verify SSL servers
17358   and vice versa.
17359
17360   Two new options to the verify program: -untrusted allows a set of
17361   untrusted certificates to be passed in and -purpose which sets the
17362   intended purpose of the certificate. If a purpose is set then the
17363   new chain verify code is used to check extension consistency.
17364
17365   *Steve Henson*
17366
17367 * Support for the authority information access extension.
17368
17369   *Steve Henson*
17370
17371 * Modify RSA and DSA PEM read routines to transparently handle
17372   PKCS#8 format private keys. New *_PUBKEY_* functions that handle
17373   public keys in a format compatible with certificate
17374   SubjectPublicKeyInfo structures. Unfortunately there were already
17375   functions called *_PublicKey_* which used various odd formats so
17376   these are retained for compatibility: however the DSA variants were
17377   never in a public release so they have been deleted. Changed dsa/rsa
17378   utilities to handle the new format: note no releases ever handled public
17379   keys so we should be OK.
17380
17381   The primary motivation for this change is to avoid the same fiasco
17382   that dogs private keys: there are several incompatible private key
17383   formats some of which are standard and some OpenSSL specific and
17384   require various evil hacks to allow partial transparent handling and
17385   even then it doesn't work with DER formats. Given the option anything
17386   other than PKCS#8 should be dumped: but the other formats have to
17387   stay in the name of compatibility.
17388
17389   With public keys and the benefit of hindsight one standard format
17390   is used which works with EVP_PKEY, RSA or DSA structures: though
17391   it clearly returns an error if you try to read the wrong kind of key.
17392
17393   Added a -pubkey option to the 'x509' utility to output the public key.
17394   Also rename the `EVP_PKEY_get_*()` to `EVP_PKEY_rget_*()`
17395   (renamed to `EVP_PKEY_get1_*()` in the OpenSSL 0.9.5 release) and add
17396   `EVP_PKEY_rset_*()` functions (renamed to `EVP_PKEY_set1_*()`)
17397   that do the same as the `EVP_PKEY_assign_*()` except they up the
17398   reference count of the added key (they don't "swallow" the
17399   supplied key).
17400
17401   *Steve Henson*
17402
17403 * Fixes to crypto/x509/by_file.c the code to read in certificates and
17404   CRLs would fail if the file contained no certificates or no CRLs:
17405   added a new function to read in both types and return the number
17406   read: this means that if none are read it will be an error. The
17407   DER versions of the certificate and CRL reader would always fail
17408   because it isn't possible to mix certificates and CRLs in DER format
17409   without choking one or the other routine. Changed this to just read
17410   a certificate: this is the best we can do. Also modified the code
17411   in `apps/verify.c` to take notice of return codes: it was previously
17412   attempting to read in certificates from NULL pointers and ignoring
17413   any errors: this is one reason why the cert and CRL reader seemed
17414   to work. It doesn't check return codes from the default certificate
17415   routines: these may well fail if the certificates aren't installed.
17416
17417   *Steve Henson*
17418
17419 * Code to support otherName option in GeneralName.
17420
17421   *Steve Henson*
17422
17423 * First update to verify code. Change the verify utility
17424   so it warns if it is passed a self signed certificate:
17425   for consistency with the normal behaviour. X509_verify
17426   has been modified to it will now verify a self signed
17427   certificate if *exactly* the same certificate appears
17428   in the store: it was previously impossible to trust a
17429   single self signed certificate. This means that:
17430   openssl verify ss.pem
17431   now gives a warning about a self signed certificate but
17432   openssl verify -CAfile ss.pem ss.pem
17433   is OK.
17434
17435   *Steve Henson*
17436
17437 * For servers, store verify_result in SSL_SESSION data structure
17438   (and add it to external session representation).
17439   This is needed when client certificate verifications fails,
17440   but an application-provided verification callback (set by
17441   SSL_CTX_set_cert_verify_callback) allows accepting the session
17442   anyway (i.e. leaves x509_store_ctx->error != X509_V_OK
17443   but returns 1): When the session is reused, we have to set
17444   ssl->verify_result to the appropriate error code to avoid
17445   security holes.
17446
17447   *Bodo Moeller, problem pointed out by Lutz Jaenicke*
17448
17449 * Fix a bug in the new PKCS#7 code: it didn't consider the
17450   case in PKCS7_dataInit() where the signed PKCS7 structure
17451   didn't contain any existing data because it was being created.
17452
17453   *Po-Cheng Chen <pocheng@nst.com.tw>, slightly modified by Steve Henson*
17454
17455 * Add a salt to the key derivation routines in enc.c. This
17456   forms the first 8 bytes of the encrypted file. Also add a
17457   -S option to allow a salt to be input on the command line.
17458
17459   *Steve Henson*
17460
17461 * New function X509_cmp(). Oddly enough there wasn't a function
17462   to compare two certificates. We do this by working out the SHA1
17463   hash and comparing that. X509_cmp() will be needed by the trust
17464   code.
17465
17466   *Steve Henson*
17467
17468 * SSL_get1_session() is like SSL_get_session(), but increments
17469   the reference count in the SSL_SESSION returned.
17470
17471   *Geoff Thorpe <geoff@eu.c2.net>*
17472
17473 * Fix for 'req': it was adding a null to request attributes.
17474   Also change the X509_LOOKUP and X509_INFO code to handle
17475   certificate auxiliary information.
17476
17477   *Steve Henson*
17478
17479 * Add support for 40 and 64 bit RC2 and RC4 algorithms: document
17480   the 'enc' command.
17481
17482   *Steve Henson*
17483
17484 * Add the possibility to add extra information to the memory leak
17485   detecting output, to form tracebacks, showing from where each
17486   allocation was originated: CRYPTO_push_info("constant string") adds
17487   the string plus current file name and line number to a per-thread
17488   stack, CRYPTO_pop_info() does the obvious, CRYPTO_remove_all_info()
17489   is like calling CYRPTO_pop_info() until the stack is empty.
17490   Also updated memory leak detection code to be multi-thread-safe.
17491
17492   *Richard Levitte*
17493
17494 * Add options -text and -noout to pkcs7 utility and delete the
17495   encryption options which never did anything. Update docs.
17496
17497   *Steve Henson*
17498
17499 * Add options to some of the utilities to allow the pass phrase
17500   to be included on either the command line (not recommended on
17501   OSes like Unix) or read from the environment. Update the
17502   manpages and fix a few bugs.
17503
17504   *Steve Henson*
17505
17506 * Add a few manpages for some of the openssl commands.
17507
17508   *Steve Henson*
17509
17510 * Fix the -revoke option in ca. It was freeing up memory twice,
17511   leaking and not finding already revoked certificates.
17512
17513   *Steve Henson*
17514
17515 * Extensive changes to support certificate auxiliary information.
17516   This involves the use of X509_CERT_AUX structure and X509_AUX
17517   functions. An X509_AUX function such as PEM_read_X509_AUX()
17518   can still read in a certificate file in the usual way but it
17519   will also read in any additional "auxiliary information". By
17520   doing things this way a fair degree of compatibility can be
17521   retained: existing certificates can have this information added
17522   using the new 'x509' options.
17523
17524   Current auxiliary information includes an "alias" and some trust
17525   settings. The trust settings will ultimately be used in enhanced
17526   certificate chain verification routines: currently a certificate
17527   can only be trusted if it is self signed and then it is trusted
17528   for all purposes.
17529
17530   *Steve Henson*
17531
17532 * Fix assembler for Alpha (tested only on DEC OSF not Linux or `*BSD`).
17533   The problem was that one of the replacement routines had not been working
17534   since SSLeay releases.  For now the offending routine has been replaced
17535   with non-optimised assembler.  Even so, this now gives around 95%
17536   performance improvement for 1024 bit RSA signs.
17537
17538   *Mark Cox*
17539
17540 * Hack to fix PKCS#7 decryption when used with some unorthodox RC2
17541   handling. Most clients have the effective key size in bits equal to
17542   the key length in bits: so a 40 bit RC2 key uses a 40 bit (5 byte) key.
17543   A few however don't do this and instead use the size of the decrypted key
17544   to determine the RC2 key length and the AlgorithmIdentifier to determine
17545   the effective key length. In this case the effective key length can still
17546   be 40 bits but the key length can be 168 bits for example. This is fixed
17547   by manually forcing an RC2 key into the EVP_PKEY structure because the
17548   EVP code can't currently handle unusual RC2 key sizes: it always assumes
17549   the key length and effective key length are equal.
17550
17551   *Steve Henson*
17552
17553 * Add a bunch of functions that should simplify the creation of
17554   X509_NAME structures. Now you should be able to do:
17555   X509_NAME_add_entry_by_txt(nm, "CN", MBSTRING_ASC, "Steve", -1, -1, 0);
17556   and have it automatically work out the correct field type and fill in
17557   the structures. The more adventurous can try:
17558   X509_NAME_add_entry_by_txt(nm, field, MBSTRING_UTF8, str, -1, -1, 0);
17559   and it will (hopefully) work out the correct multibyte encoding.
17560
17561   *Steve Henson*
17562
17563 * Change the 'req' utility to use the new field handling and multibyte
17564   copy routines. Before the DN field creation was handled in an ad hoc
17565   way in req, ca, and x509 which was rather broken and didn't support
17566   BMPStrings or UTF8Strings. Since some software doesn't implement
17567   BMPStrings or UTF8Strings yet, they can be enabled using the config file
17568   using the dirstring_type option. See the new comment in the default
17569   openssl.cnf for more info.
17570
17571   *Steve Henson*
17572
17573 * Make crypto/rand/md_rand.c more robust:
17574   - Assure unique random numbers after fork().
17575   - Make sure that concurrent threads access the global counter and
17576     md serializably so that we never lose entropy in them
17577     or use exactly the same state in multiple threads.
17578     Access to the large state is not always serializable because
17579     the additional locking could be a performance killer, and
17580     md should be large enough anyway.
17581
17582   *Bodo Moeller*
17583
17584 * New file `apps/app_rand.c` with commonly needed functionality
17585   for handling the random seed file.
17586
17587   Use the random seed file in some applications that previously did not:
17588           ca,
17589           dsaparam -genkey (which also ignored its '-rand' option),
17590           s_client,
17591           s_server,
17592           x509 (when signing).
17593   Except on systems with /dev/urandom, it is crucial to have a random
17594   seed file at least for key creation, DSA signing, and for DH exchanges;
17595   for RSA signatures we could do without one.
17596
17597   gendh and gendsa (unlike genrsa) used to read only the first byte
17598   of each file listed in the '-rand' option.  The function as previously
17599   found in genrsa is now in app_rand.c and is used by all programs
17600   that support '-rand'.
17601
17602   *Bodo Moeller*
17603
17604 * In RAND_write_file, use mode 0600 for creating files;
17605   don't just chmod when it may be too late.
17606
17607   *Bodo Moeller*
17608
17609 * Report an error from X509_STORE_load_locations
17610   when X509_LOOKUP_load_file or X509_LOOKUP_add_dir failed.
17611
17612   *Bill Perry*
17613
17614 * New function ASN1_mbstring_copy() this copies a string in either
17615   ASCII, Unicode, Universal (4 bytes per character) or UTF8 format
17616   into an ASN1_STRING type. A mask of permissible types is passed
17617   and it chooses the "minimal" type to use or an error if not type
17618   is suitable.
17619
17620   *Steve Henson*
17621
17622 * Add function equivalents to the various macros in asn1.h. The old
17623   macros are retained with an `M_` prefix. Code inside the library can
17624   use the `M_` macros. External code (including the openssl utility)
17625   should *NOT* in order to be "shared library friendly".
17626
17627   *Steve Henson*
17628
17629 * Add various functions that can check a certificate's extensions
17630   to see if it usable for various purposes such as SSL client,
17631   server or S/MIME and CAs of these types. This is currently
17632   VERY EXPERIMENTAL but will ultimately be used for certificate chain
17633   verification. Also added a -purpose flag to x509 utility to
17634   print out all the purposes.
17635
17636   *Steve Henson*
17637
17638 * Add a CRYPTO_EX_DATA to X509 certificate structure and associated
17639   functions.
17640
17641   *Steve Henson*
17642
17643 * New `X509V3_{X509,CRL,REVOKED}_get_d2i()` functions. These will search
17644   for, obtain and decode and extension and obtain its critical flag.
17645   This allows all the necessary extension code to be handled in a
17646   single function call.
17647
17648   *Steve Henson*
17649
17650 * RC4 tune-up featuring 30-40% performance improvement on most RISC
17651   platforms. See crypto/rc4/rc4_enc.c for further details.
17652
17653   *Andy Polyakov*
17654
17655 * New -noout option to asn1parse. This causes no output to be produced
17656   its main use is when combined with -strparse and -out to extract data
17657   from a file (which may not be in ASN.1 format).
17658
17659   *Steve Henson*
17660
17661 * Fix for pkcs12 program. It was hashing an invalid certificate pointer
17662   when producing the local key id.
17663
17664   *Richard Levitte <levitte@stacken.kth.se>*
17665
17666 * New option -dhparam in s_server. This allows a DH parameter file to be
17667   stated explicitly. If it is not stated then it tries the first server
17668   certificate file. The previous behaviour hard coded the filename
17669   "server.pem".
17670
17671   *Steve Henson*
17672
17673 * Add -pubin and -pubout options to the rsa and dsa commands. These allow
17674   a public key to be input or output. For example:
17675   openssl rsa -in key.pem -pubout -out pubkey.pem
17676   Also added necessary DSA public key functions to handle this.
17677
17678   *Steve Henson*
17679
17680 * Fix so PKCS7_dataVerify() doesn't crash if no certificates are contained
17681   in the message. This was handled by allowing
17682   X509_find_by_issuer_and_serial() to tolerate a NULL passed to it.
17683
17684   *Steve Henson, reported by Sampo Kellomaki <sampo@mail.neuronio.pt>*
17685
17686 * Fix for bug in d2i_ASN1_bytes(): other ASN1 functions add an extra null
17687   to the end of the strings whereas this didn't. This would cause problems
17688   if strings read with d2i_ASN1_bytes() were later modified.
17689
17690   *Steve Henson, reported by Arne Ansper <arne@ats.cyber.ee>*
17691
17692 * Fix for base64 decode bug. When a base64 bio reads only one line of
17693   data and it contains EOF it will end up returning an error. This is
17694   caused by input 46 bytes long. The cause is due to the way base64
17695   BIOs find the start of base64 encoded data. They do this by trying a
17696   trial decode on each line until they find one that works. When they
17697   do a flag is set and it starts again knowing it can pass all the
17698   data directly through the decoder. Unfortunately it doesn't reset
17699   the context it uses. This means that if EOF is reached an attempt
17700   is made to pass two EOFs through the context and this causes the
17701   resulting error. This can also cause other problems as well. As is
17702   usual with these problems it takes *ages* to find and the fix is
17703   trivial: move one line.
17704
17705   *Steve Henson, reported by ian@uns.ns.ac.yu (Ivan Nejgebauer)*
17706
17707 * Ugly workaround to get s_client and s_server working under Windows. The
17708   old code wouldn't work because it needed to select() on sockets and the
17709   tty (for keypresses and to see if data could be written). Win32 only
17710   supports select() on sockets so we select() with a 1s timeout on the
17711   sockets and then see if any characters are waiting to be read, if none
17712   are present then we retry, we also assume we can always write data to
17713   the tty. This isn't nice because the code then blocks until we've
17714   received a complete line of data and it is effectively polling the
17715   keyboard at 1s intervals: however it's quite a bit better than not
17716   working at all :-) A dedicated Windows application might handle this
17717   with an event loop for example.
17718
17719   *Steve Henson*
17720
17721 * Enhance RSA_METHOD structure. Now there are two extra methods, rsa_sign
17722   and rsa_verify. When the RSA_FLAGS_SIGN_VER option is set these functions
17723   will be called when RSA_sign() and RSA_verify() are used. This is useful
17724   if rsa_pub_dec() and rsa_priv_enc() equivalents are not available.
17725   For this to work properly RSA_public_decrypt() and RSA_private_encrypt()
17726   should *not* be used: RSA_sign() and RSA_verify() must be used instead.
17727   This necessitated the support of an extra signature type NID_md5_sha1
17728   for SSL signatures and modifications to the SSL library to use it instead
17729   of calling RSA_public_decrypt() and RSA_private_encrypt().
17730
17731   *Steve Henson*
17732
17733 * Add new -verify -CAfile and -CApath options to the crl program, these
17734   will lookup a CRL issuers certificate and verify the signature in a
17735   similar way to the verify program. Tidy up the crl program so it
17736   no longer accesses structures directly. Make the ASN1 CRL parsing a bit
17737   less strict. It will now permit CRL extensions even if it is not
17738   a V2 CRL: this will allow it to tolerate some broken CRLs.
17739
17740   *Steve Henson*
17741
17742 * Initialize all non-automatic variables each time one of the openssl
17743   sub-programs is started (this is necessary as they may be started
17744   multiple times from the "OpenSSL>" prompt).
17745
17746   *Lennart Bang, Bodo Moeller*
17747
17748 * Preliminary compilation option RSA_NULL which disables RSA crypto without
17749   removing all other RSA functionality (this is what NO_RSA does). This
17750   is so (for example) those in the US can disable those operations covered
17751   by the RSA patent while allowing storage and parsing of RSA keys and RSA
17752   key generation.
17753
17754   *Steve Henson*
17755
17756 * Non-copying interface to BIO pairs.
17757   (still largely untested)
17758
17759   *Bodo Moeller*
17760
17761 * New function ASN1_tag2str() to convert an ASN1 tag to a descriptive
17762   ASCII string. This was handled independently in various places before.
17763
17764   *Steve Henson*
17765
17766 * New functions UTF8_getc() and UTF8_putc() that parse and generate
17767   UTF8 strings a character at a time.
17768
17769   *Steve Henson*
17770
17771 * Use client_version from client hello to select the protocol
17772   (s23_srvr.c) and for RSA client key exchange verification
17773   (s3_srvr.c), as required by the SSL 3.0/TLS 1.0 specifications.
17774
17775   *Bodo Moeller*
17776
17777 * Add various utility functions to handle SPKACs, these were previously
17778   handled by poking round in the structure internals. Added new function
17779   NETSCAPE_SPKI_print() to print out SPKAC and a new utility 'spkac' to
17780   print, verify and generate SPKACs. Based on an original idea from
17781   Massimiliano Pala <madwolf@comune.modena.it> but extensively modified.
17782
17783   *Steve Henson*
17784
17785 * RIPEMD160 is operational on all platforms and is back in 'make test'.
17786
17787   *Andy Polyakov*
17788
17789 * Allow the config file extension section to be overwritten on the
17790   command line. Based on an original idea from Massimiliano Pala
17791   <madwolf@comune.modena.it>. The new option is called -extensions
17792   and can be applied to ca, req and x509. Also -reqexts to override
17793   the request extensions in req and -crlexts to override the crl extensions
17794   in ca.
17795
17796   *Steve Henson*
17797
17798 * Add new feature to the SPKAC handling in ca.  Now you can include
17799   the same field multiple times by preceding it by "XXXX." for example:
17800   1.OU="Unit name 1"
17801   2.OU="Unit name 2"
17802   this is the same syntax as used in the req config file.
17803
17804   *Steve Henson*
17805
17806 * Allow certificate extensions to be added to certificate requests. These
17807   are specified in a 'req_extensions' option of the req section of the
17808   config file. They can be printed out with the -text option to req but
17809   are otherwise ignored at present.
17810
17811   *Steve Henson*
17812
17813 * Fix a horrible bug in enc_read() in crypto/evp/bio_enc.c: if the first
17814   data read consists of only the final block it would not decrypted because
17815   EVP_CipherUpdate() would correctly report zero bytes had been decrypted.
17816   A misplaced 'break' also meant the decrypted final block might not be
17817   copied until the next read.
17818
17819   *Steve Henson*
17820
17821 * Initial support for DH_METHOD. Again based on RSA_METHOD. Also added
17822   a few extra parameters to the DH structure: these will be useful if
17823   for example we want the value of 'q' or implement X9.42 DH.
17824
17825   *Steve Henson*
17826
17827 * Initial support for DSA_METHOD. This is based on the RSA_METHOD and
17828   provides hooks that allow the default DSA functions or functions on a
17829   "per key" basis to be replaced. This allows hardware acceleration and
17830   hardware key storage to be handled without major modification to the
17831   library. Also added low-level modexp hooks and CRYPTO_EX structure and
17832   associated functions.
17833
17834   *Steve Henson*
17835
17836 * Add a new flag to memory BIOs, BIO_FLAG_MEM_RDONLY. This marks the BIO
17837   as "read only": it can't be written to and the buffer it points to will
17838   not be freed. Reading from a read only BIO is much more efficient than
17839   a normal memory BIO. This was added because there are several times when
17840   an area of memory needs to be read from a BIO. The previous method was
17841   to create a memory BIO and write the data to it, this results in two
17842   copies of the data and an O(n^2) reading algorithm. There is a new
17843   function BIO_new_mem_buf() which creates a read only memory BIO from
17844   an area of memory. Also modified the PKCS#7 routines to use read only
17845   memory BIOs.
17846
17847   *Steve Henson*
17848
17849 * Bugfix: ssl23_get_client_hello did not work properly when called in
17850   state SSL23_ST_SR_CLNT_HELLO_B, i.e. when the first 7 bytes of
17851   a SSLv2-compatible client hello for SSLv3 or TLSv1 could be read,
17852   but a retry condition occurred while trying to read the rest.
17853
17854   *Bodo Moeller*
17855
17856 * The PKCS7_ENC_CONTENT_new() function was setting the content type as
17857   NID_pkcs7_encrypted by default: this was wrong since this should almost
17858   always be NID_pkcs7_data. Also modified the PKCS7_set_type() to handle
17859   the encrypted data type: this is a more sensible place to put it and it
17860   allows the PKCS#12 code to be tidied up that duplicated this
17861   functionality.
17862
17863   *Steve Henson*
17864
17865 * Changed obj_dat.pl script so it takes its input and output files on
17866   the command line. This should avoid shell escape redirection problems
17867   under Win32.
17868
17869   *Steve Henson*
17870
17871 * Initial support for certificate extension requests, these are included
17872   in things like Xenroll certificate requests. Included functions to allow
17873   extensions to be obtained and added.
17874
17875   *Steve Henson*
17876
17877 * -crlf option to s_client and s_server for sending newlines as
17878   CRLF (as required by many protocols).
17879
17880   *Bodo Moeller*
17881
17882### Changes between 0.9.3a and 0.9.4  [09 Aug 1999]
17883
17884 * Install libRSAglue.a when OpenSSL is built with RSAref.
17885
17886   *Ralf S. Engelschall*
17887
17888 * A few more `#ifndef NO_FP_API / #endif` pairs for consistency.
17889
17890   *Andrija Antonijevic <TheAntony2@bigfoot.com>*
17891
17892 * Fix -startdate and -enddate (which was missing) arguments to 'ca'
17893   program.
17894
17895   *Steve Henson*
17896
17897 * New function DSA_dup_DH, which duplicates DSA parameters/keys as
17898   DH parameters/keys (q is lost during that conversion, but the resulting
17899   DH parameters contain its length).
17900
17901   For 1024-bit p, DSA_generate_parameters followed by DSA_dup_DH is
17902   much faster than DH_generate_parameters (which creates parameters
17903   where `p = 2*q + 1`), and also the smaller q makes DH computations
17904   much more efficient (160-bit exponentiation instead of 1024-bit
17905   exponentiation); so this provides a convenient way to support DHE
17906   ciphersuites in SSL/TLS servers (see ssl/ssltest.c).  It is of
17907   utter importance to use
17908           SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
17909   or
17910           SSL_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
17911   when such DH parameters are used, because otherwise small subgroup
17912   attacks may become possible!
17913
17914   *Bodo Moeller*
17915
17916 * Avoid memory leak in i2d_DHparams.
17917
17918   *Bodo Moeller*
17919
17920 * Allow the -k option to be used more than once in the enc program:
17921   this allows the same encrypted message to be read by multiple recipients.
17922
17923   *Steve Henson*
17924
17925 * New function OBJ_obj2txt(buf, buf_len, a, no_name), this converts
17926   an ASN1_OBJECT to a text string. If the "no_name" parameter is set then
17927   it will always use the numerical form of the OID, even if it has a short
17928   or long name.
17929
17930   *Steve Henson*
17931
17932 * Added an extra RSA flag: RSA_FLAG_EXT_PKEY. Previously the rsa_mod_exp
17933   method only got called if p,q,dmp1,dmq1,iqmp components were present,
17934   otherwise bn_mod_exp was called. In the case of hardware keys for example
17935   no private key components need be present and it might store extra data
17936   in the RSA structure, which cannot be accessed from bn_mod_exp.
17937   By setting RSA_FLAG_EXT_PKEY rsa_mod_exp will always be called for
17938   private key operations.
17939
17940   *Steve Henson*
17941
17942 * Added support for SPARC Linux.
17943
17944   *Andy Polyakov*
17945
17946 * pem_password_cb function type incompatibly changed from
17947           typedef int pem_password_cb(char *buf, int size, int rwflag);
17948   to
17949           ....(char *buf, int size, int rwflag, void *userdata);
17950   so that applications can pass data to their callbacks:
17951   The `PEM[_ASN1]_{read,write}...` functions and macros now take an
17952   additional void * argument, which is just handed through whenever
17953   the password callback is called.
17954
17955   *Damien Miller <dmiller@ilogic.com.au>; tiny changes by Bodo Moeller*
17956
17957   New function SSL_CTX_set_default_passwd_cb_userdata.
17958
17959   Compatibility note: As many C implementations push function arguments
17960   onto the stack in reverse order, the new library version is likely to
17961   interoperate with programs that have been compiled with the old
17962   pem_password_cb definition (PEM_whatever takes some data that
17963   happens to be on the stack as its last argument, and the callback
17964   just ignores this garbage); but there is no guarantee whatsoever that
17965   this will work.
17966
17967 * The -DPLATFORM="\"$(PLATFORM)\"" definition and the similar -DCFLAGS=...
17968   (both in crypto/Makefile.ssl for use by crypto/cversion.c) caused
17969   problems not only on Windows, but also on some Unix platforms.
17970   To avoid problematic command lines, these definitions are now in an
17971   auto-generated file crypto/buildinf.h (created by crypto/Makefile.ssl
17972   for standard "make" builds, by util/mk1mf.pl for "mk1mf" builds).
17973
17974   *Bodo Moeller*
17975
17976 * MIPS III/IV assembler module is reimplemented.
17977
17978   *Andy Polyakov*
17979
17980 * More DES library cleanups: remove references to srand/rand and
17981   delete an unused file.
17982
17983   *Ulf Möller*
17984
17985 * Add support for the free Netwide assembler (NASM) under Win32,
17986   since not many people have MASM (ml) and it can be hard to obtain.
17987   This is currently experimental but it seems to work OK and pass all
17988   the tests. Check out INSTALL.W32 for info.
17989
17990   *Steve Henson*
17991
17992 * Fix memory leaks in s3_clnt.c: All non-anonymous SSL3/TLS1 connections
17993   without temporary keys kept an extra copy of the server key,
17994   and connections with temporary keys did not free everything in case
17995   of an error.
17996
17997   *Bodo Moeller*
17998
17999 * New function RSA_check_key and new openssl rsa option -check
18000   for verifying the consistency of RSA keys.
18001
18002   *Ulf Moeller, Bodo Moeller*
18003
18004 * Various changes to make Win32 compile work:
18005   1. Casts to avoid "loss of data" warnings in p5_crpt2.c
18006   2. Change unsigned int to int in b_dump.c to avoid "signed/unsigned
18007      comparison" warnings.
18008   3. Add `sk_<TYPE>_sort` to DEF file generator and do make update.
18009
18010   *Steve Henson*
18011
18012 * Add a debugging option to PKCS#5 v2 key generation function: when
18013   you #define DEBUG_PKCS5V2 passwords, salts, iteration counts and
18014   derived keys are printed to stderr.
18015
18016   *Steve Henson*
18017
18018 * Copy the flags in ASN1_STRING_dup().
18019
18020   *Roman E. Pavlov <pre@mo.msk.ru>*
18021
18022 * The x509 application mishandled signing requests containing DSA
18023   keys when the signing key was also DSA and the parameters didn't match.
18024
18025   It was supposed to omit the parameters when they matched the signing key:
18026   the verifying software was then supposed to automatically use the CA's
18027   parameters if they were absent from the end user certificate.
18028
18029   Omitting parameters is no longer recommended. The test was also
18030   the wrong way round! This was probably due to unusual behaviour in
18031   EVP_cmp_parameters() which returns 1 if the parameters match.
18032   This meant that parameters were omitted when they *didn't* match and
18033   the certificate was useless. Certificates signed with 'ca' didn't have
18034   this bug.
18035
18036   *Steve Henson, reported by Doug Erickson <Doug.Erickson@Part.NET>*
18037
18038 * Memory leak checking (-DCRYPTO_MDEBUG) had some problems.
18039   The interface is as follows:
18040   Applications can use
18041           CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON) aka MemCheck_start(),
18042           CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_OFF) aka MemCheck_stop();
18043   "off" is now the default.
18044   The library internally uses
18045           CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE) aka MemCheck_off(),
18046           CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE) aka MemCheck_on()
18047   to disable memory-checking temporarily.
18048
18049   Some inconsistent states that previously were possible (and were
18050   even the default) are now avoided.
18051
18052   -DCRYPTO_MDEBUG_TIME is new and additionally stores the current time
18053   with each memory chunk allocated; this is occasionally more helpful
18054   than just having a counter.
18055
18056   -DCRYPTO_MDEBUG_THREAD is also new and adds the thread ID.
18057
18058   -DCRYPTO_MDEBUG_ALL enables all of the above, plus any future
18059   extensions.
18060
18061   *Bodo Moeller*
18062
18063 * Introduce "mode" for SSL structures (with defaults in SSL_CTX),
18064   which largely parallels "options", but is for changing API behaviour,
18065   whereas "options" are about protocol behaviour.
18066   Initial "mode" flags are:
18067
18068   SSL_MODE_ENABLE_PARTIAL_WRITE   Allow SSL_write to report success when
18069                                   a single record has been written.
18070   SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER  Don't insist that SSL_write
18071                                   retries use the same buffer location.
18072                                   (But all of the contents must be
18073                                   copied!)
18074
18075   *Bodo Moeller*
18076
18077 * Bugfix: SSL_set_options ignored its parameter, only SSL_CTX_set_options
18078   worked.
18079
18080 * Fix problems with no-hmac etc.
18081
18082   *Ulf Möller, pointed out by Brian Wellington <bwelling@tislabs.com>*
18083
18084 * New functions RSA_get_default_method(), RSA_set_method() and
18085   RSA_get_method(). These allows replacement of RSA_METHODs without having
18086   to mess around with the internals of an RSA structure.
18087
18088   *Steve Henson*
18089
18090 * Fix memory leaks in DSA_do_sign and DSA_is_prime.
18091   Also really enable memory leak checks in openssl.c and in some
18092   test programs.
18093
18094   *Chad C. Mulligan, Bodo Moeller*
18095
18096 * Fix a bug in d2i_ASN1_INTEGER() and i2d_ASN1_INTEGER() which can mess
18097   up the length of negative integers. This has now been simplified to just
18098   store the length when it is first determined and use it later, rather
18099   than trying to keep track of where data is copied and updating it to
18100   point to the end.
18101   *Steve Henson, reported by Brien Wheeler <bwheeler@authentica-security.com>*
18102
18103 * Add a new function PKCS7_signatureVerify. This allows the verification
18104   of a PKCS#7 signature but with the signing certificate passed to the
18105   function itself. This contrasts with PKCS7_dataVerify which assumes the
18106   certificate is present in the PKCS#7 structure. This isn't always the
18107   case: certificates can be omitted from a PKCS#7 structure and be
18108   distributed by "out of band" means (such as a certificate database).
18109
18110   *Steve Henson*
18111
18112 * Complete the `PEM_*` macros with DECLARE_PEM versions to replace the
18113   function prototypes in pem.h, also change util/mkdef.pl to add the
18114   necessary function names.
18115
18116   *Steve Henson*
18117
18118 * mk1mf.pl (used by Windows builds) did not properly read the
18119   options set by Configure in the top level Makefile, and Configure
18120   was not even able to write more than one option correctly.
18121   Fixed, now "no-idea no-rc5 -DCRYPTO_MDEBUG" etc. works as intended.
18122
18123   *Bodo Moeller*
18124
18125 * New functions CONF_load_bio() and CONF_load_fp() to allow a config
18126   file to be loaded from a BIO or FILE pointer. The BIO version will
18127   for example allow memory BIOs to contain config info.
18128
18129   *Steve Henson*
18130
18131 * New function "CRYPTO_num_locks" that returns CRYPTO_NUM_LOCKS.
18132   Whoever hopes to achieve shared-library compatibility across versions
18133   must use this, not the compile-time macro.
18134   (Exercise 0.9.4: Which is the minimum library version required by
18135   such programs?)
18136   Note: All this applies only to multi-threaded programs, others don't
18137   need locks.
18138
18139   *Bodo Moeller*
18140
18141 * Add missing case to s3_clnt.c state machine -- one of the new SSL tests
18142   through a BIO pair triggered the default case, i.e.
18143   SSLerr(...,SSL_R_UNKNOWN_STATE).
18144
18145   *Bodo Moeller*
18146
18147 * New "BIO pair" concept (crypto/bio/bss_bio.c) so that applications
18148   can use the SSL library even if none of the specific BIOs is
18149   appropriate.
18150
18151   *Bodo Moeller*
18152
18153 * Fix a bug in i2d_DSAPublicKey() which meant it returned the wrong value
18154   for the encoded length.
18155
18156   *Jeon KyoungHo <khjeon@sds.samsung.co.kr>*
18157
18158 * Add initial documentation of the X509V3 functions.
18159
18160   *Steve Henson*
18161
18162 * Add a new pair of functions PEM_write_PKCS8PrivateKey() and
18163   PEM_write_bio_PKCS8PrivateKey() that are equivalent to
18164   PEM_write_PrivateKey() and PEM_write_bio_PrivateKey() but use the more
18165   secure PKCS#8 private key format with a high iteration count.
18166
18167   *Steve Henson*
18168
18169 * Fix determination of Perl interpreter: A perl or perl5
18170   *directory* in $PATH was also accepted as the interpreter.
18171
18172   *Ralf S. Engelschall*
18173
18174 * Fix demos/sign/sign.c: well there wasn't anything strictly speaking
18175   wrong with it but it was very old and did things like calling
18176   PEM_ASN1_read() directly and used MD5 for the hash not to mention some
18177   unusual formatting.
18178
18179   *Steve Henson*
18180
18181 * Fix demos/selfsign.c: it used obsolete and deleted functions, changed
18182   to use the new extension code.
18183
18184   *Steve Henson*
18185
18186 * Implement the PEM_read/PEM_write functions in crypto/pem/pem_all.c
18187   with macros. This should make it easier to change their form, add extra
18188   arguments etc. Fix a few PEM prototypes which didn't have cipher as a
18189   constant.
18190
18191   *Steve Henson*
18192
18193 * Add to configuration table a new entry that can specify an alternative
18194   name for unistd.h (for pre-POSIX systems); we need this for NeXTstep,
18195   according to Mark Crispin <MRC@Panda.COM>.
18196
18197   *Bodo Moeller*
18198
18199 * DES CBC did not update the IV. Weird.
18200
18201   *Ben Laurie*
18202lse
18203   des_cbc_encrypt does not update the IV, but des_ncbc_encrypt does.
18204   Changing the behaviour of the former might break existing programs --
18205   where IV updating is needed, des_ncbc_encrypt can be used.
18206ndif
18207
18208 * When bntest is run from "make test" it drives bc to check its
18209   calculations, as well as internally checking them. If an internal check
18210   fails, it needs to cause bc to give a non-zero result or make test carries
18211   on without noticing the failure. Fixed.
18212
18213   *Ben Laurie*
18214
18215 * DES library cleanups.
18216
18217   *Ulf Möller*
18218
18219 * Add support for PKCS#5 v2.0 PBE algorithms. This will permit PKCS#8 to be
18220   used with any cipher unlike PKCS#5 v1.5 which can at most handle 64 bit
18221   ciphers. NOTE: although the key derivation function has been verified
18222   against some published test vectors it has not been extensively tested
18223   yet. Added a -v2 "cipher" option to pkcs8 application to allow the use
18224   of v2.0.
18225
18226   *Steve Henson*
18227
18228 * Instead of "mkdir -p", which is not fully portable, use new
18229   Perl script "util/mkdir-p.pl".
18230
18231   *Bodo Moeller*
18232
18233 * Rewrite the way password based encryption (PBE) is handled. It used to
18234   assume that the ASN1 AlgorithmIdentifier parameter was a PBEParameter
18235   structure. This was true for the PKCS#5 v1.5 and PKCS#12 PBE algorithms
18236   but doesn't apply to PKCS#5 v2.0 where it can be something else. Now
18237   the 'parameter' field of the AlgorithmIdentifier is passed to the
18238   underlying key generation function so it must do its own ASN1 parsing.
18239   This has also changed the EVP_PBE_CipherInit() function which now has a
18240   'parameter' argument instead of literal salt and iteration count values
18241   and the function EVP_PBE_ALGOR_CipherInit() has been deleted.
18242
18243   *Steve Henson*
18244
18245 * Support for PKCS#5 v1.5 compatible password based encryption algorithms
18246   and PKCS#8 functionality. New 'pkcs8' application linked to openssl.
18247   Needed to change the PEM_STRING_EVP_PKEY value which was just "PRIVATE
18248   KEY" because this clashed with PKCS#8 unencrypted string. Since this
18249   value was just used as a "magic string" and not used directly its
18250   value doesn't matter.
18251
18252   *Steve Henson*
18253
18254 * Introduce some semblance of const correctness to BN. Shame C doesn't
18255   support mutable.
18256
18257   *Ben Laurie*
18258
18259 * "linux-sparc64" configuration (ultrapenguin).
18260
18261   *Ray Miller <ray.miller@oucs.ox.ac.uk>*
18262   "linux-sparc" configuration.
18263
18264   *Christian Forster <fo@hawo.stw.uni-erlangen.de>*
18265
18266 * config now generates no-xxx options for missing ciphers.
18267
18268   *Ulf Möller*
18269
18270 * Support the EBCDIC character set (work in progress).
18271   File ebcdic.c not yet included because it has a different license.
18272
18273   *Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>*
18274
18275 * Support BS2000/OSD-POSIX.
18276
18277   *Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>*
18278
18279 * Make callbacks for key generation use `void *` instead of `char *`.
18280
18281   *Ben Laurie*
18282
18283 * Make S/MIME samples compile (not yet tested).
18284
18285   *Ben Laurie*
18286
18287 * Additional typesafe stacks.
18288
18289   *Ben Laurie*
18290
18291 * New configuration variants "bsdi-elf-gcc" (BSD/OS 4.x).
18292
18293   *Bodo Moeller*
18294
18295### Changes between 0.9.3 and 0.9.3a  [29 May 1999]
18296
18297 * New configuration variant "sco5-gcc".
18298
18299 * Updated some demos.
18300
18301   *Sean O Riordain, Wade Scholine*
18302
18303 * Add missing BIO_free at exit of pkcs12 application.
18304
18305   *Wu Zhigang*
18306
18307 * Fix memory leak in conf.c.
18308
18309   *Steve Henson*
18310
18311 * Updates for Win32 to assembler version of MD5.
18312
18313   *Steve Henson*
18314
18315 * Set #! path to perl in `apps/der_chop` to where we found it
18316   instead of using a fixed path.
18317
18318   *Bodo Moeller*
18319
18320 * SHA library changes for irix64-mips4-cc.
18321
18322   *Andy Polyakov*
18323
18324 * Improvements for VMS support.
18325
18326   *Richard Levitte*
18327
18328### Changes between 0.9.2b and 0.9.3  [24 May 1999]
18329
18330 * Bignum library bug fix. IRIX 6 passes "make test" now!
18331   This also avoids the problems with SC4.2 and unpatched SC5.
18332
18333   *Andy Polyakov <appro@fy.chalmers.se>*
18334
18335 * New functions sk_num, sk_value and sk_set to replace the previous macros.
18336   These are required because of the typesafe stack would otherwise break
18337   existing code. If old code used a structure member which used to be STACK
18338   and is now STACK_OF (for example cert in a PKCS7_SIGNED structure) with
18339   sk_num or sk_value it would produce an error because the num, data members
18340   are not present in STACK_OF. Now it just produces a warning. sk_set
18341   replaces the old method of assigning a value to sk_value
18342   (e.g. sk_value(x, i) = y) which the library used in a few cases. Any code
18343   that does this will no longer work (and should use sk_set instead) but
18344   this could be regarded as a "questionable" behaviour anyway.
18345
18346   *Steve Henson*
18347
18348 * Fix most of the other PKCS#7 bugs. The "experimental" code can now
18349   correctly handle encrypted S/MIME data.
18350
18351   *Steve Henson*
18352
18353 * Change type of various DES function arguments from des_cblock
18354   (which means, in function argument declarations, pointer to char)
18355   to des_cblock * (meaning pointer to array with 8 char elements),
18356   which allows the compiler to do more typechecking; it was like
18357   that back in SSLeay, but with lots of ugly casts.
18358
18359   Introduce new type const_des_cblock.
18360
18361   *Bodo Moeller*
18362
18363 * Reorganise the PKCS#7 library and get rid of some of the more obvious
18364   problems: find RecipientInfo structure that matches recipient certificate
18365   and initialise the ASN1 structures properly based on passed cipher.
18366
18367   *Steve Henson*
18368
18369 * Belatedly make the BN tests actually check the results.
18370
18371   *Ben Laurie*
18372
18373 * Fix the encoding and decoding of negative ASN1 INTEGERS and conversion
18374   to and from BNs: it was completely broken. New compilation option
18375   NEG_PUBKEY_BUG to allow for some broken certificates that encode public
18376   key elements as negative integers.
18377
18378   *Steve Henson*
18379
18380 * Reorganize and speed up MD5.
18381
18382   *Andy Polyakov <appro@fy.chalmers.se>*
18383
18384 * VMS support.
18385
18386   *Richard Levitte <richard@levitte.org>*
18387
18388 * New option -out to asn1parse to allow the parsed structure to be
18389   output to a file. This is most useful when combined with the -strparse
18390   option to examine the output of things like OCTET STRINGS.
18391
18392   *Steve Henson*
18393
18394 * Make SSL library a little more fool-proof by not requiring any longer
18395   that `SSL_set_{accept,connect}_state` be called before
18396   `SSL_{accept,connect}` may be used (`SSL_set_..._state` is omitted
18397   in many applications because usually everything *appeared* to work as
18398   intended anyway -- now it really works as intended).
18399
18400   *Bodo Moeller*
18401
18402 * Move openssl.cnf out of lib/.
18403
18404   *Ulf Möller*
18405
18406 * Fix various things to let OpenSSL even pass "egcc -pipe -O2 -Wall
18407   -Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes
18408   -Wmissing-declarations -Wnested-externs -Winline" with EGCS 1.1.2+
18409
18410   *Ralf S. Engelschall*
18411
18412 * Various fixes to the EVP and PKCS#7 code. It may now be able to
18413   handle PKCS#7 enveloped data properly.
18414
18415   *Sebastian Akerman <sak@parallelconsulting.com>, modified by Steve*
18416
18417 * Create a duplicate of the SSL_CTX's CERT in SSL_new instead of
18418   copying pointers.  The cert_st handling is changed by this in
18419   various ways (and thus what used to be known as ctx->default_cert
18420   is now called ctx->cert, since we don't resort to `s->ctx->[default_]cert`
18421   any longer when s->cert does not give us what we need).
18422   ssl_cert_instantiate becomes obsolete by this change.
18423   As soon as we've got the new code right (possibly it already is?),
18424   we have solved a couple of bugs of the earlier code where s->cert
18425   was used as if it could not have been shared with other SSL structures.
18426
18427   Note that using the SSL API in certain dirty ways now will result
18428   in different behaviour than observed with earlier library versions:
18429   Changing settings for an `SSL_CTX *ctx` after having done s = SSL_new(ctx)
18430   does not influence s as it used to.
18431
18432   In order to clean up things more thoroughly, inside SSL_SESSION
18433   we don't use CERT any longer, but a new structure SESS_CERT
18434   that holds per-session data (if available); currently, this is
18435   the peer's certificate chain and, for clients, the server's certificate
18436   and temporary key.  CERT holds only those values that can have
18437   meaningful defaults in an SSL_CTX.
18438
18439   *Bodo Moeller*
18440
18441 * New function X509V3_EXT_i2d() to create an X509_EXTENSION structure
18442   from the internal representation. Various PKCS#7 fixes: remove some
18443   evil casts and set the enc_dig_alg field properly based on the signing
18444   key type.
18445
18446   *Steve Henson*
18447
18448 * Allow PKCS#12 password to be set from the command line or the
18449   environment. Let 'ca' get its config file name from the environment
18450   variables "OPENSSL_CONF" or "SSLEAY_CONF" (for consistency with 'req'
18451   and 'x509').
18452
18453   *Steve Henson*
18454
18455 * Allow certificate policies extension to use an IA5STRING for the
18456   organization field. This is contrary to the PKIX definition but
18457   VeriSign uses it and IE5 only recognises this form. Document 'x509'
18458   extension option.
18459
18460   *Steve Henson*
18461
18462 * Add PEDANTIC compiler flag to allow compilation with gcc -pedantic,
18463   without disallowing inline assembler and the like for non-pedantic builds.
18464
18465   *Ben Laurie*
18466
18467 * Support Borland C++ builder.
18468
18469   *Janez Jere <jj@void.si>, modified by Ulf Möller*
18470
18471 * Support Mingw32.
18472
18473   *Ulf Möller*
18474
18475 * SHA-1 cleanups and performance enhancements.
18476
18477   *Andy Polyakov <appro@fy.chalmers.se>*
18478
18479 * Sparc v8plus assembler for the bignum library.
18480
18481   *Andy Polyakov <appro@fy.chalmers.se>*
18482
18483 * Accept any -xxx and +xxx compiler options in Configure.
18484
18485   *Ulf Möller*
18486
18487 * Update HPUX configuration.
18488
18489   *Anonymous*
18490
18491 * Add missing `sk_<type>_unshift()` function to safestack.h
18492
18493   *Ralf S. Engelschall*
18494
18495 * New function SSL_CTX_use_certificate_chain_file that sets the
18496   "extra_cert"s in addition to the certificate.  (This makes sense
18497   only for "PEM" format files, as chains as a whole are not
18498   DER-encoded.)
18499
18500   *Bodo Moeller*
18501
18502 * Support verify_depth from the SSL API.
18503   x509_vfy.c had what can be considered an off-by-one-error:
18504   Its depth (which was not part of the external interface)
18505   was actually counting the number of certificates in a chain;
18506   now it really counts the depth.
18507
18508   *Bodo Moeller*
18509
18510 * Bugfix in crypto/x509/x509_cmp.c: The SSLerr macro was used
18511   instead of X509err, which often resulted in confusing error
18512   messages since the error codes are not globally unique
18513   (e.g. an alleged error in ssl3_accept when a certificate
18514   didn't match the private key).
18515
18516 * New function SSL_CTX_set_session_id_context that allows to set a default
18517   value (so that you don't need SSL_set_session_id_context for each
18518   connection using the SSL_CTX).
18519
18520   *Bodo Moeller*
18521
18522 * OAEP decoding bug fix.
18523
18524   *Ulf Möller*
18525
18526 * Support INSTALL_PREFIX for package builders, as proposed by
18527   David Harris.
18528
18529   *Bodo Moeller*
18530
18531 * New Configure options "threads" and "no-threads".  For systems
18532   where the proper compiler options are known (currently Solaris
18533   and Linux), "threads" is the default.
18534
18535   *Bodo Moeller*
18536
18537 * New script util/mklink.pl as a faster substitute for util/mklink.sh.
18538
18539   *Bodo Moeller*
18540
18541 * Install various scripts to $(OPENSSLDIR)/misc, not to
18542   $(INSTALLTOP)/bin -- they shouldn't clutter directories
18543   such as /usr/local/bin.
18544
18545   *Bodo Moeller*
18546
18547 * "make linux-shared" to build shared libraries.
18548
18549   *Niels Poppe <niels@netbox.org>*
18550
18551 * New Configure option `no-<cipher>` (rsa, idea, rc5, ...).
18552
18553   *Ulf Möller*
18554
18555 * Add the PKCS#12 API documentation to openssl.txt. Preliminary support for
18556   extension adding in x509 utility.
18557
18558   *Steve Henson*
18559
18560 * Remove NOPROTO sections and error code comments.
18561
18562   *Ulf Möller*
18563
18564 * Partial rewrite of the DEF file generator to now parse the ANSI
18565   prototypes.
18566
18567   *Steve Henson*
18568
18569 * New Configure options --prefix=DIR and --openssldir=DIR.
18570
18571   *Ulf Möller*
18572
18573 * Complete rewrite of the error code script(s). It is all now handled
18574   by one script at the top level which handles error code gathering,
18575   header rewriting and C source file generation. It should be much better
18576   than the old method: it now uses a modified version of Ulf's parser to
18577   read the ANSI prototypes in all header files (thus the old K&R definitions
18578   aren't needed for error creation any more) and do a better job of
18579   translating function codes into names. The old 'ASN1 error code embedded
18580   in a comment' is no longer necessary and it doesn't use .err files which
18581   have now been deleted. Also the error code call doesn't have to appear all
18582   on one line (which resulted in some large lines...).
18583
18584   *Steve Henson*
18585
18586 * Change #include filenames from `<foo.h>` to `<openssl/foo.h>`.
18587
18588   *Bodo Moeller*
18589
18590 * Change behaviour of ssl2_read when facing length-0 packets: Don't return
18591   0 (which usually indicates a closed connection), but continue reading.
18592
18593   *Bodo Moeller*
18594
18595 * Fix some race conditions.
18596
18597   *Bodo Moeller*
18598
18599 * Add support for CRL distribution points extension. Add Certificate
18600   Policies and CRL distribution points documentation.
18601
18602   *Steve Henson*
18603
18604 * Move the autogenerated header file parts to crypto/opensslconf.h.
18605
18606   *Ulf Möller*
18607
18608 * Fix new 56-bit DES export ciphersuites: they were using 7 bytes instead of
18609   8 of keying material. Merlin has also confirmed interop with this fix
18610   between OpenSSL and Baltimore C/SSL 2.0 and J/SSL 2.0.
18611
18612   *Merlin Hughes <merlin@baltimore.ie>*
18613
18614 * Fix lots of warnings.
18615
18616   *Richard Levitte <levitte@stacken.kth.se>*
18617
18618 * In add_cert_dir() in crypto/x509/by_dir.c, break out of the loop if
18619   the directory spec didn't end with a LIST_SEPARATOR_CHAR.
18620
18621   *Richard Levitte <levitte@stacken.kth.se>*
18622
18623 * Fix problems with sizeof(long) == 8.
18624
18625   *Andy Polyakov <appro@fy.chalmers.se>*
18626
18627 * Change functions to ANSI C.
18628
18629   *Ulf Möller*
18630
18631 * Fix typos in error codes.
18632
18633   *Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>, Ulf Möller*
18634
18635 * Remove defunct assembler files from Configure.
18636
18637   *Ulf Möller*
18638
18639 * SPARC v8 assembler BIGNUM implementation.
18640
18641   *Andy Polyakov <appro@fy.chalmers.se>*
18642
18643 * Support for Certificate Policies extension: both print and set.
18644   Various additions to support the r2i method this uses.
18645
18646   *Steve Henson*
18647
18648 * A lot of constification, and fix a bug in X509_NAME_oneline() that could
18649   return a const string when you are expecting an allocated buffer.
18650
18651   *Ben Laurie*
18652
18653 * Add support for ASN1 types UTF8String and VISIBLESTRING, also the CHOICE
18654   types DirectoryString and DisplayText.
18655
18656   *Steve Henson*
18657
18658 * Add code to allow r2i extensions to access the configuration database,
18659   add an LHASH database driver and add several ctx helper functions.
18660
18661   *Steve Henson*
18662
18663 * Fix an evil bug in bn_expand2() which caused various BN functions to
18664   fail when they extended the size of a BIGNUM.
18665
18666   *Steve Henson*
18667
18668 * Various utility functions to handle SXNet extension. Modify mkdef.pl to
18669   support typesafe stack.
18670
18671   *Steve Henson*
18672
18673 * Fix typo in SSL_[gs]et_options().
18674
18675   *Nils Frostberg <nils@medcom.se>*
18676
18677 * Delete various functions and files that belonged to the (now obsolete)
18678   old X509V3 handling code.
18679
18680   *Steve Henson*
18681
18682 * New Configure option "rsaref".
18683
18684   *Ulf Möller*
18685
18686 * Don't auto-generate pem.h.
18687
18688   *Bodo Moeller*
18689
18690 * Introduce type-safe ASN.1 SETs.
18691
18692   *Ben Laurie*
18693
18694 * Convert various additional casted stacks to type-safe STACK_OF() variants.
18695
18696   *Ben Laurie, Ralf S. Engelschall, Steve Henson*
18697
18698 * Introduce type-safe STACKs. This will almost certainly break lots of code
18699   that links with OpenSSL (well at least cause lots of warnings), but fear
18700   not: the conversion is trivial, and it eliminates loads of evil casts. A
18701   few STACKed things have been converted already. Feel free to convert more.
18702   In the fullness of time, I'll do away with the STACK type altogether.
18703
18704   *Ben Laurie*
18705
18706 * Add `openssl ca -revoke <certfile>` facility which revokes a certificate
18707   specified in `<certfile>` by updating the entry in the index.txt file.
18708   This way one no longer has to edit the index.txt file manually for
18709   revoking a certificate. The -revoke option does the gory details now.
18710
18711   *Massimiliano Pala <madwolf@openca.org>, Ralf S. Engelschall*
18712
18713 * Fix `openssl crl -noout -text` combination where `-noout` killed the
18714   `-text` option at all and this way the `-noout -text` combination was
18715   inconsistent in `openssl crl` with the friends in `openssl x509|rsa|dsa`.
18716
18717   *Ralf S. Engelschall*
18718
18719 * Make sure a corresponding plain text error message exists for the
18720   X509_V_ERR_CERT_REVOKED/23 error number which can occur when a
18721   verify callback function determined that a certificate was revoked.
18722
18723   *Ralf S. Engelschall*
18724
18725 * Bugfix: In test/testenc, don't test `openssl <cipher>` for
18726   ciphers that were excluded, e.g. by -DNO_IDEA.  Also, test
18727   all available ciphers including rc5, which was forgotten until now.
18728   In order to let the testing shell script know which algorithms
18729   are available, a new (up to now undocumented) command
18730   `openssl list-cipher-commands` is used.
18731
18732   *Bodo Moeller*
18733
18734 * Bugfix: s_client occasionally would sleep in select() when
18735   it should have checked SSL_pending() first.
18736
18737   *Bodo Moeller*
18738
18739 * New functions DSA_do_sign and DSA_do_verify to provide access to
18740   the raw DSA values prior to ASN.1 encoding.
18741
18742   *Ulf Möller*
18743
18744 * Tweaks to Configure
18745
18746   *Niels Poppe <niels@netbox.org>*
18747
18748 * Add support for PKCS#5 v2.0 ASN1 PBES2 structures. No other support,
18749   yet...
18750
18751   *Steve Henson*
18752
18753 * New variables $(RANLIB) and $(PERL) in the Makefiles.
18754
18755   *Ulf Möller*
18756
18757 * New config option to avoid instructions that are illegal on the 80386.
18758   The default code is faster, but requires at least a 486.
18759
18760   *Ulf Möller*
18761
18762 * Got rid of old SSL2_CLIENT_VERSION (inconsistently used) and
18763   SSL2_SERVER_VERSION (not used at all) macros, which are now the
18764   same as SSL2_VERSION anyway.
18765
18766   *Bodo Moeller*
18767
18768 * New "-showcerts" option for s_client.
18769
18770   *Bodo Moeller*
18771
18772 * Still more PKCS#12 integration. Add pkcs12 application to openssl
18773   application. Various cleanups and fixes.
18774
18775   *Steve Henson*
18776
18777 * More PKCS#12 integration. Add new pkcs12 directory with Makefile.ssl and
18778   modify error routines to work internally. Add error codes and PBE init
18779   to library startup routines.
18780
18781   *Steve Henson*
18782
18783 * Further PKCS#12 integration. Added password based encryption, PKCS#8 and
18784   packing functions to asn1 and evp. Changed function names and error
18785   codes along the way.
18786
18787   *Steve Henson*
18788
18789 * PKCS12 integration: and so it begins... First of several patches to
18790   slowly integrate PKCS#12 functionality into OpenSSL. Add PKCS#12
18791   objects to objects.h
18792
18793   *Steve Henson*
18794
18795 * Add a new 'indent' option to some X509V3 extension code. Initial ASN1
18796   and display support for Thawte strong extranet extension.
18797
18798   *Steve Henson*
18799
18800 * Add LinuxPPC support.
18801
18802   *Jeff Dubrule <igor@pobox.org>*
18803
18804 * Get rid of redundant BN file bn_mulw.c, and rename bn_div64 to
18805   bn_div_words in alpha.s.
18806
18807   *Hannes Reinecke <H.Reinecke@hw.ac.uk> and Ben Laurie*
18808
18809 * Make sure the RSA OAEP test is skipped under -DRSAref because
18810   OAEP isn't supported when OpenSSL is built with RSAref.
18811
18812   *Ulf Moeller <ulf@fitug.de>*
18813
18814 * Move definitions of IS_SET/IS_SEQUENCE inside crypto/asn1/asn1.h
18815   so they no longer are missing under -DNOPROTO.
18816
18817   *Soren S. Jorvang <soren@t.dk>*
18818
18819### Changes between 0.9.1c and 0.9.2b  [22 Mar 1999]
18820
18821 * Make SSL_get_peer_cert_chain() work in servers. Unfortunately, it still
18822   doesn't work when the session is reused. Coming soon!
18823
18824   *Ben Laurie*
18825
18826 * Fix a security hole, that allows sessions to be reused in the wrong
18827   context thus bypassing client cert protection! All software that uses
18828   client certs and session caches in multiple contexts NEEDS PATCHING to
18829   allow session reuse! A fuller solution is in the works.
18830
18831   *Ben Laurie, problem pointed out by Holger Reif, Bodo Moeller (and ???)*
18832
18833 * Some more source tree cleanups (removed obsolete files
18834   crypto/bf/asm/bf586.pl, test/test.txt and crypto/sha/asm/f.s; changed
18835   permission on "config" script to be executable) and a fix for the INSTALL
18836   document.
18837
18838   *Ulf Moeller <ulf@fitug.de>*
18839
18840 * Remove some legacy and erroneous uses of malloc, free instead of
18841   Malloc, Free.
18842
18843   *Lennart Bang <lob@netstream.se>, with minor changes by Steve*
18844
18845 * Make rsa_oaep_test return non-zero on error.
18846
18847   *Ulf Moeller <ulf@fitug.de>*
18848
18849 * Add support for native Solaris shared libraries. Configure
18850   solaris-sparc-sc4-pic, make, then run shlib/solaris-sc4.sh. It'd be nice
18851   if someone would make that last step automatic.
18852
18853   *Matthias Loepfe <Matthias.Loepfe@AdNovum.CH>*
18854
18855 * ctx_size was not built with the right compiler during "make links". Fixed.
18856
18857   *Ben Laurie*
18858
18859 * Change the meaning of 'ALL' in the cipher list. It now means "everything
18860   except NULL ciphers". This means the default cipher list will no longer
18861   enable NULL ciphers. They need to be specifically enabled e.g. with
18862   the string "DEFAULT:eNULL".
18863
18864   *Steve Henson*
18865
18866 * Fix to RSA private encryption routines: if p < q then it would
18867   occasionally produce an invalid result. This will only happen with
18868   externally generated keys because OpenSSL (and SSLeay) ensure p > q.
18869
18870   *Steve Henson*
18871
18872 * Be less restrictive and allow also `perl util/perlpath.pl
18873   /path/to/bin/perl` in addition to `perl util/perlpath.pl /path/to/bin`,
18874   because this way one can also use an interpreter named `perl5` (which is
18875   usually the name of Perl 5.xxx on platforms where an Perl 4.x is still
18876   installed as `perl`).
18877
18878   *Matthias Loepfe <Matthias.Loepfe@adnovum.ch>*
18879
18880 * Let util/clean-depend.pl work also with older Perl 5.00x versions.
18881
18882   *Matthias Loepfe <Matthias.Loepfe@adnovum.ch>*
18883
18884 * Fix Makefile.org so CC,CFLAG etc are passed to 'make links' add
18885   advapi32.lib to Win32 build and change the pem test comparison
18886   to fc.exe (thanks to Ulrich Kroener <kroneru@yahoo.com> for the
18887   suggestion). Fix misplaced ASNI prototypes and declarations in evp.h
18888   and crypto/des/ede_cbcm_enc.c.
18889
18890   *Steve Henson*
18891
18892 * DES quad checksum was broken on big-endian architectures. Fixed.
18893
18894   *Ben Laurie*
18895
18896 * Comment out two functions in bio.h that aren't implemented. Fix up the
18897   Win32 test batch file so it (might) work again. The Win32 test batch file
18898   is horrible: I feel ill....
18899
18900   *Steve Henson*
18901
18902 * Move various #ifdefs around so NO_SYSLOG, NO_DIRENT etc are now selected
18903   in e_os.h. Audit of header files to check ANSI and non ANSI
18904   sections: 10 functions were absent from non ANSI section and not exported
18905   from Windows DLLs. Fixed up libeay.num for new functions.
18906
18907   *Steve Henson*
18908
18909 * Make `openssl version` output lines consistent.
18910
18911   *Ralf S. Engelschall*
18912
18913 * Fix Win32 symbol export lists for BIO functions: Added
18914   BIO_get_ex_new_index, BIO_get_ex_num, BIO_get_ex_data and BIO_set_ex_data
18915   to ms/libeay{16,32}.def.
18916
18917   *Ralf S. Engelschall*
18918
18919 * Second round of fixing the OpenSSL perl/ stuff. It now at least compiled
18920   fine under Unix and passes some trivial tests I've now added. But the
18921   whole stuff is horribly incomplete, so a README.1ST with a disclaimer was
18922   added to make sure no one expects that this stuff really works in the
18923   OpenSSL 0.9.2 release.  Additionally I've started to clean the XS sources
18924   up and fixed a few little bugs and inconsistencies in OpenSSL.{pm,xs} and
18925   openssl_bio.xs.
18926
18927   *Ralf S. Engelschall*
18928
18929 * Fix the generation of two part addresses in perl.
18930
18931   *Kenji Miyake <kenji@miyake.org>, integrated by Ben Laurie*
18932
18933 * Add config entry for Linux on MIPS.
18934
18935   *John Tobey <jtobey@channel1.com>*
18936
18937 * Make links whenever Configure is run, unless we are on Windoze.
18938
18939   *Ben Laurie*
18940
18941 * Permit extensions to be added to CRLs using crl_section in openssl.cnf.
18942   Currently only issuerAltName and AuthorityKeyIdentifier make any sense
18943   in CRLs.
18944
18945   *Steve Henson*
18946
18947 * Add a useful kludge to allow package maintainers to specify compiler and
18948   other platforms details on the command line without having to patch the
18949   Configure script every time: One now can use
18950   `perl Configure <id>:<details>`,
18951   i.e. platform ids are allowed to have details appended
18952   to them (separated by colons). This is treated as there would be a static
18953   pre-configured entry in Configure's %table under key `<id>` with value
18954   `<details>` and `perl Configure <id>` is called.  So, when you want to
18955   perform a quick test-compile under FreeBSD 3.1 with pgcc and without
18956   assembler stuff you can use `perl Configure "FreeBSD-elf:pgcc:-O6:::"`
18957   now, which overrides the FreeBSD-elf entry on-the-fly.
18958
18959   *Ralf S. Engelschall*
18960
18961 * Disable new TLS1 ciphersuites by default: they aren't official yet.
18962
18963   *Ben Laurie*
18964
18965 * Allow DSO flags like -fpic, -fPIC, -KPIC etc. to be specified
18966   on the `perl Configure ...` command line. This way one can compile
18967   OpenSSL libraries with Position Independent Code (PIC) which is needed
18968   for linking it into DSOs.
18969
18970   *Ralf S. Engelschall*
18971
18972 * Remarkably, export ciphers were totally broken and no-one had noticed!
18973   Fixed.
18974
18975   *Ben Laurie*
18976
18977 * Cleaned up the LICENSE document: The official contact for any license
18978   questions now is the OpenSSL core team under openssl-core@openssl.org.
18979   And add a paragraph about the dual-license situation to make sure people
18980   recognize that _BOTH_ the OpenSSL license _AND_ the SSLeay license apply
18981   to the OpenSSL toolkit.
18982
18983   *Ralf S. Engelschall*
18984
18985 * General source tree makefile cleanups: Made `making xxx in yyy...`
18986   display consistent in the source tree and replaced `/bin/rm` by `rm`.
18987   Additionally cleaned up the `make links` target: Remove unnecessary
18988   semicolons, subsequent redundant removes, inline point.sh into mklink.sh
18989   to speed processing and no longer clutter the display with confusing
18990   stuff. Instead only the actually done links are displayed.
18991
18992   *Ralf S. Engelschall*
18993
18994 * Permit null encryption ciphersuites, used for authentication only. It used
18995   to be necessary to set the preprocessor define SSL_ALLOW_ENULL to do this.
18996   It is now necessary to set SSL_FORBID_ENULL to prevent the use of null
18997   encryption.
18998
18999   *Ben Laurie*
19000
19001 * Add a bunch of fixes to the PKCS#7 stuff. It used to sometimes reorder
19002   signed attributes when verifying signatures (this would break them),
19003   the detached data encoding was wrong and public keys obtained using
19004   X509_get_pubkey() weren't freed.
19005
19006   *Steve Henson*
19007
19008 * Add text documentation for the BUFFER functions. Also added a work around
19009   to a Win95 console bug. This was triggered by the password read stuff: the
19010   last character typed gets carried over to the next fread(). If you were
19011   generating a new cert request using 'req' for example then the last
19012   character of the passphrase would be CR which would then enter the first
19013   field as blank.
19014
19015   *Steve Henson*
19016
19017 * Added the new 'Includes OpenSSL Cryptography Software' button as
19018   doc/openssl_button.{gif,html} which is similar in style to the old SSLeay
19019   button and can be used by applications based on OpenSSL to show the
19020   relationship to the OpenSSL project.
19021
19022   *Ralf S. Engelschall*
19023
19024 * Remove confusing variables in function signatures in files
19025   ssl/ssl_lib.c and ssl/ssl.h.
19026
19027   *Lennart Bong <lob@kulthea.stacken.kth.se>*
19028
19029 * Don't install bss_file.c under PREFIX/include/
19030
19031   *Lennart Bong <lob@kulthea.stacken.kth.se>*
19032
19033 * Get the Win32 compile working again. Modify mkdef.pl so it can handle
19034   functions that return function pointers and has support for NT specific
19035   stuff. Fix mk1mf.pl and VC-32.pl to support NT differences also. Various
19036   #ifdef WIN32 and WINNTs sprinkled about the place and some changes from
19037   unsigned to signed types: this was killing the Win32 compile.
19038
19039   *Steve Henson*
19040
19041 * Add new certificate file to stack functions,
19042   SSL_add_dir_cert_subjects_to_stack() and
19043   SSL_add_file_cert_subjects_to_stack().  These largely supplant
19044   SSL_load_client_CA_file(), and can be used to add multiple certs easily
19045   to a stack (usually this is then handed to SSL_CTX_set_client_CA_list()).
19046   This means that Apache-SSL and similar packages don't have to mess around
19047   to add as many CAs as they want to the preferred list.
19048
19049   *Ben Laurie*
19050
19051 * Experiment with doxygen documentation. Currently only partially applied to
19052   ssl/ssl_lib.c.
19053   See <http://www.stack.nl/~dimitri/doxygen/index.html>, and run doxygen with
19054   openssl.doxy as the configuration file.
19055
19056   *Ben Laurie*
19057
19058 * Get rid of remaining C++-style comments which strict C compilers hate.
19059
19060   *Ralf S. Engelschall, pointed out by Carlos Amengual*
19061
19062 * Changed BN_RECURSION in bn_mont.c to BN_RECURSION_MONT so it is not
19063   compiled in by default: it has problems with large keys.
19064
19065   *Steve Henson*
19066
19067 * Add a bunch of SSL_xxx() functions for configuring the temporary RSA and
19068   DH private keys and/or callback functions which directly correspond to
19069   their SSL_CTX_xxx() counterparts but work on a per-connection basis. This
19070   is needed for applications which have to configure certificates on a
19071   per-connection basis (e.g. Apache+mod_ssl) instead of a per-context basis
19072   (e.g. s_server).
19073      For the RSA certificate situation is makes no difference, but
19074   for the DSA certificate situation this fixes the "no shared cipher"
19075   problem where the OpenSSL cipher selection procedure failed because the
19076   temporary keys were not overtaken from the context and the API provided
19077   no way to reconfigure them.
19078      The new functions now let applications reconfigure the stuff and they
19079   are in detail: SSL_need_tmp_RSA, SSL_set_tmp_rsa, SSL_set_tmp_dh,
19080   SSL_set_tmp_rsa_callback and SSL_set_tmp_dh_callback.  Additionally a new
19081   non-public-API function ssl_cert_instantiate() is used as a helper
19082   function and also to reduce code redundancy inside ssl_rsa.c.
19083
19084   *Ralf S. Engelschall*
19085
19086 * Move s_server -dcert and -dkey options out of the undocumented feature
19087   area because they are useful for the DSA situation and should be
19088   recognized by the users.
19089
19090   *Ralf S. Engelschall*
19091
19092 * Fix the cipher decision scheme for export ciphers: the export bits are
19093   *not* within SSL_MKEY_MASK or SSL_AUTH_MASK, they are within
19094   SSL_EXP_MASK.  So, the original variable has to be used instead of the
19095   already masked variable.
19096
19097   *Richard Levitte <levitte@stacken.kth.se>*
19098
19099 * Fix `port` variable from `int` to `unsigned int` in crypto/bio/b_sock.c
19100
19101   *Richard Levitte <levitte@stacken.kth.se>*
19102
19103 * Change type of another md_len variable in pk7_doit.c:PKCS7_dataFinal()
19104   from `int` to `unsigned int` because it is a length and initialized by
19105   EVP_DigestFinal() which expects an `unsigned int *`.
19106
19107   *Richard Levitte <levitte@stacken.kth.se>*
19108
19109 * Don't hard-code path to Perl interpreter on shebang line of Configure
19110   script. Instead use the usual Shell->Perl transition trick.
19111
19112   *Ralf S. Engelschall*
19113
19114 * Make `openssl x509 -noout -modulus`' functional also for DSA certificates
19115   (in addition to RSA certificates) to match the behaviour of `openssl dsa
19116   -noout -modulus` as it's already the case for `openssl rsa -noout
19117   -modulus`.  For RSA the -modulus is the real "modulus" while for DSA
19118   currently the public key is printed (a decision which was already done by
19119   `openssl dsa -modulus` in the past) which serves a similar purpose.
19120   Additionally the NO_RSA no longer completely removes the whole -modulus
19121   option; it now only avoids using the RSA stuff. Same applies to NO_DSA
19122   now, too.
19123
19124   *Ralf S.  Engelschall*
19125
19126 * Add Arne Ansper's reliable BIO - this is an encrypted, block-digested
19127   BIO. See the source (crypto/evp/bio_ok.c) for more info.
19128
19129   *Arne Ansper <arne@ats.cyber.ee>*
19130
19131 * Dump the old yucky req code that tried (and failed) to allow raw OIDs
19132   to be added. Now both 'req' and 'ca' can use new objects defined in the
19133   config file.
19134
19135   *Steve Henson*
19136
19137 * Add cool BIO that does syslog (or event log on NT).
19138
19139   *Arne Ansper <arne@ats.cyber.ee>, integrated by Ben Laurie*
19140
19141 * Add support for new TLS ciphersuites, TLS_RSA_EXPORT56_WITH_RC4_56_MD5,
19142   TLS_RSA_EXPORT56_WITH_RC2_CBC_56_MD5 and
19143   TLS_RSA_EXPORT56_WITH_DES_CBC_SHA, as specified in "56-bit Export Cipher
19144   Suites For TLS", draft-ietf-tls-56-bit-ciphersuites-00.txt.
19145
19146   *Ben Laurie*
19147
19148 * Add preliminary config info for new extension code.
19149
19150   *Steve Henson*
19151
19152 * Make RSA_NO_PADDING really use no padding.
19153
19154   *Ulf Moeller <ulf@fitug.de>*
19155
19156 * Generate errors when private/public key check is done.
19157
19158   *Ben Laurie*
19159
19160 * Overhaul for 'crl' utility. New function X509_CRL_print. Partial support
19161   for some CRL extensions and new objects added.
19162
19163   *Steve Henson*
19164
19165 * Really fix the ASN1 IMPLICIT bug this time... Partial support for private
19166   key usage extension and fuller support for authority key id.
19167
19168   *Steve Henson*
19169
19170 * Add OAEP encryption for the OpenSSL crypto library. OAEP is the improved
19171   padding method for RSA, which is recommended for new applications in PKCS
19172   #1 v2.0 (RFC 2437, October 1998).
19173   OAEP (Optimal Asymmetric Encryption Padding) has better theoretical
19174   foundations than the ad-hoc padding used in PKCS #1 v1.5. It is secure
19175   against Bleichbacher's attack on RSA.
19176   *Ulf Moeller <ulf@fitug.de>, reformatted, corrected and integrated by
19177   Ben Laurie*
19178
19179 * Updates to the new SSL compression code
19180
19181   *Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)*
19182
19183 * Fix so that the version number in the master secret, when passed
19184   via RSA, checks that if TLS was proposed, but we roll back to SSLv3
19185   (because the server will not accept higher), that the version number
19186   is 0x03,0x01, not 0x03,0x00
19187
19188   *Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)*
19189
19190 * Run extensive memory leak checks on SSL commands. Fixed *lots* of memory
19191   leaks in `ssl/` relating to new `X509_get_pubkey()` behaviour. Also fixes
19192   in `apps/` and an unrelated leak in `crypto/dsa/dsa_vrf.c`.
19193
19194   *Steve Henson*
19195
19196 * Support for RAW extensions where an arbitrary extension can be
19197   created by including its DER encoding. See `apps/openssl.cnf` for
19198   an example.
19199
19200   *Steve Henson*
19201
19202 * Make sure latest Perl versions don't interpret some generated C array
19203   code as Perl array code in the crypto/err/err_genc.pl script.
19204
19205   *Lars Weber <3weber@informatik.uni-hamburg.de>*
19206
19207 * Modify ms/do_ms.bat to not generate assembly language makefiles since
19208   not many people have the assembler. Various Win32 compilation fixes and
19209   update to the INSTALL.W32 file with (hopefully) more accurate Win32
19210   build instructions.
19211
19212   *Steve Henson*
19213
19214 * Modify configure script 'Configure' to automatically create crypto/date.h
19215   file under Win32 and also build pem.h from pem.org. New script
19216   util/mkfiles.pl to create the MINFO file on environments that can't do a
19217   'make files': perl util/mkfiles.pl >MINFO should work.
19218
19219   *Steve Henson*
19220
19221 * Major rework of DES function declarations, in the pursuit of correctness
19222   and purity. As a result, many evil casts evaporated, and some weirdness,
19223   too. You may find this causes warnings in your code. Zapping your evil
19224   casts will probably fix them. Mostly.
19225
19226   *Ben Laurie*
19227
19228 * Fix for a typo in asn1.h. Bug fix to object creation script
19229   obj_dat.pl. It considered a zero in an object definition to mean
19230   "end of object": none of the objects in objects.h have any zeros
19231   so it wasn't spotted.
19232
19233   *Steve Henson, reported by Erwann ABALEA <eabalea@certplus.com>*
19234
19235 * Add support for Triple DES Cipher Block Chaining with Output Feedback
19236   Masking (CBCM). In the absence of test vectors, the best I have been able
19237   to do is check that the decrypt undoes the encrypt, so far. Send me test
19238   vectors if you have them.
19239
19240   *Ben Laurie*
19241
19242 * Correct calculation of key length for export ciphers (too much space was
19243   allocated for null ciphers). This has not been tested!
19244
19245   *Ben Laurie*
19246
19247 * Modifications to the mkdef.pl for Win32 DEF file creation. The usage
19248   message is now correct (it understands "crypto" and "ssl" on its
19249   command line). There is also now an "update" option. This will update
19250   the util/ssleay.num and util/libeay.num files with any new functions.
19251   If you do a:
19252   perl util/mkdef.pl crypto ssl update
19253   it will update them.
19254
19255   *Steve Henson*
19256
19257 * Overhauled the Perl interface:
19258   - ported BN stuff to OpenSSL's different BN library
19259   - made the perl/ source tree CVS-aware
19260   - renamed the package from SSLeay to OpenSSL (the files still contain
19261     their history because I've copied them in the repository)
19262   - removed obsolete files (the test scripts will be replaced
19263     by better Test::Harness variants in the future)
19264
19265   *Ralf S. Engelschall*
19266
19267 * First cut for a very conservative source tree cleanup:
19268   1. merge various obsolete readme texts into doc/ssleay.txt
19269   where we collect the old documents and readme texts.
19270   2. remove the first part of files where I'm already sure that we no
19271   longer need them because of three reasons: either they are just temporary
19272   files which were left by Eric or they are preserved original files where
19273   I've verified that the diff is also available in the CVS via "cvs diff
19274   -rSSLeay_0_8_1b" or they were renamed (as it was definitely the case for
19275   the crypto/md/ stuff).
19276
19277   *Ralf S. Engelschall*
19278
19279 * More extension code. Incomplete support for subject and issuer alt
19280   name, issuer and authority key id. Change the i2v function parameters
19281   and add an extra 'crl' parameter in the X509V3_CTX structure: guess
19282   what that's for :-) Fix to ASN1 macro which messed up
19283   IMPLICIT tag and add f_enum.c which adds a2i, i2a for ENUMERATED.
19284
19285   *Steve Henson*
19286
19287 * Preliminary support for ENUMERATED type. This is largely copied from the
19288   INTEGER code.
19289
19290   *Steve Henson*
19291
19292 * Add new function, EVP_MD_CTX_copy() to replace frequent use of memcpy.
19293
19294   *Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)*
19295
19296 * Make sure `make rehash` target really finds the `openssl` program.
19297
19298   *Ralf S. Engelschall, Matthias Loepfe <Matthias.Loepfe@adnovum.ch>*
19299
19300 * Squeeze another 7% of speed out of MD5 assembler, at least on a P2. I'd
19301   like to hear about it if this slows down other processors.
19302
19303   *Ben Laurie*
19304
19305 * Add CygWin32 platform information to Configure script.
19306
19307   *Alan Batie <batie@aahz.jf.intel.com>*
19308
19309 * Fixed ms/32all.bat script: `no_asm` -> `no-asm`
19310
19311   *Rainer W. Gerling <gerling@mpg-gv.mpg.de>*
19312
19313 * New program nseq to manipulate netscape certificate sequences
19314
19315   *Steve Henson*
19316
19317 * Modify crl2pkcs7 so it supports multiple -certfile arguments. Fix a
19318   few typos.
19319
19320   *Steve Henson*
19321
19322 * Fixes to BN code.  Previously the default was to define BN_RECURSION
19323   but the BN code had some problems that would cause failures when
19324   doing certificate verification and some other functions.
19325
19326   *Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)*
19327
19328 * Add ASN1 and PEM code to support netscape certificate sequences.
19329
19330   *Steve Henson*
19331
19332 * Add ASN1 and PEM code to support netscape certificate sequences.
19333
19334   *Steve Henson*
19335
19336 * Add several PKIX and private extended key usage OIDs.
19337
19338   *Steve Henson*
19339
19340 * Modify the 'ca' program to handle the new extension code. Modify
19341   openssl.cnf for new extension format, add comments.
19342
19343   *Steve Henson*
19344
19345 * More X509 V3 changes. Fix typo in v3_bitstr.c. Add support to 'req'
19346   and add a sample to openssl.cnf so req -x509 now adds appropriate
19347   CA extensions.
19348
19349   *Steve Henson*
19350
19351 * Continued X509 V3 changes. Add to other makefiles, integrate with the
19352   error code, add initial support to X509_print() and x509 application.
19353
19354   *Steve Henson*
19355
19356 * Takes a deep breath and start adding X509 V3 extension support code. Add
19357   files in crypto/x509v3. Move original stuff to crypto/x509v3/old. All this
19358   stuff is currently isolated and isn't even compiled yet.
19359
19360   *Steve Henson*
19361
19362 * Continuing patches for GeneralizedTime. Fix up certificate and CRL
19363   ASN1 to use ASN1_TIME and modify print routines to use ASN1_TIME_print.
19364   Removed the versions check from X509 routines when loading extensions:
19365   this allows certain broken certificates that don't set the version
19366   properly to be processed.
19367
19368   *Steve Henson*
19369
19370 * Deal with irritating shit to do with dependencies, in YAAHW (Yet Another
19371   Ad Hoc Way) - Makefile.ssls now all contain local dependencies, which
19372   can still be regenerated with "make depend".
19373
19374   *Ben Laurie*
19375
19376 * Spelling mistake in C version of CAST-128.
19377
19378   *Ben Laurie, reported by Jeremy Hylton <jeremy@cnri.reston.va.us>*
19379
19380 * Changes to the error generation code. The perl script err-code.pl
19381   now reads in the old error codes and retains the old numbers, only
19382   adding new ones if necessary. It also only changes the .err files if new
19383   codes are added. The makefiles have been modified to only insert errors
19384   when needed (to avoid needlessly modifying header files). This is done
19385   by only inserting errors if the .err file is newer than the auto generated
19386   C file. To rebuild all the error codes from scratch (the old behaviour)
19387   either modify crypto/Makefile.ssl to pass the -regen flag to err_code.pl
19388   or delete all the .err files.
19389
19390   *Steve Henson*
19391
19392 * CAST-128 was incorrectly implemented for short keys. The C version has
19393   been fixed, but is untested. The assembler versions are also fixed, but
19394   new assembler HAS NOT BEEN GENERATED FOR WIN32 - the Makefile needs fixing
19395   to regenerate it if needed.
19396   *Ben Laurie, reported (with fix for C version) by Jun-ichiro itojun
19397    Hagino <itojun@kame.net>*
19398
19399 * File was opened incorrectly in randfile.c.
19400
19401   *Ulf Möller <ulf@fitug.de>*
19402
19403 * Beginning of support for GeneralizedTime. d2i, i2d, check and print
19404   functions. Also ASN1_TIME suite which is a CHOICE of UTCTime or
19405   GeneralizedTime. ASN1_TIME is the proper type used in certificates et
19406   al: it's just almost always a UTCTime. Note this patch adds new error
19407   codes so do a "make errors" if there are problems.
19408
19409   *Steve Henson*
19410
19411 * Correct Linux 1 recognition in config.
19412
19413   *Ulf Möller <ulf@fitug.de>*
19414
19415 * Remove pointless MD5 hash when using DSA keys in ca.
19416
19417   *Anonymous <nobody@replay.com>*
19418
19419 * Generate an error if given an empty string as a cert directory. Also
19420   generate an error if handed NULL (previously returned 0 to indicate an
19421   error, but didn't set one).
19422
19423   *Ben Laurie, reported by Anonymous <nobody@replay.com>*
19424
19425 * Add prototypes to SSL methods. Make SSL_write's buffer const, at last.
19426
19427   *Ben Laurie*
19428
19429 * Fix the dummy function BN_ref_mod_exp() in rsaref.c to have the correct
19430   parameters. This was causing a warning which killed off the Win32 compile.
19431
19432   *Steve Henson*
19433
19434 * Remove C++ style comments from crypto/bn/bn_local.h.
19435
19436   *Neil Costigan <neil.costigan@celocom.com>*
19437
19438 * The function OBJ_txt2nid was broken. It was supposed to return a nid
19439   based on a text string, looking up short and long names and finally
19440   "dot" format. The "dot" format stuff didn't work. Added new function
19441   OBJ_txt2obj to do the same but return an ASN1_OBJECT and rewrote
19442   OBJ_txt2nid to use it. OBJ_txt2obj can also return objects even if the
19443   OID is not part of the table.
19444
19445   *Steve Henson*
19446
19447 * Add prototypes to X509 lookup/verify methods, fixing a bug in
19448   X509_LOOKUP_by_alias().
19449
19450   *Ben Laurie*
19451
19452 * Sort openssl functions by name.
19453
19454   *Ben Laurie*
19455
19456 * Get the `gendsa` command working and add it to the `list` command. Remove
19457   encryption from sample DSA keys (in case anyone is interested the password
19458   was "1234").
19459
19460   *Steve Henson*
19461
19462 * Make *all* `*_free` functions accept a NULL pointer.
19463
19464   *Frans Heymans <fheymans@isaserver.be>*
19465
19466 * If a DH key is generated in s3_srvr.c, don't blow it by trying to use
19467   NULL pointers.
19468
19469   *Anonymous <nobody@replay.com>*
19470
19471 * s_server should send the CAfile as acceptable CAs, not its own cert.
19472
19473   *Bodo Moeller <3moeller@informatik.uni-hamburg.de>*
19474
19475 * Don't blow it for numeric `-newkey` arguments to `apps/req`.
19476
19477   *Bodo Moeller <3moeller@informatik.uni-hamburg.de>*
19478
19479 * Temp key "for export" tests were wrong in s3_srvr.c.
19480
19481   *Anonymous <nobody@replay.com>*
19482
19483 * Add prototype for temp key callback functions
19484   SSL_CTX_set_tmp_{rsa,dh}_callback().
19485
19486   *Ben Laurie*
19487
19488 * Make DH_free() tolerate being passed a NULL pointer (like RSA_free() and
19489   DSA_free()). Make X509_PUBKEY_set() check for errors in d2i_PublicKey().
19490
19491   *Steve Henson*
19492
19493 * X509_name_add_entry() freed the wrong thing after an error.
19494
19495   *Arne Ansper <arne@ats.cyber.ee>*
19496
19497 * rsa_eay.c would attempt to free a NULL context.
19498
19499   *Arne Ansper <arne@ats.cyber.ee>*
19500
19501 * BIO_s_socket() had a broken should_retry() on Windoze.
19502
19503   *Arne Ansper <arne@ats.cyber.ee>*
19504
19505 * BIO_f_buffer() didn't pass on BIO_CTRL_FLUSH.
19506
19507   *Arne Ansper <arne@ats.cyber.ee>*
19508
19509 * Make sure the already existing X509_STORE->depth variable is initialized
19510   in X509_STORE_new(), but document the fact that this variable is still
19511   unused in the certificate verification process.
19512
19513   *Ralf S. Engelschall*
19514
19515 * Fix the various library and `apps/` files to free up pkeys obtained from
19516   X509_PUBKEY_get() et al. Also allow x509.c to handle netscape extensions.
19517
19518   *Steve Henson*
19519
19520 * Fix reference counting in X509_PUBKEY_get(). This makes
19521   demos/maurice/example2.c work, amongst others, probably.
19522
19523   *Steve Henson and Ben Laurie*
19524
19525 * First cut of a cleanup for `apps/`. First the `ssleay` program is now named
19526   `openssl` and second, the shortcut symlinks for the `openssl <command>`
19527   are no longer created. This way we have a single and consistent command
19528   line interface `openssl <command>`, similar to `cvs <command>`.
19529
19530   *Ralf S. Engelschall, Paul Sutton and Ben Laurie*
19531
19532 * ca.c: move test for DSA keys inside #ifndef NO_DSA. Make pubkey
19533   BIT STRING wrapper always have zero unused bits.
19534
19535   *Steve Henson*
19536
19537 * Add CA.pl, perl version of CA.sh, add extended key usage OID.
19538
19539   *Steve Henson*
19540
19541 * Make the top-level INSTALL documentation easier to understand.
19542
19543   *Paul Sutton*
19544
19545 * Makefiles updated to exit if an error occurs in a sub-directory
19546   make (including if user presses ^C) [Paul Sutton]
19547
19548 * Make Montgomery context stuff explicit in RSA data structure.
19549
19550   *Ben Laurie*
19551
19552 * Fix build order of pem and err to allow for generated pem.h.
19553
19554   *Ben Laurie*
19555
19556 * Fix renumbering bug in X509_NAME_delete_entry().
19557
19558   *Ben Laurie*
19559
19560 * Enhanced the err-ins.pl script so it makes the error library number
19561   global and can add a library name. This is needed for external ASN1 and
19562   other error libraries.
19563
19564   *Steve Henson*
19565
19566 * Fixed sk_insert which never worked properly.
19567
19568   *Steve Henson*
19569
19570 * Fix ASN1 macros so they can handle indefinite length constructed
19571   EXPLICIT tags. Some non standard certificates use these: they can now
19572   be read in.
19573
19574   *Steve Henson*
19575
19576 * Merged the various old/obsolete SSLeay documentation files (doc/xxx.doc)
19577   into a single doc/ssleay.txt bundle. This way the information is still
19578   preserved but no longer messes up this directory. Now it's new room for
19579   the new set of documentation files.
19580
19581   *Ralf S. Engelschall*
19582
19583 * SETs were incorrectly DER encoded. This was a major pain, because they
19584   shared code with SEQUENCEs, which aren't coded the same. This means that
19585   almost everything to do with SETs or SEQUENCEs has either changed name or
19586   number of arguments.
19587
19588   *Ben Laurie, based on a partial fix by GP Jayan <gp@nsj.co.jp>*
19589
19590 * Fix test data to work with the above.
19591
19592   *Ben Laurie*
19593
19594 * Fix the RSA header declarations that hid a bug I fixed in 0.9.0b but
19595   was already fixed by Eric for 0.9.1 it seems.
19596
19597   *Ben Laurie - pointed out by Ulf Möller <ulf@fitug.de>*
19598
19599 * Autodetect FreeBSD3.
19600
19601   *Ben Laurie*
19602
19603 * Fix various bugs in Configure. This affects the following platforms:
19604   nextstep
19605   ncr-scde
19606   unixware-2.0
19607   unixware-2.0-pentium
19608   sco5-cc.
19609
19610   *Ben Laurie*
19611
19612 * Eliminate generated files from CVS. Reorder tests to regenerate files
19613   before they are needed.
19614
19615   *Ben Laurie*
19616
19617 * Generate Makefile.ssl from Makefile.org (to keep CVS happy).
19618
19619   *Ben Laurie*
19620
19621### Changes between 0.9.1b and 0.9.1c  [23-Dec-1998]
19622
19623 * Added OPENSSL_VERSION_NUMBER to crypto/crypto.h and
19624   changed SSLeay to OpenSSL in version strings.
19625
19626   *Ralf S. Engelschall*
19627
19628 * Some fixups to the top-level documents.
19629
19630   *Paul Sutton*
19631
19632 * Fixed the nasty bug where rsaref.h was not found under compile-time
19633   because the symlink to include/ was missing.
19634
19635   *Ralf S. Engelschall*
19636
19637 * Incorporated the popular no-RSA/DSA-only patches
19638   which allow to compile an RSA-free SSLeay.
19639
19640   *Andrew Cooke / Interrader Ldt., Ralf S. Engelschall*
19641
19642 * Fixed nasty rehash problem under `make -f Makefile.ssl links`
19643   when "ssleay" is still not found.
19644
19645   *Ralf S. Engelschall*
19646
19647 * Added more platforms to Configure: Cray T3E, HPUX 11,
19648
19649   *Ralf S. Engelschall, Beckmann <beckman@acl.lanl.gov>*
19650
19651 * Updated the README file.
19652
19653   *Ralf S. Engelschall*
19654
19655 * Added various .cvsignore files in the CVS repository subdirs
19656   to make a "cvs update" really silent.
19657
19658   *Ralf S. Engelschall*
19659
19660 * Recompiled the error-definition header files and added
19661   missing symbols to the Win32 linker tables.
19662
19663   *Ralf S. Engelschall*
19664
19665 * Cleaned up the top-level documents;
19666   o new files: CHANGES and LICENSE
19667   o merged VERSION, HISTORY* and README* files a CHANGES.SSLeay
19668   o merged COPYRIGHT into LICENSE
19669   o removed obsolete TODO file
19670   o renamed MICROSOFT to INSTALL.W32
19671
19672   *Ralf S. Engelschall*
19673
19674 * Removed dummy files from the 0.9.1b source tree:
19675   crypto/asn1/x crypto/bio/cd crypto/bio/fg crypto/bio/grep crypto/bio/vi
19676   crypto/bn/asm/......add.c crypto/bn/asm/a.out crypto/dsa/f crypto/md5/f
19677   crypto/pem/gmon.out crypto/perlasm/f crypto/pkcs7/build crypto/rsa/f
19678   crypto/sha/asm/f crypto/threads/f ms/zzz ssl/f ssl/f.mak test/f
19679   util/f.mak util/pl/f util/pl/f.mak crypto/bf/bf_locl.old apps/f
19680
19681   *Ralf S. Engelschall*
19682
19683 * Added various platform portability fixes.
19684
19685   *Mark J. Cox*
19686
19687 * The Genesis of the OpenSSL rpject:
19688   We start with the latest (unreleased) SSLeay version 0.9.1b which Eric A.
19689   Young and Tim J. Hudson created while they were working for C2Net until
19690   summer 1998.
19691
19692   *The OpenSSL Project*
19693
19694### Changes between 0.9.0b and 0.9.1b  [not released]
19695
19696 * Updated a few CA certificates under certs/
19697
19698   *Eric A. Young*
19699
19700 * Changed some BIGNUM api stuff.
19701
19702   *Eric A. Young*
19703
19704 * Various platform ports: OpenBSD, Ultrix, IRIX 64bit, NetBSD,
19705   DGUX x86, Linux Alpha, etc.
19706
19707   *Eric A. Young*
19708
19709 * New COMP library [crypto/comp/] for SSL Record Layer Compression:
19710   RLE (dummy implemented) and ZLIB (really implemented when ZLIB is
19711   available).
19712
19713   *Eric A. Young*
19714
19715 * Add -strparse option to asn1pars program which parses nested
19716   binary structures
19717
19718   *Dr Stephen Henson <shenson@bigfoot.com>*
19719
19720 * Added "oid_file" to ssleay.cnf for "ca" and "req" programs.
19721
19722   *Eric A. Young*
19723
19724 * DSA fix for "ca" program.
19725
19726   *Eric A. Young*
19727
19728 * Added "-genkey" option to "dsaparam" program.
19729
19730   *Eric A. Young*
19731
19732 * Added RIPE MD160 (rmd160) message digest.
19733
19734   *Eric A. Young*
19735
19736 * Added -a (all) option to "ssleay version" command.
19737
19738   *Eric A. Young*
19739
19740 * Added PLATFORM define which is the id given to Configure.
19741
19742   *Eric A. Young*
19743
19744 * Added MemCheck_XXXX functions to crypto/mem.c for memory checking.
19745
19746   *Eric A. Young*
19747
19748 * Extended the ASN.1 parser routines.
19749
19750   *Eric A. Young*
19751
19752 * Extended BIO routines to support REUSEADDR, seek, tell, etc.
19753
19754   *Eric A. Young*
19755
19756 * Added a BN_CTX to the BN library.
19757
19758   *Eric A. Young*
19759
19760 * Fixed the weak key values in DES library
19761
19762   *Eric A. Young*
19763
19764 * Changed API in EVP library for cipher aliases.
19765
19766   *Eric A. Young*
19767
19768 * Added support for RC2/64bit cipher.
19769
19770   *Eric A. Young*
19771
19772 * Converted the lhash library to the crypto/mem.c functions.
19773
19774   *Eric A. Young*
19775
19776 * Added more recognized ASN.1 object ids.
19777
19778   *Eric A. Young*
19779
19780 * Added more RSA padding checks for SSL/TLS.
19781
19782   *Eric A. Young*
19783
19784 * Added BIO proxy/filter functionality.
19785
19786   *Eric A. Young*
19787
19788 * Added extra_certs to SSL_CTX which can be used
19789   send extra CA certificates to the client in the CA cert chain sending
19790   process. It can be configured with SSL_CTX_add_extra_chain_cert().
19791
19792   *Eric A. Young*
19793
19794 * Now Fortezza is denied in the authentication phase because
19795   this is key exchange mechanism is not supported by SSLeay at all.
19796
19797   *Eric A. Young*
19798
19799 * Additional PKCS1 checks.
19800
19801   *Eric A. Young*
19802
19803 * Support the string "TLSv1" for all TLS v1 ciphers.
19804
19805   *Eric A. Young*
19806
19807 * Added function SSL_get_ex_data_X509_STORE_CTX_idx() which gives the
19808   ex_data index of the SSL context in the X509_STORE_CTX ex_data.
19809
19810   *Eric A. Young*
19811
19812 * Fixed a few memory leaks.
19813
19814   *Eric A. Young*
19815
19816 * Fixed various code and comment typos.
19817
19818   *Eric A. Young*
19819
19820 * A minor bug in ssl/s3_clnt.c where there would always be 4 0
19821   bytes sent in the client random.
19822
19823   *Edward Bishop <ebishop@spyglass.com>*
19824
19825<!-- Links -->
19826
19827[CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
19828[CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237
19829[CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129
19830[CVE-2023-5678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5678
19831[CVE-2023-5363]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5363
19832[CVE-2023-4807]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-4807
19833[CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817
19834[CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446
19835[CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975
19836[RFC 2578 (STD 58), section 3.5]: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
19837[CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650
19838[CVE-2023-1255]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-1255
19839[CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466
19840[CVE-2023-0465]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465
19841[CVE-2023-0464]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0464
19842[CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401
19843[CVE-2023-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0286
19844[CVE-2023-0217]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0217
19845[CVE-2023-0216]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0216
19846[CVE-2023-0215]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0215
19847[CVE-2022-4450]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4450
19848[CVE-2022-4304]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4304
19849[CVE-2022-4203]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4203
19850[CVE-2022-3996]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-3996
19851[CVE-2022-2274]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274
19852[CVE-2022-2097]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2097
19853[CVE-2020-1971]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1971
19854[CVE-2020-1967]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1967
19855[CVE-2019-1563]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1563
19856[CVE-2019-1559]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1559
19857[CVE-2019-1552]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1552
19858[CVE-2019-1551]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1551
19859[CVE-2019-1549]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1549
19860[CVE-2019-1547]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1547
19861[CVE-2019-1543]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1543
19862[CVE-2018-5407]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-5407
19863[CVE-2018-0739]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0739
19864[CVE-2018-0737]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0737
19865[CVE-2018-0735]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0735
19866[CVE-2018-0734]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0734
19867[CVE-2018-0733]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0733
19868[CVE-2018-0732]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0732
19869[CVE-2017-3738]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3738
19870[CVE-2017-3737]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3737
19871[CVE-2017-3736]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3736
19872[CVE-2017-3735]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3735
19873[CVE-2017-3733]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3733
19874[CVE-2017-3732]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3732
19875[CVE-2017-3731]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3731
19876[CVE-2017-3730]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3730
19877[CVE-2016-7055]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7055
19878[CVE-2016-7054]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7054
19879[CVE-2016-7053]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7053
19880[CVE-2016-7052]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7052
19881[CVE-2016-6309]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6309
19882[CVE-2016-6308]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6308
19883[CVE-2016-6307]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6307
19884[CVE-2016-6306]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6306
19885[CVE-2016-6305]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6305
19886[CVE-2016-6304]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6304
19887[CVE-2016-6303]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6303
19888[CVE-2016-6302]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6302
19889[CVE-2016-2183]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2183
19890[CVE-2016-2182]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2182
19891[CVE-2016-2181]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2181
19892[CVE-2016-2180]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2180
19893[CVE-2016-2179]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2179
19894[CVE-2016-2178]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2178
19895[CVE-2016-2177]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2177
19896[CVE-2016-2176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2176
19897[CVE-2016-2109]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2109
19898[CVE-2016-2107]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2107
19899[CVE-2016-2106]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2106
19900[CVE-2016-2105]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2105
19901[CVE-2016-0800]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0800
19902[CVE-2016-0799]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0799
19903[CVE-2016-0798]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0798
19904[CVE-2016-0797]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0797
19905[CVE-2016-0705]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0705
19906[CVE-2016-0702]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0702
19907[CVE-2016-0701]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0701
19908[CVE-2015-3197]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3197
19909[CVE-2015-3196]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3196
19910[CVE-2015-3195]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3195
19911[CVE-2015-3194]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3194
19912[CVE-2015-3193]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3193
19913[CVE-2015-1793]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1793
19914[CVE-2015-1792]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1792
19915[CVE-2015-1791]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1791
19916[CVE-2015-1790]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1790
19917[CVE-2015-1789]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1789
19918[CVE-2015-1788]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1788
19919[CVE-2015-1787]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1787
19920[CVE-2015-0293]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0293
19921[CVE-2015-0291]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0291
19922[CVE-2015-0290]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0290
19923[CVE-2015-0289]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0289
19924[CVE-2015-0288]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0288
19925[CVE-2015-0287]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0287
19926[CVE-2015-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0286
19927[CVE-2015-0285]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0285
19928[CVE-2015-0209]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0209
19929[CVE-2015-0208]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0208
19930[CVE-2015-0207]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0207
19931[CVE-2015-0206]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0206
19932[CVE-2015-0205]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0205
19933[CVE-2015-0204]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0204
19934[CVE-2014-8275]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-8275
19935[CVE-2014-5139]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-5139
19936[CVE-2014-3572]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3572
19937[CVE-2014-3571]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3571
19938[CVE-2014-3570]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3570
19939[CVE-2014-3569]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3569
19940[CVE-2014-3568]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3568
19941[CVE-2014-3567]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3567
19942[CVE-2014-3566]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3566
19943[CVE-2014-3513]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3513
19944[CVE-2014-3512]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3512
19945[CVE-2014-3511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3511
19946[CVE-2014-3510]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3510
19947[CVE-2014-3509]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3509
19948[CVE-2014-3508]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3508
19949[CVE-2014-3507]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3507
19950[CVE-2014-3506]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3506
19951[CVE-2014-3505]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3505
19952[CVE-2014-3470]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3470
19953[CVE-2014-0224]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0224
19954[CVE-2014-0221]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0221
19955[CVE-2014-0195]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0195
19956[CVE-2014-0160]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0160
19957[CVE-2014-0076]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0076
19958[CVE-2013-6450]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-6450
19959[CVE-2013-4353]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-4353
19960[CVE-2013-0169]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-0169
19961[CVE-2013-0166]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-0166
19962[CVE-2012-2686]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2686
19963[CVE-2012-2333]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2333
19964[CVE-2012-2110]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2110
19965[CVE-2012-0884]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0884
19966[CVE-2012-0050]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0050
19967[CVE-2012-0027]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0027
19968[CVE-2011-4619]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4619
19969[CVE-2011-4577]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4577
19970[CVE-2011-4576]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4576
19971[CVE-2011-4109]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4109
19972[CVE-2011-4108]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4108
19973[CVE-2011-3210]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-3210
19974[CVE-2011-3207]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-3207
19975[CVE-2011-0014]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-0014
19976[CVE-2010-4252]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-4252
19977[CVE-2010-4180]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-4180
19978[CVE-2010-3864]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-3864
19979[CVE-2010-1633]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-1633
19980[CVE-2010-0740]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-0740
19981[CVE-2010-0433]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-0433
19982[CVE-2009-4355]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-4355
19983[CVE-2009-3555]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-3555
19984[CVE-2009-3245]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-3245
19985[CVE-2009-1386]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1386
19986[CVE-2009-1379]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1379
19987[CVE-2009-1378]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1378
19988[CVE-2009-1377]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1377
19989[CVE-2009-0789]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0789
19990[CVE-2009-0591]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0591
19991[CVE-2009-0590]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0590
19992[CVE-2008-5077]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-5077
19993[CVE-2008-1678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-1678
19994[CVE-2008-1672]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-1672
19995[CVE-2008-0891]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-0891
19996[CVE-2007-5135]: https://www.openssl.org/news/vulnerabilities.html#CVE-2007-5135
19997[CVE-2007-4995]: https://www.openssl.org/news/vulnerabilities.html#CVE-2007-4995
19998[CVE-2006-4343]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-4343
19999[CVE-2006-4339]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-4339
20000[CVE-2006-3738]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-3738
20001[CVE-2006-2940]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-2940
20002[CVE-2006-2937]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-2937
20003[CVE-2005-2969]: https://www.openssl.org/news/vulnerabilities.html#CVE-2005-2969
20004[CVE-2004-0112]: https://www.openssl.org/news/vulnerabilities.html#CVE-2004-0112
20005[CVE-2004-0079]: https://www.openssl.org/news/vulnerabilities.html#CVE-2004-0079
20006[CVE-2003-0851]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0851
20007[CVE-2003-0545]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0545
20008[CVE-2003-0544]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0544
20009[CVE-2003-0543]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0543
20010[CVE-2003-0078]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0078
20011[CVE-2002-0659]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0659
20012[CVE-2002-0657]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0657
20013[CVE-2002-0656]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0656
20014[CVE-2002-0655]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0655
20015