xref: /openssl/CHANGES.md (revision ef39dd05)
1OpenSSL CHANGES
2===============
3
4This is a detailed breakdown of significant changes. For a high-level overview
5of changes in each release, see [NEWS.md](./NEWS.md).
6
7For a full list of changes, see the [git commit log][log] and pick the
8appropriate release branch.
9
10  [log]: https://github.com/openssl/openssl/commits/
11
12OpenSSL Releases
13----------------
14
15 - [OpenSSL 3.5](#openssl-35)
16 - [OpenSSL 3.4](#openssl-34)
17 - [OpenSSL 3.3](#openssl-33)
18 - [OpenSSL 3.2](#openssl-32)
19 - [OpenSSL 3.1](#openssl-31)
20 - [OpenSSL 3.0](#openssl-30)
21 - [OpenSSL 1.1.1](#openssl-111)
22 - [OpenSSL 1.1.0](#openssl-110)
23 - [OpenSSL 1.0.2](#openssl-102)
24 - [OpenSSL 1.0.1](#openssl-101)
25 - [OpenSSL 1.0.0](#openssl-100)
26 - [OpenSSL 0.9.x](#openssl-09x)
27
28OpenSSL 3.5
29-----------
30
31### Changes between 3.4 and 3.5 [xx XXX xxxx]
32
33* Support DEFAULT keyword and '-' prefix in SSL_CTX_set1_groups_list().
34  SSL_CTX_set1_groups_list() now supports the DEFAULT keyword which sets the
35  available groups to the default selection. The '-' prefix allows the calling
36  application to remove a group from the selection.
37
38  *Frederik Wedel-Heinen*
39
40 * Updated the default encryption cipher for the `req`, `cms`, and `smime` applications
41   from `des-ede3-cbc` to `aes-256-cbc`.
42
43   AES-256 provides a stronger 256-bit key encryption than legacy 3DES.
44
45   *Aditya*
46
47 * Enhanced PKCS#7 inner contents verification.
48   In the PKCS7_verify() function, the BIO *indata parameter refers to the
49   signed data if the content is detached from p7. Otherwise, indata should be
50   NULL, and then the signed data must be in p7.
51
52   The previous OpenSSL implementation only supported MIME inner content
53   [RFC 5652, section 5.2].
54
55   The added functionality now enables support for PKCS#7 inner content
56   [RFC 2315, section 7].
57
58   *Małgorzata Olszówka*
59
60 * The `-rawin` option of the `pkeyutl` command is now implied (and thus no
61   longer required) when using `-digest` or when signing or verifying with an
62   Ed25519 or Ed448 key.
63   The `-digest` and `-rawin` option may only be given with `-sign` or `verify`.
64
65   *David von Oheimb*
66
67 * Optionally allow the FIPS provider to use the `JITTER` entropy source.
68   Note that using this option will require the resulting FIPS provider
69   to undergo entropy source validation [ESV] by the [CMVP], without this
70   the FIPS provider will not be FIPS compliant.  Enable this using the
71   configuration option `enable-fips-jitter`.
72
73   *Paul Dale*
74
75OpenSSL 3.4
76-----------
77
78### Changes between 3.3 and 3.4 [xx XXX xxxx]
79
80 * For the FIPS provider only, replaced the primary DRBG with a continuous
81   health check module.  This also removes the now forbidden DRBG chaining.
82
83   *Paul Dale*
84
85 * Improved base64 BIO correctness and error reporting.
86
87   *Viktor Dukhovni*
88
89 * Added support for directly fetched composite signature algorithms such as
90   RSA-SHA2-256 including new API functions in the EVP_PKEY_sign,
91   EVP_PKEY_verify and EVP_PKEY_verify_recover groups.
92
93   *Richard Levitte*
94
95 * XOF Digest API improvements
96
97   EVP_MD_CTX_get_size() and EVP_MD_CTX_size are macros that were aliased to
98   EVP_MD_get_size which returns a constant value. XOF Digests such as SHAKE
99   have an output size that is not fixed, so calling EVP_MD_get_size() is not
100   sufficent. The existing macros now point to the new function
101   EVP_MD_CTX_get_size_ex() which will retrieve the "size" for a XOF digest,
102   otherwise it falls back to calling EVP_MD_get_size(). Note that the SHAKE
103   implementation did not have a context getter previously, so the "size" will
104   only be able to be retrieved with new providers.
105
106   Also added a EVP_xof() helper.
107
108   *Shane Lontis*
109
110 * Added FIPS indicators to the FIPS provider.
111
112   FIPS 140-3 requires indicators to be used if the FIPS provider allows
113   non-approved algorithms. An algorithm is approved if it passes all
114   required checks such as minimum key size. By default an error will
115   occur if any check fails. For backwards compatibility individual
116   algorithms may override the checks by using either an option in the
117   FIPS configuration OR in code using an algorithm context setter.
118   Overriding the check means that the algorithm is not FIPS compliant.
119   OSSL_INDICATOR_set_callback() can be called to register a callback
120   to log unapproved algorithms. At the end of any algorithm operation
121   the approved status can be queried using an algorithm context getter.
122   FIPS provider configuration options are set using 'openssl fipsinstall'.
123
124   Note that new FIPS 140-3 restrictions have been enforced such as
125   RSA Encryption using PKCS1 padding is no longer approved.
126   Documentation related to the changes can be found on the [fips_module(7)]
127   manual page.
128
129   [fips_module(7)]: https://docs.openssl.org/master/man7/fips_module/#FIPS indicators
130
131   *Shane Lontis, Paul Dale, Po-Hsing Wu and Dimitri John Ledkov*
132
133 * Added support for hardware acceleration for HMAC on S390x architecture.
134
135   *Ingo Franzki*
136
137 * Added debuginfo Makefile target for unix platforms to produce
138   a separate DWARF info file from the corresponding shared libs.
139
140   *Neil Horman*
141
142 * Added support for encapsulation and decapsulation operations in the
143   pkeyutl command.
144
145   *Dmitry Belyavskiy*
146
147 * Added implementation of RFC 9579 (PBMAC1) in PKCS#12.
148
149   *Dmitry Belyavskiy*
150
151 * Add a new random seed source RNG `JITTER` using a statically linked
152   jitterentropy library.
153
154   *Dimitri John Ledkov*
155
156 * Added a feature to retrieve configured TLS signature algorithms,
157   e.g., via the openssl list command.
158
159   *Michael Baentsch*
160
161 * Deprecated TS_VERIFY_CTX_set_* functions and added replacement
162   TS_VERIFY_CTX_set0_* functions with improved semantics.
163
164   *Tobias Erbsland*
165
166 * Redesigned Windows use of OPENSSLDIR/ENGINESDIR/MODULESDIR such that
167   what were formerly build time locations can now be defined at run time
168   with registry keys. See NOTES-WINDOWS.md.
169
170   *Neil Horman*
171
172 * Added options `-not_before` and `-not_after` for explicit setting
173   start and end dates of certificates created with the `req` and `x509`
174   commands. Added the same options also to `ca` command as alias for
175   `-startdate` and `-enddate` options.
176
177   *Stephan Wurm*
178
179 * The X25519 and X448 key exchange implementation in the FIPS provider
180   is unapproved and has `fips=no` property.
181
182   *Tomáš Mráz*
183
184 * SHAKE-128 and SHAKE-256 implementations have no default digest length
185   anymore. That means these algorithms cannot be used with
186   EVP_DigestFinal/_ex() unless the `xoflen` param is set before.
187
188   This change was necessary because the preexisting default lengths were
189   half the size necessary for full collision resistance supported by these
190   algorithms.
191
192   *Tomáš Mráz*
193
194 * Setting `config_diagnostics=1` in the config file will cause errors to
195   be returned from SSL_CTX_new() and SSL_CTX_new_ex() if there is an error
196   in the ssl module configuration.
197
198   *Tomáš Mráz*
199
200 * An empty renegotiate extension will be used in TLS client hellos instead
201   of the empty renegotiation SCSV, for all connections with a minimum TLS
202   version > 1.0.
203
204   *Tim Perry*
205
206 * Added support for integrity-only cipher suites TLS_SHA256_SHA256 and
207   TLS_SHA384_SHA384 in TLS 1.3, as defined in RFC 9150.
208
209   This work was sponsored by Siemens AG.
210
211   *Rajeev Ranjan*
212
213 * Added support for requesting CRL in CMP.
214
215   This work was sponsored by Siemens AG.
216
217   *Rajeev Ranjan*
218
219 * Added support for issuedOnBehalfOf, auditIdentity, basicAttConstraints,
220   userNotice, acceptablePrivilegePolicies, acceptableCertPolicies,
221   subjectDirectoryAttributes, associatedInformation, delegatedNameConstraints,
222   holderNameConstraints and targetingInformation X.509v3 extensions.
223
224   *Jonathan M. Wilbur*
225
226 * Added Attribute Certificate (RFC 5755) support. Attribute
227   Certificates can be created, parsed, modified and printed via the
228   public API. There is no command-line tool support at this time.
229
230   *Damian Hobson-Garcia*
231
232 * Added support to build Position Independent Executables (PIE). Configuration
233   option `enable-pie` configures the cflag '-fPIE' and ldflag '-pie' to
234   support Address Space Layout Randomization (ASLR) in the openssl executable,
235   removes reliance on external toolchain configurations.
236
237   *Craig Lorentzen*
238
239 * SSL_SESSION_get_time()/SSL_SESSION_set_time()/SSL_CTX_flush_sessions() have
240   been deprecated in favour of their respective ..._ex() replacement functions
241   which are Y2038-safe.
242
243   *Alexander Kanavin*
244
245 * ECC groups may now customize their initialization to save CPU by using
246   precomputed values. This is used by the P-256 implementation.
247
248   *Watson Ladd*
249
250OpenSSL 3.3
251-----------
252
253### Changes between 3.3.2 and 3.3.3 [xx XXX xxxx]
254
255 * Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic
256   curve parameters.
257
258   Use of the low-level GF(2^m) elliptic curve APIs with untrusted
259   explicit values for the field polynomial can lead to out-of-bounds memory
260   reads or writes.
261   Applications working with "exotic" explicit binary (GF(2^m)) curve
262   parameters, that make it possible to represent invalid field polynomials
263   with a zero constant term, via the above or similar APIs, may terminate
264   abruptly as a result of reading or writing outside of array bounds. Remote
265   code execution cannot easily be ruled out.
266
267   ([CVE-2024-9143])
268
269   *Viktor Dukhovni*
270
271### Changes between 3.3.1 and 3.3.2 [3 Sep 2024]
272
273 * Fixed possible denial of service in X.509 name checks.
274
275   Applications performing certificate name checks (e.g., TLS clients checking
276   server certificates) may attempt to read an invalid memory address when
277   comparing the expected name with an `otherName` subject alternative name of
278   an X.509 certificate. This may result in an exception that terminates the
279   application program.
280
281   ([CVE-2024-6119])
282
283   *Viktor Dukhovni*
284
285 * Fixed possible buffer overread in SSL_select_next_proto().
286
287   Calling the OpenSSL API function SSL_select_next_proto with an empty
288   supported client protocols buffer may cause a crash or memory contents
289   to be sent to the peer.
290
291   ([CVE-2024-5535])
292
293   *Matt Caswell*
294
295### Changes between 3.3.0 and 3.3.1 [4 Jun 2024]
296
297 * Fixed potential use after free after SSL_free_buffers() is called.
298
299   The SSL_free_buffers function is used to free the internal OpenSSL
300   buffer used when processing an incoming record from the network.
301   The call is only expected to succeed if the buffer is not currently
302   in use. However, two scenarios have been identified where the buffer
303   is freed even when still in use.
304
305   The first scenario occurs where a record header has been received
306   from the network and processed by OpenSSL, but the full record body
307   has not yet arrived. In this case calling SSL_free_buffers will succeed
308   even though a record has only been partially processed and the buffer
309   is still in use.
310
311   The second scenario occurs where a full record containing application
312   data has been received and processed by OpenSSL but the application has
313   only read part of this data. Again a call to SSL_free_buffers will
314   succeed even though the buffer is still in use.
315
316   ([CVE-2024-4741])
317
318   *Matt Caswell*
319
320 * Fixed an issue where checking excessively long DSA keys or parameters may
321   be very slow.
322
323   Applications that use the functions EVP_PKEY_param_check() or
324   EVP_PKEY_public_check() to check a DSA public key or DSA parameters may
325   experience long delays. Where the key or parameters that are being checked
326   have been obtained from an untrusted source this may lead to a Denial of
327   Service.
328
329   To resolve this issue DSA keys larger than OPENSSL_DSA_MAX_MODULUS_BITS
330   will now fail the check immediately with a DSA_R_MODULUS_TOO_LARGE error
331   reason.
332
333   ([CVE-2024-4603])
334
335   *Tomáš Mráz*
336
337 * Improved EC/DSA nonce generation routines to avoid bias and timing
338   side channel leaks.
339
340   Thanks to Florian Sieck from Universität zu Lübeck and George Pantelakis
341   and Hubert Kario from Red Hat for reporting the issues.
342
343   *Tomáš Mráz and Paul Dale*
344
345### Changes between 3.2 and 3.3.0 [9 Apr 2024]
346
347 * The `-verify` option to the `openssl crl` and `openssl req` will make
348   the program exit with 1 on failure.
349
350   *Vladimír Kotal*
351
352 * The BIO_get_new_index() function can only be called 127 times before it
353   reaches its upper bound of BIO_TYPE_MASK. It will now correctly return an
354   error of -1 once it is exhausted. Users may need to reserve using this
355   function for cases where BIO_find_type() is required. Either BIO_TYPE_NONE
356   or BIO_get_new_index() can be used to supply a type to BIO_meth_new().
357
358   *Shane Lontis*
359
360 * Added API functions SSL_SESSION_get_time_ex(), SSL_SESSION_set_time_ex()
361   using time_t which is Y2038 safe on 32 bit systems when 64 bit time
362   is enabled (e.g via setting glibc macro _TIME_BITS=64).
363
364   *Ijtaba Hussain*
365
366 * The d2i_ASN1_GENERALIZEDTIME(), d2i_ASN1_UTCTIME(), ASN1_TIME_check(), and
367   related functions have been augmented to check for a minimum length of
368   the input string, in accordance with ITU-T X.690 section 11.7 and 11.8.
369
370   *Job Snijders*
371
372 * Unknown entries in TLS SignatureAlgorithms, ClientSignatureAlgorithms
373   config options and the respective calls to SSL[_CTX]_set1_sigalgs() and
374   SSL[_CTX]_set1_client_sigalgs() that start with `?` character are
375   ignored and the configuration will still be used.
376
377   Similarly unknown entries that start with `?` character in a TLS
378   Groups config option or set with SSL[_CTX]_set1_groups_list() are ignored
379   and the configuration will still be used.
380
381   In both cases if the resulting list is empty, an error is returned.
382
383   *Tomáš Mráz*
384
385 * The EVP_PKEY_fromdata function has been augmented to allow for the derivation
386   of CRT (Chinese Remainder Theorem) parameters when requested.  See the
387   OSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ param in the EVP_PKEY-RSA documentation.
388
389   *Neil Horman*
390
391 * The activate and soft_load configuration settings for providers in
392   openssl.cnf have been updated to require a value of [1|yes|true|on]
393   (in lower or UPPER case) to enable the setting. Conversely a value
394   of [0|no|false|off] will disable the setting. All other values, or the
395   omission of a value for these settings will result in an error.
396
397    *Neil Horman*
398
399 * Added `-set_issuer` and `-set_subject` options to `openssl x509` to
400   override the Issuer and Subject when creating a certificate. The `-subj`
401   option now is an alias for `-set_subject`.
402
403    *Job Snijders, George Michaelson*
404
405 * OPENSSL_sk_push() and sk_<TYPE>_push() functions now return 0 instead of -1
406   if called with a NULL stack argument.
407
408   *Tomáš Mráz*
409
410 * In `openssl speed`, changed the default hash function used with `hmac` from
411   `md5` to `sha256`.
412
413   *James Muir*
414
415 * Added several new features of CMPv3 defined in RFC 9480 and RFC 9483:
416   - `certProfile` request message header and respective `-profile` CLI option
417   - support for delayed delivery of all types of response messages
418
419   *David von Oheimb*
420
421 * The build of exporters (such as `.pc` files for pkg-config) cleaned up to
422   be less hard coded in the build file templates, and to allow easier
423   addition of more exporters.  With that, an exporter for CMake is also
424   added.
425
426   *Richard Levitte*
427
428 * The BLAKE2s hash algorithm matches BLAKE2b's support
429   for configurable output length.
430
431   *Ahelenia Ziemiańska*
432
433 * New option `SSL_OP_PREFER_NO_DHE_KEX`, which allows configuring a TLS1.3
434   server to prefer session resumption using PSK-only key exchange over PSK
435   with DHE, if both are available.
436
437   *Markus Minichmayr, Tapkey GmbH*
438
439 * New API `SSL_write_ex2`, which can be used to send an end-of-stream (FIN)
440   condition in an optimised way when using QUIC.
441
442   *Hugo Landau*
443
444 * New atexit configuration switch, which controls whether the OPENSSL_cleanup
445   is registered when libcrypto is unloaded. This is turned off on NonStop
446   configurations because of loader differences on that platform compared to
447   Linux.
448
449   *Randall S. Becker*
450
451 * Support for qlog for tracing QUIC connections has been added.
452
453   The qlog output from OpenSSL currently uses a pre-standard draft version of
454   qlog. The output from OpenSSL will change in incompatible ways in future
455   releases, and is not subject to any format stability or compatibility
456   guarantees at this time. This functionality can be
457   disabled with the build-time option `no-unstable-qlog`. See the
458   openssl-qlog(7) manpage for details.
459
460   *Hugo Landau*
461
462 * Added APIs to allow configuring the negotiated idle timeout for QUIC
463   connections, and to allow determining the number of additional streams
464   that can currently be created for a QUIC connection.
465
466   *Hugo Landau*
467
468 * Added APIs to allow disabling implicit QUIC event processing for
469   QUIC SSL objects, allowing applications to control when event handling
470   occurs. Refer to the SSL_get_value_uint(3) manpage for details.
471
472   *Hugo Landau*
473
474 * Limited support for polling of QUIC connection and stream objects in a
475   non-blocking manner. Refer to the SSL_poll(3) manpage for details.
476
477   *Hugo Landau*
478
479 * Added APIs to allow querying the size and utilisation of a QUIC stream's
480   write buffer. Refer to the SSL_get_value_uint(3) manpage for details.
481
482   *Hugo Landau*
483
484 * New limit on HTTP response headers is introduced to HTTP client. The
485   default limit is set to 256 header lines. If limit is exceeded the
486   response processing stops with error HTTP_R_RESPONSE_TOO_MANY_HDRLINES.
487   Application may call OSSL_HTTP_REQ_CTX_set_max_response_hdr_lines(3)
488   to change the default. Setting the value to 0 disables the limit.
489
490   *Alexandr Nedvedicky*
491
492 * Applied AES-GCM unroll8 optimisation to Microsoft Azure Cobalt 100
493
494   *Tom Cosgrove*
495
496 * Added X509_STORE_get1_objects to avoid issues with the existing
497   X509_STORE_get0_objects API in multi-threaded applications. Refer to the
498   documentation for details.
499
500   *David Benjamin*
501
502 * Added assembly implementation for md5 on loongarch64
503
504   *Min Zhou*
505
506 * Optimized AES-CTR for ARM Neoverse V1 and V2
507
508   *Fisher Yu*
509
510 * Enable AES and SHA3 optimisations on Apple Silicon M3-based MacOS systems
511   similar to M1/M2.
512
513   *Tom Cosgrove*
514
515 * Added a new EVP_DigestSqueeze() API. This allows SHAKE to squeeze multiple
516   times with different output sizes.
517
518   *Shane Lontis, Holger Dengler*
519
520 * Various optimizations for cryptographic routines using RISC-V vector crypto
521   extensions
522
523   *Christoph Müllner, Charalampos Mitrodimas, Ard Biesheuvel, Phoebe Chen,
524    Jerry Shih*
525
526 * Accept longer context for TLS 1.2 exporters
527
528   While RFC 5705 implies that the maximum length of a context for exporters is
529   65535 bytes as the length is embedded in uint16, the previous implementation
530   enforced a much smaller limit, which is less than 1024 bytes. This
531   restriction has been removed.
532
533   *Daiki Ueno*
534
535OpenSSL 3.2
536-----------
537
538### Changes between 3.2.1 and 3.2.2 [xx XXX xxxx]
539
540 * Fixed an issue where some non-default TLS server configurations can cause
541   unbounded memory growth when processing TLSv1.3 sessions. An attacker may
542   exploit certain server configurations to trigger unbounded memory growth that
543   would lead to a Denial of Service
544
545   This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option
546   is being used (but not if early_data is also configured and the default
547   anti-replay protection is in use). In this case, under certain conditions,
548   the session cache can get into an incorrect state and it will fail to flush
549   properly as it fills. The session cache will continue to grow in an unbounded
550   manner. A malicious client could deliberately create the scenario for this
551   failure to force a Denial of Service. It may also happen by accident in
552   normal operation.
553
554   ([CVE-2024-2511])
555
556   *Matt Caswell*
557
558 * Fixed bug where SSL_export_keying_material() could not be used with QUIC
559   connections. (#23560)
560
561   *Hugo Landau*
562
563### Changes between 3.2.0 and 3.2.1 [30 Jan 2024]
564
565 * A file in PKCS12 format can contain certificates and keys and may come from
566   an untrusted source. The PKCS12 specification allows certain fields to be
567   NULL, but OpenSSL did not correctly check for this case. A fix has been
568   applied to prevent a NULL pointer dereference that results in OpenSSL
569   crashing. If an application processes PKCS12 files from an untrusted source
570   using the OpenSSL APIs then that application will be vulnerable to this
571   issue prior to this fix.
572
573   OpenSSL APIs that were vulnerable to this are: PKCS12_parse(),
574   PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()
575   and PKCS12_newpass().
576
577   We have also fixed a similar issue in SMIME_write_PKCS7(). However since this
578   function is related to writing data we do not consider it security
579   significant.
580
581   ([CVE-2024-0727])
582
583   *Matt Caswell*
584
585 * When function EVP_PKEY_public_check() is called on RSA public keys,
586   a computation is done to confirm that the RSA modulus, n, is composite.
587   For valid RSA keys, n is a product of two or more large primes and this
588   computation completes quickly. However, if n is an overly large prime,
589   then this computation would take a long time.
590
591   An application that calls EVP_PKEY_public_check() and supplies an RSA key
592   obtained from an untrusted source could be vulnerable to a Denial of Service
593   attack.
594
595   The function EVP_PKEY_public_check() is not called from other OpenSSL
596   functions however it is called from the OpenSSL pkey command line
597   application. For that reason that application is also vulnerable if used
598   with the "-pubin" and "-check" options on untrusted data.
599
600   To resolve this issue RSA keys larger than OPENSSL_RSA_MAX_MODULUS_BITS will
601   now fail the check immediately with an RSA_R_MODULUS_TOO_LARGE error reason.
602
603   ([CVE-2023-6237])
604
605   *Tomáš Mráz*
606
607 * Restore the encoding of SM2 PrivateKeyInfo and SubjectPublicKeyInfo to
608   have the contained AlgorithmIdentifier.algorithm set to id-ecPublicKey
609   rather than SM2.
610
611   *Richard Levitte*
612
613 * The POLY1305 MAC (message authentication code) implementation in OpenSSL
614   for PowerPC CPUs saves the contents of vector registers in different
615   order than they are restored. Thus the contents of some of these vector
616   registers is corrupted when returning to the caller. The vulnerable code is
617   used only on newer PowerPC processors supporting the PowerISA 2.07
618   instructions.
619
620   The consequences of this kind of internal application state corruption can
621   be various - from no consequences, if the calling application does not
622   depend on the contents of non-volatile XMM registers at all, to the worst
623   consequences, where the attacker could get complete control of the
624   application process. However unless the compiler uses the vector registers
625   for storing pointers, the most likely consequence, if any, would be an
626   incorrect result of some application dependent calculations or a crash
627   leading to a denial of service.
628
629   ([CVE-2023-6129])
630
631   *Rohan McLure*
632
633 * Disable building QUIC server utility when OpenSSL is configured with
634   `no-apps`.
635
636   *Vitalii Koshura*
637
638### Changes between 3.1 and 3.2.0 [23 Nov 2023]
639
640 * Fix excessive time spent in DH check / generation with large Q parameter
641   value.
642
643   Applications that use the functions DH_generate_key() to generate an
644   X9.42 DH key may experience long delays. Likewise, applications that use
645   DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()
646   to check an X9.42 DH key or X9.42 DH parameters may experience long delays.
647   Where the key or parameters that are being checked have been obtained from
648   an untrusted source this may lead to a Denial of Service.
649
650   ([CVE-2023-5678])
651
652   *Richard Levitte*
653
654 * The BLAKE2b hash algorithm supports a configurable output length
655   by setting the "size" parameter.
656
657   *Čestmír Kalina and Tomáš Mráz*
658
659 * Enable extra Arm64 optimization on Windows for GHASH, RAND and AES.
660
661   *Evgeny Karpov*
662
663 * Added a function to delete objects from store by URI - OSSL_STORE_delete()
664   and the corresponding provider-storemgmt API function
665   OSSL_FUNC_store_delete().
666
667   *Dmitry Belyavskiy*
668
669 * Added OSSL_FUNC_store_open_ex() provider-storemgmt API function to pass
670   a passphrase callback when opening a store.
671
672   *Simo Sorce*
673
674 * Changed the default salt length used by PBES2 KDF's (PBKDF2 and scrypt)
675   from 8 bytes to 16 bytes.
676   The PKCS5 (RFC 8018) standard uses a 64 bit salt length for PBE, and
677   recommends a minimum of 64 bits for PBES2. For FIPS compliance PBKDF2
678   requires a salt length of 128 bits. This affects OpenSSL command line
679   applications such as "genrsa" and "pkcs8" and API's such as
680   PEM_write_bio_PrivateKey() that are reliant on the default value.
681   The additional commandline option 'saltlen' has been added to the
682   OpenSSL command line applications for "pkcs8" and "enc" to allow the
683   salt length to be set to a non default value.
684
685   *Shane Lontis*
686
687 * Changed the default value of the `ess_cert_id_alg` configuration
688   option which is used to calculate the TSA's public key certificate
689   identifier. The default algorithm is updated to be sha256 instead
690   of sha1.
691
692   *Małgorzata Olszówka*
693
694 * Added optimization for SM2 algorithm on aarch64. It uses a huge precomputed
695   table for point multiplication of the base point, which increases the size of
696   libcrypto from 4.4 MB to 4.9 MB. A new configure option `no-sm2-precomp` has
697   been added to disable the precomputed table.
698
699   *Xu Yizhou*
700
701 * Added client side support for QUIC
702
703   *Hugo Landau, Matt Caswell, Paul Dale, Tomáš Mráz, Richard Levitte*
704
705 * Added multiple tutorials on the OpenSSL library and in particular
706   on writing various clients (using TLS and QUIC protocols) with libssl.
707
708   *Matt Caswell*
709
710 * Added secp384r1 implementation using Solinas' reduction to improve
711   speed of the NIST P-384 elliptic curve. To enable the implementation
712   the build option `enable-ec_nistp_64_gcc_128` must be used.
713
714   *Rohan McLure*
715
716 * Improved RFC7468 compliance of the asn1parse command.
717
718   *Matthias St. Pierre*
719
720 * Added SHA256/192 algorithm support.
721
722   *Fergus Dall*
723
724 * Added support for securely getting root CA certificate update in
725   CMP.
726
727   *David von Oheimb*
728
729 * Improved contention on global write locks by using more read locks where
730   appropriate.
731
732   *Matt Caswell*
733
734 * Improved performance of OSSL_PARAM lookups in performance critical
735   provider functions.
736
737   *Paul Dale*
738
739 * Added the SSL_get0_group_name() function to provide access to the
740   name of the group used for the TLS key exchange.
741
742   *Alex Bozarth*
743
744 * Provide a new configure option `no-http` that can be used to disable the
745   HTTP support. Provide new configure options `no-apps` and `no-docs` to
746   disable building the openssl command line application and the documentation.
747
748   *Vladimír Kotal*
749
750 * Provide a new configure option `no-ecx` that can be used to disable the
751   X25519, X448, and EdDSA support.
752
753   *Yi Li*
754
755 * When multiple OSSL_KDF_PARAM_INFO parameters are passed to
756   the EVP_KDF_CTX_set_params() function they are now concatenated not just
757   for the HKDF algorithm but also for SSKDF and X9.63 KDF algorithms.
758
759   *Paul Dale*
760
761 * Added OSSL_FUNC_keymgmt_im/export_types_ex() provider functions that get
762   the provider context as a parameter.
763
764   *Ingo Franzki*
765
766 * TLS round-trip time calculation was added by a Brigham Young University
767   Capstone team partnering with Sandia National Laboratories. A new function
768   in ssl_lib titled SSL_get_handshake_rtt will calculate and retrieve this
769   value.
770
771   *Jairus Christensen*
772
773 * Added the "-quic" option to s_client to enable connectivity to QUIC servers.
774   QUIC requires the use of ALPN, so this must be specified via the "-alpn"
775   option. Use of the "advanced" s_client command command via the "-adv" option
776   is recommended.
777
778   *Matt Caswell*
779
780 * Added an "advanced" command mode to s_client. Use this with the "-adv"
781   option. The old "basic" command mode recognises certain letters that must
782   always appear at the start of a line and cannot be escaped. The advanced
783   command mode enables commands to be entered anywhere and there is an
784   escaping mechanism. After starting s_client with "-adv" type "{help}"
785   to show a list of available commands.
786
787   *Matt Caswell*
788
789 * Add Raw Public Key (RFC7250) support. Authentication is supported
790   by matching keys against either local policy (TLSA records synthesised
791   from the expected keys) or DANE (TLSA records obtained by the
792   application from DNS). TLSA records will also match the same key in
793   the server certificate, should RPK use not happen to be negotiated.
794
795   *Todd Short*
796
797 * Added support for modular exponentiation and CRT offloading for the
798   S390x architecture.
799
800   *Juergen Christ*
801
802 * Added further assembler code for the RISC-V architecture.
803
804   *Christoph Müllner*
805
806 * Added EC_GROUP_to_params() which creates an OSSL_PARAM array
807   from a given EC_GROUP.
808
809   *Oliver Mihatsch*
810
811 * Improved support for non-default library contexts and property queries
812   when parsing PKCS#12 files.
813
814   *Shane Lontis*
815
816 * Implemented support for all five instances of EdDSA from RFC8032:
817   Ed25519, Ed25519ctx, Ed25519ph, Ed448, and Ed448ph.
818   The streaming is not yet supported for the HashEdDSA variants
819   (Ed25519ph and Ed448ph).
820
821   *James Muir*
822
823 * Added SM4 optimization for ARM processors using ASIMD and AES HW
824   instructions.
825
826   *Xu Yizhou*
827
828 * Implemented SM4-XTS support.
829
830   *Xu Yizhou*
831
832 * Added platform-agnostic OSSL_sleep() function.
833
834   *Richard Levitte*
835
836 * Implemented deterministic ECDSA signatures (RFC6979) support.
837
838   *Shane Lontis*
839
840 * Implemented AES-GCM-SIV (RFC8452) support.
841
842   *Todd Short*
843
844 * Added support for pluggable (provider-based) TLS signature algorithms.
845   This enables TLS 1.3 authentication operations with algorithms embedded
846   in providers not included by default in OpenSSL. In combination with
847   the already available pluggable KEM and X.509 support, this enables
848   for example suitable providers to deliver post-quantum or quantum-safe
849   cryptography to OpenSSL users.
850
851   *Michael Baentsch*
852
853 * Added support for pluggable (provider-based) CMS signature algorithms.
854   This enables CMS sign and verify operations with algorithms embedded
855   in providers not included by default in OpenSSL.
856
857   *Michael Baentsch*
858
859 * Added support for Hybrid Public Key Encryption (HPKE) as defined
860   in RFC9180. HPKE is required for TLS Encrypted ClientHello (ECH),
861   Message Layer Security (MLS) and other IETF specifications.
862   HPKE can also be used by other applications that require
863   encrypting "to" an ECDH public key. External APIs are defined in
864   include/openssl/hpke.h and documented in doc/man3/OSSL_HPKE_CTX_new.pod
865
866   *Stephen Farrell*
867
868 * Implemented HPKE DHKEM support in providers used by HPKE (RFC9180)
869   API.
870
871   *Shane Lontis*
872
873 * Add support for certificate compression (RFC8879), including
874   library support for Brotli and Zstandard compression.
875
876   *Todd Short*
877
878 * Add the ability to add custom attributes to PKCS12 files. Add a new API
879   PKCS12_create_ex2, identical to the existing PKCS12_create_ex but allows
880   for a user specified callback and optional argument.
881   Added a new PKCS12_SAFEBAG_set0_attr, which allows for a new attr to be
882   added to the existing STACK_OF attrs.
883
884   *Graham Woodward*
885
886 * Major refactor of the libssl record layer.
887
888   *Matt Caswell*
889
890 * Add a mac salt length option for the pkcs12 command.
891
892   *Xinping Chen*
893
894 * Add more SRTP protection profiles from RFC8723 and RFC8269.
895
896   *Kijin Kim*
897
898 * Extended Kernel TLS (KTLS) to support TLS 1.3 receive offload.
899
900   *Daiki Ueno, John Baldwin and Dmitry Podgorny*
901
902 * Add support for TCP Fast Open (RFC7413) to macOS, Linux, and FreeBSD where
903   supported and enabled.
904
905   *Todd Short*
906
907 * Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489)
908   to the list of ciphersuites providing Perfect Forward Secrecy as
909   required by SECLEVEL >= 3.
910
911   *Dmitry Belyavskiy, Nicola Tuveri*
912
913 * Add new SSL APIs to aid in efficiently implementing TLS/SSL fingerprinting.
914   The SSL_CTRL_GET_IANA_GROUPS control code, exposed as the
915   SSL_get0_iana_groups() function-like macro, retrieves the list of
916   supported groups sent by the peer.
917   The function SSL_client_hello_get_extension_order() populates
918   a caller-supplied array with the list of extension types present in the
919   ClientHello, in order of appearance.
920
921   *Phus Lu*
922
923 * Fixed PEM_write_bio_PKCS8PrivateKey() and PEM_write_bio_PKCS8PrivateKey_nid()
924   to make it possible to use empty passphrase strings.
925
926   *Darshan Sen*
927
928 * The PKCS12_parse() function now supports MAC-less PKCS12 files.
929
930   *Daniel Fiala*
931
932 * Added ASYNC_set_mem_functions() and ASYNC_get_mem_functions() calls to be able
933   to change functions used for allocating the memory of asynchronous call stack.
934
935   *Arran Cudbard-Bell*
936
937 * Added support for signed BIGNUMs in the OSSL_PARAM APIs.
938
939   *Richard Levitte*
940
941 * A failure exit code is returned when using the openssl x509 command to check
942   certificate attributes and the checks fail.
943
944   *Rami Khaldi*
945
946 * The default SSL/TLS security level has been changed from 1 to 2. RSA,
947   DSA and DH keys of 1024 bits and above and less than 2048 bits and ECC keys
948   of 160 bits and above and less than 224 bits were previously accepted by
949   default but are now no longer allowed. By default TLS compression was
950   already disabled in previous OpenSSL versions. At security level 2 it cannot
951   be enabled.
952
953   *Matt Caswell*
954
955 * The SSL_CTX_set_cipher_list family functions now accept ciphers using their
956   IANA standard names.
957
958   *Erik Lax*
959
960 * The PVK key derivation function has been moved from b2i_PVK_bio_ex() into
961   the legacy crypto provider as an EVP_KDF. Applications requiring this KDF
962   will need to load the legacy crypto provider.
963
964   *Paul Dale*
965
966 * CCM8 cipher suites in TLS have been downgraded to security level zero
967   because they use a short authentication tag which lowers their strength.
968
969   *Paul Dale*
970
971 * Subject or issuer names in X.509 objects are now displayed as UTF-8 strings
972   by default. Also spaces surrounding `=` in DN output are removed.
973
974   *Dmitry Belyavskiy*
975
976 * Add X.509 certificate codeSigning purpose and related checks on key usage and
977   extended key usage of the leaf certificate according to the CA/Browser Forum.
978
979   * Lutz Jänicke*
980
981 * The `x509`, `ca`, and `req` commands now produce X.509 v3 certificates.
982   The `-x509v1` option of `req` prefers generation of X.509 v1 certificates.
983   `X509_sign()` and `X509_sign_ctx()` make sure that the certificate has
984   X.509 version 3 if the certificate information includes X.509 extensions.
985
986   *David von Oheimb*
987
988 * Fix and extend certificate handling and the commands `x509`, `verify` etc.
989   such as adding a trace facility for debugging certificate chain building.
990
991   *David von Oheimb*
992
993 * Various fixes and extensions to the CMP+CRMF implementation and the `cmp` app
994   in particular supporting requests for central key generation, generalized
995   polling, and various types of genm/genp exchanges defined in CMP Updates.
996
997   *David von Oheimb*
998
999 * Fixes and extensions to the HTTP client and to the HTTP server in `apps/`
1000   like correcting the TLS and proxy support and adding tracing for debugging.
1001
1002   *David von Oheimb*
1003
1004 * Extended the CMS API for handling `CMS_SignedData` and `CMS_EnvelopedData`.
1005
1006   *David von Oheimb*
1007
1008 * `CMS_add0_cert()` and `CMS_add1_cert()` no longer throw an error if
1009   a certificate to be added is already present. `CMS_sign_ex()` and
1010   `CMS_sign()` now ignore any duplicate certificates in their `certs` argument
1011   and no longer throw an error for them.
1012
1013   *David von Oheimb*
1014
1015 * Fixed and extended `util/check-format.pl` for checking adherence to the
1016   coding style <https://www.openssl.org/policies/technical/coding-style.html>.
1017   The checks are meanwhile more complete and yield fewer false positives.
1018
1019   *David von Oheimb*
1020
1021 * Added BIO_s_dgram_pair() and BIO_s_dgram_mem() that provide memory-based
1022   BIOs with datagram semantics and support for BIO_sendmmsg() and BIO_recvmmsg()
1023   calls. They can be used as the transport BIOs for QUIC.
1024
1025   *Hugo Landau, Matt Caswell and Tomáš Mráz*
1026
1027 * Add new BIO_sendmmsg() and BIO_recvmmsg() BIO methods which allow
1028   sending and receiving multiple messages in a single call. An implementation
1029   is provided for BIO_dgram. For further details, see BIO_sendmmsg(3).
1030
1031   *Hugo Landau*
1032
1033 * Support for loading root certificates from the Windows certificate store
1034   has been added. The support is in the form of a store which recognises the
1035   URI string of `org.openssl.winstore://`. This URI scheme currently takes no
1036   arguments. This store is built by default and can be disabled using the new
1037   compile-time option `no-winstore`. This store is not currently used by
1038   default and must be loaded explicitly using the above store URI. It is
1039   expected to be loaded by default in the future.
1040
1041   *Hugo Landau*
1042
1043 * Enable KTLS with the TLS 1.3 CCM mode ciphersuites. Note that some linux
1044   kernel versions that support KTLS have a known bug in CCM processing. That
1045   has been fixed in stable releases starting from 5.4.164, 5.10.84, 5.15.7,
1046   and all releases since 5.16. KTLS with CCM ciphersuites should be only used
1047   on these releases.
1048
1049   *Tianjia Zhang*
1050
1051 * Added `-ktls` option to `s_server` and `s_client` commands to enable the
1052   KTLS support.
1053
1054   *Tianjia Zhang*
1055
1056 * Zerocopy KTLS sendfile() support on Linux.
1057
1058   *Maxim Mikityanskiy*
1059
1060 * The OBJ_ calls are now thread safe using a global lock.
1061
1062   *Paul Dale*
1063
1064 * New parameter `-digest` for openssl cms command allowing signing
1065   pre-computed digests and new CMS API functions supporting that
1066   functionality.
1067
1068   *Viktor Söderqvist*
1069
1070 * OPENSSL_malloc() and other allocation functions now raise errors on
1071   allocation failures. The callers do not need to explicitly raise errors
1072   unless they want to for tracing purposes.
1073
1074   *David von Oheimb*
1075
1076 * Added and enabled by default implicit rejection in RSA PKCS#1 v1.5
1077   decryption as a protection against Bleichenbacher-like attacks.
1078   The RSA decryption API will now return a randomly generated deterministic
1079   message instead of an error in case it detects an error when checking
1080   padding during PKCS#1 v1.5 decryption. This is a general protection against
1081   issues like CVE-2020-25659 and CVE-2020-25657. This protection can be
1082   disabled by calling
1083   `EVP_PKEY_CTX_ctrl_str(ctx, "rsa_pkcs1_implicit_rejection". "0")`
1084   on the RSA decryption context.
1085
1086   *Hubert Kario*
1087
1088 * Added support for Brainpool curves in TLS-1.3.
1089
1090   *Bernd Edlinger and Matt Caswell*
1091
1092 * Added OpenBSD specific build targets.
1093
1094   *David Carlier*
1095
1096 * Support for Argon2d, Argon2i, Argon2id KDFs has been added along with
1097   a basic thread pool implementation for select platforms.
1098
1099   *Čestmír Kalina*
1100
1101OpenSSL 3.1
1102-----------
1103
1104### Changes between 3.1.3 and 3.1.4 [24 Oct 2023]
1105
1106 * Fix incorrect key and IV resizing issues when calling EVP_EncryptInit_ex2(),
1107   EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() with OSSL_PARAM parameters
1108   that alter the key or IV length ([CVE-2023-5363]).
1109
1110   *Paul Dale*
1111
1112### Changes between 3.1.2 and 3.1.3 [19 Sep 2023]
1113
1114 * Fix POLY1305 MAC implementation corrupting XMM registers on Windows.
1115
1116   The POLY1305 MAC (message authentication code) implementation in OpenSSL
1117   does not save the contents of non-volatile XMM registers on Windows 64
1118   platform when calculating the MAC of data larger than 64 bytes. Before
1119   returning to the caller all the XMM registers are set to zero rather than
1120   restoring their previous content. The vulnerable code is used only on newer
1121   x86_64 processors supporting the AVX512-IFMA instructions.
1122
1123   The consequences of this kind of internal application state corruption can
1124   be various - from no consequences, if the calling application does not
1125   depend on the contents of non-volatile XMM registers at all, to the worst
1126   consequences, where the attacker could get complete control of the
1127   application process. However given the contents of the registers are just
1128   zeroized so the attacker cannot put arbitrary values inside, the most likely
1129   consequence, if any, would be an incorrect result of some application
1130   dependent calculations or a crash leading to a denial of service.
1131
1132   ([CVE-2023-4807])
1133
1134   *Bernd Edlinger*
1135
1136### Changes between 3.1.1 and 3.1.2 [1 Aug 2023]
1137
1138 * Fix excessive time spent checking DH q parameter value.
1139
1140   The function DH_check() performs various checks on DH parameters. After
1141   fixing CVE-2023-3446 it was discovered that a large q parameter value can
1142   also trigger an overly long computation during some of these checks.
1143   A correct q value, if present, cannot be larger than the modulus p
1144   parameter, thus it is unnecessary to perform these checks if q is larger
1145   than p.
1146
1147   If DH_check() is called with such q parameter value,
1148   DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally
1149   intensive checks are skipped.
1150
1151   ([CVE-2023-3817])
1152
1153   *Tomáš Mráz*
1154
1155 * Fix DH_check() excessive time with over sized modulus.
1156
1157   The function DH_check() performs various checks on DH parameters. One of
1158   those checks confirms that the modulus ("p" parameter) is not too large.
1159   Trying to use a very large modulus is slow and OpenSSL will not normally use
1160   a modulus which is over 10,000 bits in length.
1161
1162   However the DH_check() function checks numerous aspects of the key or
1163   parameters that have been supplied. Some of those checks use the supplied
1164   modulus value even if it has already been found to be too large.
1165
1166   A new limit has been added to DH_check of 32,768 bits. Supplying a
1167   key/parameters with a modulus over this size will simply cause DH_check() to
1168   fail.
1169
1170   ([CVE-2023-3446])
1171
1172   *Matt Caswell*
1173
1174 * Do not ignore empty associated data entries with AES-SIV.
1175
1176   The AES-SIV algorithm allows for authentication of multiple associated
1177   data entries along with the encryption. To authenticate empty data the
1178   application has to call `EVP_EncryptUpdate()` (or `EVP_CipherUpdate()`)
1179   with NULL pointer as the output buffer and 0 as the input buffer length.
1180   The AES-SIV implementation in OpenSSL just returns success for such call
1181   instead of performing the associated data authentication operation.
1182   The empty data thus will not be authenticated. ([CVE-2023-2975])
1183
1184   Thanks to Juerg Wullschleger (Google) for discovering the issue.
1185
1186   The fix changes the authentication tag value and the ciphertext for
1187   applications that use empty associated data entries with AES-SIV.
1188   To decrypt data encrypted with previous versions of OpenSSL the application
1189   has to skip calls to `EVP_DecryptUpdate()` for empty associated data
1190   entries.
1191
1192   *Tomáš Mráz*
1193
1194 * When building with the `enable-fips` option and using the resulting
1195   FIPS provider, TLS 1.2 will, by default, mandate the use of an extended
1196   master secret (FIPS 140-3 IG G.Q) and the Hash and HMAC DRBGs will
1197   not operate with truncated digests (FIPS 140-3 IG G.R).
1198
1199   *Paul Dale*
1200
1201### Changes between 3.1.0 and 3.1.1 [30 May 2023]
1202
1203 * Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic
1204   OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.
1205
1206   OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical
1207   numeric text form.  For gigantic sub-identifiers, this would take a very
1208   long time, the time complexity being O(n^2) where n is the size of that
1209   sub-identifier.  ([CVE-2023-2650])
1210
1211   To mitigitate this, `OBJ_obj2txt()` will only translate an OBJECT
1212   IDENTIFIER to canonical numeric text form if the size of that OBJECT
1213   IDENTIFIER is 586 bytes or less, and fail otherwise.
1214
1215   The basis for this restriction is [RFC 2578 (STD 58), section 3.5]. OBJECT
1216   IDENTIFIER values, which stipulates that OBJECT IDENTIFIERS may have at
1217   most 128 sub-identifiers, and that the maximum value that each sub-
1218   identifier may have is 2^32-1 (4294967295 decimal).
1219
1220   For each byte of every sub-identifier, only the 7 lower bits are part of
1221   the value, so the maximum amount of bytes that an OBJECT IDENTIFIER with
1222   these restrictions may occupy is 32 * 128 / 7, which is approximately 586
1223   bytes.
1224
1225   *Richard Levitte*
1226
1227 * Multiple algorithm implementation fixes for ARM BE platforms.
1228
1229   *Liu-ErMeng*
1230
1231 * Added a -pedantic option to fipsinstall that adjusts the various
1232   settings to ensure strict FIPS compliance rather than backwards
1233   compatibility.
1234
1235   *Paul Dale*
1236
1237 * Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms which
1238   happens if the buffer size is 4 mod 5 in 16 byte AES blocks. This can
1239   trigger a crash of an application using AES-XTS decryption if the memory
1240   just after the buffer being decrypted is not mapped.
1241   Thanks to Anton Romanov (Amazon) for discovering the issue.
1242   ([CVE-2023-1255])
1243
1244   *Nevine Ebeid*
1245
1246 * Reworked the Fix for the Timing Oracle in RSA Decryption ([CVE-2022-4304]).
1247   The previous fix for this timing side channel turned out to cause
1248   a severe 2-3x performance regression in the typical use case
1249   compared to 3.0.7. The new fix uses existing constant time
1250   code paths, and restores the previous performance level while
1251   fully eliminating all existing timing side channels.
1252   The fix was developed by Bernd Edlinger with testing support
1253   by Hubert Kario.
1254
1255   *Bernd Edlinger*
1256
1257 * Add FIPS provider configuration option to disallow the use of
1258   truncated digests with Hash and HMAC DRBGs (q.v. FIPS 140-3 IG D.R.).
1259   The option '-no_drbg_truncated_digests' can optionally be
1260   supplied to 'openssl fipsinstall'.
1261
1262   *Paul Dale*
1263
1264 * Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
1265   that it does not enable policy checking. Thanks to David Benjamin for
1266   discovering this issue.
1267   ([CVE-2023-0466])
1268
1269   *Tomáš Mráz*
1270
1271 * Fixed an issue where invalid certificate policies in leaf certificates are
1272   silently ignored by OpenSSL and other certificate policy checks are skipped
1273   for that certificate. A malicious CA could use this to deliberately assert
1274   invalid certificate policies in order to circumvent policy checking on the
1275   certificate altogether.
1276   ([CVE-2023-0465])
1277
1278   *Matt Caswell*
1279
1280 * Limited the number of nodes created in a policy tree to mitigate
1281   against CVE-2023-0464.  The default limit is set to 1000 nodes, which
1282   should be sufficient for most installations.  If required, the limit
1283   can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build
1284   time define to a desired maximum number of nodes or zero to allow
1285   unlimited growth.
1286   ([CVE-2023-0464])
1287
1288   *Paul Dale*
1289
1290### Changes between 3.0 and 3.1.0 [14 Mar 2023]
1291
1292 * Add FIPS provider configuration option to enforce the
1293   Extended Master Secret (EMS) check during the TLS1_PRF KDF.
1294   The option '-ems_check' can optionally be supplied to
1295   'openssl fipsinstall'.
1296
1297   *Shane Lontis*
1298
1299 * The FIPS provider includes a few non-approved algorithms for
1300   backward compatibility purposes and the "fips=yes" property query
1301   must be used for all algorithm fetches to ensure FIPS compliance.
1302
1303   The algorithms that are included but not approved are Triple DES ECB,
1304   Triple DES CBC and EdDSA.
1305
1306   *Paul Dale*
1307
1308 * Added support for KMAC in KBKDF.
1309
1310   *Shane Lontis*
1311
1312 * RNDR and RNDRRS support in provider functions to provide
1313   random number generation for Arm CPUs (aarch64).
1314
1315   *Orr Toledano*
1316
1317 * `s_client` and `s_server` commands now explicitly say when the TLS version
1318   does not include the renegotiation mechanism. This avoids confusion
1319   between that scenario versus when the TLS version includes secure
1320   renegotiation but the peer lacks support for it.
1321
1322   *Felipe Gasper*
1323
1324 * AES-GCM enabled with AVX512 vAES and vPCLMULQDQ.
1325
1326   *Tomasz Kantecki, Andrey Matyukov*
1327
1328 * The various OBJ_* functions have been made thread safe.
1329
1330   *Paul Dale*
1331
1332 * Parallel dual-prime 1536/2048-bit modular exponentiation for
1333   AVX512_IFMA capable processors.
1334
1335   *Sergey Kirillov, Andrey Matyukov (Intel Corp)*
1336
1337 * The functions `OPENSSL_LH_stats`, `OPENSSL_LH_node_stats`,
1338   `OPENSSL_LH_node_usage_stats`, `OPENSSL_LH_stats_bio`,
1339   `OPENSSL_LH_node_stats_bio` and `OPENSSL_LH_node_usage_stats_bio` are now
1340   marked deprecated from OpenSSL 3.1 onwards and can be disabled by defining
1341   `OPENSSL_NO_DEPRECATED_3_1`.
1342
1343   The macro `DEFINE_LHASH_OF` is now deprecated in favour of the macro
1344   `DEFINE_LHASH_OF_EX`, which omits the corresponding type-specific function
1345   definitions for these functions regardless of whether
1346   `OPENSSL_NO_DEPRECATED_3_1` is defined.
1347
1348   Users of `DEFINE_LHASH_OF` may start receiving deprecation warnings for these
1349   functions regardless of whether they are using them. It is recommended that
1350   users transition to the new macro, `DEFINE_LHASH_OF_EX`.
1351
1352   *Hugo Landau*
1353
1354 * When generating safe-prime DH parameters set the recommended private key
1355   length equivalent to minimum key lengths as in RFC 7919.
1356
1357   *Tomáš Mráz*
1358
1359 * Change the default salt length for PKCS#1 RSASSA-PSS signatures to the
1360   maximum size that is smaller or equal to the digest length to comply with
1361   FIPS 186-4 section 5. This is implemented by a new option
1362   `OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX` ("auto-digestmax") for the
1363   `rsa_pss_saltlen` parameter, which is now the default. Signature
1364   verification is not affected by this change and continues to work as before.
1365
1366   *Clemens Lang*
1367
1368OpenSSL 3.0
1369-----------
1370
1371For OpenSSL 3.0 a [Migration guide][] has been added, so the CHANGES entries
1372listed here are only a brief description.
1373The migration guide contains more detailed information related to new features,
1374breaking changes, and mappings for the large list of deprecated functions.
1375
1376[Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod
1377
1378### Changes between 3.0.7 and 3.0.8 [7 Feb 2023]
1379
1380 * Fixed NULL dereference during PKCS7 data verification.
1381
1382   A NULL pointer can be dereferenced when signatures are being
1383   verified on PKCS7 signed or signedAndEnveloped data. In case the hash
1384   algorithm used for the signature is known to the OpenSSL library but
1385   the implementation of the hash algorithm is not available the digest
1386   initialization will fail. There is a missing check for the return
1387   value from the initialization function which later leads to invalid
1388   usage of the digest API most likely leading to a crash.
1389   ([CVE-2023-0401])
1390
1391   PKCS7 data is processed by the SMIME library calls and also by the
1392   time stamp (TS) library calls. The TLS implementation in OpenSSL does
1393   not call these functions however third party applications would be
1394   affected if they call these functions to verify signatures on untrusted
1395   data.
1396
1397   *Tomáš Mráz*
1398
1399 * Fixed X.400 address type confusion in X.509 GeneralName.
1400
1401   There is a type confusion vulnerability relating to X.400 address processing
1402   inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
1403   but the public structure definition for GENERAL_NAME incorrectly specified
1404   the type of the x400Address field as ASN1_TYPE. This field is subsequently
1405   interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather
1406   than an ASN1_STRING.
1407
1408   When CRL checking is enabled (i.e. the application sets the
1409   X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to
1410   pass arbitrary pointers to a memcmp call, enabling them to read memory
1411   contents or enact a denial of service.
1412   ([CVE-2023-0286])
1413
1414   *Hugo Landau*
1415
1416 * Fixed NULL dereference validating DSA public key.
1417
1418   An invalid pointer dereference on read can be triggered when an
1419   application tries to check a malformed DSA public key by the
1420   EVP_PKEY_public_check() function. This will most likely lead
1421   to an application crash. This function can be called on public
1422   keys supplied from untrusted sources which could allow an attacker
1423   to cause a denial of service attack.
1424
1425   The TLS implementation in OpenSSL does not call this function
1426   but applications might call the function if there are additional
1427   security requirements imposed by standards such as FIPS 140-3.
1428   ([CVE-2023-0217])
1429
1430   *Shane Lontis, Tomáš Mráz*
1431
1432 * Fixed Invalid pointer dereference in d2i_PKCS7 functions.
1433
1434   An invalid pointer dereference on read can be triggered when an
1435   application tries to load malformed PKCS7 data with the
1436   d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions.
1437
1438   The result of the dereference is an application crash which could
1439   lead to a denial of service attack. The TLS implementation in OpenSSL
1440   does not call this function however third party applications might
1441   call these functions on untrusted data.
1442   ([CVE-2023-0216])
1443
1444   *Tomáš Mráz*
1445
1446 * Fixed Use-after-free following BIO_new_NDEF.
1447
1448   The public API function BIO_new_NDEF is a helper function used for
1449   streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL
1450   to support the SMIME, CMS and PKCS7 streaming capabilities, but may also
1451   be called directly by end user applications.
1452
1453   The function receives a BIO from the caller, prepends a new BIO_f_asn1
1454   filter BIO onto the front of it to form a BIO chain, and then returns
1455   the new head of the BIO chain to the caller. Under certain conditions,
1456   for example if a CMS recipient public key is invalid, the new filter BIO
1457   is freed and the function returns a NULL result indicating a failure.
1458   However, in this case, the BIO chain is not properly cleaned up and the
1459   BIO passed by the caller still retains internal pointers to the previously
1460   freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO
1461   then a use-after-free will occur. This will most likely result in a crash.
1462   ([CVE-2023-0215])
1463
1464   *Viktor Dukhovni, Matt Caswell*
1465
1466 * Fixed Double free after calling PEM_read_bio_ex.
1467
1468   The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
1469   decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload
1470   data. If the function succeeds then the "name_out", "header" and "data"
1471   arguments are populated with pointers to buffers containing the relevant
1472   decoded data. The caller is responsible for freeing those buffers. It is
1473   possible to construct a PEM file that results in 0 bytes of payload data.
1474   In this case PEM_read_bio_ex() will return a failure code but will populate
1475   the header argument with a pointer to a buffer that has already been freed.
1476   If the caller also frees this buffer then a double free will occur. This
1477   will most likely lead to a crash.
1478
1479   The functions PEM_read_bio() and PEM_read() are simple wrappers around
1480   PEM_read_bio_ex() and therefore these functions are also directly affected.
1481
1482   These functions are also called indirectly by a number of other OpenSSL
1483   functions including PEM_X509_INFO_read_bio_ex() and
1484   SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL
1485   internal uses of these functions are not vulnerable because the caller does
1486   not free the header argument if PEM_read_bio_ex() returns a failure code.
1487   ([CVE-2022-4450])
1488
1489   *Kurt Roeckx, Matt Caswell*
1490
1491 * Fixed Timing Oracle in RSA Decryption.
1492
1493   A timing based side channel exists in the OpenSSL RSA Decryption
1494   implementation which could be sufficient to recover a plaintext across
1495   a network in a Bleichenbacher style attack. To achieve a successful
1496   decryption an attacker would have to be able to send a very large number
1497   of trial messages for decryption. The vulnerability affects all RSA padding
1498   modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
1499   ([CVE-2022-4304])
1500
1501   *Dmitry Belyavsky, Hubert Kario*
1502
1503 * Fixed X.509 Name Constraints Read Buffer Overflow.
1504
1505   A read buffer overrun can be triggered in X.509 certificate verification,
1506   specifically in name constraint checking. The read buffer overrun might
1507   result in a crash which could lead to a denial of service attack.
1508   In a TLS client, this can be triggered by connecting to a malicious
1509   server. In a TLS server, this can be triggered if the server requests
1510   client authentication and a malicious client connects.
1511   ([CVE-2022-4203])
1512
1513   *Viktor Dukhovni*
1514
1515 * Fixed X.509 Policy Constraints Double Locking security issue.
1516
1517   If an X.509 certificate contains a malformed policy constraint and
1518   policy processing is enabled, then a write lock will be taken twice
1519   recursively.  On some operating systems (most widely: Windows) this
1520   results in a denial of service when the affected process hangs.  Policy
1521   processing being enabled on a publicly facing server is not considered
1522   to be a common setup.
1523   ([CVE-2022-3996])
1524
1525   *Paul Dale*
1526
1527 * Our provider implementations of `OSSL_FUNC_KEYMGMT_EXPORT` and
1528   `OSSL_FUNC_KEYMGMT_GET_PARAMS` for EC and SM2 keys now honor
1529   `OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT` as set (and
1530   default to `POINT_CONVERSION_UNCOMPRESSED`) when exporting
1531   `OSSL_PKEY_PARAM_PUB_KEY`, instead of unconditionally using
1532   `POINT_CONVERSION_COMPRESSED` as in previous 3.x releases.
1533   For symmetry, our implementation of `EVP_PKEY_ASN1_METHOD->export_to`
1534   for legacy EC and SM2 keys is also changed similarly to honor the
1535   equivalent conversion format flag as specified in the underlying
1536   `EC_KEY` object being exported to a provider, when this function is
1537   called through `EVP_PKEY_export()`.
1538
1539   *Nicola Tuveri*
1540
1541### Changes between 3.0.6 and 3.0.7 [1 Nov 2022]
1542
1543 * Fixed two buffer overflows in punycode decoding functions.
1544
1545   A buffer overrun can be triggered in X.509 certificate verification,
1546   specifically in name constraint checking. Note that this occurs after
1547   certificate chain signature verification and requires either a CA to
1548   have signed the malicious certificate or for the application to continue
1549   certificate verification despite failure to construct a path to a trusted
1550   issuer.
1551
1552   In a TLS client, this can be triggered by connecting to a malicious
1553   server.  In a TLS server, this can be triggered if the server requests
1554   client authentication and a malicious client connects.
1555
1556   An attacker can craft a malicious email address to overflow
1557   an arbitrary number of bytes containing the `.`  character (decimal 46)
1558   on the stack.  This buffer overflow could result in a crash (causing a
1559   denial of service).
1560   ([CVE-2022-3786])
1561
1562   An attacker can craft a malicious email address to overflow four
1563   attacker-controlled bytes on the stack.  This buffer overflow could
1564   result in a crash (causing a denial of service) or potentially remote code
1565   execution depending on stack layout for any given platform/compiler.
1566   ([CVE-2022-3602])
1567
1568   *Paul Dale*
1569
1570 * Removed all references to invalid OSSL_PKEY_PARAM_RSA names for CRT
1571   parameters in OpenSSL code.
1572   Applications should not use the names OSSL_PKEY_PARAM_RSA_FACTOR,
1573   OSSL_PKEY_PARAM_RSA_EXPONENT and OSSL_PKEY_PARAM_RSA_COEFFICIENT.
1574   Use the numbered names such as OSSL_PKEY_PARAM_RSA_FACTOR1 instead.
1575   Using these invalid names may cause algorithms to use slower methods
1576   that ignore the CRT parameters.
1577
1578   *Shane Lontis*
1579
1580 * Fixed a regression introduced in 3.0.6 version raising errors on some stack
1581   operations.
1582
1583   *Tomáš Mráz*
1584
1585 * Fixed a regression introduced in 3.0.6 version not refreshing the certificate
1586   data to be signed before signing the certificate.
1587
1588   *Gibeom Gwon*
1589
1590 * Added RIPEMD160 to the default provider.
1591
1592   *Paul Dale*
1593
1594 * Ensured that the key share group sent or accepted for the key exchange
1595   is allowed for the protocol version.
1596
1597   *Matt Caswell*
1598
1599### Changes between 3.0.5 and 3.0.6 [11 Oct 2022]
1600
1601 * OpenSSL supports creating a custom cipher via the legacy
1602   EVP_CIPHER_meth_new() function and associated function calls. This function
1603   was deprecated in OpenSSL 3.0 and application authors are instead encouraged
1604   to use the new provider mechanism in order to implement custom ciphers.
1605
1606   OpenSSL versions 3.0.0 to 3.0.5 incorrectly handle legacy custom ciphers
1607   passed to the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and
1608   EVP_CipherInit_ex2() functions (as well as other similarly named encryption
1609   and decryption initialisation functions). Instead of using the custom cipher
1610   directly it incorrectly tries to fetch an equivalent cipher from the
1611   available providers. An equivalent cipher is found based on the NID passed to
1612   EVP_CIPHER_meth_new(). This NID is supposed to represent the unique NID for a
1613   given cipher. However it is possible for an application to incorrectly pass
1614   NID_undef as this value in the call to EVP_CIPHER_meth_new(). When NID_undef
1615   is used in this way the OpenSSL encryption/decryption initialisation function
1616   will match the NULL cipher as being equivalent and will fetch this from the
1617   available providers. This will succeed if the default provider has been
1618   loaded (or if a third party provider has been loaded that offers this
1619   cipher). Using the NULL cipher means that the plaintext is emitted as the
1620   ciphertext.
1621
1622   Applications are only affected by this issue if they call
1623   EVP_CIPHER_meth_new() using NID_undef and subsequently use it in a call to an
1624   encryption/decryption initialisation function. Applications that only use
1625   SSL/TLS are not impacted by this issue.
1626   ([CVE-2022-3358])
1627
1628   *Matt Caswell*
1629
1630 * Fix LLVM vs Apple LLVM version numbering confusion that caused build failures
1631   on MacOS 10.11
1632
1633   *Richard Levitte*
1634
1635 * Fixed the linux-mips64 Configure target which was missing the
1636   SIXTY_FOUR_BIT bn_ops flag. This was causing heap corruption on that
1637   platform.
1638
1639   *Adam Joseph*
1640
1641 * Fix handling of a ticket key callback that returns 0 in TLSv1.3 to not send a
1642   ticket
1643
1644   *Matt Caswell*
1645
1646 * Correctly handle a retransmitted ClientHello in DTLS
1647
1648   *Matt Caswell*
1649
1650 * Fixed detection of ktls support in cross-compile environment on Linux
1651
1652   *Tomas Mraz*
1653
1654 * Fixed some regressions and test failures when running the 3.0.0 FIPS provider
1655   against 3.0.x
1656
1657   *Paul Dale*
1658
1659 * Fixed SSL_pending() and SSL_has_pending() with DTLS which were failing to
1660   report correct results in some cases
1661
1662   *Matt Caswell*
1663
1664 * Fix UWP builds by defining VirtualLock
1665
1666   *Charles Milette*
1667
1668 * For known safe primes use the minimum key length according to RFC 7919.
1669   Longer private key sizes unnecessarily raise the cycles needed to compute the
1670   shared secret without any increase of the real security. This fixes a
1671   regression from 1.1.1 where these shorter keys were generated for the known
1672   safe primes.
1673
1674   *Tomas Mraz*
1675
1676 * Added the loongarch64 target
1677
1678   *Shi Pujin*
1679
1680 * Fixed EC ASM flag passing. Flags for ASM implementations of EC curves were
1681   only passed to the FIPS provider and not to the default or legacy provider.
1682
1683   *Juergen Christ*
1684
1685 * Fixed reported performance degradation on aarch64. Restored the
1686   implementation prior to commit 2621751 ("aes/asm/aesv8-armx.pl: avoid
1687   32-bit lane assignment in CTR mode") for 64bit targets only, since it is
1688   reportedly 2-17% slower and the silicon errata only affects 32bit targets.
1689   The new algorithm is still used for 32 bit targets.
1690
1691   *Bernd Edlinger*
1692
1693 * Added a missing header for memcmp that caused compilation failure on some
1694   platforms
1695
1696   *Gregor Jasny*
1697
1698### Changes between 3.0.4 and 3.0.5 [5 Jul 2022]
1699
1700 * The OpenSSL 3.0.4 release introduced a serious bug in the RSA
1701   implementation for X86_64 CPUs supporting the AVX512IFMA instructions.
1702   This issue makes the RSA implementation with 2048 bit private keys
1703   incorrect on such machines and memory corruption will happen during
1704   the computation. As a consequence of the memory corruption an attacker
1705   may be able to trigger a remote code execution on the machine performing
1706   the computation.
1707
1708   SSL/TLS servers or other servers using 2048 bit RSA private keys running
1709   on machines supporting AVX512IFMA instructions of the X86_64 architecture
1710   are affected by this issue.
1711   ([CVE-2022-2274])
1712
1713   *Xi Ruoyao*
1714
1715 * AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised
1716   implementation would not encrypt the entirety of the data under some
1717   circumstances.  This could reveal sixteen bytes of data that was
1718   preexisting in the memory that wasn't written.  In the special case of
1719   "in place" encryption, sixteen bytes of the plaintext would be revealed.
1720
1721   Since OpenSSL does not support OCB based cipher suites for TLS and DTLS,
1722   they are both unaffected.
1723   ([CVE-2022-2097])
1724
1725   *Alex Chernyakhovsky, David Benjamin, Alejandro Sedeño*
1726
1727### Changes between 3.0.3 and 3.0.4 [21 Jun 2022]
1728
1729 * In addition to the c_rehash shell command injection identified in
1730   CVE-2022-1292, further bugs where the c_rehash script does not
1731   properly sanitise shell metacharacters to prevent command injection have been
1732   fixed.
1733
1734   When the CVE-2022-1292 was fixed it was not discovered that there
1735   are other places in the script where the file names of certificates
1736   being hashed were possibly passed to a command executed through the shell.
1737
1738   This script is distributed by some operating systems in a manner where
1739   it is automatically executed.  On such operating systems, an attacker
1740   could execute arbitrary commands with the privileges of the script.
1741
1742   Use of the c_rehash script is considered obsolete and should be replaced
1743   by the OpenSSL rehash command line tool.
1744   (CVE-2022-2068)
1745
1746   *Daniel Fiala, Tomáš Mráz*
1747
1748 * Case insensitive string comparison no longer uses locales.  It has instead
1749   been directly implemented.
1750
1751   *Paul Dale*
1752
1753### Changes between 3.0.2 and 3.0.3 [3 May 2022]
1754
1755 * Case insensitive string comparison is reimplemented via new locale-agnostic
1756   comparison functions OPENSSL_str[n]casecmp always using the POSIX locale for
1757   comparison. The previous implementation had problems when the Turkish locale
1758   was used.
1759
1760   *Dmitry Belyavskiy*
1761
1762 * Fixed a bug in the c_rehash script which was not properly sanitising shell
1763   metacharacters to prevent command injection.  This script is distributed by
1764   some operating systems in a manner where it is automatically executed.  On
1765   such operating systems, an attacker could execute arbitrary commands with the
1766   privileges of the script.
1767
1768   Use of the c_rehash script is considered obsolete and should be replaced
1769   by the OpenSSL rehash command line tool.
1770   (CVE-2022-1292)
1771
1772   *Tomáš Mráz*
1773
1774 * Fixed a bug in the function `OCSP_basic_verify` that verifies the signer
1775   certificate on an OCSP response. The bug caused the function in the case
1776   where the (non-default) flag OCSP_NOCHECKS is used to return a postivie
1777   response (meaning a successful verification) even in the case where the
1778   response signing certificate fails to verify.
1779
1780   It is anticipated that most users of `OCSP_basic_verify` will not use the
1781   OCSP_NOCHECKS flag. In this case the `OCSP_basic_verify` function will return
1782   a negative value (indicating a fatal error) in the case of a certificate
1783   verification failure. The normal expected return value in this case would be
1784   0.
1785
1786   This issue also impacts the command line OpenSSL "ocsp" application. When
1787   verifying an ocsp response with the "-no_cert_checks" option the command line
1788   application will report that the verification is successful even though it
1789   has in fact failed. In this case the incorrect successful response will also
1790   be accompanied by error messages showing the failure and contradicting the
1791   apparently successful result.
1792   ([CVE-2022-1343])
1793
1794   *Matt Caswell*
1795
1796 * Fixed a bug where the RC4-MD5 ciphersuite incorrectly used the
1797   AAD data as the MAC key. This made the MAC key trivially predictable.
1798
1799   An attacker could exploit this issue by performing a man-in-the-middle attack
1800   to modify data being sent from one endpoint to an OpenSSL 3.0 recipient such
1801   that the modified data would still pass the MAC integrity check.
1802
1803   Note that data sent from an OpenSSL 3.0 endpoint to a non-OpenSSL 3.0
1804   endpoint will always be rejected by the recipient and the connection will
1805   fail at that point. Many application protocols require data to be sent from
1806   the client to the server first. Therefore, in such a case, only an OpenSSL
1807   3.0 server would be impacted when talking to a non-OpenSSL 3.0 client.
1808
1809   If both endpoints are OpenSSL 3.0 then the attacker could modify data being
1810   sent in both directions. In this case both clients and servers could be
1811   affected, regardless of the application protocol.
1812
1813   Note that in the absence of an attacker this bug means that an OpenSSL 3.0
1814   endpoint communicating with a non-OpenSSL 3.0 endpoint will fail to complete
1815   the handshake when using this ciphersuite.
1816
1817   The confidentiality of data is not impacted by this issue, i.e. an attacker
1818   cannot decrypt data that has been encrypted using this ciphersuite - they can
1819   only modify it.
1820
1821   In order for this attack to work both endpoints must legitimately negotiate
1822   the RC4-MD5 ciphersuite. This ciphersuite is not compiled by default in
1823   OpenSSL 3.0, and is not available within the default provider or the default
1824   ciphersuite list. This ciphersuite will never be used if TLSv1.3 has been
1825   negotiated. In order for an OpenSSL 3.0 endpoint to use this ciphersuite the
1826   following must have occurred:
1827
1828   1) OpenSSL must have been compiled with the (non-default) compile time option
1829      enable-weak-ssl-ciphers
1830
1831   2) OpenSSL must have had the legacy provider explicitly loaded (either
1832      through application code or via configuration)
1833
1834   3) The ciphersuite must have been explicitly added to the ciphersuite list
1835
1836   4) The libssl security level must have been set to 0 (default is 1)
1837
1838   5) A version of SSL/TLS below TLSv1.3 must have been negotiated
1839
1840   6) Both endpoints must negotiate the RC4-MD5 ciphersuite in preference to any
1841      others that both endpoints have in common
1842   (CVE-2022-1434)
1843
1844   *Matt Caswell*
1845
1846 * Fix a bug in the OPENSSL_LH_flush() function that breaks reuse of the memory
1847   occupied by the removed hash table entries.
1848
1849   This function is used when decoding certificates or keys. If a long lived
1850   process periodically decodes certificates or keys its memory usage will
1851   expand without bounds and the process might be terminated by the operating
1852   system causing a denial of service. Also traversing the empty hash table
1853   entries will take increasingly more time.
1854
1855   Typically such long lived processes might be TLS clients or TLS servers
1856   configured to accept client certificate authentication.
1857   (CVE-2022-1473)
1858
1859   *Hugo Landau, Aliaksei Levin*
1860
1861 * The functions `OPENSSL_LH_stats` and `OPENSSL_LH_stats_bio` now only report
1862   the `num_items`, `num_nodes` and `num_alloc_nodes` statistics. All other
1863   statistics are no longer supported. For compatibility, these statistics are
1864   still listed in the output but are now always reported as zero.
1865
1866   *Hugo Landau*
1867
1868### Changes between 3.0.1 and 3.0.2 [15 Mar 2022]
1869
1870 * Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever
1871   for non-prime moduli.
1872
1873   Internally this function is used when parsing certificates that contain
1874   elliptic curve public keys in compressed form or explicit elliptic curve
1875   parameters with a base point encoded in compressed form.
1876
1877   It is possible to trigger the infinite loop by crafting a certificate that
1878   has invalid explicit curve parameters.
1879
1880   Since certificate parsing happens prior to verification of the certificate
1881   signature, any process that parses an externally supplied certificate may thus
1882   be subject to a denial of service attack. The infinite loop can also be
1883   reached when parsing crafted private keys as they can contain explicit
1884   elliptic curve parameters.
1885
1886   Thus vulnerable situations include:
1887
1888    - TLS clients consuming server certificates
1889    - TLS servers consuming client certificates
1890    - Hosting providers taking certificates or private keys from customers
1891    - Certificate authorities parsing certification requests from subscribers
1892    - Anything else which parses ASN.1 elliptic curve parameters
1893
1894   Also any other applications that use the BN_mod_sqrt() where the attacker
1895   can control the parameter values are vulnerable to this DoS issue.
1896   ([CVE-2022-0778])
1897
1898   *Tomáš Mráz*
1899
1900 * Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489)
1901   to the list of ciphersuites providing Perfect Forward Secrecy as
1902   required by SECLEVEL >= 3.
1903
1904   *Dmitry Belyavskiy, Nicola Tuveri*
1905
1906 * Made the AES constant time code for no-asm configurations
1907   optional due to the resulting 95% performance degradation.
1908   The AES constant time code can be enabled, for no assembly
1909   builds, with: ./config no-asm -DOPENSSL_AES_CONST_TIME
1910
1911   *Paul Dale*
1912
1913 * Fixed PEM_write_bio_PKCS8PrivateKey() to make it possible to use empty
1914   passphrase strings.
1915
1916   *Darshan Sen*
1917
1918 * The negative return value handling of the certificate verification callback
1919   was reverted. The replacement is to set the verification retry state with
1920   the SSL_set_retry_verify() function.
1921
1922   *Tomáš Mráz*
1923
1924### Changes between 3.0.0 and 3.0.1 [14 Dec 2021]
1925
1926 * Fixed invalid handling of X509_verify_cert() internal errors in libssl
1927   Internally libssl in OpenSSL calls X509_verify_cert() on the client side to
1928   verify a certificate supplied by a server. That function may return a
1929   negative return value to indicate an internal error (for example out of
1930   memory). Such a negative return value is mishandled by OpenSSL and will cause
1931   an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate
1932   success and a subsequent call to SSL_get_error() to return the value
1933   SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be
1934   returned by OpenSSL if the application has previously called
1935   SSL_CTX_set_cert_verify_callback(). Since most applications do not do this
1936   the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be
1937   totally unexpected and applications may not behave correctly as a result. The
1938   exact behaviour will depend on the application but it could result in
1939   crashes, infinite loops or other similar incorrect responses.
1940
1941   This issue is made more serious in combination with a separate bug in OpenSSL
1942   3.0 that will cause X509_verify_cert() to indicate an internal error when
1943   processing a certificate chain. This will occur where a certificate does not
1944   include the Subject Alternative Name extension but where a Certificate
1945   Authority has enforced name constraints. This issue can occur even with valid
1946   chains.
1947   ([CVE-2021-4044])
1948
1949   *Matt Caswell*
1950
1951 * Corrected a few file name and file reference bugs in the build,
1952   installation and setup scripts, which lead to installation verification
1953   failures.  Slightly enhanced the installation verification script.
1954
1955   *Richard Levitte*
1956
1957 * Fixed EVP_PKEY_eq() to make it possible to use it with strictly private
1958   keys.
1959
1960   *Richard Levitte*
1961
1962 * Fixed PVK encoder to properly query for the passphrase.
1963
1964   *Tomáš Mráz*
1965
1966 * Multiple fixes in the OSSL_HTTP API functions.
1967
1968   *David von Oheimb*
1969
1970 * Allow sign extension in OSSL_PARAM_allocate_from_text() for the
1971   OSSL_PARAM_INTEGER data type and return error on negative numbers
1972   used with the OSSL_PARAM_UNSIGNED_INTEGER data type. Make
1973   OSSL_PARAM_BLD_push_BN{,_pad}() return an error on negative numbers.
1974
1975   *Richard Levitte*
1976
1977 * Allow copying uninitialized digest contexts with EVP_MD_CTX_copy_ex.
1978
1979   *Tomáš Mráz*
1980
1981 * Fixed detection of ARMv7 and ARM64 CPU features on FreeBSD.
1982
1983   *Allan Jude*
1984
1985 * Multiple threading fixes.
1986
1987   *Matt Caswell*
1988
1989 * Added NULL digest implementation to keep compatibility with 1.1.1 version.
1990
1991   *Tomáš Mráz*
1992
1993 * Allow fetching an operation from the provider that owns an unexportable key
1994   as a fallback if that is still allowed by the property query.
1995
1996   *Richard Levitte*
1997
1998### Changes between 1.1.1 and 3.0.0 [7 Sep 2021]
1999
2000 * TLS_MAX_VERSION, DTLS_MAX_VERSION and DTLS_MIN_VERSION constants are now
2001   deprecated.
2002
2003   *Matt Caswell*
2004
2005 * The `OPENSSL_s390xcap` environment variable can be used to set bits in the
2006   S390X capability vector to zero. This simplifies testing of different code
2007   paths on S390X architecture.
2008
2009   *Patrick Steuer*
2010
2011 * Encrypting more than 2^64 TLS records with AES-GCM is disallowed
2012   as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness Requirements from
2013   SP 800-38D". The communication will fail at this point.
2014
2015   *Paul Dale*
2016
2017 * The EC_GROUP_clear_free() function is deprecated as there is nothing
2018   confidential in EC_GROUP data.
2019
2020   *Nicola Tuveri*
2021
2022 * The byte order mark (BOM) character is ignored if encountered at the
2023   beginning of a PEM-formatted file.
2024
2025   *Dmitry Belyavskiy*
2026
2027 * Added CMS support for the Russian GOST algorithms.
2028
2029   *Dmitry Belyavskiy*
2030
2031 * Due to move of the implementation of cryptographic operations
2032   to the providers, validation of various operation parameters can
2033   be postponed until the actual operation is executed where previously
2034   it happened immediately when an operation parameter was set.
2035
2036   For example when setting an unsupported curve with
2037   EVP_PKEY_CTX_set_ec_paramgen_curve_nid() this function call will not
2038   fail but later keygen operations with the EVP_PKEY_CTX will fail.
2039
2040   *OpenSSL team members and many third party contributors*
2041
2042 * The EVP_get_cipherbyname() function will return NULL for algorithms such as
2043   "AES-128-SIV", "AES-128-CBC-CTS" and "CAMELLIA-128-CBC-CTS" which were
2044   previously only accessible via low-level interfaces. Use EVP_CIPHER_fetch()
2045   instead to retrieve these algorithms from a provider.
2046
2047   *Shane Lontis*
2048
2049 * On build targets where the multilib postfix is set in the build
2050   configuration the libdir directory was changing based on whether
2051   the lib directory with the multilib postfix exists on the system
2052   or not. This unpredictable behavior was removed and eventual
2053   multilib postfix is now always added to the default libdir. Use
2054   `--libdir=lib` to override the libdir if adding the postfix is
2055   undesirable.
2056
2057   *Jan Lána*
2058
2059 * The triple DES key wrap functionality now conforms to RFC 3217 but is
2060   no longer interoperable with OpenSSL 1.1.1.
2061
2062   *Paul Dale*
2063
2064 * The ERR_GET_FUNC() function was removed.  With the loss of meaningful
2065   function codes, this function can only cause problems for calling
2066   applications.
2067
2068   *Paul Dale*
2069
2070 * Add a configurable flag to output date formats as ISO 8601. Does not
2071   change the default date format.
2072
2073   *William Edmisten*
2074
2075 * Version of MSVC earlier than 1300 could get link warnings, which could
2076   be suppressed if the undocumented -DI_CAN_LIVE_WITH_LNK4049 was set.
2077   Support for this flag has been removed.
2078
2079   *Rich Salz*
2080
2081 * Rework and make DEBUG macros consistent. Remove unused -DCONF_DEBUG,
2082   -DBN_CTX_DEBUG, and REF_PRINT. Add a new tracing category and use it for
2083   printing reference counts. Rename -DDEBUG_UNUSED to -DUNUSED_RESULT_DEBUG
2084   Fix BN_DEBUG_RAND so it compiles and, when set, force DEBUG_RAND to be set
2085   also. Rename engine_debug_ref to be ENGINE_REF_PRINT also for consistency.
2086
2087   *Rich Salz*
2088
2089 * The signatures of the functions to get and set options on SSL and
2090   SSL_CTX objects changed from "unsigned long" to "uint64_t" type.
2091   Some source code changes may be required.
2092
2093   *Rich Salz*
2094
2095 * The public definitions of conf_method_st and conf_st have been
2096   deprecated. They will be made opaque in a future release.
2097
2098   *Rich Salz and Tomáš Mráz*
2099
2100 * Client-initiated renegotiation is disabled by default. To allow it, use
2101   the -client_renegotiation option, the SSL_OP_ALLOW_CLIENT_RENEGOTIATION
2102   flag, or the "ClientRenegotiation" config parameter as appropriate.
2103
2104   *Rich Salz*
2105
2106 * Add "abspath" and "includedir" pragma's to config files, to prevent,
2107   or modify relative pathname inclusion.
2108
2109   *Rich Salz*
2110
2111 * OpenSSL includes a cryptographic module that is intended to be FIPS 140-2
2112   validated. Please consult the README-FIPS and
2113   README-PROVIDERS files, as well as the migration guide.
2114
2115   *OpenSSL team members and many third party contributors*
2116
2117 * For the key types DH and DHX the allowed settable parameters are now different.
2118
2119   *Shane Lontis*
2120
2121 * The openssl commands that read keys, certificates, and CRLs now
2122   automatically detect the PEM or DER format of the input files.
2123
2124   *David von Oheimb, Richard Levitte, and Tomáš Mráz*
2125
2126 * Added enhanced PKCS#12 APIs which accept a library context.
2127
2128   *Jon Spillett*
2129
2130 * The default manual page suffix ($MANSUFFIX) has been changed to "ossl"
2131
2132   *Matt Caswell*
2133
2134 * Added support for Kernel TLS (KTLS).
2135
2136   *Boris Pismenny, John Baldwin and Andrew Gallatin*
2137
2138 * Support for RFC 5746 secure renegotiation is now required by default for
2139   SSL or TLS connections to succeed.
2140
2141   *Benjamin Kaduk*
2142
2143 * The signature of the `copy` functional parameter of the
2144   EVP_PKEY_meth_set_copy() function has changed so its `src` argument is
2145   now `const EVP_PKEY_CTX *` instead of `EVP_PKEY_CTX *`. Similarly
2146   the signature of the `pub_decode` functional parameter of the
2147   EVP_PKEY_asn1_set_public() function has changed so its `pub` argument is
2148   now `const X509_PUBKEY *` instead of `X509_PUBKEY *`.
2149
2150   *David von Oheimb*
2151
2152 * The error return values from some control calls (ctrl) have changed.
2153
2154   *Paul Dale*
2155
2156 * A public key check is now performed during EVP_PKEY_derive_set_peer().
2157
2158   *Shane Lontis*
2159
2160 * Many functions in the EVP_ namespace that are getters of values from
2161   implementations or contexts were renamed to include get or get0 in their
2162   names. Old names are provided as macro aliases for compatibility and
2163   are not deprecated.
2164
2165   *Tomáš Mráz*
2166
2167 * The EVP_PKEY_CTRL_PKCS7_ENCRYPT, EVP_PKEY_CTRL_PKCS7_DECRYPT,
2168   EVP_PKEY_CTRL_PKCS7_SIGN, EVP_PKEY_CTRL_CMS_ENCRYPT,
2169   EVP_PKEY_CTRL_CMS_DECRYPT, and EVP_PKEY_CTRL_CMS_SIGN control operations
2170   are deprecated.
2171
2172   *Tomáš Mráz*
2173
2174 * The EVP_PKEY_public_check() and EVP_PKEY_param_check() functions now work for
2175   more key types.
2176
2177 * The output from the command line applications may have minor
2178   changes.
2179
2180   *Paul Dale*
2181
2182 * The output from numerous "printing" may have minor changes.
2183
2184   *David von Oheimb*
2185
2186 * Windows thread synchronization uses read/write primitives (SRWLock) when
2187   supported by the OS, otherwise CriticalSection continues to be used.
2188
2189   *Vincent Drake*
2190
2191 * Add filter BIO BIO_f_readbuffer() that allows BIO_tell() and BIO_seek() to
2192   work on read only BIO source/sinks that do not support these functions.
2193   This allows piping or redirection of a file BIO using stdin to be buffered
2194   into memory. This is used internally in OSSL_DECODER_from_bio().
2195
2196   *Shane Lontis*
2197
2198 * OSSL_STORE_INFO_get_type() may now return an additional value. In 1.1.1
2199   this function would return one of the values OSSL_STORE_INFO_NAME,
2200   OSSL_STORE_INFO_PKEY, OSSL_STORE_INFO_PARAMS, OSSL_STORE_INFO_CERT or
2201   OSSL_STORE_INFO_CRL. Decoded public keys would previously have been reported
2202   as type OSSL_STORE_INFO_PKEY in 1.1.1. In 3.0 decoded public keys are now
2203   reported as having the new type OSSL_STORE_INFO_PUBKEY. Applications
2204   using this function should be amended to handle the changed return value.
2205
2206   *Richard Levitte*
2207
2208 * Improved adherence to Enhanced Security Services (ESS, RFC 2634 and RFC 5035)
2209   for the TSP and CMS Advanced Electronic Signatures (CAdES) implementations.
2210   As required by RFC 5035 check both ESSCertID and ESSCertIDv2 if both present.
2211   Correct the semantics of checking the validation chain in case ESSCertID{,v2}
2212   contains more than one certificate identifier: This means that all
2213   certificates referenced there MUST be part of the validation chain.
2214
2215   *David von Oheimb*
2216
2217 * The implementation of older EVP ciphers related to CAST, IDEA, SEED, RC2, RC4,
2218   RC5, DESX and DES have been moved to the legacy provider.
2219
2220   *Matt Caswell*
2221
2222 * The implementation of the EVP digests MD2, MD4, MDC2, WHIRLPOOL and
2223   RIPEMD-160 have been moved to the legacy provider.
2224
2225   *Matt Caswell*
2226
2227 * The deprecated function EVP_PKEY_get0() now returns NULL being called for a
2228   provided key.
2229
2230   *Dmitry Belyavskiy*
2231
2232 * The deprecated functions EVP_PKEY_get0_RSA(),
2233   EVP_PKEY_get0_DSA(), EVP_PKEY_get0_EC_KEY(), EVP_PKEY_get0_DH(),
2234   EVP_PKEY_get0_hmac(), EVP_PKEY_get0_poly1305() and EVP_PKEY_get0_siphash() as
2235   well as the similarly named "get1" functions behave differently in
2236   OpenSSL 3.0.
2237
2238   *Matt Caswell*
2239
2240 * A number of functions handling low-level keys or engines were deprecated
2241   including EVP_PKEY_set1_engine(), EVP_PKEY_get0_engine(), EVP_PKEY_assign(),
2242   EVP_PKEY_get0(), EVP_PKEY_get0_hmac(), EVP_PKEY_get0_poly1305() and
2243   EVP_PKEY_get0_siphash().
2244
2245   *Matt Caswell*
2246
2247 * PKCS#5 PBKDF1 key derivation has been moved from PKCS5_PBE_keyivgen() into
2248   the legacy crypto provider as an EVP_KDF. Applications requiring this KDF
2249   will need to load the legacy crypto provider. This includes these PBE
2250   algorithms which use this KDF:
2251   - NID_pbeWithMD2AndDES_CBC
2252   - NID_pbeWithMD5AndDES_CBC
2253   - NID_pbeWithSHA1AndRC2_CBC
2254   - NID_pbeWithMD2AndRC2_CBC
2255   - NID_pbeWithMD5AndRC2_CBC
2256   - NID_pbeWithSHA1AndDES_CBC
2257
2258   *Jon Spillett*
2259
2260 * Deprecated obsolete BIO_set_callback(), BIO_get_callback(), and
2261   BIO_debug_callback() functions.
2262
2263   *Tomáš Mráz*
2264
2265 * Deprecated obsolete EVP_PKEY_CTX_get0_dh_kdf_ukm() and
2266   EVP_PKEY_CTX_get0_ecdh_kdf_ukm() functions.
2267
2268   *Tomáš Mráz*
2269
2270 * The RAND_METHOD APIs have been deprecated.
2271
2272   *Paul Dale*
2273
2274 * The SRP APIs have been deprecated.
2275
2276   *Matt Caswell*
2277
2278 * Add a compile time option to prevent the caching of provider fetched
2279   algorithms.  This is enabled by including the no-cached-fetch option
2280   at configuration time.
2281
2282   *Paul Dale*
2283
2284 * pkcs12 now uses defaults of PBKDF2, AES and SHA-256, with a MAC iteration
2285   count of PKCS12_DEFAULT_ITER.
2286
2287   *Tomáš Mráz and Sahana Prasad*
2288
2289 * The openssl speed command does not use low-level API calls anymore.
2290
2291   *Tomáš Mráz*
2292
2293 * Parallel dual-prime 1024-bit modular exponentiation for AVX512_IFMA
2294   capable processors.
2295
2296   *Ilya Albrekht, Sergey Kirillov, Andrey Matyukov (Intel Corp)*
2297
2298 * Combining the Configure options no-ec and no-dh no longer disables TLSv1.3.
2299
2300   *Matt Caswell*
2301
2302 * Implemented support for fully "pluggable" TLSv1.3 groups. This means that
2303   providers may supply their own group implementations (using either the "key
2304   exchange" or the "key encapsulation" methods) which will automatically be
2305   detected and used by libssl.
2306
2307   *Matt Caswell, Nicola Tuveri*
2308
2309 * The undocumented function X509_certificate_type() has been deprecated;
2310
2311   *Rich Salz*
2312
2313 * Deprecated the obsolete BN_pseudo_rand() and BN_pseudo_rand_range().
2314
2315   *Tomáš Mráz*
2316
2317 * Removed RSA padding mode for SSLv23 (which was only used for
2318   SSLv2). This includes the functions RSA_padding_check_SSLv23() and
2319   RSA_padding_add_SSLv23() and the `-ssl` option in the deprecated
2320   `rsautl` command.
2321
2322   *Rich Salz*
2323
2324 * Deprecated the obsolete X9.31 RSA key generation related functions.
2325
2326 * While a callback function set via `SSL_CTX_set_cert_verify_callback()`
2327   is not allowed to return a value > 1, this is no more taken as failure.
2328
2329   *Viktor Dukhovni and David von Oheimb*
2330
2331 * Deprecated the obsolete X9.31 RSA key generation related functions
2332   BN_X931_generate_Xpq(), BN_X931_derive_prime_ex(), and
2333   BN_X931_generate_prime_ex().
2334
2335   *Tomáš Mráz*
2336
2337 * The default key generation method for the regular 2-prime RSA keys was
2338   changed to the FIPS 186-4 B.3.6 method.
2339
2340   *Shane Lontis*
2341
2342 * Deprecated the BN_is_prime_ex() and BN_is_prime_fasttest_ex() functions.
2343
2344   *Kurt Roeckx*
2345
2346 * Deprecated EVP_MD_CTX_set_update_fn() and EVP_MD_CTX_update_fn().
2347
2348   *Rich Salz*
2349
2350 * Deprecated the type OCSP_REQ_CTX and the functions OCSP_REQ_CTX_*() and
2351   replaced with OSSL_HTTP_REQ_CTX and the functions OSSL_HTTP_REQ_CTX_*().
2352
2353   *Rich Salz, Richard Levitte, and David von Oheimb*
2354
2355 * Deprecated `X509_http_nbio()` and `X509_CRL_http_nbio()`.
2356
2357   *David von Oheimb*
2358
2359 * Deprecated `OCSP_parse_url()`.
2360
2361   *David von Oheimb*
2362
2363 * Validation of SM2 keys has been separated from the validation of regular EC
2364   keys.
2365
2366   *Nicola Tuveri*
2367
2368 * Behavior of the `pkey` command is changed,
2369   when using the `-check` or `-pubcheck`
2370   switches: a validation failure triggers an early exit, returning a failure
2371   exit status to the parent process.
2372
2373   *Nicola Tuveri*
2374
2375 * Changed behavior of SSL_CTX_set_ciphersuites() and SSL_set_ciphersuites()
2376   to ignore unknown ciphers.
2377
2378   *Otto Hollmann*
2379
2380 * The `-cipher-commands` and `-digest-commands` options
2381   of the command line utility `list` have been deprecated.
2382   Instead use the `-cipher-algorithms` and `-digest-algorithms` options.
2383
2384   *Dmitry Belyavskiy*
2385
2386 * Added convenience functions for generating asymmetric key pairs:
2387   The 'quick' one-shot (yet somewhat limited) function L<EVP_PKEY_Q_keygen(3)>
2388   and macros for the most common cases: <EVP_RSA_gen(3)> and L<EVP_EC_gen(3)>.
2389
2390   *David von Oheimb*
2391
2392 * All of the low-level EC_KEY functions have been deprecated.
2393
2394   *Shane Lontis, Paul Dale, Richard Levitte, and Tomáš Mráz*
2395
2396 * Deprecated all the libcrypto and libssl error string loading
2397   functions.
2398
2399   *Richard Levitte*
2400
2401 * The functions SSL_CTX_set_tmp_dh_callback and SSL_set_tmp_dh_callback, as
2402   well as the macros SSL_CTX_set_tmp_dh() and SSL_set_tmp_dh() have been
2403   deprecated.
2404
2405   *Matt Caswell*
2406
2407 * The `-crypt` option to the `passwd` command line tool has been removed.
2408
2409   *Paul Dale*
2410
2411 * The -C option to the `x509`, `dhparam`, `dsaparam`, and `ecparam` commands
2412   were removed.
2413
2414   *Rich Salz*
2415
2416 * Add support for AES Key Wrap inverse ciphers to the EVP layer.
2417
2418   *Shane Lontis*
2419
2420 * Deprecated EVP_PKEY_set1_tls_encodedpoint() and
2421   EVP_PKEY_get1_tls_encodedpoint().
2422
2423   *Matt Caswell*
2424
2425 * The security callback, which can be customised by application code, supports
2426   the security operation SSL_SECOP_TMP_DH. One location of the "other" parameter
2427   was incorrectly passing a DH object. It now passed an EVP_PKEY in all cases.
2428
2429   *Matt Caswell*
2430
2431 * Add PKCS7_get_octet_string() and PKCS7_type_is_other() to the public
2432   interface. Their functionality remains unchanged.
2433
2434   *Jordan Montgomery*
2435
2436 * Added new option for 'openssl list', '-providers', which will display the
2437   list of loaded providers, their names, version and status.  It optionally
2438   displays their gettable parameters.
2439
2440   *Paul Dale*
2441
2442 * Removed EVP_PKEY_set_alias_type().
2443
2444   *Richard Levitte*
2445
2446 * Deprecated `EVP_PKEY_CTX_set_rsa_keygen_pubexp()` and introduced
2447   `EVP_PKEY_CTX_set1_rsa_keygen_pubexp()`, which is now preferred.
2448
2449   *Jeremy Walch*
2450
2451 * Changed all "STACK" functions to be macros instead of inline functions. Macro
2452   parameters are still checked for type safety at compile time via helper
2453   inline functions.
2454
2455   *Matt Caswell*
2456
2457 * Remove the RAND_DRBG API
2458
2459   *Paul Dale and Matthias St. Pierre*
2460
2461 * Allow `SSL_set1_host()` and `SSL_add1_host()` to take IP literal addresses
2462   as well as actual hostnames.
2463
2464   *David Woodhouse*
2465
2466 * The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
2467   ignore TLS protocol version bounds when configuring DTLS-based contexts, and
2468   conversely, silently ignore DTLS protocol version bounds when configuring
2469   TLS-based contexts.  The commands can be repeated to set bounds of both
2470   types.  The same applies with the corresponding "min_protocol" and
2471   "max_protocol" command-line switches, in case some application uses both TLS
2472   and DTLS.
2473
2474   SSL_CTX instances that are created for a fixed protocol version (e.g.
2475   `TLSv1_server_method()`) also silently ignore version bounds.  Previously
2476   attempts to apply bounds to these protocol versions would result in an
2477   error.  Now only the "version-flexible" SSL_CTX instances are subject to
2478   limits in configuration files in command-line options.
2479
2480   *Viktor Dukhovni*
2481
2482 * Deprecated the `ENGINE` API.  Engines should be replaced with providers
2483   going forward.
2484
2485   *Paul Dale*
2486
2487 * Reworked the recorded ERR codes to make better space for system errors.
2488   To distinguish them, the macro `ERR_SYSTEM_ERROR()` indicates if the
2489   given code is a system error (true) or an OpenSSL error (false).
2490
2491   *Richard Levitte*
2492
2493 * Reworked the test perl framework to better allow parallel testing.
2494
2495   *Nicola Tuveri and David von Oheimb*
2496
2497 * Added ciphertext stealing algorithms AES-128-CBC-CTS, AES-192-CBC-CTS and
2498   AES-256-CBC-CTS to the providers. CS1, CS2 and CS3 variants are supported.
2499
2500   *Shane Lontis*
2501
2502 * 'Configure' has been changed to figure out the configuration target if
2503   none is given on the command line.  Consequently, the 'config' script is
2504   now only a mere wrapper.  All documentation is changed to only mention
2505   'Configure'.
2506
2507   *Rich Salz and Richard Levitte*
2508
2509 * Added a library context `OSSL_LIB_CTX` that applications as well as
2510   other libraries can use to form a separate context within which
2511   libcrypto operations are performed.
2512
2513   *Richard Levitte*
2514
2515 * Added various `_ex` functions to the OpenSSL API that support using
2516   a non-default `OSSL_LIB_CTX`.
2517
2518   *OpenSSL team*
2519
2520 * Handshake now fails if Extended Master Secret extension is dropped
2521   on renegotiation.
2522
2523   *Tomáš Mráz*
2524
2525 * Dropped interactive mode from the `openssl` program.
2526
2527   *Richard Levitte*
2528
2529 * Deprecated `EVP_PKEY_cmp()` and `EVP_PKEY_cmp_parameters()`.
2530
2531   *David von Oheimb and Shane Lontis*
2532
2533 * Deprecated `EC_METHOD_get_field_type()`.
2534
2535   *Billy Bob Brumley*
2536
2537 * Deprecated EC_GFp_simple_method(), EC_GFp_mont_method(),
2538   EC_GF2m_simple_method(), EC_GFp_nist_method(), EC_GFp_nistp224_method()
2539   EC_GFp_nistp256_method(), and EC_GFp_nistp521_method().
2540
2541   *Billy Bob Brumley*
2542
2543 * Deprecated EC_GROUP_new(), EC_GROUP_method_of(), and EC_POINT_method_of().
2544
2545   *Billy Bob Brumley*
2546
2547 * Add CAdES-BES signature verification support, mostly derived
2548   from ESSCertIDv2 TS (RFC 5816) contribution by Marek Klein.
2549
2550   *Filipe Raimundo da Silva*
2551
2552 * Add CAdES-BES signature scheme and attributes support (RFC 5126) to CMS API.
2553
2554   *Antonio Iacono*
2555
2556 * Added the AuthEnvelopedData content type structure (RFC 5083) with AES-GCM
2557   parameter (RFC 5084) for the Cryptographic Message Syntax (CMS).
2558
2559   *Jakub Zelenka*
2560
2561 * Deprecated EC_POINT_make_affine() and EC_POINTs_make_affine().
2562
2563   *Billy Bob Brumley*
2564
2565 * Deprecated EC_GROUP_precompute_mult(), EC_GROUP_have_precompute_mult(), and
2566   EC_KEY_precompute_mult().
2567
2568   *Billy Bob Brumley*
2569
2570 * Deprecated EC_POINTs_mul().
2571
2572   *Billy Bob Brumley*
2573
2574 * Removed FIPS_mode() and FIPS_mode_set().
2575
2576   *Shane Lontis*
2577
2578 * The SSL option SSL_OP_IGNORE_UNEXPECTED_EOF is introduced.
2579
2580   *Dmitry Belyavskiy*
2581
2582 * Deprecated EC_POINT_set_Jprojective_coordinates_GFp() and
2583   EC_POINT_get_Jprojective_coordinates_GFp().
2584
2585   *Billy Bob Brumley*
2586
2587 * Added OSSL_PARAM_BLD to the public interface.  This allows OSSL_PARAM
2588   arrays to be more easily constructed via a series of utility functions.
2589   Create a parameter builder using OSSL_PARAM_BLD_new(), add parameters using
2590   the various push functions and finally convert to a passable OSSL_PARAM
2591   array using OSSL_PARAM_BLD_to_param().
2592
2593   *Paul Dale*
2594
2595 * The security strength of SHA1 and MD5 based signatures in TLS has been
2596   reduced.
2597
2598   *Kurt Roeckx*
2599
2600 * Added EVP_PKEY_set_type_by_keymgmt(), to initialise an EVP_PKEY to
2601   contain a provider side internal key.
2602
2603   *Richard Levitte*
2604
2605 * ASN1_verify(), ASN1_digest() and ASN1_sign() have been deprecated.
2606
2607   *Richard Levitte*
2608
2609 * Project text documents not yet having a proper file name extension
2610   (`HACKING`, `LICENSE`, `NOTES*`, `README*`, `VERSION`) have been renamed to
2611   `*.md` as far as reasonable, else `*.txt`, for better use with file managers.
2612
2613   *David von Oheimb*
2614
2615 * The main project documents (README, NEWS, CHANGES, INSTALL, SUPPORT)
2616   have been converted to Markdown with the goal to produce documents
2617   which not only look pretty when viewed online in the browser, but
2618   remain well readable inside a plain text editor.
2619
2620   To achieve this goal, a 'minimalistic' Markdown style has been applied
2621   which avoids formatting elements that interfere too much with the
2622   reading flow in the text file. For example, it
2623
2624   * avoids [ATX headings][] and uses [setext headings][] instead
2625     (which works for `<h1>` and `<h2>` headings only).
2626   * avoids [inline links][] and uses [reference links][] instead.
2627   * avoids [fenced code blocks][] and uses [indented code blocks][] instead.
2628
2629     [ATX headings]:         https://github.github.com/gfm/#atx-headings
2630     [setext headings]:      https://github.github.com/gfm/#setext-headings
2631     [inline links]:         https://github.github.com/gfm/#inline-link
2632     [reference links]:      https://github.github.com/gfm/#reference-link
2633     [fenced code blocks]:   https://github.github.com/gfm/#fenced-code-blocks
2634     [indented code blocks]: https://github.github.com/gfm/#indented-code-blocks
2635
2636   *Matthias St. Pierre*
2637
2638 * The test suite is changed to preserve results of each test recipe.
2639   A new directory test-runs/ with subdirectories named like the
2640   test recipes are created in the build tree for this purpose.
2641
2642   *Richard Levitte*
2643
2644 * Added an implementation of CMP and CRMF (RFC 4210, RFC 4211 RFC 6712).
2645   This adds `crypto/cmp/`, `crpyto/crmf/`, `apps/cmp.c`, and `test/cmp_*`.
2646   See L<openssl-cmp(1)> and L<OSSL_CMP_exec_IR_ses(3)> as starting points.
2647
2648   *David von Oheimb, Martin Peylo*
2649
2650 * Generalized the HTTP client code from `crypto/ocsp/` into `crpyto/http/`.
2651   It supports arbitrary request and response content types, GET redirection,
2652   TLS, connections via HTTP(S) proxies, connections and exchange via
2653   user-defined BIOs (allowing implicit connections), persistent connections,
2654   and timeout checks.  See L<OSSL_HTTP_transfer(3)> etc. for details.
2655   The legacy OCSP-focused (and only partly documented) API
2656   is retained for backward compatibility, while most of it is deprecated.
2657
2658   *David von Oheimb*
2659
2660 * Added `util/check-format.pl`, a tool for checking adherence to the
2661   OpenSSL coding style <https://www.openssl.org/policies/codingstyle.html>.
2662   The checks performed are incomplete and yield some false positives.
2663   Still the tool should be useful for detecting most typical glitches.
2664
2665   *David von Oheimb*
2666
2667 * `BIO_do_connect()` and `BIO_do_handshake()` have been extended:
2668   If domain name resolution yields multiple IP addresses all of them are tried
2669   after `connect()` failures.
2670
2671   *David von Oheimb*
2672
2673 * All of the low-level RSA functions have been deprecated.
2674
2675   *Paul Dale*
2676
2677 * X509 certificates signed using SHA1 are no longer allowed at security
2678   level 1 and above.
2679
2680   *Kurt Roeckx*
2681
2682 * The command line utilities dhparam, dsa, gendsa and dsaparam have been
2683   modified to use PKEY APIs.  These commands are now in maintenance mode
2684   and no new features will be added to them.
2685
2686   *Paul Dale*
2687
2688 * The command line utility rsautl has been deprecated.
2689
2690   *Paul Dale*
2691
2692 * The command line utilities genrsa and rsa have been modified to use PKEY
2693   APIs. They now write PKCS#8 keys by default. These commands are now in
2694   maintenance mode and no new features will be added to them.
2695
2696   *Paul Dale*
2697
2698 * All of the low-level DH functions have been deprecated.
2699
2700   *Paul Dale and Matt Caswell*
2701
2702 * All of the low-level DSA functions have been deprecated.
2703
2704   *Paul Dale*
2705
2706 * Reworked the treatment of EC EVP_PKEYs with the SM2 curve to
2707   automatically become EVP_PKEY_SM2 rather than EVP_PKEY_EC.
2708
2709   *Richard Levitte*
2710
2711 * Deprecated low-level ECDH and ECDSA functions.
2712
2713   *Paul Dale*
2714
2715 * Deprecated EVP_PKEY_decrypt_old() and EVP_PKEY_encrypt_old().
2716
2717   *Richard Levitte*
2718
2719 * Enhanced the documentation of EVP_PKEY_get_size(), EVP_PKEY_get_bits()
2720   and EVP_PKEY_get_security_bits().  Especially EVP_PKEY_get_size() needed
2721   a new formulation to include all the things it can be used for,
2722   as well as words of caution.
2723
2724   *Richard Levitte*
2725
2726 * The SSL_CTX_set_tlsext_ticket_key_cb(3) function has been deprecated.
2727
2728   *Paul Dale*
2729
2730 * All of the low-level HMAC functions have been deprecated.
2731
2732   *Paul Dale and David von Oheimb*
2733
2734 * Over two thousand fixes were made to the documentation, including:
2735   - Common options (such as -rand/-writerand, TLS version control, etc)
2736     were refactored and point to newly-enhanced descriptions in openssl.pod.
2737   - Added style conformance for all options (with help from Richard Levitte),
2738     documented all reported missing options, added a CI build to check
2739     that all options are documented and that no unimplemented options
2740     are documented.
2741   - Documented some internals, such as all use of environment variables.
2742   - Addressed all internal broken L<> references.
2743
2744   *Rich Salz*
2745
2746 * All of the low-level CMAC functions have been deprecated.
2747
2748   *Paul Dale*
2749
2750 * The low-level MD2, MD4, MD5, MDC2, RIPEMD160 and Whirlpool digest
2751   functions have been deprecated.
2752
2753   *Paul Dale and David von Oheimb*
2754
2755 * Corrected the documentation of the return values from the `EVP_DigestSign*`
2756   set of functions.  The documentation mentioned negative values for some
2757   errors, but this was never the case, so the mention of negative values
2758   was removed.
2759
2760   Code that followed the documentation and thereby check with something
2761   like `EVP_DigestSignInit(...) <= 0` will continue to work undisturbed.
2762
2763   *Richard Levitte*
2764
2765 * All of the low-level cipher functions have been deprecated.
2766
2767   *Matt Caswell and Paul Dale*
2768
2769 * Removed include/openssl/opensslconf.h.in and replaced it with
2770   include/openssl/configuration.h.in, which differs in not including
2771   <openssl/macros.h>.  A short header include/openssl/opensslconf.h
2772   was added to include both.
2773
2774   This allows internal hacks where one might need to modify the set
2775   of configured macros, for example this if deprecated symbols are
2776   still supposed to be available internally:
2777
2778       #include <openssl/configuration.h>
2779
2780       #undef OPENSSL_NO_DEPRECATED
2781       #define OPENSSL_SUPPRESS_DEPRECATED
2782
2783       #include <openssl/macros.h>
2784
2785   This should not be used by applications that use the exported
2786   symbols, as that will lead to linking errors.
2787
2788   *Richard Levitte*
2789
2790 * Fixed an overflow bug in the x64_64 Montgomery squaring procedure
2791   used in exponentiation with 512-bit moduli. No EC algorithms are
2792   affected. Analysis suggests that attacks against 2-prime RSA1024,
2793   3-prime RSA1536, and DSA1024 as a result of this defect would be very
2794   difficult to perform and are not believed likely. Attacks against DH512
2795   are considered just feasible. However, for an attack the target would
2796   have to reuse the DH512 private key, which is not recommended anyway.
2797   Also applications directly using the low-level API BN_mod_exp may be
2798   affected if they use BN_FLG_CONSTTIME.
2799   ([CVE-2019-1551])
2800
2801   *Andy Polyakov*
2802
2803 * Most memory-debug features have been deprecated, and the functionality
2804   replaced with no-ops.
2805
2806   *Rich Salz*
2807
2808 * Added documentation for the STACK API.
2809
2810   *Rich Salz*
2811
2812 * Introduced a new method type and API, OSSL_ENCODER, to represent
2813   generic encoders.  These do the same sort of job that PEM writers
2814   and d2i functions do, but with support for methods supplied by
2815   providers, and the possibility for providers to support other
2816   formats as well.
2817
2818   *Richard Levitte*
2819
2820 * Introduced a new method type and API, OSSL_DECODER, to represent
2821   generic decoders.  These do the same sort of job that PEM readers
2822   and i2d functions do, but with support for methods supplied by
2823   providers, and the possibility for providers to support other
2824   formats as well.
2825
2826   *Richard Levitte*
2827
2828 * Added a .pragma directive to the syntax of configuration files, to
2829   allow varying behavior in a supported and predictable manner.
2830   Currently added pragma:
2831
2832           .pragma dollarid:on
2833
2834   This allows dollar signs to be a keyword character unless it's
2835   followed by a opening brace or parenthesis.  This is useful for
2836   platforms where dollar signs are commonly used in names, such as
2837   volume names and system directory names on VMS.
2838
2839   *Richard Levitte*
2840
2841 * Added functionality to create an EVP_PKEY from user data.
2842
2843   *Richard Levitte*
2844
2845 * Change the interpretation of the '--api' configuration option to
2846   mean that this is a desired API compatibility level with no
2847   further meaning.  The previous interpretation, that this would
2848   also mean to remove all deprecated symbols up to and including
2849   the given version, no requires that 'no-deprecated' is also used
2850   in the configuration.
2851
2852   When building applications, the desired API compatibility level
2853   can be set with the OPENSSL_API_COMPAT macro like before.  For
2854   API compatibility version below 3.0, the old style numerical
2855   value is valid as before, such as -DOPENSSL_API_COMPAT=0x10100000L.
2856   For version 3.0 and on, the value is expected to be the decimal
2857   value calculated from the major and minor version like this:
2858
2859           MAJOR * 10000 + MINOR * 100
2860
2861   Examples:
2862
2863           -DOPENSSL_API_COMPAT=30000             For 3.0
2864           -DOPENSSL_API_COMPAT=30200             For 3.2
2865
2866   To hide declarations that are deprecated up to and including the
2867   given API compatibility level, -DOPENSSL_NO_DEPRECATED must be
2868   given when building the application as well.
2869
2870   *Richard Levitte*
2871
2872 * Added the X509_LOOKUP_METHOD called X509_LOOKUP_store, to allow
2873   access to certificate and CRL stores via URIs and OSSL_STORE
2874   loaders.
2875
2876   This adds the following functions:
2877
2878   - X509_LOOKUP_store()
2879   - X509_STORE_load_file()
2880   - X509_STORE_load_path()
2881   - X509_STORE_load_store()
2882   - SSL_add_store_cert_subjects_to_stack()
2883   - SSL_CTX_set_default_verify_store()
2884   - SSL_CTX_load_verify_file()
2885   - SSL_CTX_load_verify_dir()
2886   - SSL_CTX_load_verify_store()
2887
2888   *Richard Levitte*
2889
2890 * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY.
2891   The presence of this system service is determined at run-time.
2892
2893   *Richard Levitte*
2894
2895 * Added functionality to create an EVP_PKEY context based on data
2896   for methods from providers.  This takes an algorithm name and a
2897   property query string and simply stores them, with the intent
2898   that any operation that uses this context will use those strings
2899   to fetch the needed methods implicitly, thereby making the port
2900   of application written for pre-3.0 OpenSSL easier.
2901
2902   *Richard Levitte*
2903
2904 * The undocumented function NCONF_WIN32() has been deprecated; for
2905   conversion details see the HISTORY section of doc/man5/config.pod
2906
2907   *Rich Salz*
2908
2909 * Introduced the new functions EVP_DigestSignInit_ex() and
2910   EVP_DigestVerifyInit_ex(). The macros EVP_DigestSignUpdate() and
2911   EVP_DigestVerifyUpdate() have been converted to functions. See the man
2912   pages for further details.
2913
2914   *Matt Caswell*
2915
2916 * Over two thousand fixes were made to the documentation, including:
2917   adding missing command flags, better style conformance, documentation
2918   of internals, etc.
2919
2920   *Rich Salz, Richard Levitte*
2921
2922 * s390x assembly pack: add hardware-support for P-256, P-384, P-521,
2923   X25519, X448, Ed25519 and Ed448.
2924
2925   *Patrick Steuer*
2926
2927 * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just
2928   the first value.
2929
2930   *Jon Spillett*
2931
2932 * Deprecated the public definition of `ERR_STATE` as well as the function
2933   `ERR_get_state()`.  This is done in preparation of making `ERR_STATE` an
2934   opaque type.
2935
2936   *Richard Levitte*
2937
2938 * Added ERR functionality to give callers access to the stored function
2939   names that have replaced the older function code based functions.
2940
2941   New functions are ERR_peek_error_func(), ERR_peek_last_error_func(),
2942   ERR_peek_error_data(), ERR_peek_last_error_data(), ERR_get_error_all(),
2943   ERR_peek_error_all() and ERR_peek_last_error_all().
2944
2945   Deprecate ERR functions ERR_get_error_line(), ERR_get_error_line_data(),
2946   ERR_peek_error_line_data(), ERR_peek_last_error_line_data() and
2947   ERR_func_error_string().
2948
2949   *Richard Levitte*
2950
2951 * Extended testing to be verbose for failing tests only.  The make variables
2952   VERBOSE_FAILURE or VF can be used to enable this:
2953
2954           $ make VF=1 test                           # Unix
2955           $ mms /macro=(VF=1) test                   ! OpenVMS
2956           $ nmake VF=1 test                          # Windows
2957
2958   *Richard Levitte*
2959
2960 * Added the `-copy_extensions` option to the `x509` command for use with
2961   `-req` and `-x509toreq`. When given with the `copy` or `copyall` argument,
2962   all extensions in the request are copied to the certificate or vice versa.
2963
2964   *David von Oheimb*, *Kirill Stefanenkov <kirill_stefanenkov@rambler.ru>*
2965
2966 * Added the `-copy_extensions` option to the `req` command for use with
2967   `-x509`. When given with the `copy` or `copyall` argument,
2968   all extensions in the certification request are copied to the certificate.
2969
2970   *David von Oheimb*
2971
2972 * The `x509`, `req`, and `ca` commands now make sure that X.509v3 certificates
2973   they generate are by default RFC 5280 compliant in the following sense:
2974   There is a subjectKeyIdentifier extension with a hash value of the public key
2975   and for not self-signed certs there is an authorityKeyIdentifier extension
2976   with a keyIdentifier field or issuer information identifying the signing key.
2977   This is done unless some configuration overrides the new default behavior,
2978   such as `subjectKeyIdentifier = none` and `authorityKeyIdentifier = none`.
2979
2980   *David von Oheimb*
2981
2982 * Added several checks to `X509_verify_cert()` according to requirements in
2983   RFC 5280 in case `X509_V_FLAG_X509_STRICT` is set
2984   (which may be done by using the CLI option `-x509_strict`):
2985   * The basicConstraints of CA certificates must be marked critical.
2986   * CA certificates must explicitly include the keyUsage extension.
2987   * If a pathlenConstraint is given the key usage keyCertSign must be allowed.
2988   * The issuer name of any certificate must not be empty.
2989   * The subject name of CA certs, certs with keyUsage crlSign,
2990     and certs without subjectAlternativeName must not be empty.
2991   * If a subjectAlternativeName extension is given it must not be empty.
2992   * The signatureAlgorithm field and the cert signature must be consistent.
2993   * Any given authorityKeyIdentifier and any given subjectKeyIdentifier
2994     must not be marked critical.
2995   * The authorityKeyIdentifier must be given for X.509v3 certs
2996     unless they are self-signed.
2997   * The subjectKeyIdentifier must be given for all X.509v3 CA certs.
2998
2999   *David von Oheimb*
3000
3001 * Certificate verification using `X509_verify_cert()` meanwhile rejects EC keys
3002   with explicit curve parameters (specifiedCurve) as required by RFC 5480.
3003
3004   *Tomáš Mráz*
3005
3006 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
3007   used even when parsing explicit parameters, when loading a encoded key
3008   or calling `EC_GROUP_new_from_ecpkparameters()`/
3009   `EC_GROUP_new_from_ecparameters()`.
3010   This prevents bypass of security hardening and performance gains,
3011   especially for curves with specialized EC_METHODs.
3012   By default, if a key encoded with explicit parameters is loaded and later
3013   encoded, the output is still encoded with explicit parameters, even if
3014   internally a "named" EC_GROUP is used for computation.
3015
3016   *Nicola Tuveri*
3017
3018 * Compute ECC cofactors if not provided during EC_GROUP construction. Before
3019   this change, EC_GROUP_set_generator would accept order and/or cofactor as
3020   NULL. After this change, only the cofactor parameter can be NULL. It also
3021   does some minimal sanity checks on the passed order.
3022   ([CVE-2019-1547])
3023
3024   *Billy Bob Brumley*
3025
3026 * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
3027   An attack is simple, if the first CMS_recipientInfo is valid but the
3028   second CMS_recipientInfo is chosen ciphertext. If the second
3029   recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
3030   encryption key will be replaced by garbage, and the message cannot be
3031   decoded, but if the RSA decryption fails, the correct encryption key is
3032   used and the recipient will not notice the attack.
3033   As a work around for this potential attack the length of the decrypted
3034   key must be equal to the cipher default key length, in case the
3035   certificate is not given and all recipientInfo are tried out.
3036   The old behaviour can be re-enabled in the CMS code by setting the
3037   CMS_DEBUG_DECRYPT flag.
3038
3039   *Bernd Edlinger*
3040
3041 * Early start up entropy quality from the DEVRANDOM seed source has been
3042   improved for older Linux systems.  The RAND subsystem will wait for
3043   /dev/random to be producing output before seeding from /dev/urandom.
3044   The seeded state is stored for future library initialisations using
3045   a system global shared memory segment.  The shared memory identifier
3046   can be configured by defining OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID to
3047   the desired value.  The default identifier is 114.
3048
3049   *Paul Dale*
3050
3051 * Revised BN_generate_prime_ex to not avoid factors 2..17863 in p-1
3052   when primes for RSA keys are computed.
3053   Since we previously always generated primes == 2 (mod 3) for RSA keys,
3054   the 2-prime and 3-prime RSA modules were easy to distinguish, since
3055   `N = p*q = 1 (mod 3)`, but `N = p*q*r = 2 (mod 3)`. Therefore, fingerprinting
3056   2-prime vs. 3-prime RSA keys was possible by computing N mod 3.
3057   This avoids possible fingerprinting of newly generated RSA modules.
3058
3059   *Bernd Edlinger*
3060
3061 * Correct the extended master secret constant on EBCDIC systems. Without this
3062   fix TLS connections between an EBCDIC system and a non-EBCDIC system that
3063   negotiate EMS will fail. Unfortunately this also means that TLS connections
3064   between EBCDIC systems with this fix, and EBCDIC systems without this
3065   fix will fail if they negotiate EMS.
3066
3067   *Matt Caswell*
3068
3069 * Changed the library initialisation so that the config file is now loaded
3070   by default. This was already the case for libssl. It now occurs for both
3071   libcrypto and libssl. Use the OPENSSL_INIT_NO_LOAD_CONFIG option to
3072   `OPENSSL_init_crypto()` to suppress automatic loading of a config file.
3073
3074   *Matt Caswell*
3075
3076 * Introduced new error raising macros, `ERR_raise()` and `ERR_raise_data()`,
3077   where the former acts as a replacement for `ERR_put_error()`, and the
3078   latter replaces the combination `ERR_put_error()` + `ERR_add_error_data()`.
3079   `ERR_raise_data()` adds more flexibility by taking a format string and
3080   an arbitrary number of arguments following it, to be processed with
3081   `BIO_snprintf()`.
3082
3083   *Richard Levitte*
3084
3085 * Introduced a new function, `OSSL_PROVIDER_available()`, which can be used
3086   to check if a named provider is loaded and available.  When called, it
3087   will also activate all fallback providers if such are still present.
3088
3089   *Richard Levitte*
3090
3091 * Enforce a minimum DH modulus size of 512 bits.
3092
3093   *Bernd Edlinger*
3094
3095 * Changed DH parameters to generate the order q subgroup instead of 2q.
3096   Previously generated DH parameters are still accepted by DH_check
3097   but DH_generate_key works around that by clearing bit 0 of the
3098   private key for those. This avoids leaking bit 0 of the private key.
3099
3100   *Bernd Edlinger*
3101
3102 * Significantly reduce secure memory usage by the randomness pools.
3103
3104   *Paul Dale*
3105
3106 * `{CRYPTO,OPENSSL}_mem_debug_{push,pop}` are now no-ops and have been
3107   deprecated.
3108
3109   *Rich Salz*
3110
3111 * A new type, EVP_KEYEXCH, has been introduced to represent key exchange
3112   algorithms. An implementation of a key exchange algorithm can be obtained
3113   by using the function EVP_KEYEXCH_fetch(). An EVP_KEYEXCH algorithm can be
3114   used in a call to EVP_PKEY_derive_init_ex() which works in a similar way to
3115   the older EVP_PKEY_derive_init() function. See the man pages for the new
3116   functions for further details.
3117
3118   *Matt Caswell*
3119
3120 * The EVP_PKEY_CTX_set_dh_pad() macro has now been converted to a function.
3121
3122   *Matt Caswell*
3123
3124 * Removed the function names from error messages and deprecated the
3125   xxx_F_xxx define's.
3126
3127   *Richard Levitte*
3128
3129 * Removed NextStep support and the macro OPENSSL_UNISTD
3130
3131   *Rich Salz*
3132
3133 * Removed DES_check_key.  Also removed OPENSSL_IMPLEMENT_GLOBAL,
3134   OPENSSL_GLOBAL_REF, OPENSSL_DECLARE_GLOBAL.
3135   Also removed "export var as function" capability; we do not export
3136   variables, only functions.
3137
3138   *Rich Salz*
3139
3140 * RC5_32_set_key has been changed to return an int type, with 0 indicating
3141   an error and 1 indicating success. In previous versions of OpenSSL this
3142   was a void type. If a key was set longer than the maximum possible this
3143   would crash.
3144
3145   *Matt Caswell*
3146
3147 * Support SM2 signing and verification schemes with X509 certificate.
3148
3149   *Paul Yang*
3150
3151 * Use SHA256 as the default digest for TS query in the `ts` app.
3152
3153   *Tomáš Mráz*
3154
3155 * Change PBKDF2 to conform to SP800-132 instead of the older PKCS5 RFC2898.
3156
3157   *Shane Lontis*
3158
3159 * Default cipher lists/suites are now available via a function, the
3160   #defines are deprecated.
3161
3162   *Todd Short*
3163
3164 * Add target VC-WIN32-UWP, VC-WIN64A-UWP, VC-WIN32-ARM-UWP and
3165   VC-WIN64-ARM-UWP in Windows OneCore target for making building libraries
3166   for Windows Store apps easier. Also, the "no-uplink" option has been added.
3167
3168   *Kenji Mouri*
3169
3170 * Join the directories crypto/x509 and crypto/x509v3
3171
3172   *Richard Levitte*
3173
3174 * Added command 'openssl kdf' that uses the EVP_KDF API.
3175
3176   *Shane Lontis*
3177
3178 * Added command 'openssl mac' that uses the EVP_MAC API.
3179
3180   *Shane Lontis*
3181
3182 * Added OPENSSL_info() to get diverse built-in OpenSSL data, such
3183   as default directories.  Also added the command 'openssl info'
3184   for scripting purposes.
3185
3186   *Richard Levitte*
3187
3188 * The functions AES_ige_encrypt() and AES_bi_ige_encrypt() have been
3189   deprecated.
3190
3191   *Matt Caswell*
3192
3193 * Add prediction resistance to the DRBG reseeding process.
3194
3195   *Paul Dale*
3196
3197 * Limit the number of blocks in a data unit for AES-XTS to 2^20 as
3198   mandated by IEEE Std 1619-2018.
3199
3200   *Paul Dale*
3201
3202 * Added newline escaping functionality to a filename when using openssl dgst.
3203   This output format is to replicate the output format found in the `*sum`
3204   checksum programs. This aims to preserve backward compatibility.
3205
3206   *Matt Eaton, Richard Levitte, and Paul Dale*
3207
3208 * Removed the heartbeat message in DTLS feature, as it has very
3209   little usage and doesn't seem to fulfill a valuable purpose.
3210   The configuration option is now deprecated.
3211
3212   *Richard Levitte*
3213
3214 * Changed the output of 'openssl {digestname} < file' to display the
3215   digest name in its output.
3216
3217   *Richard Levitte*
3218
3219 * Added a new generic trace API which provides support for enabling
3220   instrumentation through trace output.
3221
3222   *Richard Levitte & Matthias St. Pierre*
3223
3224 * Added build tests for C++.  These are generated files that only do one
3225   thing, to include one public OpenSSL head file each.  This tests that
3226   the public header files can be usefully included in a C++ application.
3227
3228   This test isn't enabled by default.  It can be enabled with the option
3229   'enable-buildtest-c++'.
3230
3231   *Richard Levitte*
3232
3233 * Added KB KDF (EVP_KDF_KB) to EVP_KDF.
3234
3235   *Robbie Harwood*
3236
3237 * Added SSH KDF (EVP_KDF_SSHKDF) and KRB5 KDF (EVP_KDF_KRB5KDF) to EVP_KDF.
3238
3239   *Simo Sorce*
3240
3241 * Added Single Step KDF (EVP_KDF_SS), X963 KDF, and X942 KDF to EVP_KDF.
3242
3243   *Shane Lontis*
3244
3245 * Added KMAC to EVP_MAC.
3246
3247   *Shane Lontis*
3248
3249 * Added property based algorithm implementation selection framework to
3250   the core.
3251
3252   *Paul Dale*
3253
3254 * Added SCA hardening for modular field inversion in EC_GROUP through
3255   a new dedicated field_inv() pointer in EC_METHOD.
3256   This also addresses a leakage affecting conversions from projective
3257   to affine coordinates.
3258
3259   *Billy Bob Brumley, Nicola Tuveri*
3260
3261 * Added EVP_KDF, an EVP layer KDF API, to simplify adding KDF and PRF
3262   implementations.  This includes an EVP_PKEY to EVP_KDF bridge for
3263   those algorithms that were already supported through the EVP_PKEY API
3264   (scrypt, TLS1 PRF and HKDF).  The low-level KDF functions for PBKDF2
3265   and scrypt are now wrappers that call EVP_KDF.
3266
3267   *David Makepeace*
3268
3269 * Build devcrypto engine as a dynamic engine.
3270
3271   *Eneas U de Queiroz*
3272
3273 * Add keyed BLAKE2 to EVP_MAC.
3274
3275   *Antoine Salon*
3276
3277 * Fix a bug in the computation of the endpoint-pair shared secret used
3278   by DTLS over SCTP. This breaks interoperability with older versions
3279   of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2. There is a runtime
3280   switch SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG (off by default) enabling
3281   interoperability with such broken implementations. However, enabling
3282   this switch breaks interoperability with correct implementations.
3283
3284 * Fix a use after free bug in d2i_X509_PUBKEY when overwriting a
3285   reused X509_PUBKEY object if the second PUBKEY is malformed.
3286
3287   *Bernd Edlinger*
3288
3289 * Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().
3290
3291   *Richard Levitte*
3292
3293 * Changed the license to the Apache License v2.0.
3294
3295   *Richard Levitte*
3296
3297 * Switch to a new version scheme using three numbers MAJOR.MINOR.PATCH.
3298
3299   - Major releases (indicated by incrementing the MAJOR release number)
3300     may introduce incompatible API/ABI changes.
3301   - Minor releases (indicated by incrementing the MINOR release number)
3302     may introduce new features but retain API/ABI compatibility.
3303   - Patch releases (indicated by incrementing the PATCH number)
3304     are intended for bug fixes and other improvements of existing
3305     features only (like improving performance or adding documentation)
3306     and retain API/ABI compatibility.
3307
3308   *Richard Levitte*
3309
3310 * Add support for RFC5297 SIV mode (siv128), including AES-SIV.
3311
3312   *Todd Short*
3313
3314 * Remove the 'dist' target and add a tarball building script.  The
3315   'dist' target has fallen out of use, and it shouldn't be
3316   necessary to configure just to create a source distribution.
3317
3318   *Richard Levitte*
3319
3320 * Recreate the OS390-Unix config target.  It no longer relies on a
3321   special script like it did for OpenSSL pre-1.1.0.
3322
3323   *Richard Levitte*
3324
3325 * Instead of having the source directories listed in Configure, add
3326   a 'build.info' keyword SUBDIRS to indicate what sub-directories to
3327   look into.
3328
3329   *Richard Levitte*
3330
3331 * Add GMAC to EVP_MAC.
3332
3333   *Paul Dale*
3334
3335 * Ported the HMAC, CMAC and SipHash EVP_PKEY_METHODs to EVP_MAC.
3336
3337   *Richard Levitte*
3338
3339 * Added EVP_MAC, an EVP layer MAC API, to simplify adding MAC
3340   implementations.  This includes a generic EVP_PKEY to EVP_MAC bridge,
3341   to facilitate the continued use of MACs through raw private keys in
3342   functionality such as `EVP_DigestSign*` and `EVP_DigestVerify*`.
3343
3344   *Richard Levitte*
3345
3346 * Deprecate ECDH_KDF_X9_62().
3347
3348   *Antoine Salon*
3349
3350 * Added EVP_PKEY_ECDH_KDF_X9_63 and ecdh_KDF_X9_63() as replacements for
3351   the EVP_PKEY_ECDH_KDF_X9_62 KDF type and ECDH_KDF_X9_62(). The old names
3352   are retained for backwards compatibility.
3353
3354   *Antoine Salon*
3355
3356 * AES-XTS mode now enforces that its two keys are different to mitigate
3357   the attacked described in "Efficient Instantiations of Tweakable
3358   Blockciphers and Refinements to Modes OCB and PMAC" by Phillip Rogaway.
3359   Details of this attack can be obtained from:
3360   <http://web.cs.ucdavis.edu/%7Erogaway/papers/offsets.pdf>
3361
3362   *Paul Dale*
3363
3364 * Rename the object files, i.e. give them other names than in previous
3365   versions.  Their names now include the name of the final product, as
3366   well as its type mnemonic (bin, lib, shlib).
3367
3368   *Richard Levitte*
3369
3370 * Added new option for 'openssl list', '-objects', which will display the
3371   list of built in objects, i.e. OIDs with names.
3372
3373   *Richard Levitte*
3374
3375 * Added the options `-crl_lastupdate` and `-crl_nextupdate` to `openssl ca`,
3376   allowing the `lastUpdate` and `nextUpdate` fields in the generated CRL to
3377   be set explicitly.
3378
3379   *Chris Novakovic*
3380
3381 * Added support for Linux Kernel TLS data-path. The Linux Kernel data-path
3382   improves application performance by removing data copies and providing
3383   applications with zero-copy system calls such as sendfile and splice.
3384
3385   *Boris Pismenny*
3386
3387 * The SSL option SSL_OP_CLEANSE_PLAINTEXT is introduced.
3388
3389   *Martin Elshuber*
3390
3391 * `PKCS12_parse` now maintains the order of the parsed certificates
3392   when outputting them via `*ca` (rather than reversing it).
3393
3394   *David von Oheimb*
3395
3396 * Deprecated pthread fork support methods.
3397
3398   *Randall S. Becker*
3399
3400 * Added support for FFDHE key exchange in TLS 1.3.
3401
3402   *Raja Ashok*
3403
3404 * Added a new concept for OpenSSL plugability: providers.  This
3405   functionality is designed to replace the ENGINE API and ENGINE
3406   implementations, and to be much more dynamic, allowing provider
3407   authors to introduce new algorithms among other things, as long as
3408   there's an API that supports the algorithm type.
3409
3410   With this concept comes a new core API for interaction between
3411   libcrypto and provider implementations.  Public libcrypto functions
3412   that want to use providers do so through this core API.
3413
3414   The main documentation for this core API is found in
3415   doc/man7/provider.pod, doc/man7/provider-base.pod, and they in turn
3416   refer to other manuals describing the API specific for supported
3417   algorithm types (also called operations).
3418
3419   *The OpenSSL team*
3420
3421OpenSSL 1.1.1
3422-------------
3423
3424### Changes between 1.1.1m and 1.1.1n [xx XXX xxxx]
3425
3426### Changes between 1.1.1l and 1.1.1m [14 Dec 2021]
3427
3428 * Avoid loading of a dynamic engine twice.
3429
3430   *Bernd Edlinger*
3431
3432 * Prioritise DANE TLSA issuer certs over peer certs
3433
3434   *Viktor Dukhovni*
3435
3436 * Fixed random API for MacOS prior to 10.12
3437
3438   These MacOS versions don't support the CommonCrypto APIs
3439
3440   *Lenny Primak*
3441
3442### Changes between 1.1.1k and 1.1.1l [24 Aug 2021]
3443
3444 * Fixed an SM2 Decryption Buffer Overflow.
3445
3446   In order to decrypt SM2 encrypted data an application is expected to
3447   call the API function EVP_PKEY_decrypt(). Typically an application will
3448   call this function twice. The first time, on entry, the "out" parameter
3449   can be NULL and, on exit, the "outlen" parameter is populated with the
3450   buffer size required to hold the decrypted plaintext. The application
3451   can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt()
3452   again, but this time passing a non-NULL value for the "out" parameter.
3453
3454   A bug in the implementation of the SM2 decryption code means that the
3455   calculation of the buffer size required to hold the plaintext returned
3456   by the first call to EVP_PKEY_decrypt() can be smaller than the actual
3457   size required by the second call. This can lead to a buffer overflow
3458   when EVP_PKEY_decrypt() is called by the application a second time with
3459   a buffer that is too small.
3460
3461   A malicious attacker who is able present SM2 content for decryption to
3462   an application could cause attacker chosen data to overflow the buffer
3463   by up to a maximum of 62 bytes altering the contents of other data held
3464   after the buffer, possibly changing application behaviour or causing
3465   the application to crash. The location of the buffer is application
3466   dependent but is typically heap allocated.
3467   ([CVE-2021-3711])
3468
3469   *Matt Caswell*
3470
3471 * Fixed various read buffer overruns processing ASN.1 strings
3472
3473   ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING
3474   structure which contains a buffer holding the string data and a field
3475   holding the buffer length. This contrasts with normal C strings which
3476   are represented as a buffer for the string data which is terminated
3477   with a NUL (0) byte.
3478
3479   Although not a strict requirement, ASN.1 strings that are parsed using
3480   OpenSSL's own "d2i" functions (and other similar parsing functions) as
3481   well as any string whose value has been set with the ASN1_STRING_set()
3482   function will additionally NUL terminate the byte array in the
3483   ASN1_STRING structure.
3484
3485   However, it is possible for applications to directly construct valid
3486   ASN1_STRING structures which do not NUL terminate the byte array by
3487   directly setting the "data" and "length" fields in the ASN1_STRING
3488   array. This can also happen by using the ASN1_STRING_set0() function.
3489
3490   Numerous OpenSSL functions that print ASN.1 data have been found to
3491   assume that the ASN1_STRING byte array will be NUL terminated, even
3492   though this is not guaranteed for strings that have been directly
3493   constructed. Where an application requests an ASN.1 structure to be
3494   printed, and where that ASN.1 structure contains ASN1_STRINGs that have
3495   been directly constructed by the application without NUL terminating
3496   the "data" field, then a read buffer overrun can occur.
3497
3498   The same thing can also occur during name constraints processing
3499   of certificates (for example if a certificate has been directly
3500   constructed by the application instead of loading it via the OpenSSL
3501   parsing functions, and the certificate contains non NUL terminated
3502   ASN1_STRING structures). It can also occur in the X509_get1_email(),
3503   X509_REQ_get1_email() and X509_get1_ocsp() functions.
3504
3505   If a malicious actor can cause an application to directly construct an
3506   ASN1_STRING and then process it through one of the affected OpenSSL
3507   functions then this issue could be hit. This might result in a crash
3508   (causing a Denial of Service attack). It could also result in the
3509   disclosure of private memory contents (such as private keys, or
3510   sensitive plaintext).
3511   ([CVE-2021-3712])
3512
3513   *Matt Caswell*
3514
3515### Changes between 1.1.1j and 1.1.1k [25 Mar 2021]
3516
3517 * Fixed a problem with verifying a certificate chain when using the
3518   X509_V_FLAG_X509_STRICT flag. This flag enables additional security checks of
3519   the certificates present in a certificate chain. It is not set by default.
3520
3521   Starting from OpenSSL version 1.1.1h a check to disallow certificates in
3522   the chain that have explicitly encoded elliptic curve parameters was added
3523   as an additional strict check.
3524
3525   An error in the implementation of this check meant that the result of a
3526   previous check to confirm that certificates in the chain are valid CA
3527   certificates was overwritten. This effectively bypasses the check
3528   that non-CA certificates must not be able to issue other certificates.
3529
3530   If a "purpose" has been configured then there is a subsequent opportunity
3531   for checks that the certificate is a valid CA.  All of the named "purpose"
3532   values implemented in libcrypto perform this check.  Therefore, where
3533   a purpose is set the certificate chain will still be rejected even when the
3534   strict flag has been used. A purpose is set by default in libssl client and
3535   server certificate verification routines, but it can be overridden or
3536   removed by an application.
3537
3538   In order to be affected, an application must explicitly set the
3539   X509_V_FLAG_X509_STRICT verification flag and either not set a purpose
3540   for the certificate verification or, in the case of TLS client or server
3541   applications, override the default purpose.
3542   ([CVE-2021-3450])
3543
3544   *Tomáš Mráz*
3545
3546 * Fixed an issue where an OpenSSL TLS server may crash if sent a maliciously
3547   crafted renegotiation ClientHello message from a client. If a TLSv1.2
3548   renegotiation ClientHello omits the signature_algorithms extension (where it
3549   was present in the initial ClientHello), but includes a
3550   signature_algorithms_cert extension then a NULL pointer dereference will
3551   result, leading to a crash and a denial of service attack.
3552
3553   A server is only vulnerable if it has TLSv1.2 and renegotiation enabled
3554   (which is the default configuration). OpenSSL TLS clients are not impacted by
3555   this issue.
3556   ([CVE-2021-3449])
3557
3558   *Peter Kästle and Samuel Sapalski*
3559
3560### Changes between 1.1.1i and 1.1.1j [16 Feb 2021]
3561
3562 * Fixed the X509_issuer_and_serial_hash() function. It attempts to
3563   create a unique hash value based on the issuer and serial number data
3564   contained within an X509 certificate. However, it was failing to correctly
3565   handle any errors that may occur while parsing the issuer field (which might
3566   occur if the issuer field is maliciously constructed). This may subsequently
3567   result in a NULL pointer deref and a crash leading to a potential denial of
3568   service attack.
3569   ([CVE-2021-23841])
3570
3571   *Matt Caswell*
3572
3573 * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING
3574   padding mode to correctly check for rollback attacks. This is considered a
3575   bug in OpenSSL 1.1.1 because it does not support SSLv2. In 1.0.2 this is
3576   CVE-2021-23839.
3577
3578   *Matt Caswell*
3579
3580   Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate
3581   functions. Previously they could overflow the output length argument in some
3582   cases where the input length is close to the maximum permissible length for
3583   an integer on the platform. In such cases the return value from the function
3584   call would be 1 (indicating success), but the output length value would be
3585   negative. This could cause applications to behave incorrectly or crash.
3586   ([CVE-2021-23840])
3587
3588   *Matt Caswell*
3589
3590 * Fixed SRP_Calc_client_key so that it runs in constant time. The previous
3591   implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This
3592   could be exploited in a side channel attack to recover the password. Since
3593   the attack is local host only this is outside of the current OpenSSL
3594   threat model and therefore no CVE is assigned.
3595
3596   Thanks to Mohammed Sabt and Daniel De Almeida Braga for reporting this
3597   issue.
3598
3599   *Matt Caswell*
3600
3601### Changes between 1.1.1h and 1.1.1i [8 Dec 2020]
3602
3603 * Fixed NULL pointer deref in the GENERAL_NAME_cmp function
3604   This function could crash if both GENERAL_NAMEs contain an EDIPARTYNAME.
3605    If an attacker can control both items being compared  then this could lead
3606    to a possible denial of service attack. OpenSSL itself uses the
3607    GENERAL_NAME_cmp function for two purposes:
3608    1) Comparing CRL distribution point names between an available CRL and a
3609       CRL distribution point embedded in an X509 certificate
3610    2) When verifying that a timestamp response token signer matches the
3611       timestamp authority name (exposed via the API functions
3612       TS_RESP_verify_response and TS_RESP_verify_token)
3613   ([CVE-2020-1971])
3614
3615   *Matt Caswell*
3616
3617### Changes between 1.1.1g and 1.1.1h [22 Sep 2020]
3618
3619 * Certificates with explicit curve parameters are now disallowed in
3620   verification chains if the X509_V_FLAG_X509_STRICT flag is used.
3621
3622   *Tomáš Mráz*
3623
3624 * The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
3625   ignore TLS protocol version bounds when configuring DTLS-based contexts, and
3626   conversely, silently ignore DTLS protocol version bounds when configuring
3627   TLS-based contexts.  The commands can be repeated to set bounds of both
3628   types.  The same applies with the corresponding "min_protocol" and
3629   "max_protocol" command-line switches, in case some application uses both TLS
3630   and DTLS.
3631
3632   SSL_CTX instances that are created for a fixed protocol version (e.g.
3633   TLSv1_server_method()) also silently ignore version bounds.  Previously
3634   attempts to apply bounds to these protocol versions would result in an
3635   error.  Now only the "version-flexible" SSL_CTX instances are subject to
3636   limits in configuration files in command-line options.
3637
3638   *Viktor Dukhovni*
3639
3640 * Handshake now fails if Extended Master Secret extension is dropped
3641   on renegotiation.
3642
3643   *Tomáš Mráz*
3644
3645 * The Oracle Developer Studio compiler will start reporting deprecated APIs
3646
3647### Changes between 1.1.1f and 1.1.1g [21 Apr 2020]
3648
3649 * Fixed segmentation fault in SSL_check_chain()
3650   Server or client applications that call the SSL_check_chain() function
3651   during or after a TLS 1.3 handshake may crash due to a NULL pointer
3652   dereference as a result of incorrect handling of the
3653   "signature_algorithms_cert" TLS extension. The crash occurs if an invalid
3654   or unrecognised signature algorithm is received from the peer. This could
3655   be exploited by a malicious peer in a Denial of Service attack.
3656   ([CVE-2020-1967])
3657
3658   *Benjamin Kaduk*
3659
3660 * Added AES consttime code for no-asm configurations
3661   an optional constant time support for AES was added
3662   when building openssl for no-asm.
3663   Enable with: ./config no-asm -DOPENSSL_AES_CONST_TIME
3664   Disable with: ./config no-asm -DOPENSSL_NO_AES_CONST_TIME
3665   At this time this feature is by default disabled.
3666   It will be enabled by default in 3.0.
3667
3668   *Bernd Edlinger*
3669
3670### Changes between 1.1.1e and 1.1.1f [31 Mar 2020]
3671
3672 * Revert the change of EOF detection while reading in libssl to avoid
3673   regressions in applications depending on the current way of reporting
3674   the EOF. As the existing method is not fully accurate the change to
3675   reporting the EOF via SSL_ERROR_SSL is kept on the current development
3676   branch and will be present in the 3.0 release.
3677
3678   *Tomáš Mráz*
3679
3680 * Revised BN_generate_prime_ex to not avoid factors 3..17863 in p-1
3681   when primes for RSA keys are computed.
3682   Since we previously always generated primes == 2 (mod 3) for RSA keys,
3683   the 2-prime and 3-prime RSA modules were easy to distinguish, since
3684   N = p*q = 1 (mod 3), but N = p*q*r = 2 (mod 3). Therefore, fingerprinting
3685   2-prime vs. 3-prime RSA keys was possible by computing N mod 3.
3686   This avoids possible fingerprinting of newly generated RSA modules.
3687
3688   *Bernd Edlinger*
3689
3690### Changes between 1.1.1d and 1.1.1e [17 Mar 2020]
3691
3692 * Properly detect EOF while reading in libssl. Previously if we hit an EOF
3693   while reading in libssl then we would report an error back to the
3694   application (SSL_ERROR_SYSCALL) but errno would be 0. We now add
3695   an error to the stack (which means we instead return SSL_ERROR_SSL) and
3696   therefore give a hint as to what went wrong.
3697
3698   *Matt Caswell*
3699
3700 * Check that ed25519 and ed448 are allowed by the security level. Previously
3701   signature algorithms not using an MD were not being checked that they were
3702   allowed by the security level.
3703
3704   *Kurt Roeckx*
3705
3706 * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername()
3707   was not quite right. The behaviour was not consistent between resumption
3708   and normal handshakes, and also not quite consistent with historical
3709   behaviour. The behaviour in various scenarios has been clarified and
3710   it has been updated to make it match historical behaviour as closely as
3711   possible.
3712
3713   *Matt Caswell*
3714
3715 * *[VMS only]* The header files that the VMS compilers include automatically,
3716   `__DECC_INCLUDE_PROLOGUE.H` and `__DECC_INCLUDE_EPILOGUE.H`, use pragmas
3717   that the C++ compiler doesn't understand.  This is a shortcoming in the
3718   compiler, but can be worked around with `__cplusplus` guards.
3719
3720   C++ applications that use OpenSSL libraries must be compiled using the
3721   qualifier `/NAMES=(AS_IS,SHORTENED)` to be able to use all the OpenSSL
3722   functions.  Otherwise, only functions with symbols of less than 31
3723   characters can be used, as the linker will not be able to successfully
3724   resolve symbols with longer names.
3725
3726   *Richard Levitte*
3727
3728 * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY.
3729   The presence of this system service is determined at run-time.
3730
3731   *Richard Levitte*
3732
3733 * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just
3734   the first value.
3735
3736   *Jon Spillett*
3737
3738### Changes between 1.1.1c and 1.1.1d [10 Sep 2019]
3739
3740 * Fixed a fork protection issue. OpenSSL 1.1.1 introduced a rewritten random
3741   number generator (RNG). This was intended to include protection in the
3742   event of a fork() system call in order to ensure that the parent and child
3743   processes did not share the same RNG state. However, this protection was not
3744   being used in the default case.
3745
3746   A partial mitigation for this issue is that the output from a high
3747   precision timer is mixed into the RNG state so the likelihood of a parent
3748   and child process sharing state is significantly reduced.
3749
3750   If an application already calls OPENSSL_init_crypto() explicitly using
3751   OPENSSL_INIT_ATFORK then this problem does not occur at all.
3752   ([CVE-2019-1549])
3753
3754   *Matthias St. Pierre*
3755
3756 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
3757   used even when parsing explicit parameters, when loading a encoded key
3758   or calling `EC_GROUP_new_from_ecpkparameters()`/
3759   `EC_GROUP_new_from_ecparameters()`.
3760   This prevents bypass of security hardening and performance gains,
3761   especially for curves with specialized EC_METHODs.
3762   By default, if a key encoded with explicit parameters is loaded and later
3763   encoded, the output is still encoded with explicit parameters, even if
3764   internally a "named" EC_GROUP is used for computation.
3765
3766   *Nicola Tuveri*
3767
3768 * Compute ECC cofactors if not provided during EC_GROUP construction. Before
3769   this change, EC_GROUP_set_generator would accept order and/or cofactor as
3770   NULL. After this change, only the cofactor parameter can be NULL. It also
3771   does some minimal sanity checks on the passed order.
3772   ([CVE-2019-1547])
3773
3774   *Billy Bob Brumley*
3775
3776 * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
3777   An attack is simple, if the first CMS_recipientInfo is valid but the
3778   second CMS_recipientInfo is chosen ciphertext. If the second
3779   recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
3780   encryption key will be replaced by garbage, and the message cannot be
3781   decoded, but if the RSA decryption fails, the correct encryption key is
3782   used and the recipient will not notice the attack.
3783   As a work around for this potential attack the length of the decrypted
3784   key must be equal to the cipher default key length, in case the
3785   certificate is not given and all recipientInfo are tried out.
3786   The old behaviour can be re-enabled in the CMS code by setting the
3787   CMS_DEBUG_DECRYPT flag.
3788   ([CVE-2019-1563])
3789
3790   *Bernd Edlinger*
3791
3792 * Early start up entropy quality from the DEVRANDOM seed source has been
3793   improved for older Linux systems.  The RAND subsystem will wait for
3794   /dev/random to be producing output before seeding from /dev/urandom.
3795   The seeded state is stored for future library initialisations using
3796   a system global shared memory segment.  The shared memory identifier
3797   can be configured by defining OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID to
3798   the desired value.  The default identifier is 114.
3799
3800   *Paul Dale*
3801
3802 * Correct the extended master secret constant on EBCDIC systems. Without this
3803   fix TLS connections between an EBCDIC system and a non-EBCDIC system that
3804   negotiate EMS will fail. Unfortunately this also means that TLS connections
3805   between EBCDIC systems with this fix, and EBCDIC systems without this
3806   fix will fail if they negotiate EMS.
3807
3808   *Matt Caswell*
3809
3810 * Use Windows installation paths in the mingw builds
3811
3812   Mingw isn't a POSIX environment per se, which means that Windows
3813   paths should be used for installation.
3814   ([CVE-2019-1552])
3815
3816   *Richard Levitte*
3817
3818 * Changed DH_check to accept parameters with order q and 2q subgroups.
3819   With order 2q subgroups the bit 0 of the private key is not secret
3820   but DH_generate_key works around that by clearing bit 0 of the
3821   private key for those. This avoids leaking bit 0 of the private key.
3822
3823   *Bernd Edlinger*
3824
3825 * Significantly reduce secure memory usage by the randomness pools.
3826
3827   *Paul Dale*
3828
3829 * Revert the DEVRANDOM_WAIT feature for Linux systems
3830
3831   The DEVRANDOM_WAIT feature added a select() call to wait for the
3832   /dev/random device to become readable before reading from the
3833   /dev/urandom device.
3834
3835   It turned out that this change had negative side effects on
3836   performance which were not acceptable. After some discussion it
3837   was decided to revert this feature and leave it up to the OS
3838   resp. the platform maintainer to ensure a proper initialization
3839   during early boot time.
3840
3841   *Matthias St. Pierre*
3842
3843### Changes between 1.1.1b and 1.1.1c [28 May 2019]
3844
3845 * Add build tests for C++.  These are generated files that only do one
3846   thing, to include one public OpenSSL head file each.  This tests that
3847   the public header files can be usefully included in a C++ application.
3848
3849   This test isn't enabled by default.  It can be enabled with the option
3850   'enable-buildtest-c++'.
3851
3852   *Richard Levitte*
3853
3854 * Enable SHA3 pre-hashing for ECDSA and DSA.
3855
3856   *Patrick Steuer*
3857
3858 * Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
3859   This changes the size when using the `genpkey` command when no size is given.
3860   It fixes an omission in earlier changes that changed all RSA, DSA and DH
3861   generation commands to use 2048 bits by default.
3862
3863   *Kurt Roeckx*
3864
3865 * Reorganize the manual pages to consistently have RETURN VALUES,
3866   EXAMPLES, SEE ALSO and HISTORY come in that order, and adjust
3867   util/fix-doc-nits accordingly.
3868
3869   *Paul Yang, Joshua Lock*
3870
3871 * Add the missing accessor EVP_PKEY_get0_engine()
3872
3873   *Matt Caswell*
3874
3875 * Have commands like `s_client` and `s_server` output the signature scheme
3876   along with other cipher suite parameters when debugging.
3877
3878   *Lorinczy Zsigmond*
3879
3880 * Make OPENSSL_config() error agnostic again.
3881
3882   *Richard Levitte*
3883
3884 * Do the error handling in RSA decryption constant time.
3885
3886   *Bernd Edlinger*
3887
3888 * Prevent over long nonces in ChaCha20-Poly1305.
3889
3890   ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
3891   for every encryption operation. RFC 7539 specifies that the nonce value
3892   (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length
3893   and front pads the nonce with 0 bytes if it is less than 12
3894   bytes. However it also incorrectly allows a nonce to be set of up to 16
3895   bytes. In this case only the last 12 bytes are significant and any
3896   additional leading bytes are ignored.
3897
3898   It is a requirement of using this cipher that nonce values are
3899   unique. Messages encrypted using a reused nonce value are susceptible to
3900   serious confidentiality and integrity attacks. If an application changes
3901   the default nonce length to be longer than 12 bytes and then makes a
3902   change to the leading bytes of the nonce expecting the new value to be a
3903   new unique nonce then such an application could inadvertently encrypt
3904   messages with a reused nonce.
3905
3906   Additionally the ignored bytes in a long nonce are not covered by the
3907   integrity guarantee of this cipher. Any application that relies on the
3908   integrity of these ignored leading bytes of a long nonce may be further
3909   affected. Any OpenSSL internal use of this cipher, including in SSL/TLS,
3910   is safe because no such use sets such a long nonce value. However user
3911   applications that use this cipher directly and set a non-default nonce
3912   length to be longer than 12 bytes may be vulnerable.
3913
3914   This issue was reported to OpenSSL on 16th of March 2019 by Joran Dirk
3915   Greef of Ronomon.
3916   ([CVE-2019-1543])
3917
3918   *Matt Caswell*
3919
3920 * Add DEVRANDOM_WAIT feature for Linux systems
3921
3922   On older Linux systems where the getrandom() system call is not available,
3923   OpenSSL normally uses the /dev/urandom device for seeding its CSPRNG.
3924   Contrary to getrandom(), the /dev/urandom device will not block during
3925   early boot when the kernel CSPRNG has not been seeded yet.
3926
3927   To mitigate this known weakness, use select() to wait for /dev/random to
3928   become readable before reading from /dev/urandom.
3929
3930 * Ensure that SM2 only uses SM3 as digest algorithm
3931
3932   *Paul Yang*
3933
3934### Changes between 1.1.1a and 1.1.1b [26 Feb 2019]
3935
3936 * Change the info callback signals for the start and end of a post-handshake
3937   message exchange in TLSv1.3. In 1.1.1/1.1.1a we used SSL_CB_HANDSHAKE_START
3938   and SSL_CB_HANDSHAKE_DONE. Experience has shown that many applications get
3939   confused by this and assume that a TLSv1.2 renegotiation has started. This
3940   can break KeyUpdate handling. Instead we no longer signal the start and end
3941   of a post handshake message exchange (although the messages themselves are
3942   still signalled). This could break some applications that were expecting
3943   the old signals. However without this KeyUpdate is not usable for many
3944   applications.
3945
3946   *Matt Caswell*
3947
3948### Changes between 1.1.1 and 1.1.1a [20 Nov 2018]
3949
3950 * Timing vulnerability in DSA signature generation
3951
3952   The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
3953   timing side channel attack. An attacker could use variations in the signing
3954   algorithm to recover the private key.
3955
3956   This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
3957   ([CVE-2018-0734])
3958
3959   *Paul Dale*
3960
3961 * Timing vulnerability in ECDSA signature generation
3962
3963   The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a
3964   timing side channel attack. An attacker could use variations in the signing
3965   algorithm to recover the private key.
3966
3967   This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser.
3968   ([CVE-2018-0735])
3969
3970   *Paul Dale*
3971
3972 * Fixed the issue that RAND_add()/RAND_seed() silently discards random input
3973   if its length exceeds 4096 bytes. The limit has been raised to a buffer size
3974   of two gigabytes and the error handling improved.
3975
3976   This issue was reported to OpenSSL by Dr. Falko Strenzke. It has been
3977   categorized as a normal bug, not a security issue, because the DRBG reseeds
3978   automatically and is fully functional even without additional randomness
3979   provided by the application.
3980
3981### Changes between 1.1.0i and 1.1.1 [11 Sep 2018]
3982
3983 * Add a new ClientHello callback. Provides a callback interface that gives
3984   the application the ability to adjust the nascent SSL object at the
3985   earliest stage of ClientHello processing, immediately after extensions have
3986   been collected but before they have been processed. In particular, this
3987   callback can adjust the supported TLS versions in response to the contents
3988   of the ClientHello
3989
3990   *Benjamin Kaduk*
3991
3992 * Add SM2 base algorithm support.
3993
3994   *Jack Lloyd*
3995
3996 * s390x assembly pack: add (improved) hardware-support for the following
3997   cryptographic primitives: sha3, shake, aes-gcm, aes-ccm, aes-ctr, aes-ofb,
3998   aes-cfb/cfb8, aes-ecb.
3999
4000   *Patrick Steuer*
4001
4002 * Make EVP_PKEY_asn1_new() a bit stricter about its input.  A NULL pem_str
4003   parameter is no longer accepted, as it leads to a corrupt table.  NULL
4004   pem_str is reserved for alias entries only.
4005
4006   *Richard Levitte*
4007
4008 * Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder
4009   step for prime curves. The new implementation is based on formulae from
4010   differential addition-and-doubling in homogeneous projective coordinates
4011   from Izu-Takagi "A fast parallel elliptic curve multiplication resistant
4012   against side channel attacks" and Brier-Joye "Weierstrass Elliptic Curves
4013   and Side-Channel Attacks" Eq. (8) for y-coordinate recovery, modified
4014   to work in projective coordinates.
4015
4016   *Billy Bob Brumley, Nicola Tuveri*
4017
4018 * Change generating and checking of primes so that the error rate of not
4019   being prime depends on the intended use based on the size of the input.
4020   For larger primes this will result in more rounds of Miller-Rabin.
4021   The maximal error rate for primes with more than 1080 bits is lowered
4022   to 2^-128.
4023
4024   *Kurt Roeckx, Annie Yousar*
4025
4026 * Increase the number of Miller-Rabin rounds for DSA key generating to 64.
4027
4028   *Kurt Roeckx*
4029
4030 * The 'tsget' script is renamed to 'tsget.pl', to avoid confusion when
4031   moving between systems, and to avoid confusion when a Windows build is
4032   done with mingw vs with MSVC.  For POSIX installs, there's still a
4033   symlink or copy named 'tsget' to avoid that confusion as well.
4034
4035   *Richard Levitte*
4036
4037 * Revert blinding in ECDSA sign and instead make problematic addition
4038   length-invariant. Switch even to fixed-length Montgomery multiplication.
4039
4040   *Andy Polyakov*
4041
4042 * Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder
4043   step for binary curves. The new implementation is based on formulae from
4044   differential addition-and-doubling in mixed Lopez-Dahab projective
4045   coordinates, modified to independently blind the operands.
4046
4047   *Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri*
4048
4049 * Add a scaffold to optionally enhance the Montgomery ladder implementation
4050   for `ec_scalar_mul_ladder` (formerly `ec_mul_consttime`) allowing
4051   EC_METHODs to implement their own specialized "ladder step", to take
4052   advantage of more favorable coordinate systems or more efficient
4053   differential addition-and-doubling algorithms.
4054
4055   *Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri*
4056
4057 * Modified the random device based seed sources to keep the relevant
4058   file descriptors open rather than reopening them on each access.
4059   This allows such sources to operate in a chroot() jail without
4060   the associated device nodes being available. This behaviour can be
4061   controlled using RAND_keep_random_devices_open().
4062
4063   *Paul Dale*
4064
4065 * Numerous side-channel attack mitigations have been applied. This may have
4066   performance impacts for some algorithms for the benefit of improved
4067   security. Specific changes are noted in this change log by their respective
4068   authors.
4069
4070   *Matt Caswell*
4071
4072 * AIX shared library support overhaul. Switch to AIX "natural" way of
4073   handling shared libraries, which means collecting shared objects of
4074   different versions and bitnesses in one common archive. This allows to
4075   mitigate conflict between 1.0 and 1.1 side-by-side installations. It
4076   doesn't affect the way 3rd party applications are linked, only how
4077   multi-version installation is managed.
4078
4079   *Andy Polyakov*
4080
4081 * Make ec_group_do_inverse_ord() more robust and available to other
4082   EC cryptosystems, so that irrespective of BN_FLG_CONSTTIME, SCA
4083   mitigations are applied to the fallback BN_mod_inverse().
4084   When using this function rather than BN_mod_inverse() directly, new
4085   EC cryptosystem implementations are then safer-by-default.
4086
4087   *Billy Bob Brumley*
4088
4089 * Add coordinate blinding for EC_POINT and implement projective
4090   coordinate blinding for generic prime curves as a countermeasure to
4091   chosen point SCA attacks.
4092
4093   *Sohaib ul Hassan, Nicola Tuveri, Billy Bob Brumley*
4094
4095 * Add blinding to ECDSA and DSA signatures to protect against side channel
4096   attacks discovered by Keegan Ryan (NCC Group).
4097
4098   *Matt Caswell*
4099
4100 * Enforce checking in the `pkeyutl` command to ensure that the input
4101   length does not exceed the maximum supported digest length when performing
4102   a sign, verify or verifyrecover operation.
4103
4104   *Matt Caswell*
4105
4106 * SSL_MODE_AUTO_RETRY is enabled by default. Applications that use blocking
4107   I/O in combination with something like select() or poll() will hang. This
4108   can be turned off again using SSL_CTX_clear_mode().
4109   Many applications do not properly handle non-application data records, and
4110   TLS 1.3 sends more of such records. Setting SSL_MODE_AUTO_RETRY works
4111   around the problems in those applications, but can also break some.
4112   It's recommended to read the manpages about SSL_read(), SSL_write(),
4113   SSL_get_error(), SSL_shutdown(), SSL_CTX_set_mode() and
4114   SSL_CTX_set_read_ahead() again.
4115
4116   *Kurt Roeckx*
4117
4118 * When unlocking a pass phrase protected PEM file or PKCS#8 container, we
4119   now allow empty (zero character) pass phrases.
4120
4121   *Richard Levitte*
4122
4123 * Apply blinding to binary field modular inversion and remove patent
4124   pending (OPENSSL_SUN_GF2M_DIV) BN_GF2m_mod_div implementation.
4125
4126   *Billy Bob Brumley*
4127
4128 * Deprecate ec2_mult.c and unify scalar multiplication code paths for
4129   binary and prime elliptic curves.
4130
4131   *Billy Bob Brumley*
4132
4133 * Remove ECDSA nonce padding: EC_POINT_mul is now responsible for
4134   constant time fixed point multiplication.
4135
4136   *Billy Bob Brumley*
4137
4138 * Revise elliptic curve scalar multiplication with timing attack
4139   defenses: ec_wNAF_mul redirects to a constant time implementation
4140   when computing fixed point and variable point multiplication (which
4141   in OpenSSL are mostly used with secret scalars in keygen, sign,
4142   ECDH derive operations).
4143   *Billy Bob Brumley, Nicola Tuveri, Cesar Pereida García,
4144    Sohaib ul Hassan*
4145
4146 * Updated CONTRIBUTING
4147
4148   *Rich Salz*
4149
4150 * Updated DRBG / RAND to request nonce and additional low entropy
4151   randomness from the system.
4152
4153   *Matthias St. Pierre*
4154
4155 * Updated 'openssl rehash' to use OpenSSL consistent default.
4156
4157   *Richard Levitte*
4158
4159 * Moved the load of the ssl_conf module to libcrypto, which helps
4160   loading engines that libssl uses before libssl is initialised.
4161
4162   *Matt Caswell*
4163
4164 * Added EVP_PKEY_sign() and EVP_PKEY_verify() for EdDSA
4165
4166   *Matt Caswell*
4167
4168 * Fixed X509_NAME_ENTRY_set to get multi-valued RDNs right in all cases.
4169
4170   *Ingo Schwarze, Rich Salz*
4171
4172 * Added output of accepting IP address and port for 'openssl s_server'
4173
4174   *Richard Levitte*
4175
4176 * Added a new API for TLSv1.3 ciphersuites:
4177      SSL_CTX_set_ciphersuites()
4178      SSL_set_ciphersuites()
4179
4180   *Matt Caswell*
4181
4182 * Memory allocation failures consistently add an error to the error
4183   stack.
4184
4185   *Rich Salz*
4186
4187 * Don't use OPENSSL_ENGINES and OPENSSL_CONF environment values
4188   in libcrypto when run as setuid/setgid.
4189
4190   *Bernd Edlinger*
4191
4192 * Load any config file by default when libssl is used.
4193
4194   *Matt Caswell*
4195
4196 * Added new public header file <openssl/rand_drbg.h> and documentation
4197   for the RAND_DRBG API. See manual page RAND_DRBG(7) for an overview.
4198
4199   *Matthias St. Pierre*
4200
4201 * QNX support removed (cannot find contributors to get their approval
4202   for the license change).
4203
4204   *Rich Salz*
4205
4206 * TLSv1.3 replay protection for early data has been implemented. See the
4207   SSL_read_early_data() man page for further details.
4208
4209   *Matt Caswell*
4210
4211 * Separated TLSv1.3 ciphersuite configuration out from TLSv1.2 ciphersuite
4212   configuration. TLSv1.3 ciphersuites are not compatible with TLSv1.2 and
4213   below. Similarly TLSv1.2 ciphersuites are not compatible with TLSv1.3.
4214   In order to avoid issues where legacy TLSv1.2 ciphersuite configuration
4215   would otherwise inadvertently disable all TLSv1.3 ciphersuites the
4216   configuration has been separated out. See the ciphers man page or the
4217   SSL_CTX_set_ciphersuites() man page for more information.
4218
4219   *Matt Caswell*
4220
4221 * On POSIX (BSD, Linux, ...) systems the ocsp(1) command running
4222   in responder mode now supports the new "-multi" option, which
4223   spawns the specified number of child processes to handle OCSP
4224   requests.  The "-timeout" option now also limits the OCSP
4225   responder's patience to wait to receive the full client request
4226   on a newly accepted connection. Child processes are respawned
4227   as needed, and the CA index file is automatically reloaded
4228   when changed.  This makes it possible to run the "ocsp" responder
4229   as a long-running service, making the OpenSSL CA somewhat more
4230   feature-complete.  In this mode, most diagnostic messages logged
4231   after entering the event loop are logged via syslog(3) rather than
4232   written to stderr.
4233
4234   *Viktor Dukhovni*
4235
4236 * Added support for X448 and Ed448. Heavily based on original work by
4237   Mike Hamburg.
4238
4239   *Matt Caswell*
4240
4241 * Extend OSSL_STORE with capabilities to search and to narrow the set of
4242   objects loaded.  This adds the functions OSSL_STORE_expect() and
4243   OSSL_STORE_find() as well as needed tools to construct searches and
4244   get the search data out of them.
4245
4246   *Richard Levitte*
4247
4248 * Support for TLSv1.3 added. Note that users upgrading from an earlier
4249   version of OpenSSL should review their configuration settings to ensure
4250   that they are still appropriate for TLSv1.3. For further information see:
4251   <https://wiki.openssl.org/index.php/TLS1.3>
4252
4253   *Matt Caswell*
4254
4255 * Grand redesign of the OpenSSL random generator
4256
4257   The default RAND method now utilizes an AES-CTR DRBG according to
4258   NIST standard SP 800-90Ar1. The new random generator is essentially
4259   a port of the default random generator from the OpenSSL FIPS 2.0
4260   object module. It is a hybrid deterministic random bit generator
4261   using an AES-CTR bit stream and which seeds and reseeds itself
4262   automatically using trusted system entropy sources.
4263
4264   Some of its new features are:
4265    - Support for multiple DRBG instances with seed chaining.
4266    - The default RAND method makes use of a DRBG.
4267    - There is a public and private DRBG instance.
4268    - The DRBG instances are fork-safe.
4269    - Keep all global DRBG instances on the secure heap if it is enabled.
4270    - The public and private DRBG instance are per thread for lock free
4271      operation
4272
4273   *Paul Dale, Benjamin Kaduk, Kurt Roeckx, Rich Salz, Matthias St. Pierre*
4274
4275 * Changed Configure so it only says what it does and doesn't dump
4276   so much data.  Instead, ./configdata.pm should be used as a script
4277   to display all sorts of configuration data.
4278
4279   *Richard Levitte*
4280
4281 * Added processing of "make variables" to Configure.
4282
4283   *Richard Levitte*
4284
4285 * Added SHA512/224 and SHA512/256 algorithm support.
4286
4287   *Paul Dale*
4288
4289 * The last traces of Netware support, first removed in 1.1.0, have
4290   now been removed.
4291
4292   *Rich Salz*
4293
4294 * Get rid of Makefile.shared, and in the process, make the processing
4295   of certain files (rc.obj, or the .def/.map/.opt files produced from
4296   the ordinal files) more visible and hopefully easier to trace and
4297   debug (or make silent).
4298
4299   *Richard Levitte*
4300
4301 * Make it possible to have environment variable assignments as
4302   arguments to config / Configure.
4303
4304   *Richard Levitte*
4305
4306 * Add multi-prime RSA (RFC 8017) support.
4307
4308   *Paul Yang*
4309
4310 * Add SM3 implemented according to GB/T 32905-2016
4311   *Jack Lloyd <jack.lloyd@ribose.com>,*
4312   *Ronald Tse <ronald.tse@ribose.com>,*
4313   *Erick Borsboom <erick.borsboom@ribose.com>*
4314
4315 * Add 'Maximum Fragment Length' TLS extension negotiation and support
4316   as documented in RFC6066.
4317   Based on a patch from Tomasz Moń
4318
4319   *Filipe Raimundo da Silva*
4320
4321 * Add SM4 implemented according to GB/T 32907-2016.
4322   *Jack Lloyd <jack.lloyd@ribose.com>,*
4323   *Ronald Tse <ronald.tse@ribose.com>,*
4324   *Erick Borsboom <erick.borsboom@ribose.com>*
4325
4326 * Reimplement -newreq-nodes and ERR_error_string_n; the
4327   original author does not agree with the license change.
4328
4329   *Rich Salz*
4330
4331 * Add ARIA AEAD TLS support.
4332
4333   *Jon Spillett*
4334
4335 * Some macro definitions to support VS6 have been removed.  Visual
4336   Studio 6 has not worked since 1.1.0
4337
4338   *Rich Salz*
4339
4340 * Add ERR_clear_last_mark(), to allow callers to clear the last mark
4341   without clearing the errors.
4342
4343   *Richard Levitte*
4344
4345 * Add "atfork" functions.  If building on a system that without
4346   pthreads, see doc/man3/OPENSSL_fork_prepare.pod for application
4347   requirements.  The RAND facility now uses/requires this.
4348
4349   *Rich Salz*
4350
4351 * Add SHA3.
4352
4353   *Andy Polyakov*
4354
4355 * The UI API becomes a permanent and integral part of libcrypto, i.e.
4356   not possible to disable entirely.  However, it's still possible to
4357   disable the console reading UI method, UI_OpenSSL() (use UI_null()
4358   as a fallback).
4359
4360   To disable, configure with 'no-ui-console'.  'no-ui' is still
4361   possible to use as an alias.  Check at compile time with the
4362   macro OPENSSL_NO_UI_CONSOLE.  The macro OPENSSL_NO_UI is still
4363   possible to check and is an alias for OPENSSL_NO_UI_CONSOLE.
4364
4365   *Richard Levitte*
4366
4367 * Add a STORE module, which implements a uniform and URI based reader of
4368   stores that can contain keys, certificates, CRLs and numerous other
4369   objects.  The main API is loosely based on a few stdio functions,
4370   and includes OSSL_STORE_open, OSSL_STORE_load, OSSL_STORE_eof,
4371   OSSL_STORE_error and OSSL_STORE_close.
4372   The implementation uses backends called "loaders" to implement arbitrary
4373   URI schemes.  There is one built in "loader" for the 'file' scheme.
4374
4375   *Richard Levitte*
4376
4377 * Add devcrypto engine.  This has been implemented against cryptodev-linux,
4378   then adjusted to work on FreeBSD 8.4 as well.
4379   Enable by configuring with 'enable-devcryptoeng'.  This is done by default
4380   on BSD implementations, as cryptodev.h is assumed to exist on all of them.
4381
4382   *Richard Levitte*
4383
4384 * Module names can prefixed with OSSL_ or OPENSSL_.  This affects
4385   util/mkerr.pl, which is adapted to allow those prefixes, leading to
4386   error code calls like this:
4387
4388           OSSL_FOOerr(OSSL_FOO_F_SOMETHING, OSSL_FOO_R_WHATEVER);
4389
4390   With this change, we claim the namespaces OSSL and OPENSSL in a manner
4391   that can be encoded in C.  For the foreseeable future, this will only
4392   affect new modules.
4393
4394   *Richard Levitte and Tim Hudson*
4395
4396 * Removed BSD cryptodev engine.
4397
4398   *Rich Salz*
4399
4400 * Add a build target 'build_all_generated', to build all generated files
4401   and only that.  This can be used to prepare everything that requires
4402   things like perl for a system that lacks perl and then move everything
4403   to that system and do the rest of the build there.
4404
4405   *Richard Levitte*
4406
4407 * In the UI interface, make it possible to duplicate the user data.  This
4408   can be used by engines that need to retain the data for a longer time
4409   than just the call where this user data is passed.
4410
4411   *Richard Levitte*
4412
4413 * Ignore the '-named_curve auto' value for compatibility of applications
4414   with OpenSSL 1.0.2.
4415
4416   *Tomáš Mráz <tmraz@fedoraproject.org>*
4417
4418 * Fragmented SSL/TLS alerts are no longer accepted. An alert message is 2
4419   bytes long. In theory it is permissible in SSLv3 - TLSv1.2 to fragment such
4420   alerts across multiple records (some of which could be empty). In practice
4421   it make no sense to send an empty alert record, or to fragment one. TLSv1.3
4422   prohibits this altogether and other libraries (BoringSSL, NSS) do not
4423   support this at all. Supporting it adds significant complexity to the
4424   record layer, and its removal is unlikely to cause interoperability
4425   issues.
4426
4427   *Matt Caswell*
4428
4429 * Add the ASN.1 types INT32, UINT32, INT64, UINT64 and variants prefixed
4430   with Z.  These are meant to replace LONG and ZLONG and to be size safe.
4431   The use of LONG and ZLONG is discouraged and scheduled for deprecation
4432   in OpenSSL 1.2.0.
4433
4434   *Richard Levitte*
4435
4436 * Add the 'z' and 'j' modifiers to BIO_printf() et al formatting string,
4437   'z' is to be used for [s]size_t, and 'j' - with [u]int64_t.
4438
4439   *Richard Levitte, Andy Polyakov*
4440
4441 * Add EC_KEY_get0_engine(), which does for EC_KEY what RSA_get0_engine()
4442   does for RSA, etc.
4443
4444   *Richard Levitte*
4445
4446 * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
4447   platform rather than 'mingw'.
4448
4449   *Richard Levitte*
4450
4451 * The functions X509_STORE_add_cert and X509_STORE_add_crl return
4452   success if they are asked to add an object which already exists
4453   in the store. This change cascades to other functions which load
4454   certificates and CRLs.
4455
4456   *Paul Dale*
4457
4458 * x86_64 assembly pack: annotate code with DWARF CFI directives to
4459   facilitate stack unwinding even from assembly subroutines.
4460
4461   *Andy Polyakov*
4462
4463 * Remove VAX C specific definitions of OPENSSL_EXPORT, OPENSSL_EXTERN.
4464   Also remove OPENSSL_GLOBAL entirely, as it became a no-op.
4465
4466   *Richard Levitte*
4467
4468 * Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c.
4469   VMS C's RTL has a fully up to date gmtime() and gmtime_r() since V7.1,
4470   which is the minimum version we support.
4471
4472   *Richard Levitte*
4473
4474 * Certificate time validation (X509_cmp_time) enforces stricter
4475   compliance with RFC 5280. Fractional seconds and timezone offsets
4476   are no longer allowed.
4477
4478   *Emilia Käsper*
4479
4480 * Add support for ARIA
4481
4482   *Paul Dale*
4483
4484 * s_client will now send the Server Name Indication (SNI) extension by
4485   default unless the new "-noservername" option is used. The server name is
4486   based on the host provided to the "-connect" option unless overridden by
4487   using "-servername".
4488
4489   *Matt Caswell*
4490
4491 * Add support for SipHash
4492
4493   *Todd Short*
4494
4495 * OpenSSL now fails if it receives an unrecognised record type in TLS1.0
4496   or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to
4497   prevent issues where no progress is being made and the peer continually
4498   sends unrecognised record types, using up resources processing them.
4499
4500   *Matt Caswell*
4501
4502 * 'openssl passwd' can now produce SHA256 and SHA512 based output,
4503   using the algorithm defined in
4504   <https://www.akkadia.org/drepper/SHA-crypt.txt>
4505
4506   *Richard Levitte*
4507
4508 * Heartbeat support has been removed; the ABI is changed for now.
4509
4510   *Richard Levitte, Rich Salz*
4511
4512 * Support for SSL_OP_NO_ENCRYPT_THEN_MAC in SSL_CONF_cmd.
4513
4514   *Emilia Käsper*
4515
4516 * The RSA "null" method, which was partially supported to avoid patent
4517   issues, has been replaced to always returns NULL.
4518
4519   *Rich Salz*
4520
4521OpenSSL 1.1.0
4522-------------
4523
4524### Changes between 1.1.0k and 1.1.0l [10 Sep 2019]
4525
4526 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
4527   used even when parsing explicit parameters, when loading a encoded key
4528   or calling `EC_GROUP_new_from_ecpkparameters()`/
4529   `EC_GROUP_new_from_ecparameters()`.
4530   This prevents bypass of security hardening and performance gains,
4531   especially for curves with specialized EC_METHODs.
4532   By default, if a key encoded with explicit parameters is loaded and later
4533   encoded, the output is still encoded with explicit parameters, even if
4534   internally a "named" EC_GROUP is used for computation.
4535
4536   *Nicola Tuveri*
4537
4538 * Compute ECC cofactors if not provided during EC_GROUP construction. Before
4539   this change, EC_GROUP_set_generator would accept order and/or cofactor as
4540   NULL. After this change, only the cofactor parameter can be NULL. It also
4541   does some minimal sanity checks on the passed order.
4542   ([CVE-2019-1547])
4543
4544   *Billy Bob Brumley*
4545
4546 * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
4547   An attack is simple, if the first CMS_recipientInfo is valid but the
4548   second CMS_recipientInfo is chosen ciphertext. If the second
4549   recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
4550   encryption key will be replaced by garbage, and the message cannot be
4551   decoded, but if the RSA decryption fails, the correct encryption key is
4552   used and the recipient will not notice the attack.
4553   As a work around for this potential attack the length of the decrypted
4554   key must be equal to the cipher default key length, in case the
4555   certificate is not given and all recipientInfo are tried out.
4556   The old behaviour can be re-enabled in the CMS code by setting the
4557   CMS_DEBUG_DECRYPT flag.
4558   ([CVE-2019-1563])
4559
4560   *Bernd Edlinger*
4561
4562 * Use Windows installation paths in the mingw builds
4563
4564   Mingw isn't a POSIX environment per se, which means that Windows
4565   paths should be used for installation.
4566   ([CVE-2019-1552])
4567
4568   *Richard Levitte*
4569
4570### Changes between 1.1.0j and 1.1.0k [28 May 2019]
4571
4572 * Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
4573   This changes the size when using the `genpkey` command when no size is given.
4574   It fixes an omission in earlier changes that changed all RSA, DSA and DH
4575   generation commands to use 2048 bits by default.
4576
4577   *Kurt Roeckx*
4578
4579 * Prevent over long nonces in ChaCha20-Poly1305.
4580
4581   ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
4582   for every encryption operation. RFC 7539 specifies that the nonce value
4583   (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length
4584   and front pads the nonce with 0 bytes if it is less than 12
4585   bytes. However it also incorrectly allows a nonce to be set of up to 16
4586   bytes. In this case only the last 12 bytes are significant and any
4587   additional leading bytes are ignored.
4588
4589   It is a requirement of using this cipher that nonce values are
4590   unique. Messages encrypted using a reused nonce value are susceptible to
4591   serious confidentiality and integrity attacks. If an application changes
4592   the default nonce length to be longer than 12 bytes and then makes a
4593   change to the leading bytes of the nonce expecting the new value to be a
4594   new unique nonce then such an application could inadvertently encrypt
4595   messages with a reused nonce.
4596
4597   Additionally the ignored bytes in a long nonce are not covered by the
4598   integrity guarantee of this cipher. Any application that relies on the
4599   integrity of these ignored leading bytes of a long nonce may be further
4600   affected. Any OpenSSL internal use of this cipher, including in SSL/TLS,
4601   is safe because no such use sets such a long nonce value. However user
4602   applications that use this cipher directly and set a non-default nonce
4603   length to be longer than 12 bytes may be vulnerable.
4604
4605   This issue was reported to OpenSSL on 16th of March 2019 by Joran Dirk
4606   Greef of Ronomon.
4607   ([CVE-2019-1543])
4608
4609   *Matt Caswell*
4610
4611 * Added SCA hardening for modular field inversion in EC_GROUP through
4612   a new dedicated field_inv() pointer in EC_METHOD.
4613   This also addresses a leakage affecting conversions from projective
4614   to affine coordinates.
4615
4616   *Billy Bob Brumley, Nicola Tuveri*
4617
4618 * Fix a use after free bug in d2i_X509_PUBKEY when overwriting a
4619   reused X509_PUBKEY object if the second PUBKEY is malformed.
4620
4621   *Bernd Edlinger*
4622
4623 * Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().
4624
4625   *Richard Levitte*
4626
4627 * Remove the 'dist' target and add a tarball building script.  The
4628   'dist' target has fallen out of use, and it shouldn't be
4629   necessary to configure just to create a source distribution.
4630
4631   *Richard Levitte*
4632
4633### Changes between 1.1.0i and 1.1.0j [20 Nov 2018]
4634
4635 * Timing vulnerability in DSA signature generation
4636
4637   The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
4638   timing side channel attack. An attacker could use variations in the signing
4639   algorithm to recover the private key.
4640
4641   This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
4642   ([CVE-2018-0734])
4643
4644   *Paul Dale*
4645
4646 * Timing vulnerability in ECDSA signature generation
4647
4648   The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a
4649   timing side channel attack. An attacker could use variations in the signing
4650   algorithm to recover the private key.
4651
4652   This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser.
4653   ([CVE-2018-0735])
4654
4655   *Paul Dale*
4656
4657 * Add coordinate blinding for EC_POINT and implement projective
4658   coordinate blinding for generic prime curves as a countermeasure to
4659   chosen point SCA attacks.
4660
4661   *Sohaib ul Hassan, Nicola Tuveri, Billy Bob Brumley*
4662
4663### Changes between 1.1.0h and 1.1.0i [14 Aug 2018]
4664
4665 * Client DoS due to large DH parameter
4666
4667   During key agreement in a TLS handshake using a DH(E) based ciphersuite a
4668   malicious server can send a very large prime value to the client. This will
4669   cause the client to spend an unreasonably long period of time generating a
4670   key for this prime resulting in a hang until the client has finished. This
4671   could be exploited in a Denial Of Service attack.
4672
4673   This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken
4674   ([CVE-2018-0732])
4675
4676   *Guido Vranken*
4677
4678 * Cache timing vulnerability in RSA Key Generation
4679
4680   The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to
4681   a cache timing side channel attack. An attacker with sufficient access to
4682   mount cache timing attacks during the RSA key generation process could
4683   recover the private key.
4684
4685   This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera
4686   Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
4687   ([CVE-2018-0737])
4688
4689   *Billy Brumley*
4690
4691 * Make EVP_PKEY_asn1_new() a bit stricter about its input.  A NULL pem_str
4692   parameter is no longer accepted, as it leads to a corrupt table.  NULL
4693   pem_str is reserved for alias entries only.
4694
4695   *Richard Levitte*
4696
4697 * Revert blinding in ECDSA sign and instead make problematic addition
4698   length-invariant. Switch even to fixed-length Montgomery multiplication.
4699
4700   *Andy Polyakov*
4701
4702 * Change generating and checking of primes so that the error rate of not
4703   being prime depends on the intended use based on the size of the input.
4704   For larger primes this will result in more rounds of Miller-Rabin.
4705   The maximal error rate for primes with more than 1080 bits is lowered
4706   to 2^-128.
4707
4708   *Kurt Roeckx, Annie Yousar*
4709
4710 * Increase the number of Miller-Rabin rounds for DSA key generating to 64.
4711
4712   *Kurt Roeckx*
4713
4714 * Add blinding to ECDSA and DSA signatures to protect against side channel
4715   attacks discovered by Keegan Ryan (NCC Group).
4716
4717   *Matt Caswell*
4718
4719 * When unlocking a pass phrase protected PEM file or PKCS#8 container, we
4720   now allow empty (zero character) pass phrases.
4721
4722   *Richard Levitte*
4723
4724 * Certificate time validation (X509_cmp_time) enforces stricter
4725   compliance with RFC 5280. Fractional seconds and timezone offsets
4726   are no longer allowed.
4727
4728   *Emilia Käsper*
4729
4730 * Fixed a text canonicalisation bug in CMS
4731
4732   Where a CMS detached signature is used with text content the text goes
4733   through a canonicalisation process first prior to signing or verifying a
4734   signature. This process strips trailing space at the end of lines, converts
4735   line terminators to CRLF and removes additional trailing line terminators
4736   at the end of a file. A bug in the canonicalisation process meant that
4737   some characters, such as form-feed, were incorrectly treated as whitespace
4738   and removed. This is contrary to the specification (RFC5485). This fix
4739   could mean that detached text data signed with an earlier version of
4740   OpenSSL 1.1.0 may fail to verify using the fixed version, or text data
4741   signed with a fixed OpenSSL may fail to verify with an earlier version of
4742   OpenSSL 1.1.0. A workaround is to only verify the canonicalised text data
4743   and use the "-binary" flag (for the "cms" command line application) or set
4744   the SMIME_BINARY/PKCS7_BINARY/CMS_BINARY flags (if using CMS_verify()).
4745
4746   *Matt Caswell*
4747
4748### Changes between 1.1.0g and 1.1.0h [27 Mar 2018]
4749
4750 * Constructed ASN.1 types with a recursive definition could exceed the stack
4751
4752   Constructed ASN.1 types with a recursive definition (such as can be found
4753   in PKCS7) could eventually exceed the stack given malicious input with
4754   excessive recursion. This could result in a Denial Of Service attack. There
4755   are no such structures used within SSL/TLS that come from untrusted sources
4756   so this is considered safe.
4757
4758   This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz
4759   project.
4760   ([CVE-2018-0739])
4761
4762   *Matt Caswell*
4763
4764 * Incorrect CRYPTO_memcmp on HP-UX PA-RISC
4765
4766   Because of an implementation bug the PA-RISC CRYPTO_memcmp function is
4767   effectively reduced to only comparing the least significant bit of each
4768   byte. This allows an attacker to forge messages that would be considered as
4769   authenticated in an amount of tries lower than that guaranteed by the
4770   security claims of the scheme. The module can only be compiled by the
4771   HP-UX assembler, so that only HP-UX PA-RISC targets are affected.
4772
4773   This issue was reported to OpenSSL on 2nd March 2018 by Peter Waltenberg
4774   (IBM).
4775   ([CVE-2018-0733])
4776
4777   *Andy Polyakov*
4778
4779 * Add a build target 'build_all_generated', to build all generated files
4780   and only that.  This can be used to prepare everything that requires
4781   things like perl for a system that lacks perl and then move everything
4782   to that system and do the rest of the build there.
4783
4784   *Richard Levitte*
4785
4786 * Backport SSL_OP_NO_RENGOTIATION
4787
4788   OpenSSL 1.0.2 and below had the ability to disable renegotiation using the
4789   (undocumented) SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag. Due to the opacity
4790   changes this is no longer possible in 1.1.0. Therefore, the new
4791   SSL_OP_NO_RENEGOTIATION option from 1.1.1-dev has been backported to
4792   1.1.0 to provide equivalent functionality.
4793
4794   Note that if an application built against 1.1.0h headers (or above) is run
4795   using an older version of 1.1.0 (prior to 1.1.0h) then the option will be
4796   accepted but nothing will happen, i.e. renegotiation will not be prevented.
4797
4798   *Matt Caswell*
4799
4800 * Removed the OS390-Unix config target.  It relied on a script that doesn't
4801   exist.
4802
4803   *Rich Salz*
4804
4805 * rsaz_1024_mul_avx2 overflow bug on x86_64
4806
4807   There is an overflow bug in the AVX2 Montgomery multiplication procedure
4808   used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
4809   Analysis suggests that attacks against RSA and DSA as a result of this
4810   defect would be very difficult to perform and are not believed likely.
4811   Attacks against DH1024 are considered just feasible, because most of the
4812   work necessary to deduce information about a private key may be performed
4813   offline. The amount of resources required for such an attack would be
4814   significant. However, for an attack on TLS to be meaningful, the server
4815   would have to share the DH1024 private key among multiple clients, which is
4816   no longer an option since CVE-2016-0701.
4817
4818   This only affects processors that support the AVX2 but not ADX extensions
4819   like Intel Haswell (4th generation).
4820
4821   This issue was reported to OpenSSL by David Benjamin (Google). The issue
4822   was originally found via the OSS-Fuzz project.
4823   ([CVE-2017-3738])
4824
4825   *Andy Polyakov*
4826
4827### Changes between 1.1.0f and 1.1.0g [2 Nov 2017]
4828
4829 * bn_sqrx8x_internal carry bug on x86_64
4830
4831   There is a carry propagating bug in the x86_64 Montgomery squaring
4832   procedure. No EC algorithms are affected. Analysis suggests that attacks
4833   against RSA and DSA as a result of this defect would be very difficult to
4834   perform and are not believed likely. Attacks against DH are considered just
4835   feasible (although very difficult) because most of the work necessary to
4836   deduce information about a private key may be performed offline. The amount
4837   of resources required for such an attack would be very significant and
4838   likely only accessible to a limited number of attackers. An attacker would
4839   additionally need online access to an unpatched system using the target
4840   private key in a scenario with persistent DH parameters and a private
4841   key that is shared between multiple clients.
4842
4843   This only affects processors that support the BMI1, BMI2 and ADX extensions
4844   like Intel Broadwell (5th generation) and later or AMD Ryzen.
4845
4846   This issue was reported to OpenSSL by the OSS-Fuzz project.
4847   ([CVE-2017-3736])
4848
4849   *Andy Polyakov*
4850
4851 * Malformed X.509 IPAddressFamily could cause OOB read
4852
4853   If an X.509 certificate has a malformed IPAddressFamily extension,
4854   OpenSSL could do a one-byte buffer overread. The most likely result
4855   would be an erroneous display of the certificate in text format.
4856
4857   This issue was reported to OpenSSL by the OSS-Fuzz project.
4858   ([CVE-2017-3735])
4859
4860   *Rich Salz*
4861
4862### Changes between 1.1.0e and 1.1.0f [25 May 2017]
4863
4864 * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
4865   platform rather than 'mingw'.
4866
4867   *Richard Levitte*
4868
4869 * Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c.
4870   VMS C's RTL has a fully up to date gmtime() and gmtime_r() since V7.1,
4871   which is the minimum version we support.
4872
4873   *Richard Levitte*
4874
4875### Changes between 1.1.0d and 1.1.0e [16 Feb 2017]
4876
4877 * Encrypt-Then-Mac renegotiation crash
4878
4879   During a renegotiation handshake if the Encrypt-Then-Mac extension is
4880   negotiated where it was not in the original handshake (or vice-versa) then
4881   this can cause OpenSSL to crash (dependent on ciphersuite). Both clients
4882   and servers are affected.
4883
4884   This issue was reported to OpenSSL by Joe Orton (Red Hat).
4885   ([CVE-2017-3733])
4886
4887   *Matt Caswell*
4888
4889### Changes between 1.1.0c and 1.1.0d [26 Jan 2017]
4890
4891 * Truncated packet could crash via OOB read
4892
4893   If one side of an SSL/TLS path is running on a 32-bit host and a specific
4894   cipher is being used, then a truncated packet can cause that host to
4895   perform an out-of-bounds read, usually resulting in a crash.
4896
4897   This issue was reported to OpenSSL by Robert Święcki of Google.
4898   ([CVE-2017-3731])
4899
4900   *Andy Polyakov*
4901
4902 * Bad (EC)DHE parameters cause a client crash
4903
4904   If a malicious server supplies bad parameters for a DHE or ECDHE key
4905   exchange then this can result in the client attempting to dereference a
4906   NULL pointer leading to a client crash. This could be exploited in a Denial
4907   of Service attack.
4908
4909   This issue was reported to OpenSSL by Guido Vranken.
4910   ([CVE-2017-3730])
4911
4912   *Matt Caswell*
4913
4914 * BN_mod_exp may produce incorrect results on x86_64
4915
4916   There is a carry propagating bug in the x86_64 Montgomery squaring
4917   procedure. No EC algorithms are affected. Analysis suggests that attacks
4918   against RSA and DSA as a result of this defect would be very difficult to
4919   perform and are not believed likely. Attacks against DH are considered just
4920   feasible (although very difficult) because most of the work necessary to
4921   deduce information about a private key may be performed offline. The amount
4922   of resources required for such an attack would be very significant and
4923   likely only accessible to a limited number of attackers. An attacker would
4924   additionally need online access to an unpatched system using the target
4925   private key in a scenario with persistent DH parameters and a private
4926   key that is shared between multiple clients. For example this can occur by
4927   default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very
4928   similar to CVE-2015-3193 but must be treated as a separate problem.
4929
4930   This issue was reported to OpenSSL by the OSS-Fuzz project.
4931   ([CVE-2017-3732])
4932
4933   *Andy Polyakov*
4934
4935### Changes between 1.1.0b and 1.1.0c [10 Nov 2016]
4936
4937 * ChaCha20/Poly1305 heap-buffer-overflow
4938
4939   TLS connections using `*-CHACHA20-POLY1305` ciphersuites are susceptible to
4940   a DoS attack by corrupting larger payloads. This can result in an OpenSSL
4941   crash. This issue is not considered to be exploitable beyond a DoS.
4942
4943   This issue was reported to OpenSSL by Robert Święcki (Google Security Team)
4944   ([CVE-2016-7054])
4945
4946   *Richard Levitte*
4947
4948 * CMS Null dereference
4949
4950   Applications parsing invalid CMS structures can crash with a NULL pointer
4951   dereference. This is caused by a bug in the handling of the ASN.1 CHOICE
4952   type in OpenSSL 1.1.0 which can result in a NULL value being passed to the
4953   structure callback if an attempt is made to free certain invalid encodings.
4954   Only CHOICE structures using a callback which do not handle NULL value are
4955   affected.
4956
4957   This issue was reported to OpenSSL by Tyler Nighswander of ForAllSecure.
4958   ([CVE-2016-7053])
4959
4960   *Stephen Henson*
4961
4962 * Montgomery multiplication may produce incorrect results
4963
4964   There is a carry propagating bug in the Broadwell-specific Montgomery
4965   multiplication procedure that handles input lengths divisible by, but
4966   longer than 256 bits. Analysis suggests that attacks against RSA, DSA
4967   and DH private keys are impossible. This is because the subroutine in
4968   question is not used in operations with the private key itself and an input
4969   of the attacker's direct choice. Otherwise the bug can manifest itself as
4970   transient authentication and key negotiation failures or reproducible
4971   erroneous outcome of public-key operations with specially crafted input.
4972   Among EC algorithms only Brainpool P-512 curves are affected and one
4973   presumably can attack ECDH key negotiation. Impact was not analyzed in
4974   detail, because pre-requisites for attack are considered unlikely. Namely
4975   multiple clients have to choose the curve in question and the server has to
4976   share the private key among them, neither of which is default behaviour.
4977   Even then only clients that chose the curve will be affected.
4978
4979   This issue was publicly reported as transient failures and was not
4980   initially recognized as a security issue. Thanks to Richard Morgan for
4981   providing reproducible case.
4982   ([CVE-2016-7055])
4983
4984   *Andy Polyakov*
4985
4986 * Removed automatic addition of RPATH in shared libraries and executables,
4987   as this was a remainder from OpenSSL 1.0.x and isn't needed any more.
4988
4989   *Richard Levitte*
4990
4991### Changes between 1.1.0a and 1.1.0b [26 Sep 2016]
4992
4993 * Fix Use After Free for large message sizes
4994
4995   The patch applied to address CVE-2016-6307 resulted in an issue where if a
4996   message larger than approx 16k is received then the underlying buffer to
4997   store the incoming message is reallocated and moved. Unfortunately a
4998   dangling pointer to the old location is left which results in an attempt to
4999   write to the previously freed location. This is likely to result in a
5000   crash, however it could potentially lead to execution of arbitrary code.
5001
5002   This issue only affects OpenSSL 1.1.0a.
5003
5004   This issue was reported to OpenSSL by Robert Święcki.
5005   ([CVE-2016-6309])
5006
5007   *Matt Caswell*
5008
5009### Changes between 1.1.0 and 1.1.0a [22 Sep 2016]
5010
5011 * OCSP Status Request extension unbounded memory growth
5012
5013   A malicious client can send an excessively large OCSP Status Request
5014   extension. If that client continually requests renegotiation, sending a
5015   large OCSP Status Request extension each time, then there will be unbounded
5016   memory growth on the server. This will eventually lead to a Denial Of
5017   Service attack through memory exhaustion. Servers with a default
5018   configuration are vulnerable even if they do not support OCSP. Builds using
5019   the "no-ocsp" build time option are not affected.
5020
5021   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
5022   ([CVE-2016-6304])
5023
5024   *Matt Caswell*
5025
5026 * SSL_peek() hang on empty record
5027
5028   OpenSSL 1.1.0 SSL/TLS will hang during a call to SSL_peek() if the peer
5029   sends an empty record. This could be exploited by a malicious peer in a
5030   Denial Of Service attack.
5031
5032   This issue was reported to OpenSSL by Alex Gaynor.
5033   ([CVE-2016-6305])
5034
5035   *Matt Caswell*
5036
5037 * Excessive allocation of memory in tls_get_message_header() and
5038   dtls1_preprocess_fragment()
5039
5040   A (D)TLS message includes 3 bytes for its length in the header for the
5041   message. This would allow for messages up to 16Mb in length. Messages of
5042   this length are excessive and OpenSSL includes a check to ensure that a
5043   peer is sending reasonably sized messages in order to avoid too much memory
5044   being consumed to service a connection. A flaw in the logic of version
5045   1.1.0 means that memory for the message is allocated too early, prior to
5046   the excessive message length check. Due to way memory is allocated in
5047   OpenSSL this could mean an attacker could force up to 21Mb to be allocated
5048   to service a connection. This could lead to a Denial of Service through
5049   memory exhaustion. However, the excessive message length check still takes
5050   place, and this would cause the connection to immediately fail. Assuming
5051   that the application calls SSL_free() on the failed connection in a timely
5052   manner then the 21Mb of allocated memory will then be immediately freed
5053   again. Therefore, the excessive memory allocation will be transitory in
5054   nature. This then means that there is only a security impact if:
5055
5056   1) The application does not call SSL_free() in a timely manner in the event
5057   that the connection fails
5058   or
5059   2) The application is working in a constrained environment where there is
5060   very little free memory
5061   or
5062   3) The attacker initiates multiple connection attempts such that there are
5063   multiple connections in a state where memory has been allocated for the
5064   connection; SSL_free() has not yet been called; and there is insufficient
5065   memory to service the multiple requests.
5066
5067   Except in the instance of (1) above any Denial Of Service is likely to be
5068   transitory because as soon as the connection fails the memory is
5069   subsequently freed again in the SSL_free() call. However there is an
5070   increased risk during this period of application crashes due to the lack of
5071   memory - which would then mean a more serious Denial of Service.
5072
5073   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
5074   (CVE-2016-6307 and CVE-2016-6308)
5075
5076   *Matt Caswell*
5077
5078 * solaris-x86-cc, i.e. 32-bit configuration with vendor compiler,
5079   had to be removed. Primary reason is that vendor assembler can't
5080   assemble our modules with -KPIC flag. As result it, assembly
5081   support, was not even available as option. But its lack means
5082   lack of side-channel resistant code, which is incompatible with
5083   security by todays standards. Fortunately gcc is readily available
5084   prepackaged option, which we firmly point at...
5085
5086   *Andy Polyakov*
5087
5088### Changes between 1.0.2h and 1.1.0  [25 Aug 2016]
5089
5090 * Windows command-line tool supports UTF-8 opt-in option for arguments
5091   and console input. Setting OPENSSL_WIN32_UTF8 environment variable
5092   (to any value) allows Windows user to access PKCS#12 file generated
5093   with Windows CryptoAPI and protected with non-ASCII password, as well
5094   as files generated under UTF-8 locale on Linux also protected with
5095   non-ASCII password.
5096
5097   *Andy Polyakov*
5098
5099 * To mitigate the SWEET32 attack ([CVE-2016-2183]), 3DES cipher suites
5100   have been disabled by default and removed from DEFAULT, just like RC4.
5101   See the RC4 item below to re-enable both.
5102
5103   *Rich Salz*
5104
5105 * The method for finding the storage location for the Windows RAND seed file
5106   has changed. First we check %RANDFILE%. If that is not set then we check
5107   the directories %HOME%, %USERPROFILE% and %SYSTEMROOT% in that order. If
5108   all else fails we fall back to C:\.
5109
5110   *Matt Caswell*
5111
5112 * The EVP_EncryptUpdate() function has had its return type changed from void
5113   to int. A return of 0 indicates and error while a return of 1 indicates
5114   success.
5115
5116   *Matt Caswell*
5117
5118 * The flags RSA_FLAG_NO_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME and
5119   DH_FLAG_NO_EXP_CONSTTIME which previously provided the ability to switch
5120   off the constant time implementation for RSA, DSA and DH have been made
5121   no-ops and deprecated.
5122
5123   *Matt Caswell*
5124
5125 * Windows RAND implementation was simplified to only get entropy by
5126   calling CryptGenRandom(). Various other RAND-related tickets
5127   were also closed.
5128
5129   *Joseph Wylie Yandle, Rich Salz*
5130
5131 * The stack and lhash API's were renamed to start with `OPENSSL_SK_`
5132   and `OPENSSL_LH_`, respectively.  The old names are available
5133   with API compatibility.  They new names are now completely documented.
5134
5135   *Rich Salz*
5136
5137 * Unify TYPE_up_ref(obj) methods signature.
5138   SSL_CTX_up_ref(), SSL_up_ref(), X509_up_ref(), EVP_PKEY_up_ref(),
5139   X509_CRL_up_ref(), X509_OBJECT_up_ref_count() methods are now returning an
5140   int (instead of void) like all others TYPE_up_ref() methods.
5141   So now these methods also check the return value of CRYPTO_atomic_add(),
5142   and the validity of object reference counter.
5143
5144   *fdasilvayy@gmail.com*
5145
5146 * With Windows Visual Studio builds, the .pdb files are installed
5147   alongside the installed libraries and executables.  For a static
5148   library installation, ossl_static.pdb is the associate compiler
5149   generated .pdb file to be used when linking programs.
5150
5151   *Richard Levitte*
5152
5153 * Remove openssl.spec.  Packaging files belong with the packagers.
5154
5155   *Richard Levitte*
5156
5157 * Automatic Darwin/OSX configuration has had a refresh, it will now
5158   recognise x86_64 architectures automatically.  You can still decide
5159   to build for a different bitness with the environment variable
5160   KERNEL_BITS (can be 32 or 64), for example:
5161
5162           KERNEL_BITS=32 ./config
5163
5164   *Richard Levitte*
5165
5166 * Change default algorithms in pkcs8 utility to use PKCS#5 v2.0,
5167   256 bit AES and HMAC with SHA256.
5168
5169   *Steve Henson*
5170
5171 * Remove support for MIPS o32 ABI on IRIX (and IRIX only).
5172
5173   *Andy Polyakov*
5174
5175 * Triple-DES ciphers have been moved from HIGH to MEDIUM.
5176
5177   *Rich Salz*
5178
5179 * To enable users to have their own config files and build file templates,
5180   Configure looks in the directory indicated by the environment variable
5181   OPENSSL_LOCAL_CONFIG_DIR as well as the in-source Configurations/
5182   directory.  On VMS, OPENSSL_LOCAL_CONFIG_DIR is expected to be a logical
5183   name and is used as is.
5184
5185   *Richard Levitte*
5186
5187 * The following datatypes were made opaque: X509_OBJECT, X509_STORE_CTX,
5188   X509_STORE, X509_LOOKUP, and X509_LOOKUP_METHOD.  The unused type
5189   X509_CERT_FILE_CTX was removed.
5190
5191   *Rich Salz*
5192
5193 * "shared" builds are now the default. To create only static libraries use
5194   the "no-shared" Configure option.
5195
5196   *Matt Caswell*
5197
5198 * Remove the no-aes, no-hmac, no-rsa, no-sha and no-md5 Configure options.
5199   All of these option have not worked for some while and are fundamental
5200   algorithms.
5201
5202   *Matt Caswell*
5203
5204 * Make various cleanup routines no-ops and mark them as deprecated. Most
5205   global cleanup functions are no longer required because they are handled
5206   via auto-deinit (see OPENSSL_init_crypto and OPENSSL_init_ssl man pages).
5207   Explicitly de-initing can cause problems (e.g. where a library that uses
5208   OpenSSL de-inits, but an application is still using it). The affected
5209   functions are CONF_modules_free(), ENGINE_cleanup(), OBJ_cleanup(),
5210   EVP_cleanup(), BIO_sock_cleanup(), CRYPTO_cleanup_all_ex_data(),
5211   RAND_cleanup(), SSL_COMP_free_compression_methods(), ERR_free_strings() and
5212   COMP_zlib_cleanup().
5213
5214   *Matt Caswell*
5215
5216 * --strict-warnings no longer enables runtime debugging options
5217   such as REF_DEBUG. Instead, debug options are automatically
5218   enabled with '--debug' builds.
5219
5220   *Andy Polyakov, Emilia Käsper*
5221
5222 * Made DH and DH_METHOD opaque. The structures for managing DH objects
5223   have been moved out of the public header files. New functions for managing
5224   these have been added.
5225
5226   *Matt Caswell*
5227
5228 * Made RSA and RSA_METHOD opaque. The structures for managing RSA
5229   objects have been moved out of the public header files. New
5230   functions for managing these have been added.
5231
5232   *Richard Levitte*
5233
5234 * Made DSA and DSA_METHOD opaque. The structures for managing DSA objects
5235   have been moved out of the public header files. New functions for managing
5236   these have been added.
5237
5238   *Matt Caswell*
5239
5240 * Made BIO and BIO_METHOD opaque. The structures for managing BIOs have been
5241   moved out of the public header files. New functions for managing these
5242   have been added.
5243
5244   *Matt Caswell*
5245
5246 * Removed no-rijndael as a config option. Rijndael is an old name for AES.
5247
5248   *Matt Caswell*
5249
5250 * Removed the mk1mf build scripts.
5251
5252   *Richard Levitte*
5253
5254 * Headers are now wrapped, if necessary, with OPENSSL_NO_xxx, so
5255   it is always safe to #include a header now.
5256
5257   *Rich Salz*
5258
5259 * Removed the aged BC-32 config and all its supporting scripts
5260
5261   *Richard Levitte*
5262
5263 * Removed support for Ultrix, Netware, and OS/2.
5264
5265   *Rich Salz*
5266
5267 * Add support for HKDF.
5268
5269   *Alessandro Ghedini*
5270
5271 * Add support for blake2b and blake2s
5272
5273   *Bill Cox*
5274
5275 * Added support for "pipelining". Ciphers that have the
5276   EVP_CIPH_FLAG_PIPELINE flag set have a capability to process multiple
5277   encryptions/decryptions simultaneously. There are currently no built-in
5278   ciphers with this property but the expectation is that engines will be able
5279   to offer it to significantly improve throughput. Support has been extended
5280   into libssl so that multiple records for a single connection can be
5281   processed in one go (for >=TLS 1.1).
5282
5283   *Matt Caswell*
5284
5285 * Added the AFALG engine. This is an async capable engine which is able to
5286   offload work to the Linux kernel. In this initial version it only supports
5287   AES128-CBC. The kernel must be version 4.1.0 or greater.
5288
5289   *Catriona Lucey*
5290
5291 * OpenSSL now uses a new threading API. It is no longer necessary to
5292   set locking callbacks to use OpenSSL in a multi-threaded environment. There
5293   are two supported threading models: pthreads and windows threads. It is
5294   also possible to configure OpenSSL at compile time for "no-threads". The
5295   old threading API should no longer be used. The functions have been
5296   replaced with "no-op" compatibility macros.
5297
5298   *Alessandro Ghedini, Matt Caswell*
5299
5300 * Modify behavior of ALPN to invoke callback after SNI/servername
5301   callback, such that updates to the SSL_CTX affect ALPN.
5302
5303   *Todd Short*
5304
5305 * Add SSL_CIPHER queries for authentication and key-exchange.
5306
5307   *Todd Short*
5308
5309 * Changes to the DEFAULT cipherlist:
5310   - Prefer (EC)DHE handshakes over plain RSA.
5311   - Prefer AEAD ciphers over legacy ciphers.
5312   - Prefer ECDSA over RSA when both certificates are available.
5313   - Prefer TLSv1.2 ciphers/PRF.
5314   - Remove DSS, SEED, IDEA, CAMELLIA, and AES-CCM from the
5315     default cipherlist.
5316
5317   *Emilia Käsper*
5318
5319 * Change the ECC default curve list to be this, in order: x25519,
5320   secp256r1, secp521r1, secp384r1.
5321
5322   *Rich Salz*
5323
5324 * RC4 based libssl ciphersuites are now classed as "weak" ciphers and are
5325   disabled by default. They can be re-enabled using the
5326   enable-weak-ssl-ciphers option to Configure.
5327
5328   *Matt Caswell*
5329
5330 * If the server has ALPN configured, but supports no protocols that the
5331   client advertises, send a fatal "no_application_protocol" alert.
5332   This behaviour is SHALL in RFC 7301, though it isn't universally
5333   implemented by other servers.
5334
5335   *Emilia Käsper*
5336
5337 * Add X25519 support.
5338   Add ASN.1 and EVP_PKEY methods for X25519. This includes support
5339   for public and private key encoding using the format documented in
5340   draft-ietf-curdle-pkix-02. The corresponding EVP_PKEY method supports
5341   key generation and key derivation.
5342
5343   TLS support complies with draft-ietf-tls-rfc4492bis-08 and uses
5344   X25519(29).
5345
5346   *Steve Henson*
5347
5348 * Deprecate SRP_VBASE_get_by_user.
5349   SRP_VBASE_get_by_user had inconsistent memory management behaviour.
5350   In order to fix an unavoidable memory leak ([CVE-2016-0798]),
5351   SRP_VBASE_get_by_user was changed to ignore the "fake user" SRP
5352   seed, even if the seed is configured.
5353
5354   Users should use SRP_VBASE_get1_by_user instead. Note that in
5355   SRP_VBASE_get1_by_user, caller must free the returned value. Note
5356   also that even though configuring the SRP seed attempts to hide
5357   invalid usernames by continuing the handshake with fake
5358   credentials, this behaviour is not constant time and no strong
5359   guarantees are made that the handshake is indistinguishable from
5360   that of a valid user.
5361
5362   *Emilia Käsper*
5363
5364 * Configuration change; it's now possible to build dynamic engines
5365   without having to build shared libraries and vice versa.  This
5366   only applies to the engines in `engines/`, those in `crypto/engine/`
5367   will always be built into libcrypto (i.e. "static").
5368
5369   Building dynamic engines is enabled by default; to disable, use
5370   the configuration option "disable-dynamic-engine".
5371
5372   The only requirements for building dynamic engines are the
5373   presence of the DSO module and building with position independent
5374   code, so they will also automatically be disabled if configuring
5375   with "disable-dso" or "disable-pic".
5376
5377   The macros OPENSSL_NO_STATIC_ENGINE and OPENSSL_NO_DYNAMIC_ENGINE
5378   are also taken away from openssl/opensslconf.h, as they are
5379   irrelevant.
5380
5381   *Richard Levitte*
5382
5383 * Configuration change; if there is a known flag to compile
5384   position independent code, it will always be applied on the
5385   libcrypto and libssl object files, and never on the application
5386   object files.  This means other libraries that use routines from
5387   libcrypto / libssl can be made into shared libraries regardless
5388   of how OpenSSL was configured.
5389
5390   If this isn't desirable, the configuration options "disable-pic"
5391   or "no-pic" can be used to disable the use of PIC.  This will
5392   also disable building shared libraries and dynamic engines.
5393
5394   *Richard Levitte*
5395
5396 * Removed JPAKE code.  It was experimental and has no wide use.
5397
5398   *Rich Salz*
5399
5400 * The INSTALL_PREFIX Makefile variable has been renamed to
5401   DESTDIR.  That makes for less confusion on what this variable
5402   is for.  Also, the configuration option --install_prefix is
5403   removed.
5404
5405   *Richard Levitte*
5406
5407 * Heartbeat for TLS has been removed and is disabled by default
5408   for DTLS; configure with enable-heartbeats.  Code that uses the
5409   old #define's might need to be updated.
5410
5411   *Emilia Käsper, Rich Salz*
5412
5413 * Rename REF_CHECK to REF_DEBUG.
5414
5415   *Rich Salz*
5416
5417 * New "unified" build system
5418
5419   The "unified" build system is aimed to be a common system for all
5420   platforms we support.  With it comes new support for VMS.
5421
5422   This system builds supports building in a different directory tree
5423   than the source tree.  It produces one Makefile (for unix family
5424   or lookalikes), or one descrip.mms (for VMS).
5425
5426   The source of information to make the Makefile / descrip.mms is
5427   small files called 'build.info', holding the necessary
5428   information for each directory with source to compile, and a
5429   template in Configurations, like unix-Makefile.tmpl or
5430   descrip.mms.tmpl.
5431
5432   With this change, the library names were also renamed on Windows
5433   and on VMS.  They now have names that are closer to the standard
5434   on Unix, and include the major version number, and in certain
5435   cases, the architecture they are built for.  See "Notes on shared
5436   libraries" in INSTALL.
5437
5438   We rely heavily on the perl module Text::Template.
5439
5440   *Richard Levitte*
5441
5442 * Added support for auto-initialisation and de-initialisation of the library.
5443   OpenSSL no longer requires explicit init or deinit routines to be called,
5444   except in certain circumstances. See the OPENSSL_init_crypto() and
5445   OPENSSL_init_ssl() man pages for further information.
5446
5447   *Matt Caswell*
5448
5449 * The arguments to the DTLSv1_listen function have changed. Specifically the
5450   "peer" argument is now expected to be a BIO_ADDR object.
5451
5452 * Rewrite of BIO networking library. The BIO library lacked consistent
5453   support of IPv6, and adding it required some more extensive
5454   modifications.  This introduces the BIO_ADDR and BIO_ADDRINFO types,
5455   which hold all types of addresses and chains of address information.
5456   It also introduces a new API, with functions like BIO_socket,
5457   BIO_connect, BIO_listen, BIO_lookup and a rewrite of BIO_accept.
5458   The source/sink BIOs BIO_s_connect, BIO_s_accept and BIO_s_datagram
5459   have been adapted accordingly.
5460
5461   *Richard Levitte*
5462
5463 * RSA_padding_check_PKCS1_type_1 now accepts inputs with and without
5464   the leading 0-byte.
5465
5466   *Emilia Käsper*
5467
5468 * CRIME protection: disable compression by default, even if OpenSSL is
5469   compiled with zlib enabled. Applications can still enable compression
5470   by calling SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION), or by
5471   using the SSL_CONF library to configure compression.
5472
5473   *Emilia Käsper*
5474
5475 * The signature of the session callback configured with
5476   SSL_CTX_sess_set_get_cb was changed. The read-only input buffer
5477   was explicitly marked as `const unsigned char*` instead of
5478   `unsigned char*`.
5479
5480   *Emilia Käsper*
5481
5482 * Always DPURIFY. Remove the use of uninitialized memory in the
5483   RNG, and other conditional uses of DPURIFY. This makes -DPURIFY a no-op.
5484
5485   *Emilia Käsper*
5486
5487 * Removed many obsolete configuration items, including
5488      DES_PTR, DES_RISC1, DES_RISC2, DES_INT
5489      MD2_CHAR, MD2_INT, MD2_LONG
5490      BF_PTR, BF_PTR2
5491      IDEA_SHORT, IDEA_LONG
5492      RC2_SHORT, RC2_LONG, RC4_LONG, RC4_CHUNK, RC4_INDEX
5493
5494   *Rich Salz, with advice from Andy Polyakov*
5495
5496 * Many BN internals have been moved to an internal header file.
5497
5498   *Rich Salz with help from Andy Polyakov*
5499
5500 * Configuration and writing out the results from it has changed.
5501   Files such as Makefile include/openssl/opensslconf.h and are now
5502   produced through general templates, such as Makefile.in and
5503   crypto/opensslconf.h.in and some help from the perl module
5504   Text::Template.
5505
5506   Also, the center of configuration information is no longer
5507   Makefile.  Instead, Configure produces a perl module in
5508   configdata.pm which holds most of the config data (in the hash
5509   table %config), the target data that comes from the target
5510   configuration in one of the `Configurations/*.conf` files (in
5511   %target).
5512
5513   *Richard Levitte*
5514
5515 * To clarify their intended purposes, the Configure options
5516   --prefix and --openssldir change their semantics, and become more
5517   straightforward and less interdependent.
5518
5519   --prefix shall be used exclusively to give the location INSTALLTOP
5520   where programs, scripts, libraries, include files and manuals are
5521   going to be installed.  The default is now /usr/local.
5522
5523   --openssldir shall be used exclusively to give the default
5524   location OPENSSLDIR where certificates, private keys, CRLs are
5525   managed.  This is also where the default openssl.cnf gets
5526   installed.
5527   If the directory given with this option is a relative path, the
5528   values of both the --prefix value and the --openssldir value will
5529   be combined to become OPENSSLDIR.
5530   The default for --openssldir is INSTALLTOP/ssl.
5531
5532   Anyone who uses --openssldir to specify where OpenSSL is to be
5533   installed MUST change to use --prefix instead.
5534
5535   *Richard Levitte*
5536
5537 * The GOST engine was out of date and therefore it has been removed. An up
5538   to date GOST engine is now being maintained in an external repository.
5539   See: <https://wiki.openssl.org/index.php/Binaries>. Libssl still retains
5540   support for GOST ciphersuites (these are only activated if a GOST engine
5541   is present).
5542
5543   *Matt Caswell*
5544
5545 * EGD is no longer supported by default; use enable-egd when
5546   configuring.
5547
5548   *Ben Kaduk and Rich Salz*
5549
5550 * The distribution now has Makefile.in files, which are used to
5551   create Makefile's when Configure is run.  *Configure must be run
5552   before trying to build now.*
5553
5554   *Rich Salz*
5555
5556 * The return value for SSL_CIPHER_description() for error conditions
5557   has changed.
5558
5559   *Rich Salz*
5560
5561 * Support for RFC6698/RFC7671 DANE TLSA peer authentication.
5562
5563   Obtaining and performing DNSSEC validation of TLSA records is
5564   the application's responsibility.  The application provides
5565   the TLSA records of its choice to OpenSSL, and these are then
5566   used to authenticate the peer.
5567
5568   The TLSA records need not even come from DNS.  They can, for
5569   example, be used to implement local end-entity certificate or
5570   trust-anchor "pinning", where the "pin" data takes the form
5571   of TLSA records, which can augment or replace verification
5572   based on the usual WebPKI public certification authorities.
5573
5574   *Viktor Dukhovni*
5575
5576 * Revert default OPENSSL_NO_DEPRECATED setting.  Instead OpenSSL
5577   continues to support deprecated interfaces in default builds.
5578   However, applications are strongly advised to compile their
5579   source files with -DOPENSSL_API_COMPAT=0x10100000L, which hides
5580   the declarations of all interfaces deprecated in 0.9.8, 1.0.0
5581   or the 1.1.0 releases.
5582
5583   In environments in which all applications have been ported to
5584   not use any deprecated interfaces OpenSSL's Configure script
5585   should be used with the --api=1.1.0 option to entirely remove
5586   support for the deprecated features from the library and
5587   unconditionally disable them in the installed headers.
5588   Essentially the same effect can be achieved with the "no-deprecated"
5589   argument to Configure, except that this will always restrict
5590   the build to just the latest API, rather than a fixed API
5591   version.
5592
5593   As applications are ported to future revisions of the API,
5594   they should update their compile-time OPENSSL_API_COMPAT define
5595   accordingly, but in most cases should be able to continue to
5596   compile with later releases.
5597
5598   The OPENSSL_API_COMPAT versions for 1.0.0, and 0.9.8 are
5599   0x10000000L and 0x00908000L, respectively.  However those
5600   versions did not support the OPENSSL_API_COMPAT feature, and
5601   so applications are not typically tested for explicit support
5602   of just the undeprecated features of either release.
5603
5604   *Viktor Dukhovni*
5605
5606 * Add support for setting the minimum and maximum supported protocol.
5607   It can bet set via the SSL_set_min_proto_version() and
5608   SSL_set_max_proto_version(), or via the SSL_CONF's MinProtocol and
5609   MaxProtocol.  It's recommended to use the new APIs to disable
5610   protocols instead of disabling individual protocols using
5611   SSL_set_options() or SSL_CONF's Protocol.  This change also
5612   removes support for disabling TLS 1.2 in the OpenSSL TLS
5613   client at compile time by defining OPENSSL_NO_TLS1_2_CLIENT.
5614
5615   *Kurt Roeckx*
5616
5617 * Support for ChaCha20 and Poly1305 added to libcrypto and libssl.
5618
5619   *Andy Polyakov*
5620
5621 * New EC_KEY_METHOD, this replaces the older ECDSA_METHOD and ECDH_METHOD
5622   and integrates ECDSA and ECDH functionality into EC. Implementations can
5623   now redirect key generation and no longer need to convert to or from
5624   ECDSA_SIG format.
5625
5626   Note: the ecdsa.h and ecdh.h headers are now no longer needed and just
5627   include the ec.h header file instead.
5628
5629   *Steve Henson*
5630
5631 * Remove support for all 40 and 56 bit ciphers.  This includes all the export
5632   ciphers who are no longer supported and drops support the ephemeral RSA key
5633   exchange. The LOW ciphers currently doesn't have any ciphers in it.
5634
5635   *Kurt Roeckx*
5636
5637 * Made EVP_MD_CTX, EVP_MD, EVP_CIPHER_CTX, EVP_CIPHER and HMAC_CTX
5638   opaque.  For HMAC_CTX, the following constructors and destructors
5639   were added:
5640
5641       HMAC_CTX *HMAC_CTX_new(void);
5642       void HMAC_CTX_free(HMAC_CTX *ctx);
5643
5644   For EVP_MD and EVP_CIPHER, complete APIs to create, fill and
5645   destroy such methods has been added.  See EVP_MD_meth_new(3) and
5646   EVP_CIPHER_meth_new(3) for documentation.
5647
5648   Additional changes:
5649   1) `EVP_MD_CTX_cleanup()`, `EVP_CIPHER_CTX_cleanup()` and
5650      `HMAC_CTX_cleanup()` were removed. `HMAC_CTX_reset()` and
5651      `EVP_MD_CTX_reset()` should be called instead to reinitialise
5652      an already created structure.
5653   2) For consistency with the majority of our object creators and
5654      destructors, `EVP_MD_CTX_(create|destroy)` were renamed to
5655      `EVP_MD_CTX_(new|free)`.  The old names are retained as macros
5656      for deprecated builds.
5657
5658   *Richard Levitte*
5659
5660 * Added ASYNC support. Libcrypto now includes the async sub-library to enable
5661   cryptographic operations to be performed asynchronously as long as an
5662   asynchronous capable engine is used. See the ASYNC_start_job() man page for
5663   further details. Libssl has also had this capability integrated with the
5664   introduction of the new mode SSL_MODE_ASYNC and associated error
5665   SSL_ERROR_WANT_ASYNC. See the SSL_CTX_set_mode() and SSL_get_error() man
5666   pages. This work was developed in partnership with Intel Corp.
5667
5668   *Matt Caswell*
5669
5670 * SSL_{CTX_}set_ecdh_auto() has been removed and ECDH is support is
5671   always enabled now.  If you want to disable the support you should
5672   exclude it using the list of supported ciphers. This also means that the
5673   "-no_ecdhe" option has been removed from s_server.
5674
5675   *Kurt Roeckx*
5676
5677 * SSL_{CTX}_set_tmp_ecdh() which can set 1 EC curve now internally calls
5678   SSL_{CTX_}set1_curves() which can set a list.
5679
5680   *Kurt Roeckx*
5681
5682 * Remove support for SSL_{CTX_}set_tmp_ecdh_callback().  You should set the
5683   curve you want to support using SSL_{CTX_}set1_curves().
5684
5685   *Kurt Roeckx*
5686
5687 * State machine rewrite. The state machine code has been significantly
5688   refactored in order to remove much duplication of code and solve issues
5689   with the old code (see [ssl/statem/README.md](ssl/statem/README.md) for
5690   further details). This change does have some associated API changes.
5691   Notably the SSL_state() function has been removed and replaced by
5692   SSL_get_state which now returns an "OSSL_HANDSHAKE_STATE" instead of an int.
5693   SSL_set_state() has been removed altogether. The previous handshake states
5694   defined in ssl.h and ssl3.h have also been removed.
5695
5696   *Matt Caswell*
5697
5698 * All instances of the string "ssleay" in the public API were replaced
5699   with OpenSSL (case-matching; e.g., OPENSSL_VERSION for #define's)
5700   Some error codes related to internal RSA_eay API's were renamed.
5701
5702   *Rich Salz*
5703
5704 * The demo files in crypto/threads were moved to demo/threads.
5705
5706   *Rich Salz*
5707
5708 * Removed obsolete engines: 4758cca, aep, atalla, cswift, nuron, gmp,
5709   sureware and ubsec.
5710
5711   *Matt Caswell, Rich Salz*
5712
5713 * New ASN.1 embed macro.
5714
5715   New ASN.1 macro ASN1_EMBED. This is the same as ASN1_SIMPLE except the
5716   structure is not allocated: it is part of the parent. That is instead of
5717
5718           FOO *x;
5719
5720   it must be:
5721
5722           FOO x;
5723
5724   This reduces memory fragmentation and make it impossible to accidentally
5725   set a mandatory field to NULL.
5726
5727   This currently only works for some fields specifically a SEQUENCE, CHOICE,
5728   or ASN1_STRING type which is part of a parent SEQUENCE. Since it is
5729   equivalent to ASN1_SIMPLE it cannot be tagged, OPTIONAL, SET OF or
5730   SEQUENCE OF.
5731
5732   *Steve Henson*
5733
5734 * Remove EVP_CHECK_DES_KEY, a compile-time option that never compiled.
5735
5736   *Emilia Käsper*
5737
5738 * Removed DES and RC4 ciphersuites from DEFAULT. Also removed RC2 although
5739   in 1.0.2 EXPORT was already removed and the only RC2 ciphersuite is also
5740   an EXPORT one. COMPLEMENTOFDEFAULT has been updated accordingly to add
5741   DES and RC4 ciphersuites.
5742
5743   *Matt Caswell*
5744
5745 * Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs.
5746   This changes the decoding behaviour for some invalid messages,
5747   though the change is mostly in the more lenient direction, and
5748   legacy behaviour is preserved as much as possible.
5749
5750   *Emilia Käsper*
5751
5752 * Fix no-stdio build.
5753   *David Woodhouse <David.Woodhouse@intel.com> and also*
5754   *Ivan Nestlerode <ivan.nestlerode@sonos.com>*
5755
5756 * New testing framework
5757   The testing framework has been largely rewritten and is now using
5758   perl and the perl modules Test::Harness and an extended variant of
5759   Test::More called OpenSSL::Test to do its work.  All test scripts in
5760   test/ have been rewritten into test recipes, and all direct calls to
5761   executables in test/Makefile have become individual recipes using the
5762   simplified testing OpenSSL::Test::Simple.
5763
5764   For documentation on our testing modules, do:
5765
5766           perldoc test/testlib/OpenSSL/Test/Simple.pm
5767           perldoc test/testlib/OpenSSL/Test.pm
5768
5769   *Richard Levitte*
5770
5771 * Revamped memory debug; only -DCRYPTO_MDEBUG and -DCRYPTO_MDEBUG_ABORT
5772   are used; the latter aborts on memory leaks (usually checked on exit).
5773   Some undocumented "set malloc, etc., hooks" functions were removed
5774   and others were changed.  All are now documented.
5775
5776   *Rich Salz*
5777
5778 * In DSA_generate_parameters_ex, if the provided seed is too short,
5779   return an error
5780
5781   *Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>*
5782
5783 * Rewrite PSK to support ECDHE_PSK, DHE_PSK and RSA_PSK. Add ciphersuites
5784   from RFC4279, RFC4785, RFC5487, RFC5489.
5785
5786   Thanks to Christian J. Dietrich and Giuseppe D'Angelo for the
5787   original RSA_PSK patch.
5788
5789   *Steve Henson*
5790
5791 * Dropped support for the SSL3_FLAGS_DELAY_CLIENT_FINISHED flag. This SSLeay
5792   era flag was never set throughout the codebase (only read). Also removed
5793   SSL3_FLAGS_POP_BUFFER which was only used if
5794   SSL3_FLAGS_DELAY_CLIENT_FINISHED was also set.
5795
5796   *Matt Caswell*
5797
5798 * Changed the default name options in the "ca", "crl", "req" and "x509"
5799   to be "oneline" instead of "compat".
5800
5801   *Richard Levitte*
5802
5803 * Remove SSL_OP_TLS_BLOCK_PADDING_BUG. This is SSLeay legacy, we're
5804   not aware of clients that still exhibit this bug, and the workaround
5805   hasn't been working properly for a while.
5806
5807   *Emilia Käsper*
5808
5809 * The return type of BIO_number_read() and BIO_number_written() as well as
5810   the corresponding num_read and num_write members in the BIO structure has
5811   changed from unsigned long to uint64_t. On platforms where an unsigned
5812   long is 32 bits (e.g. Windows) these counters could overflow if >4Gb is
5813   transferred.
5814
5815   *Matt Caswell*
5816
5817 * Given the pervasive nature of TLS extensions it is inadvisable to run
5818   OpenSSL without support for them. It also means that maintaining
5819   the OPENSSL_NO_TLSEXT option within the code is very invasive (and probably
5820   not well tested). Therefore, the OPENSSL_NO_TLSEXT option has been removed.
5821
5822   *Matt Caswell*
5823
5824 * Removed support for the two export grade static DH ciphersuites
5825   EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites
5826   were newly added (along with a number of other static DH ciphersuites) to
5827   1.0.2. However the two export ones have *never* worked since they were
5828   introduced. It seems strange in any case to be adding new export
5829   ciphersuites, and given "logjam" it also does not seem correct to fix them.
5830
5831   *Matt Caswell*
5832
5833 * Version negotiation has been rewritten. In particular SSLv23_method(),
5834   SSLv23_client_method() and SSLv23_server_method() have been deprecated,
5835   and turned into macros which simply call the new preferred function names
5836   TLS_method(), TLS_client_method() and TLS_server_method(). All new code
5837   should use the new names instead. Also as part of this change the ssl23.h
5838   header file has been removed.
5839
5840   *Matt Caswell*
5841
5842 * Support for Kerberos ciphersuites in TLS (RFC2712) has been removed. This
5843   code and the associated standard is no longer considered fit-for-purpose.
5844
5845   *Matt Caswell*
5846
5847 * RT2547 was closed.  When generating a private key, try to make the
5848   output file readable only by the owner.  This behavior change might
5849   be noticeable when interacting with other software.
5850
5851 * Documented all exdata functions.  Added CRYPTO_free_ex_index.
5852   Added a test.
5853
5854   *Rich Salz*
5855
5856 * Added HTTP GET support to the ocsp command.
5857
5858   *Rich Salz*
5859
5860 * Changed default digest for the dgst and enc commands from MD5 to
5861   sha256
5862
5863   *Rich Salz*
5864
5865 * RAND_pseudo_bytes has been deprecated. Users should use RAND_bytes instead.
5866
5867   *Matt Caswell*
5868
5869 * Added support for TLS extended master secret from
5870   draft-ietf-tls-session-hash-03.txt. Thanks for Alfredo Pironti for an
5871   initial patch which was a great help during development.
5872
5873   *Steve Henson*
5874
5875 * All libssl internal structures have been removed from the public header
5876   files, and the OPENSSL_NO_SSL_INTERN option has been removed (since it is
5877   now redundant). Users should not attempt to access internal structures
5878   directly. Instead they should use the provided API functions.
5879
5880   *Matt Caswell*
5881
5882 * config has been changed so that by default OPENSSL_NO_DEPRECATED is used.
5883   Access to deprecated functions can be re-enabled by running config with
5884   "enable-deprecated". In addition applications wishing to use deprecated
5885   functions must define OPENSSL_USE_DEPRECATED. Note that this new behaviour
5886   will, by default, disable some transitive includes that previously existed
5887   in the header files (e.g. ec.h will no longer, by default, include bn.h)
5888
5889   *Matt Caswell*
5890
5891 * Added support for OCB mode. OpenSSL has been granted a patent license
5892   compatible with the OpenSSL license for use of OCB. Details are available
5893   at <https://www.openssl.org/source/OCB-patent-grant-OpenSSL.pdf>. Support
5894   for OCB can be removed by calling config with no-ocb.
5895
5896   *Matt Caswell*
5897
5898 * SSLv2 support has been removed.  It still supports receiving an SSLv2
5899   compatible client hello.
5900
5901   *Kurt Roeckx*
5902
5903 * Increased the minimal RSA keysize from 256 to 512 bits [Rich Salz],
5904   done while fixing the error code for the key-too-small case.
5905
5906   *Annie Yousar <a.yousar@informatik.hu-berlin.de>*
5907
5908 * CA.sh has been removed; use CA.pl instead.
5909
5910   *Rich Salz*
5911
5912 * Removed old DES API.
5913
5914   *Rich Salz*
5915
5916 * Remove various unsupported platforms:
5917      Sony NEWS4
5918      BEOS and BEOS_R5
5919      NeXT
5920      SUNOS
5921      MPE/iX
5922      Sinix/ReliantUNIX RM400
5923      DGUX
5924      NCR
5925      Tandem
5926      Cray
5927      16-bit platforms such as WIN16
5928
5929   *Rich Salz*
5930
5931 * Clean up OPENSSL_NO_xxx #define's
5932   - Use setbuf() and remove OPENSSL_NO_SETVBUF_IONBF
5933   - Rename OPENSSL_SYSNAME_xxx to OPENSSL_SYS_xxx
5934   - OPENSSL_NO_EC{DH,DSA} merged into OPENSSL_NO_EC
5935   - OPENSSL_NO_RIPEMD160, OPENSSL_NO_RIPEMD merged into OPENSSL_NO_RMD160
5936   - OPENSSL_NO_FP_API merged into OPENSSL_NO_STDIO
5937   - Remove OPENSSL_NO_BIO OPENSSL_NO_BUFFER OPENSSL_NO_CHAIN_VERIFY
5938     OPENSSL_NO_EVP OPENSSL_NO_FIPS_ERR OPENSSL_NO_HASH_COMP
5939     OPENSSL_NO_LHASH OPENSSL_NO_OBJECT OPENSSL_NO_SPEED OPENSSL_NO_STACK
5940     OPENSSL_NO_X509 OPENSSL_NO_X509_VERIFY
5941   - Remove MS_STATIC; it's a relic from platforms <32 bits.
5942
5943   *Rich Salz*
5944
5945 * Cleaned up dead code
5946     Remove all but one '#ifdef undef' which is to be looked at.
5947
5948   *Rich Salz*
5949
5950 * Clean up calling of xxx_free routines.
5951      Just like free(), fix most of the xxx_free routines to accept
5952      NULL.  Remove the non-null checks from callers.  Save much code.
5953
5954   *Rich Salz*
5955
5956 * Add secure heap for storage of private keys (when possible).
5957   Add BIO_s_secmem(), CBIGNUM, etc.
5958   Contributed by Akamai Technologies under our Corporate CLA.
5959
5960   *Rich Salz*
5961
5962 * Experimental support for a new, fast, unbiased prime candidate generator,
5963   bn_probable_prime_dh_coprime(). Not currently used by any prime generator.
5964
5965   *Felix Laurie von Massenbach <felix@erbridge.co.uk>*
5966
5967 * New output format NSS in the sess_id command line tool. This allows
5968   exporting the session id and the master key in NSS keylog format.
5969
5970   *Martin Kaiser <martin@kaiser.cx>*
5971
5972 * Harmonize version and its documentation. -f flag is used to display
5973   compilation flags.
5974
5975   *mancha <mancha1@zoho.com>*
5976
5977 * Fix eckey_priv_encode so it immediately returns an error upon a failure
5978   in i2d_ECPrivateKey.  Thanks to Ted Unangst for feedback on this issue.
5979
5980   *mancha <mancha1@zoho.com>*
5981
5982 * Fix some double frees. These are not thought to be exploitable.
5983
5984   *mancha <mancha1@zoho.com>*
5985
5986 * A missing bounds check in the handling of the TLS heartbeat extension
5987   can be used to reveal up to 64k of memory to a connected client or
5988   server.
5989
5990   Thanks for Neel Mehta of Google Security for discovering this bug and to
5991   Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
5992   preparing the fix ([CVE-2014-0160])
5993
5994   *Adam Langley, Bodo Moeller*
5995
5996 * Fix for the attack described in the paper "Recovering OpenSSL
5997   ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
5998   by Yuval Yarom and Naomi Benger. Details can be obtained from:
5999   <http://eprint.iacr.org/2014/140>
6000
6001   Thanks to Yuval Yarom and Naomi Benger for discovering this
6002   flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])
6003
6004   *Yuval Yarom and Naomi Benger*
6005
6006 * Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
6007   this fixes a limitation in previous versions of OpenSSL.
6008
6009   *Steve Henson*
6010
6011 * Experimental encrypt-then-mac support.
6012
6013   Experimental support for encrypt then mac from
6014   draft-gutmann-tls-encrypt-then-mac-02.txt
6015
6016   To enable it set the appropriate extension number (0x42 for the test
6017   server) using e.g. -DTLSEXT_TYPE_encrypt_then_mac=0x42
6018
6019   For non-compliant peers (i.e. just about everything) this should have no
6020   effect.
6021
6022   WARNING: EXPERIMENTAL, SUBJECT TO CHANGE.
6023
6024   *Steve Henson*
6025
6026 * Add EVP support for key wrapping algorithms, to avoid problems with
6027   existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in
6028   the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
6029   algorithms and include tests cases.
6030
6031   *Steve Henson*
6032
6033 * Extend CMS code to support RSA-PSS signatures and RSA-OAEP for
6034   enveloped data.
6035
6036   *Steve Henson*
6037
6038 * Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,
6039   MGF1 digest and OAEP label.
6040
6041   *Steve Henson*
6042
6043 * Make openssl verify return errors.
6044
6045   *Chris Palmer <palmer@google.com> and Ben Laurie*
6046
6047 * New function ASN1_TIME_diff to calculate the difference between two
6048   ASN1_TIME structures or one structure and the current time.
6049
6050   *Steve Henson*
6051
6052 * Update fips_test_suite to support multiple command line options. New
6053   test to induce all self test errors in sequence and check expected
6054   failures.
6055
6056   *Steve Henson*
6057
6058 * Add FIPS_{rsa,dsa,ecdsa}_{sign,verify} functions which digest and
6059   sign or verify all in one operation.
6060
6061   *Steve Henson*
6062
6063 * Add fips_algvs: a multicall fips utility incorporating all the algorithm
6064   test programs and fips_test_suite. Includes functionality to parse
6065   the minimal script output of fipsalgest.pl directly.
6066
6067   *Steve Henson*
6068
6069 * Add authorisation parameter to FIPS_module_mode_set().
6070
6071   *Steve Henson*
6072
6073 * Add FIPS selftest for ECDH algorithm using P-224 and B-233 curves.
6074
6075   *Steve Henson*
6076
6077 * Use separate DRBG fields for internal and external flags. New function
6078   FIPS_drbg_health_check() to perform on demand health checking. Add
6079   generation tests to fips_test_suite with reduced health check interval to
6080   demonstrate periodic health checking. Add "nodh" option to
6081   fips_test_suite to skip very slow DH test.
6082
6083   *Steve Henson*
6084
6085 * New function FIPS_get_cipherbynid() to lookup FIPS supported ciphers
6086   based on NID.
6087
6088   *Steve Henson*
6089
6090 * More extensive health check for DRBG checking many more failure modes.
6091   New function FIPS_selftest_drbg_all() to handle every possible DRBG
6092   combination: call this in fips_test_suite.
6093
6094   *Steve Henson*
6095
6096 * Add support for canonical generation of DSA parameter 'g'. See
6097   FIPS 186-3 A.2.3.
6098
6099 * Add support for HMAC DRBG from SP800-90. Update DRBG algorithm test and
6100   POST to handle HMAC cases.
6101
6102   *Steve Henson*
6103
6104 * Add functions FIPS_module_version() and FIPS_module_version_text()
6105   to return numerical and string versions of the FIPS module number.
6106
6107   *Steve Henson*
6108
6109 * Rename FIPS_mode_set and FIPS_mode to FIPS_module_mode_set and
6110   FIPS_module_mode. FIPS_mode and FIPS_mode_set will be implemented
6111   outside the validated module in the FIPS capable OpenSSL.
6112
6113   *Steve Henson*
6114
6115 * Minor change to DRBG entropy callback semantics. In some cases
6116   there is no multiple of the block length between min_len and
6117   max_len. Allow the callback to return more than max_len bytes
6118   of entropy but discard any extra: it is the callback's responsibility
6119   to ensure that the extra data discarded does not impact the
6120   requested amount of entropy.
6121
6122   *Steve Henson*
6123
6124 * Add PRNG security strength checks to RSA, DSA and ECDSA using
6125   information in FIPS186-3, SP800-57 and SP800-131A.
6126
6127   *Steve Henson*
6128
6129 * CCM support via EVP. Interface is very similar to GCM case except we
6130   must supply all data in one chunk (i.e. no update, final) and the
6131   message length must be supplied if AAD is used. Add algorithm test
6132   support.
6133
6134   *Steve Henson*
6135
6136 * Initial version of POST overhaul. Add POST callback to allow the status
6137   of POST to be monitored and/or failures induced. Modify fips_test_suite
6138   to use callback. Always run all selftests even if one fails.
6139
6140   *Steve Henson*
6141
6142 * XTS support including algorithm test driver in the fips_gcmtest program.
6143   Note: this does increase the maximum key length from 32 to 64 bytes but
6144   there should be no binary compatibility issues as existing applications
6145   will never use XTS mode.
6146
6147   *Steve Henson*
6148
6149 * Extensive reorganisation of FIPS PRNG behaviour. Remove all dependencies
6150   to OpenSSL RAND code and replace with a tiny FIPS RAND API which also
6151   performs algorithm blocking for unapproved PRNG types. Also do not
6152   set PRNG type in FIPS_mode_set(): leave this to the application.
6153   Add default OpenSSL DRBG handling: sets up FIPS PRNG and seeds with
6154   the standard OpenSSL PRNG: set additional data to a date time vector.
6155
6156   *Steve Henson*
6157
6158 * Rename old X9.31 PRNG functions of the form `FIPS_rand*` to `FIPS_x931*`.
6159   This shouldn't present any incompatibility problems because applications
6160   shouldn't be using these directly and any that are will need to rethink
6161   anyway as the X9.31 PRNG is now deprecated by FIPS 140-2
6162
6163   *Steve Henson*
6164
6165 * Extensive self tests and health checking required by SP800-90 DRBG.
6166   Remove strength parameter from FIPS_drbg_instantiate and always
6167   instantiate at maximum supported strength.
6168
6169   *Steve Henson*
6170
6171 * Add ECDH code to fips module and fips_ecdhvs for primitives only testing.
6172
6173   *Steve Henson*
6174
6175 * New algorithm test program fips_dhvs to handle DH primitives only testing.
6176
6177   *Steve Henson*
6178
6179 * New function DH_compute_key_padded() to compute a DH key and pad with
6180   leading zeroes if needed: this complies with SP800-56A et al.
6181
6182   *Steve Henson*
6183
6184 * Initial implementation of SP800-90 DRBGs for Hash and CTR. Not used by
6185   anything, incomplete, subject to change and largely untested at present.
6186
6187   *Steve Henson*
6188
6189 * Modify fipscanisteronly build option to only build the necessary object
6190   files by filtering FIPS_EX_OBJ through a perl script in crypto/Makefile.
6191
6192   *Steve Henson*
6193
6194 * Add experimental option FIPSSYMS to give all symbols in
6195   fipscanister.o and FIPS or fips prefix. This will avoid
6196   conflicts with future versions of OpenSSL. Add perl script
6197   util/fipsas.pl to preprocess assembly language source files
6198   and rename any affected symbols.
6199
6200   *Steve Henson*
6201
6202 * Add selftest checks and algorithm block of non-fips algorithms in
6203   FIPS mode. Remove DES2 from selftests.
6204
6205   *Steve Henson*
6206
6207 * Add ECDSA code to fips module. Add tiny fips_ecdsa_check to just
6208   return internal method without any ENGINE dependencies. Add new
6209   tiny fips sign and verify functions.
6210
6211   *Steve Henson*
6212
6213 * New build option no-ec2m to disable characteristic 2 code.
6214
6215   *Steve Henson*
6216
6217 * New build option "fipscanisteronly". This only builds fipscanister.o
6218   and (currently) associated fips utilities. Uses the file Makefile.fips
6219   instead of Makefile.org as the prototype.
6220
6221   *Steve Henson*
6222
6223 * Add some FIPS mode restrictions to GCM. Add internal IV generator.
6224   Update fips_gcmtest to use IV generator.
6225
6226   *Steve Henson*
6227
6228 * Initial, experimental EVP support for AES-GCM. AAD can be input by
6229   setting output buffer to NULL. The `*Final` function must be
6230   called although it will not retrieve any additional data. The tag
6231   can be set or retrieved with a ctrl. The IV length is by default 12
6232   bytes (96 bits) but can be set to an alternative value. If the IV
6233   length exceeds the maximum IV length (currently 16 bytes) it cannot be
6234   set before the key.
6235
6236   *Steve Henson*
6237
6238 * New flag in ciphers: EVP_CIPH_FLAG_CUSTOM_CIPHER. This means the
6239   underlying do_cipher function handles all cipher semantics itself
6240   including padding and finalisation. This is useful if (for example)
6241   an ENGINE cipher handles block padding itself. The behaviour of
6242   do_cipher is subtly changed if this flag is set: the return value
6243   is the number of characters written to the output buffer (zero is
6244   no longer an error code) or a negative error code. Also if the
6245   input buffer is NULL and length 0 finalisation should be performed.
6246
6247   *Steve Henson*
6248
6249 * If a candidate issuer certificate is already part of the constructed
6250   path ignore it: new debug notification X509_V_ERR_PATH_LOOP for this case.
6251
6252   *Steve Henson*
6253
6254 * Improve forward-security support: add functions
6255
6256           void SSL_CTX_set_not_resumable_session_callback(
6257                    SSL_CTX *ctx, int (*cb)(SSL *ssl, int is_forward_secure))
6258           void SSL_set_not_resumable_session_callback(
6259                    SSL *ssl, int (*cb)(SSL *ssl, int is_forward_secure))
6260
6261   for use by SSL/TLS servers; the callback function will be called whenever a
6262   new session is created, and gets to decide whether the session may be
6263   cached to make it resumable (return 0) or not (return 1).  (As by the
6264   SSL/TLS protocol specifications, the session_id sent by the server will be
6265   empty to indicate that the session is not resumable; also, the server will
6266   not generate RFC 4507 (RFC 5077) session tickets.)
6267
6268   A simple reasonable callback implementation is to return is_forward_secure.
6269   This parameter will be set to 1 or 0 depending on the ciphersuite selected
6270   by the SSL/TLS server library, indicating whether it can provide forward
6271   security.
6272
6273   *Emilia Käsper <emilia.kasper@esat.kuleuven.be> (Google)*
6274
6275 * New -verify_name option in command line utilities to set verification
6276   parameters by name.
6277
6278   *Steve Henson*
6279
6280 * Initial CMAC implementation. WARNING: EXPERIMENTAL, API MAY CHANGE.
6281   Add CMAC pkey methods.
6282
6283   *Steve Henson*
6284
6285 * Experimental renegotiation in s_server -www mode. If the client
6286   browses /reneg connection is renegotiated. If /renegcert it is
6287   renegotiated requesting a certificate.
6288
6289   *Steve Henson*
6290
6291 * Add an "external" session cache for debugging purposes to s_server. This
6292   should help trace issues which normally are only apparent in deployed
6293   multi-process servers.
6294
6295   *Steve Henson*
6296
6297 * Extensive audit of libcrypto with DEBUG_UNUSED. Fix many cases where
6298   return value is ignored. NB. The functions RAND_add(), RAND_seed(),
6299   BIO_set_cipher() and some obscure PEM functions were changed so they
6300   can now return an error. The RAND changes required a change to the
6301   RAND_METHOD structure.
6302
6303   *Steve Henson*
6304
6305 * New macro `__owur` for "OpenSSL Warn Unused Result". This makes use of
6306   a gcc attribute to warn if the result of a function is ignored. This
6307   is enable if DEBUG_UNUSED is set. Add to several functions in evp.h
6308   whose return value is often ignored.
6309
6310   *Steve Henson*
6311
6312 * New -noct, -requestct, -requirect and -ctlogfile options for s_client.
6313   These allow SCTs (signed certificate timestamps) to be requested and
6314   validated when establishing a connection.
6315
6316   *Rob Percival <robpercival@google.com>*
6317
6318OpenSSL 1.0.2
6319-------------
6320
6321### Changes between 1.0.2s and 1.0.2t [10 Sep 2019]
6322
6323 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
6324   used even when parsing explicit parameters, when loading a encoded key
6325   or calling `EC_GROUP_new_from_ecpkparameters()`/
6326   `EC_GROUP_new_from_ecparameters()`.
6327   This prevents bypass of security hardening and performance gains,
6328   especially for curves with specialized EC_METHODs.
6329   By default, if a key encoded with explicit parameters is loaded and later
6330   encoded, the output is still encoded with explicit parameters, even if
6331   internally a "named" EC_GROUP is used for computation.
6332
6333   *Nicola Tuveri*
6334
6335 * Compute ECC cofactors if not provided during EC_GROUP construction. Before
6336   this change, EC_GROUP_set_generator would accept order and/or cofactor as
6337   NULL. After this change, only the cofactor parameter can be NULL. It also
6338   does some minimal sanity checks on the passed order.
6339   ([CVE-2019-1547])
6340
6341   *Billy Bob Brumley*
6342
6343 * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
6344   An attack is simple, if the first CMS_recipientInfo is valid but the
6345   second CMS_recipientInfo is chosen ciphertext. If the second
6346   recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
6347   encryption key will be replaced by garbage, and the message cannot be
6348   decoded, but if the RSA decryption fails, the correct encryption key is
6349   used and the recipient will not notice the attack.
6350   As a work around for this potential attack the length of the decrypted
6351   key must be equal to the cipher default key length, in case the
6352   certificate is not given and all recipientInfo are tried out.
6353   The old behaviour can be re-enabled in the CMS code by setting the
6354   CMS_DEBUG_DECRYPT flag.
6355   ([CVE-2019-1563])
6356
6357   *Bernd Edlinger*
6358
6359 * Document issue with installation paths in diverse Windows builds
6360
6361   '/usr/local/ssl' is an unsafe prefix for location to install OpenSSL
6362   binaries and run-time config file.
6363   ([CVE-2019-1552])
6364
6365   *Richard Levitte*
6366
6367### Changes between 1.0.2r and 1.0.2s [28 May 2019]
6368
6369 * Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
6370   This changes the size when using the `genpkey` command when no size is given.
6371   It fixes an omission in earlier changes that changed all RSA, DSA and DH
6372   generation commands to use 2048 bits by default.
6373
6374   *Kurt Roeckx*
6375
6376 * Add FIPS support for Android Arm 64-bit
6377
6378   Support for Android Arm 64-bit was added to the OpenSSL FIPS Object
6379   Module in Version 2.0.10. For some reason, the corresponding target
6380   'android64-aarch64' was missing OpenSSL 1.0.2, whence it could not be
6381   built with FIPS support on Android Arm 64-bit. This omission has been
6382   fixed.
6383
6384   *Matthias St. Pierre*
6385
6386### Changes between 1.0.2q and 1.0.2r [26 Feb 2019]
6387
6388 * 0-byte record padding oracle
6389
6390   If an application encounters a fatal protocol error and then calls
6391   SSL_shutdown() twice (once to send a close_notify, and once to receive one)
6392   then OpenSSL can respond differently to the calling application if a 0 byte
6393   record is received with invalid padding compared to if a 0 byte record is
6394   received with an invalid MAC. If the application then behaves differently
6395   based on that in a way that is detectable to the remote peer, then this
6396   amounts to a padding oracle that could be used to decrypt data.
6397
6398   In order for this to be exploitable "non-stitched" ciphersuites must be in
6399   use. Stitched ciphersuites are optimised implementations of certain
6400   commonly used ciphersuites. Also the application must call SSL_shutdown()
6401   twice even if a protocol error has occurred (applications should not do
6402   this but some do anyway).
6403
6404   This issue was discovered by Juraj Somorovsky, Robert Merget and Nimrod
6405   Aviram, with additional investigation by Steven Collison and Andrew
6406   Hourselt. It was reported to OpenSSL on 10th December 2018.
6407   ([CVE-2019-1559])
6408
6409   *Matt Caswell*
6410
6411 * Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().
6412
6413   *Richard Levitte*
6414
6415### Changes between 1.0.2p and 1.0.2q [20 Nov 2018]
6416
6417 * Microarchitecture timing vulnerability in ECC scalar multiplication
6418
6419   OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been
6420   shown to be vulnerable to a microarchitecture timing side channel attack.
6421   An attacker with sufficient access to mount local timing attacks during
6422   ECDSA signature generation could recover the private key.
6423
6424   This issue was reported to OpenSSL on 26th October 2018 by Alejandro
6425   Cabrera Aldaya, Billy Brumley, Sohaib ul Hassan, Cesar Pereida Garcia and
6426   Nicola Tuveri.
6427   ([CVE-2018-5407])
6428
6429   *Billy Brumley*
6430
6431 * Timing vulnerability in DSA signature generation
6432
6433   The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
6434   timing side channel attack. An attacker could use variations in the signing
6435   algorithm to recover the private key.
6436
6437   This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
6438   ([CVE-2018-0734])
6439
6440   *Paul Dale*
6441
6442 * Resolve a compatibility issue in EC_GROUP handling with the FIPS Object
6443   Module, accidentally introduced while backporting security fixes from the
6444   development branch and hindering the use of ECC in FIPS mode.
6445
6446   *Nicola Tuveri*
6447
6448### Changes between 1.0.2o and 1.0.2p [14 Aug 2018]
6449
6450 * Client DoS due to large DH parameter
6451
6452   During key agreement in a TLS handshake using a DH(E) based ciphersuite a
6453   malicious server can send a very large prime value to the client. This will
6454   cause the client to spend an unreasonably long period of time generating a
6455   key for this prime resulting in a hang until the client has finished. This
6456   could be exploited in a Denial Of Service attack.
6457
6458   This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken
6459   ([CVE-2018-0732])
6460
6461   *Guido Vranken*
6462
6463 * Cache timing vulnerability in RSA Key Generation
6464
6465   The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to
6466   a cache timing side channel attack. An attacker with sufficient access to
6467   mount cache timing attacks during the RSA key generation process could
6468   recover the private key.
6469
6470   This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera
6471   Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
6472   ([CVE-2018-0737])
6473
6474   *Billy Brumley*
6475
6476 * Make EVP_PKEY_asn1_new() a bit stricter about its input.  A NULL pem_str
6477   parameter is no longer accepted, as it leads to a corrupt table.  NULL
6478   pem_str is reserved for alias entries only.
6479
6480   *Richard Levitte*
6481
6482 * Revert blinding in ECDSA sign and instead make problematic addition
6483   length-invariant. Switch even to fixed-length Montgomery multiplication.
6484
6485   *Andy Polyakov*
6486
6487 * Change generating and checking of primes so that the error rate of not
6488   being prime depends on the intended use based on the size of the input.
6489   For larger primes this will result in more rounds of Miller-Rabin.
6490   The maximal error rate for primes with more than 1080 bits is lowered
6491   to 2^-128.
6492
6493   *Kurt Roeckx, Annie Yousar*
6494
6495 * Increase the number of Miller-Rabin rounds for DSA key generating to 64.
6496
6497   *Kurt Roeckx*
6498
6499 * Add blinding to ECDSA and DSA signatures to protect against side channel
6500   attacks discovered by Keegan Ryan (NCC Group).
6501
6502   *Matt Caswell*
6503
6504 * When unlocking a pass phrase protected PEM file or PKCS#8 container, we
6505   now allow empty (zero character) pass phrases.
6506
6507   *Richard Levitte*
6508
6509 * Certificate time validation (X509_cmp_time) enforces stricter
6510   compliance with RFC 5280. Fractional seconds and timezone offsets
6511   are no longer allowed.
6512
6513   *Emilia Käsper*
6514
6515### Changes between 1.0.2n and 1.0.2o [27 Mar 2018]
6516
6517 * Constructed ASN.1 types with a recursive definition could exceed the stack
6518
6519   Constructed ASN.1 types with a recursive definition (such as can be found
6520   in PKCS7) could eventually exceed the stack given malicious input with
6521   excessive recursion. This could result in a Denial Of Service attack. There
6522   are no such structures used within SSL/TLS that come from untrusted sources
6523   so this is considered safe.
6524
6525   This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz
6526   project.
6527   ([CVE-2018-0739])
6528
6529   *Matt Caswell*
6530
6531### Changes between 1.0.2m and 1.0.2n [7 Dec 2017]
6532
6533 * Read/write after SSL object in error state
6534
6535   OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state"
6536   mechanism. The intent was that if a fatal error occurred during a handshake
6537   then OpenSSL would move into the error state and would immediately fail if
6538   you attempted to continue the handshake. This works as designed for the
6539   explicit handshake functions (SSL_do_handshake(), SSL_accept() and
6540   SSL_connect()), however due to a bug it does not work correctly if
6541   SSL_read() or SSL_write() is called directly. In that scenario, if the
6542   handshake fails then a fatal error will be returned in the initial function
6543   call. If SSL_read()/SSL_write() is subsequently called by the application
6544   for the same SSL object then it will succeed and the data is passed without
6545   being decrypted/encrypted directly from the SSL/TLS record layer.
6546
6547   In order to exploit this issue an application bug would have to be present
6548   that resulted in a call to SSL_read()/SSL_write() being issued after having
6549   already received a fatal error.
6550
6551   This issue was reported to OpenSSL by David Benjamin (Google).
6552   ([CVE-2017-3737])
6553
6554   *Matt Caswell*
6555
6556 * rsaz_1024_mul_avx2 overflow bug on x86_64
6557
6558   There is an overflow bug in the AVX2 Montgomery multiplication procedure
6559   used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
6560   Analysis suggests that attacks against RSA and DSA as a result of this
6561   defect would be very difficult to perform and are not believed likely.
6562   Attacks against DH1024 are considered just feasible, because most of the
6563   work necessary to deduce information about a private key may be performed
6564   offline. The amount of resources required for such an attack would be
6565   significant. However, for an attack on TLS to be meaningful, the server
6566   would have to share the DH1024 private key among multiple clients, which is
6567   no longer an option since CVE-2016-0701.
6568
6569   This only affects processors that support the AVX2 but not ADX extensions
6570   like Intel Haswell (4th generation).
6571
6572   This issue was reported to OpenSSL by David Benjamin (Google). The issue
6573   was originally found via the OSS-Fuzz project.
6574   ([CVE-2017-3738])
6575
6576   *Andy Polyakov*
6577
6578### Changes between 1.0.2l and 1.0.2m [2 Nov 2017]
6579
6580 * bn_sqrx8x_internal carry bug on x86_64
6581
6582   There is a carry propagating bug in the x86_64 Montgomery squaring
6583   procedure. No EC algorithms are affected. Analysis suggests that attacks
6584   against RSA and DSA as a result of this defect would be very difficult to
6585   perform and are not believed likely. Attacks against DH are considered just
6586   feasible (although very difficult) because most of the work necessary to
6587   deduce information about a private key may be performed offline. The amount
6588   of resources required for such an attack would be very significant and
6589   likely only accessible to a limited number of attackers. An attacker would
6590   additionally need online access to an unpatched system using the target
6591   private key in a scenario with persistent DH parameters and a private
6592   key that is shared between multiple clients.
6593
6594   This only affects processors that support the BMI1, BMI2 and ADX extensions
6595   like Intel Broadwell (5th generation) and later or AMD Ryzen.
6596
6597   This issue was reported to OpenSSL by the OSS-Fuzz project.
6598   ([CVE-2017-3736])
6599
6600   *Andy Polyakov*
6601
6602 * Malformed X.509 IPAddressFamily could cause OOB read
6603
6604   If an X.509 certificate has a malformed IPAddressFamily extension,
6605   OpenSSL could do a one-byte buffer overread. The most likely result
6606   would be an erroneous display of the certificate in text format.
6607
6608   This issue was reported to OpenSSL by the OSS-Fuzz project.
6609
6610   *Rich Salz*
6611
6612### Changes between 1.0.2k and 1.0.2l [25 May 2017]
6613
6614 * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
6615   platform rather than 'mingw'.
6616
6617   *Richard Levitte*
6618
6619### Changes between 1.0.2j and 1.0.2k [26 Jan 2017]
6620
6621 * Truncated packet could crash via OOB read
6622
6623   If one side of an SSL/TLS path is running on a 32-bit host and a specific
6624   cipher is being used, then a truncated packet can cause that host to
6625   perform an out-of-bounds read, usually resulting in a crash.
6626
6627   This issue was reported to OpenSSL by Robert Święcki of Google.
6628   ([CVE-2017-3731])
6629
6630   *Andy Polyakov*
6631
6632 * BN_mod_exp may produce incorrect results on x86_64
6633
6634   There is a carry propagating bug in the x86_64 Montgomery squaring
6635   procedure. No EC algorithms are affected. Analysis suggests that attacks
6636   against RSA and DSA as a result of this defect would be very difficult to
6637   perform and are not believed likely. Attacks against DH are considered just
6638   feasible (although very difficult) because most of the work necessary to
6639   deduce information about a private key may be performed offline. The amount
6640   of resources required for such an attack would be very significant and
6641   likely only accessible to a limited number of attackers. An attacker would
6642   additionally need online access to an unpatched system using the target
6643   private key in a scenario with persistent DH parameters and a private
6644   key that is shared between multiple clients. For example this can occur by
6645   default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very
6646   similar to CVE-2015-3193 but must be treated as a separate problem.
6647
6648   This issue was reported to OpenSSL by the OSS-Fuzz project.
6649   ([CVE-2017-3732])
6650
6651   *Andy Polyakov*
6652
6653 * Montgomery multiplication may produce incorrect results
6654
6655   There is a carry propagating bug in the Broadwell-specific Montgomery
6656   multiplication procedure that handles input lengths divisible by, but
6657   longer than 256 bits. Analysis suggests that attacks against RSA, DSA
6658   and DH private keys are impossible. This is because the subroutine in
6659   question is not used in operations with the private key itself and an input
6660   of the attacker's direct choice. Otherwise the bug can manifest itself as
6661   transient authentication and key negotiation failures or reproducible
6662   erroneous outcome of public-key operations with specially crafted input.
6663   Among EC algorithms only Brainpool P-512 curves are affected and one
6664   presumably can attack ECDH key negotiation. Impact was not analyzed in
6665   detail, because pre-requisites for attack are considered unlikely. Namely
6666   multiple clients have to choose the curve in question and the server has to
6667   share the private key among them, neither of which is default behaviour.
6668   Even then only clients that chose the curve will be affected.
6669
6670   This issue was publicly reported as transient failures and was not
6671   initially recognized as a security issue. Thanks to Richard Morgan for
6672   providing reproducible case.
6673   ([CVE-2016-7055])
6674
6675   *Andy Polyakov*
6676
6677 * OpenSSL now fails if it receives an unrecognised record type in TLS1.0
6678   or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to
6679   prevent issues where no progress is being made and the peer continually
6680   sends unrecognised record types, using up resources processing them.
6681
6682   *Matt Caswell*
6683
6684### Changes between 1.0.2i and 1.0.2j [26 Sep 2016]
6685
6686 * Missing CRL sanity check
6687
6688   A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0
6689   but was omitted from OpenSSL 1.0.2i. As a result any attempt to use
6690   CRLs in OpenSSL 1.0.2i will crash with a null pointer exception.
6691
6692   This issue only affects the OpenSSL 1.0.2i
6693   ([CVE-2016-7052])
6694
6695   *Matt Caswell*
6696
6697### Changes between 1.0.2h and 1.0.2i [22 Sep 2016]
6698
6699 * OCSP Status Request extension unbounded memory growth
6700
6701   A malicious client can send an excessively large OCSP Status Request
6702   extension. If that client continually requests renegotiation, sending a
6703   large OCSP Status Request extension each time, then there will be unbounded
6704   memory growth on the server. This will eventually lead to a Denial Of
6705   Service attack through memory exhaustion. Servers with a default
6706   configuration are vulnerable even if they do not support OCSP. Builds using
6707   the "no-ocsp" build time option are not affected.
6708
6709   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
6710   ([CVE-2016-6304])
6711
6712   *Matt Caswell*
6713
6714 * In order to mitigate the SWEET32 attack, the DES ciphers were moved from
6715   HIGH to MEDIUM.
6716
6717   This issue was reported to OpenSSL Karthikeyan Bhargavan and Gaetan
6718   Leurent (INRIA)
6719   ([CVE-2016-2183])
6720
6721   *Rich Salz*
6722
6723 * OOB write in MDC2_Update()
6724
6725   An overflow can occur in MDC2_Update() either if called directly or
6726   through the EVP_DigestUpdate() function using MDC2. If an attacker
6727   is able to supply very large amounts of input data after a previous
6728   call to EVP_EncryptUpdate() with a partial block then a length check
6729   can overflow resulting in a heap corruption.
6730
6731   The amount of data needed is comparable to SIZE_MAX which is impractical
6732   on most platforms.
6733
6734   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
6735   ([CVE-2016-6303])
6736
6737   *Stephen Henson*
6738
6739 * Malformed SHA512 ticket DoS
6740
6741   If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a
6742   DoS attack where a malformed ticket will result in an OOB read which will
6743   ultimately crash.
6744
6745   The use of SHA512 in TLS session tickets is comparatively rare as it requires
6746   a custom server callback and ticket lookup mechanism.
6747
6748   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
6749   ([CVE-2016-6302])
6750
6751   *Stephen Henson*
6752
6753 * OOB write in BN_bn2dec()
6754
6755   The function BN_bn2dec() does not check the return value of BN_div_word().
6756   This can cause an OOB write if an application uses this function with an
6757   overly large BIGNUM. This could be a problem if an overly large certificate
6758   or CRL is printed out from an untrusted source. TLS is not affected because
6759   record limits will reject an oversized certificate before it is parsed.
6760
6761   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
6762   ([CVE-2016-2182])
6763
6764   *Stephen Henson*
6765
6766 * OOB read in TS_OBJ_print_bio()
6767
6768   The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value is
6769   the total length the OID text representation would use and not the amount
6770   of data written. This will result in OOB reads when large OIDs are
6771   presented.
6772
6773   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
6774   ([CVE-2016-2180])
6775
6776   *Stephen Henson*
6777
6778 * Pointer arithmetic undefined behaviour
6779
6780   Avoid some undefined pointer arithmetic
6781
6782   A common idiom in the codebase is to check limits in the following manner:
6783   "p + len > limit"
6784
6785   Where "p" points to some malloc'd data of SIZE bytes and
6786   limit == p + SIZE
6787
6788   "len" here could be from some externally supplied data (e.g. from a TLS
6789   message).
6790
6791   The rules of C pointer arithmetic are such that "p + len" is only well
6792   defined where len <= SIZE. Therefore the above idiom is actually
6793   undefined behaviour.
6794
6795   For example this could cause problems if some malloc implementation
6796   provides an address for "p" such that "p + len" actually overflows for
6797   values of len that are too big and therefore p + len < limit.
6798
6799   This issue was reported to OpenSSL by Guido Vranken
6800   ([CVE-2016-2177])
6801
6802   *Matt Caswell*
6803
6804 * Constant time flag not preserved in DSA signing
6805
6806   Operations in the DSA signing algorithm should run in constant time in
6807   order to avoid side channel attacks. A flaw in the OpenSSL DSA
6808   implementation means that a non-constant time codepath is followed for
6809   certain operations. This has been demonstrated through a cache-timing
6810   attack to be sufficient for an attacker to recover the private DSA key.
6811
6812   This issue was reported by César Pereida (Aalto University), Billy Brumley
6813   (Tampere University of Technology), and Yuval Yarom (The University of
6814   Adelaide and NICTA).
6815   ([CVE-2016-2178])
6816
6817   *César Pereida*
6818
6819 * DTLS buffered message DoS
6820
6821   In a DTLS connection where handshake messages are delivered out-of-order
6822   those messages that OpenSSL is not yet ready to process will be buffered
6823   for later use. Under certain circumstances, a flaw in the logic means that
6824   those messages do not get removed from the buffer even though the handshake
6825   has been completed. An attacker could force up to approx. 15 messages to
6826   remain in the buffer when they are no longer required. These messages will
6827   be cleared when the DTLS connection is closed. The default maximum size for
6828   a message is 100k. Therefore, the attacker could force an additional 1500k
6829   to be consumed per connection. By opening many simultaneous connections an
6830   attacker could cause a DoS attack through memory exhaustion.
6831
6832   This issue was reported to OpenSSL by Quan Luo.
6833   ([CVE-2016-2179])
6834
6835   *Matt Caswell*
6836
6837 * DTLS replay protection DoS
6838
6839   A flaw in the DTLS replay attack protection mechanism means that records
6840   that arrive for future epochs update the replay protection "window" before
6841   the MAC for the record has been validated. This could be exploited by an
6842   attacker by sending a record for the next epoch (which does not have to
6843   decrypt or have a valid MAC), with a very large sequence number. This means
6844   that all subsequent legitimate packets are dropped causing a denial of
6845   service for a specific DTLS connection.
6846
6847   This issue was reported to OpenSSL by the OCAP audit team.
6848   ([CVE-2016-2181])
6849
6850   *Matt Caswell*
6851
6852 * Certificate message OOB reads
6853
6854   In OpenSSL 1.0.2 and earlier some missing message length checks can result
6855   in OOB reads of up to 2 bytes beyond an allocated buffer. There is a
6856   theoretical DoS risk but this has not been observed in practice on common
6857   platforms.
6858
6859   The messages affected are client certificate, client certificate request
6860   and server certificate. As a result the attack can only be performed
6861   against a client or a server which enables client authentication.
6862
6863   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
6864   ([CVE-2016-6306])
6865
6866   *Stephen Henson*
6867
6868### Changes between 1.0.2g and 1.0.2h [3 May 2016]
6869
6870 * Prevent padding oracle in AES-NI CBC MAC check
6871
6872   A MITM attacker can use a padding oracle attack to decrypt traffic
6873   when the connection uses an AES CBC cipher and the server support
6874   AES-NI.
6875
6876   This issue was introduced as part of the fix for Lucky 13 padding
6877   attack ([CVE-2013-0169]). The padding check was rewritten to be in
6878   constant time by making sure that always the same bytes are read and
6879   compared against either the MAC or padding bytes. But it no longer
6880   checked that there was enough data to have both the MAC and padding
6881   bytes.
6882
6883   This issue was reported by Juraj Somorovsky using TLS-Attacker.
6884
6885   *Kurt Roeckx*
6886
6887 * Fix EVP_EncodeUpdate overflow
6888
6889   An overflow can occur in the EVP_EncodeUpdate() function which is used for
6890   Base64 encoding of binary data. If an attacker is able to supply very large
6891   amounts of input data then a length check can overflow resulting in a heap
6892   corruption.
6893
6894   Internally to OpenSSL the EVP_EncodeUpdate() function is primarily used by
6895   the `PEM_write_bio*` family of functions. These are mainly used within the
6896   OpenSSL command line applications, so any application which processes data
6897   from an untrusted source and outputs it as a PEM file should be considered
6898   vulnerable to this issue. User applications that call these APIs directly
6899   with large amounts of untrusted data may also be vulnerable.
6900
6901   This issue was reported by Guido Vranken.
6902   ([CVE-2016-2105])
6903
6904   *Matt Caswell*
6905
6906 * Fix EVP_EncryptUpdate overflow
6907
6908   An overflow can occur in the EVP_EncryptUpdate() function. If an attacker
6909   is able to supply very large amounts of input data after a previous call to
6910   EVP_EncryptUpdate() with a partial block then a length check can overflow
6911   resulting in a heap corruption. Following an analysis of all OpenSSL
6912   internal usage of the EVP_EncryptUpdate() function all usage is one of two
6913   forms. The first form is where the EVP_EncryptUpdate() call is known to be
6914   the first called function after an EVP_EncryptInit(), and therefore that
6915   specific call must be safe. The second form is where the length passed to
6916   EVP_EncryptUpdate() can be seen from the code to be some small value and
6917   therefore there is no possibility of an overflow. Since all instances are
6918   one of these two forms, it is believed that there can be no overflows in
6919   internal code due to this problem. It should be noted that
6920   EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths.
6921   Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances
6922   of these calls have also been analysed too and it is believed there are no
6923   instances in internal usage where an overflow could occur.
6924
6925   This issue was reported by Guido Vranken.
6926   ([CVE-2016-2106])
6927
6928   *Matt Caswell*
6929
6930 * Prevent ASN.1 BIO excessive memory allocation
6931
6932   When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
6933   a short invalid encoding can cause allocation of large amounts of memory
6934   potentially consuming excessive resources or exhausting memory.
6935
6936   Any application parsing untrusted data through d2i BIO functions is
6937   affected. The memory based functions such as d2i_X509() are *not* affected.
6938   Since the memory based functions are used by the TLS library, TLS
6939   applications are not affected.
6940
6941   This issue was reported by Brian Carpenter.
6942   ([CVE-2016-2109])
6943
6944   *Stephen Henson*
6945
6946 * EBCDIC overread
6947
6948   ASN1 Strings that are over 1024 bytes can cause an overread in applications
6949   using the X509_NAME_oneline() function on EBCDIC systems. This could result
6950   in arbitrary stack data being returned in the buffer.
6951
6952   This issue was reported by Guido Vranken.
6953   ([CVE-2016-2176])
6954
6955   *Matt Caswell*
6956
6957 * Modify behavior of ALPN to invoke callback after SNI/servername
6958   callback, such that updates to the SSL_CTX affect ALPN.
6959
6960   *Todd Short*
6961
6962 * Remove LOW from the DEFAULT cipher list.  This removes singles DES from the
6963   default.
6964
6965   *Kurt Roeckx*
6966
6967 * Only remove the SSLv2 methods with the no-ssl2-method option. When the
6968   methods are enabled and ssl2 is disabled the methods return NULL.
6969
6970   *Kurt Roeckx*
6971
6972### Changes between 1.0.2f and 1.0.2g [1 Mar 2016]
6973
6974* Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
6975  Builds that are not configured with "enable-weak-ssl-ciphers" will not
6976  provide any "EXPORT" or "LOW" strength ciphers.
6977
6978  *Viktor Dukhovni*
6979
6980* Disable SSLv2 default build, default negotiation and weak ciphers.  SSLv2
6981  is by default disabled at build-time.  Builds that are not configured with
6982  "enable-ssl2" will not support SSLv2.  Even if "enable-ssl2" is used,
6983  users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
6984  will need to explicitly call either of:
6985
6986      SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
6987  or
6988      SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
6989
6990  as appropriate.  Even if either of those is used, or the application
6991  explicitly uses the version-specific SSLv2_method() or its client and
6992  server variants, SSLv2 ciphers vulnerable to exhaustive search key
6993  recovery have been removed.  Specifically, the SSLv2 40-bit EXPORT
6994  ciphers, and SSLv2 56-bit DES are no longer available.
6995  ([CVE-2016-0800])
6996
6997   *Viktor Dukhovni*
6998
6999 * Fix a double-free in DSA code
7000
7001   A double free bug was discovered when OpenSSL parses malformed DSA private
7002   keys and could lead to a DoS attack or memory corruption for applications
7003   that receive DSA private keys from untrusted sources.  This scenario is
7004   considered rare.
7005
7006   This issue was reported to OpenSSL by Adam Langley(Google/BoringSSL) using
7007   libFuzzer.
7008   ([CVE-2016-0705])
7009
7010   *Stephen Henson*
7011
7012 * Disable SRP fake user seed to address a server memory leak.
7013
7014   Add a new method SRP_VBASE_get1_by_user that handles the seed properly.
7015
7016   SRP_VBASE_get_by_user had inconsistent memory management behaviour.
7017   In order to fix an unavoidable memory leak, SRP_VBASE_get_by_user
7018   was changed to ignore the "fake user" SRP seed, even if the seed
7019   is configured.
7020
7021   Users should use SRP_VBASE_get1_by_user instead. Note that in
7022   SRP_VBASE_get1_by_user, caller must free the returned value. Note
7023   also that even though configuring the SRP seed attempts to hide
7024   invalid usernames by continuing the handshake with fake
7025   credentials, this behaviour is not constant time and no strong
7026   guarantees are made that the handshake is indistinguishable from
7027   that of a valid user.
7028   ([CVE-2016-0798])
7029
7030   *Emilia Käsper*
7031
7032 * Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
7033
7034   In the BN_hex2bn function the number of hex digits is calculated using an
7035   int value `i`. Later `bn_expand` is called with a value of `i * 4`. For
7036   large values of `i` this can result in `bn_expand` not allocating any
7037   memory because `i * 4` is negative. This can leave the internal BIGNUM data
7038   field as NULL leading to a subsequent NULL ptr deref. For very large values
7039   of `i`, the calculation `i * 4` could be a positive value smaller than `i`.
7040   In this case memory is allocated to the internal BIGNUM data field, but it
7041   is insufficiently sized leading to heap corruption. A similar issue exists
7042   in BN_dec2bn. This could have security consequences if BN_hex2bn/BN_dec2bn
7043   is ever called by user applications with very large untrusted hex/dec data.
7044   This is anticipated to be a rare occurrence.
7045
7046   All OpenSSL internal usage of these functions use data that is not expected
7047   to be untrusted, e.g. config file data or application command line
7048   arguments. If user developed applications generate config file data based
7049   on untrusted data then it is possible that this could also lead to security
7050   consequences. This is also anticipated to be rare.
7051
7052   This issue was reported to OpenSSL by Guido Vranken.
7053   ([CVE-2016-0797])
7054
7055   *Matt Caswell*
7056
7057 * Fix memory issues in `BIO_*printf` functions
7058
7059   The internal `fmtstr` function used in processing a "%s" format string in
7060   the `BIO_*printf` functions could overflow while calculating the length of a
7061   string and cause an OOB read when printing very long strings.
7062
7063   Additionally the internal `doapr_outch` function can attempt to write to an
7064   OOB memory location (at an offset from the NULL pointer) in the event of a
7065   memory allocation failure. In 1.0.2 and below this could be caused where
7066   the size of a buffer to be allocated is greater than INT_MAX. E.g. this
7067   could be in processing a very long "%s" format string. Memory leaks can
7068   also occur.
7069
7070   The first issue may mask the second issue dependent on compiler behaviour.
7071   These problems could enable attacks where large amounts of untrusted data
7072   is passed to the `BIO_*printf` functions. If applications use these functions
7073   in this way then they could be vulnerable. OpenSSL itself uses these
7074   functions when printing out human-readable dumps of ASN.1 data. Therefore
7075   applications that print this data could be vulnerable if the data is from
7076   untrusted sources. OpenSSL command line applications could also be
7077   vulnerable where they print out ASN.1 data, or if untrusted data is passed
7078   as command line arguments.
7079
7080   Libssl is not considered directly vulnerable. Additionally certificates etc
7081   received via remote connections via libssl are also unlikely to be able to
7082   trigger these issues because of message size limits enforced within libssl.
7083
7084   This issue was reported to OpenSSL Guido Vranken.
7085   ([CVE-2016-0799])
7086
7087   *Matt Caswell*
7088
7089 * Side channel attack on modular exponentiation
7090
7091   A side-channel attack was found which makes use of cache-bank conflicts on
7092   the Intel Sandy-Bridge microarchitecture which could lead to the recovery
7093   of RSA keys.  The ability to exploit this issue is limited as it relies on
7094   an attacker who has control of code in a thread running on the same
7095   hyper-threaded core as the victim thread which is performing decryptions.
7096
7097   This issue was reported to OpenSSL by Yuval Yarom, The University of
7098   Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and
7099   Nadia Heninger, University of Pennsylvania with more information at
7100   <http://cachebleed.info>.
7101   ([CVE-2016-0702])
7102
7103   *Andy Polyakov*
7104
7105 * Change the `req` command to generate a 2048-bit RSA/DSA key by default,
7106   if no keysize is specified with default_bits. This fixes an
7107   omission in an earlier change that changed all RSA/DSA key generation
7108   commands to use 2048 bits by default.
7109
7110   *Emilia Käsper*
7111
7112### Changes between 1.0.2e and 1.0.2f [28 Jan 2016]
7113
7114 * DH small subgroups
7115
7116   Historically OpenSSL only ever generated DH parameters based on "safe"
7117   primes. More recently (in version 1.0.2) support was provided for
7118   generating X9.42 style parameter files such as those required for RFC 5114
7119   support. The primes used in such files may not be "safe". Where an
7120   application is using DH configured with parameters based on primes that are
7121   not "safe" then an attacker could use this fact to find a peer's private
7122   DH exponent. This attack requires that the attacker complete multiple
7123   handshakes in which the peer uses the same private DH exponent. For example
7124   this could be used to discover a TLS server's private DH exponent if it's
7125   reusing the private DH exponent or it's using a static DH ciphersuite.
7126
7127   OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in
7128   TLS. It is not on by default. If the option is not set then the server
7129   reuses the same private DH exponent for the life of the server process and
7130   would be vulnerable to this attack. It is believed that many popular
7131   applications do set this option and would therefore not be at risk.
7132
7133   The fix for this issue adds an additional check where a "q" parameter is
7134   available (as is the case in X9.42 based parameters). This detects the
7135   only known attack, and is the only possible defense for static DH
7136   ciphersuites. This could have some performance impact.
7137
7138   Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by
7139   default and cannot be disabled. This could have some performance impact.
7140
7141   This issue was reported to OpenSSL by Antonio Sanso (Adobe).
7142   ([CVE-2016-0701])
7143
7144   *Matt Caswell*
7145
7146 * SSLv2 doesn't block disabled ciphers
7147
7148   A malicious client can negotiate SSLv2 ciphers that have been disabled on
7149   the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
7150   been disabled, provided that the SSLv2 protocol was not also disabled via
7151   SSL_OP_NO_SSLv2.
7152
7153   This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram
7154   and Sebastian Schinzel.
7155   ([CVE-2015-3197])
7156
7157   *Viktor Dukhovni*
7158
7159### Changes between 1.0.2d and 1.0.2e [3 Dec 2015]
7160
7161 * BN_mod_exp may produce incorrect results on x86_64
7162
7163   There is a carry propagating bug in the x86_64 Montgomery squaring
7164   procedure. No EC algorithms are affected. Analysis suggests that attacks
7165   against RSA and DSA as a result of this defect would be very difficult to
7166   perform and are not believed likely. Attacks against DH are considered just
7167   feasible (although very difficult) because most of the work necessary to
7168   deduce information about a private key may be performed offline. The amount
7169   of resources required for such an attack would be very significant and
7170   likely only accessible to a limited number of attackers. An attacker would
7171   additionally need online access to an unpatched system using the target
7172   private key in a scenario with persistent DH parameters and a private
7173   key that is shared between multiple clients. For example this can occur by
7174   default in OpenSSL DHE based SSL/TLS ciphersuites.
7175
7176   This issue was reported to OpenSSL by Hanno Böck.
7177   ([CVE-2015-3193])
7178
7179   *Andy Polyakov*
7180
7181 * Certificate verify crash with missing PSS parameter
7182
7183   The signature verification routines will crash with a NULL pointer
7184   dereference if presented with an ASN.1 signature using the RSA PSS
7185   algorithm and absent mask generation function parameter. Since these
7186   routines are used to verify certificate signature algorithms this can be
7187   used to crash any certificate verification operation and exploited in a
7188   DoS attack. Any application which performs certificate verification is
7189   vulnerable including OpenSSL clients and servers which enable client
7190   authentication.
7191
7192   This issue was reported to OpenSSL by Loïc Jonas Etienne (Qnective AG).
7193   ([CVE-2015-3194])
7194
7195   *Stephen Henson*
7196
7197 * X509_ATTRIBUTE memory leak
7198
7199   When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
7200   memory. This structure is used by the PKCS#7 and CMS routines so any
7201   application which reads PKCS#7 or CMS data from untrusted sources is
7202   affected. SSL/TLS is not affected.
7203
7204   This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using
7205   libFuzzer.
7206   ([CVE-2015-3195])
7207
7208   *Stephen Henson*
7209
7210 * Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs.
7211   This changes the decoding behaviour for some invalid messages,
7212   though the change is mostly in the more lenient direction, and
7213   legacy behaviour is preserved as much as possible.
7214
7215   *Emilia Käsper*
7216
7217 * In DSA_generate_parameters_ex, if the provided seed is too short,
7218   return an error
7219
7220   *Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>*
7221
7222### Changes between 1.0.2c and 1.0.2d [9 Jul 2015]
7223
7224 * Alternate chains certificate forgery
7225
7226   During certificate verification, OpenSSL will attempt to find an
7227   alternative certificate chain if the first attempt to build such a chain
7228   fails. An error in the implementation of this logic can mean that an
7229   attacker could cause certain checks on untrusted certificates to be
7230   bypassed, such as the CA flag, enabling them to use a valid leaf
7231   certificate to act as a CA and "issue" an invalid certificate.
7232
7233   This issue was reported to OpenSSL by Adam Langley/David Benjamin
7234   (Google/BoringSSL).
7235
7236   *Matt Caswell*
7237
7238### Changes between 1.0.2b and 1.0.2c [12 Jun 2015]
7239
7240 * Fix HMAC ABI incompatibility. The previous version introduced an ABI
7241   incompatibility in the handling of HMAC. The previous ABI has now been
7242   restored.
7243
7244   *Matt Caswell*
7245
7246### Changes between 1.0.2a and 1.0.2b [11 Jun 2015]
7247
7248 * Malformed ECParameters causes infinite loop
7249
7250   When processing an ECParameters structure OpenSSL enters an infinite loop
7251   if the curve specified is over a specially malformed binary polynomial
7252   field.
7253
7254   This can be used to perform denial of service against any
7255   system which processes public keys, certificate requests or
7256   certificates.  This includes TLS clients and TLS servers with
7257   client authentication enabled.
7258
7259   This issue was reported to OpenSSL by Joseph Barr-Pixton.
7260   ([CVE-2015-1788])
7261
7262   *Andy Polyakov*
7263
7264 * Exploitable out-of-bounds read in X509_cmp_time
7265
7266   X509_cmp_time does not properly check the length of the ASN1_TIME
7267   string and can read a few bytes out of bounds. In addition,
7268   X509_cmp_time accepts an arbitrary number of fractional seconds in the
7269   time string.
7270
7271   An attacker can use this to craft malformed certificates and CRLs of
7272   various sizes and potentially cause a segmentation fault, resulting in
7273   a DoS on applications that verify certificates or CRLs. TLS clients
7274   that verify CRLs are affected. TLS clients and servers with client
7275   authentication enabled may be affected if they use custom verification
7276   callbacks.
7277
7278   This issue was reported to OpenSSL by Robert Swiecki (Google), and
7279   independently by Hanno Böck.
7280   ([CVE-2015-1789])
7281
7282   *Emilia Käsper*
7283
7284 * PKCS7 crash with missing EnvelopedContent
7285
7286   The PKCS#7 parsing code does not handle missing inner EncryptedContent
7287   correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
7288   with missing content and trigger a NULL pointer dereference on parsing.
7289
7290   Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
7291   structures from untrusted sources are affected. OpenSSL clients and
7292   servers are not affected.
7293
7294   This issue was reported to OpenSSL by Michal Zalewski (Google).
7295   ([CVE-2015-1790])
7296
7297   *Emilia Käsper*
7298
7299 * CMS verify infinite loop with unknown hash function
7300
7301   When verifying a signedData message the CMS code can enter an infinite loop
7302   if presented with an unknown hash function OID. This can be used to perform
7303   denial of service against any system which verifies signedData messages using
7304   the CMS code.
7305   This issue was reported to OpenSSL by Johannes Bauer.
7306   ([CVE-2015-1792])
7307
7308   *Stephen Henson*
7309
7310 * Race condition handling NewSessionTicket
7311
7312   If a NewSessionTicket is received by a multi-threaded client when attempting to
7313   reuse a previous ticket then a race condition can occur potentially leading to
7314   a double free of the ticket data.
7315   ([CVE-2015-1791])
7316
7317   *Matt Caswell*
7318
7319 * Only support 256-bit or stronger elliptic curves with the
7320   'ecdh_auto' setting (server) or by default (client). Of supported
7321   curves, prefer P-256 (both).
7322
7323   *Emilia Kasper*
7324
7325### Changes between 1.0.2 and 1.0.2a [19 Mar 2015]
7326
7327 * ClientHello sigalgs DoS fix
7328
7329   If a client connects to an OpenSSL 1.0.2 server and renegotiates with an
7330   invalid signature algorithms extension a NULL pointer dereference will
7331   occur. This can be exploited in a DoS attack against the server.
7332
7333   This issue was was reported to OpenSSL by David Ramos of Stanford
7334   University.
7335   ([CVE-2015-0291])
7336
7337   *Stephen Henson and Matt Caswell*
7338
7339 * Multiblock corrupted pointer fix
7340
7341   OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This
7342   feature only applies on 64 bit x86 architecture platforms that support AES
7343   NI instructions. A defect in the implementation of "multiblock" can cause
7344   OpenSSL's internal write buffer to become incorrectly set to NULL when
7345   using non-blocking IO. Typically, when the user application is using a
7346   socket BIO for writing, this will only result in a failed connection.
7347   However if some other BIO is used then it is likely that a segmentation
7348   fault will be triggered, thus enabling a potential DoS attack.
7349
7350   This issue was reported to OpenSSL by Daniel Danner and Rainer Mueller.
7351   ([CVE-2015-0290])
7352
7353   *Matt Caswell*
7354
7355 * Segmentation fault in DTLSv1_listen fix
7356
7357   The DTLSv1_listen function is intended to be stateless and processes the
7358   initial ClientHello from many peers. It is common for user code to loop
7359   over the call to DTLSv1_listen until a valid ClientHello is received with
7360   an associated cookie. A defect in the implementation of DTLSv1_listen means
7361   that state is preserved in the SSL object from one invocation to the next
7362   that can lead to a segmentation fault. Errors processing the initial
7363   ClientHello can trigger this scenario. An example of such an error could be
7364   that a DTLS1.0 only client is attempting to connect to a DTLS1.2 only
7365   server.
7366
7367   This issue was reported to OpenSSL by Per Allansson.
7368   ([CVE-2015-0207])
7369
7370   *Matt Caswell*
7371
7372 * Segmentation fault in ASN1_TYPE_cmp fix
7373
7374   The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
7375   made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
7376   certificate signature algorithm consistency this can be used to crash any
7377   certificate verification operation and exploited in a DoS attack. Any
7378   application which performs certificate verification is vulnerable including
7379   OpenSSL clients and servers which enable client authentication.
7380   ([CVE-2015-0286])
7381
7382   *Stephen Henson*
7383
7384 * Segmentation fault for invalid PSS parameters fix
7385
7386   The signature verification routines will crash with a NULL pointer
7387   dereference if presented with an ASN.1 signature using the RSA PSS
7388   algorithm and invalid parameters. Since these routines are used to verify
7389   certificate signature algorithms this can be used to crash any
7390   certificate verification operation and exploited in a DoS attack. Any
7391   application which performs certificate verification is vulnerable including
7392   OpenSSL clients and servers which enable client authentication.
7393
7394   This issue was was reported to OpenSSL by Brian Carpenter.
7395   ([CVE-2015-0208])
7396
7397   *Stephen Henson*
7398
7399 * ASN.1 structure reuse memory corruption fix
7400
7401   Reusing a structure in ASN.1 parsing may allow an attacker to cause
7402   memory corruption via an invalid write. Such reuse is and has been
7403   strongly discouraged and is believed to be rare.
7404
7405   Applications that parse structures containing CHOICE or ANY DEFINED BY
7406   components may be affected. Certificate parsing (d2i_X509 and related
7407   functions) are however not affected. OpenSSL clients and servers are
7408   not affected.
7409   ([CVE-2015-0287])
7410
7411   *Stephen Henson*
7412
7413 * PKCS7 NULL pointer dereferences fix
7414
7415   The PKCS#7 parsing code does not handle missing outer ContentInfo
7416   correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
7417   missing content and trigger a NULL pointer dereference on parsing.
7418
7419   Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or
7420   otherwise parse PKCS#7 structures from untrusted sources are
7421   affected. OpenSSL clients and servers are not affected.
7422
7423   This issue was reported to OpenSSL by Michal Zalewski (Google).
7424   ([CVE-2015-0289])
7425
7426   *Emilia Käsper*
7427
7428 * DoS via reachable assert in SSLv2 servers fix
7429
7430   A malicious client can trigger an OPENSSL_assert (i.e., an abort) in
7431   servers that both support SSLv2 and enable export cipher suites by sending
7432   a specially crafted SSLv2 CLIENT-MASTER-KEY message.
7433
7434   This issue was discovered by Sean Burford (Google) and Emilia Käsper
7435   (OpenSSL development team).
7436   ([CVE-2015-0293])
7437
7438   *Emilia Käsper*
7439
7440 * Empty CKE with client auth and DHE fix
7441
7442   If client auth is used then a server can seg fault in the event of a DHE
7443   ciphersuite being selected and a zero length ClientKeyExchange message
7444   being sent by the client. This could be exploited in a DoS attack.
7445   ([CVE-2015-1787])
7446
7447   *Matt Caswell*
7448
7449 * Handshake with unseeded PRNG fix
7450
7451   Under certain conditions an OpenSSL 1.0.2 client can complete a handshake
7452   with an unseeded PRNG. The conditions are:
7453   - The client is on a platform where the PRNG has not been seeded
7454   automatically, and the user has not seeded manually
7455   - A protocol specific client method version has been used (i.e. not
7456   SSL_client_methodv23)
7457   - A ciphersuite is used that does not require additional random data from
7458   the PRNG beyond the initial ClientHello client random (e.g. PSK-RC4-SHA).
7459
7460   If the handshake succeeds then the client random that has been used will
7461   have been generated from a PRNG with insufficient entropy and therefore the
7462   output may be predictable.
7463
7464   For example using the following command with an unseeded openssl will
7465   succeed on an unpatched platform:
7466
7467   openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA
7468   ([CVE-2015-0285])
7469
7470   *Matt Caswell*
7471
7472 * Use After Free following d2i_ECPrivatekey error fix
7473
7474   A malformed EC private key file consumed via the d2i_ECPrivateKey function
7475   could cause a use after free condition. This, in turn, could cause a double
7476   free in several private key parsing functions (such as d2i_PrivateKey
7477   or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
7478   for applications that receive EC private keys from untrusted
7479   sources. This scenario is considered rare.
7480
7481   This issue was discovered by the BoringSSL project and fixed in their
7482   commit 517073cd4b.
7483   ([CVE-2015-0209])
7484
7485   *Matt Caswell*
7486
7487 * X509_to_X509_REQ NULL pointer deref fix
7488
7489   The function X509_to_X509_REQ will crash with a NULL pointer dereference if
7490   the certificate key is invalid. This function is rarely used in practice.
7491
7492   This issue was discovered by Brian Carpenter.
7493   ([CVE-2015-0288])
7494
7495   *Stephen Henson*
7496
7497 * Removed the export ciphers from the DEFAULT ciphers
7498
7499   *Kurt Roeckx*
7500
7501### Changes between 1.0.1l and 1.0.2 [22 Jan 2015]
7502
7503 * Facilitate "universal" ARM builds targeting range of ARM ISAs, e.g.
7504   ARMv5 through ARMv8, as opposite to "locking" it to single one.
7505   So far those who have to target multiple platforms would compromise
7506   and argue that binary targeting say ARMv5 would still execute on
7507   ARMv8. "Universal" build resolves this compromise by providing
7508   near-optimal performance even on newer platforms.
7509
7510   *Andy Polyakov*
7511
7512 * Accelerated NIST P-256 elliptic curve implementation for x86_64
7513   (other platforms pending).
7514
7515   *Shay Gueron & Vlad Krasnov (Intel Corp), Andy Polyakov*
7516
7517 * Add support for the SignedCertificateTimestampList certificate and
7518   OCSP response extensions from RFC6962.
7519
7520   *Rob Stradling*
7521
7522 * Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
7523   for corner cases. (Certain input points at infinity could lead to
7524   bogus results, with non-infinity inputs mapped to infinity too.)
7525
7526   *Bodo Moeller*
7527
7528 * Initial support for PowerISA 2.0.7, first implemented in POWER8.
7529   This covers AES, SHA256/512 and GHASH. "Initial" means that most
7530   common cases are optimized and there still is room for further
7531   improvements. Vector Permutation AES for Altivec is also added.
7532
7533   *Andy Polyakov*
7534
7535 * Add support for little-endian ppc64 Linux target.
7536
7537   *Marcelo Cerri (IBM)*
7538
7539 * Initial support for AMRv8 ISA crypto extensions. This covers AES,
7540   SHA1, SHA256 and GHASH. "Initial" means that most common cases
7541   are optimized and there still is room for further improvements.
7542   Both 32- and 64-bit modes are supported.
7543
7544   *Andy Polyakov, Ard Biesheuvel (Linaro)*
7545
7546 * Improved ARMv7 NEON support.
7547
7548   *Andy Polyakov*
7549
7550 * Support for SPARC Architecture 2011 crypto extensions, first
7551   implemented in SPARC T4. This covers AES, DES, Camellia, SHA1,
7552   SHA256/512, MD5, GHASH and modular exponentiation.
7553
7554   *Andy Polyakov, David Miller*
7555
7556 * Accelerated modular exponentiation for Intel processors, a.k.a.
7557   RSAZ.
7558
7559   *Shay Gueron & Vlad Krasnov (Intel Corp)*
7560
7561 * Support for new and upcoming Intel processors, including AVX2,
7562   BMI and SHA ISA extensions. This includes additional "stitched"
7563   implementations, AESNI-SHA256 and GCM, and multi-buffer support
7564   for TLS encrypt.
7565
7566   This work was sponsored by Intel Corp.
7567
7568   *Andy Polyakov*
7569
7570 * Support for DTLS 1.2. This adds two sets of DTLS methods: DTLS_*_method()
7571   supports both DTLS 1.2 and 1.0 and should use whatever version the peer
7572   supports and DTLSv1_2_*_method() which supports DTLS 1.2 only.
7573
7574   *Steve Henson*
7575
7576 * Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
7577   this fixes a limitation in previous versions of OpenSSL.
7578
7579   *Steve Henson*
7580
7581 * Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,
7582   MGF1 digest and OAEP label.
7583
7584   *Steve Henson*
7585
7586 * Add EVP support for key wrapping algorithms, to avoid problems with
7587   existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in
7588   the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
7589   algorithms and include tests cases.
7590
7591   *Steve Henson*
7592
7593 * Add functions to allocate and set the fields of an ECDSA_METHOD
7594   structure.
7595
7596   *Douglas E. Engert, Steve Henson*
7597
7598 * New functions OPENSSL_gmtime_diff and ASN1_TIME_diff to find the
7599   difference in days and seconds between two tm or ASN1_TIME structures.
7600
7601   *Steve Henson*
7602
7603 * Add -rev test option to s_server to just reverse order of characters
7604   received by client and send back to server. Also prints an abbreviated
7605   summary of the connection parameters.
7606
7607   *Steve Henson*
7608
7609 * New option -brief for s_client and s_server to print out a brief summary
7610   of connection parameters.
7611
7612   *Steve Henson*
7613
7614 * Add callbacks for arbitrary TLS extensions.
7615
7616   *Trevor Perrin <trevp@trevp.net> and Ben Laurie*
7617
7618 * New option -crl_download in several openssl utilities to download CRLs
7619   from CRLDP extension in certificates.
7620
7621   *Steve Henson*
7622
7623 * New options -CRL and -CRLform for s_client and s_server for CRLs.
7624
7625   *Steve Henson*
7626
7627 * New function X509_CRL_diff to generate a delta CRL from the difference
7628   of two full CRLs. Add support to "crl" utility.
7629
7630   *Steve Henson*
7631
7632 * New functions to set lookup_crls function and to retrieve
7633   X509_STORE from X509_STORE_CTX.
7634
7635   *Steve Henson*
7636
7637 * Print out deprecated issuer and subject unique ID fields in
7638   certificates.
7639
7640   *Steve Henson*
7641
7642 * Extend OCSP I/O functions so they can be used for simple general purpose
7643   HTTP as well as OCSP. New wrapper function which can be used to download
7644   CRLs using the OCSP API.
7645
7646   *Steve Henson*
7647
7648 * Delegate command line handling in s_client/s_server to SSL_CONF APIs.
7649
7650   *Steve Henson*
7651
7652 * `SSL_CONF*` functions. These provide a common framework for application
7653   configuration using configuration files or command lines.
7654
7655   *Steve Henson*
7656
7657 * SSL/TLS tracing code. This parses out SSL/TLS records using the
7658   message callback and prints the results. Needs compile time option
7659   "enable-ssl-trace". New options to s_client and s_server to enable
7660   tracing.
7661
7662   *Steve Henson*
7663
7664 * New ctrl and macro to retrieve supported points extensions.
7665   Print out extension in s_server and s_client.
7666
7667   *Steve Henson*
7668
7669 * New functions to retrieve certificate signature and signature
7670   OID NID.
7671
7672   *Steve Henson*
7673
7674 * Add functions to retrieve and manipulate the raw cipherlist sent by a
7675   client to OpenSSL.
7676
7677   *Steve Henson*
7678
7679 * New Suite B modes for TLS code. These use and enforce the requirements
7680   of RFC6460: restrict ciphersuites, only permit Suite B algorithms and
7681   only use Suite B curves. The Suite B modes can be set by using the
7682   strings "SUITEB128", "SUITEB192" or "SUITEB128ONLY" for the cipherstring.
7683
7684   *Steve Henson*
7685
7686 * New chain verification flags for Suite B levels of security. Check
7687   algorithms are acceptable when flags are set in X509_verify_cert.
7688
7689   *Steve Henson*
7690
7691 * Make tls1_check_chain return a set of flags indicating checks passed
7692   by a certificate chain. Add additional tests to handle client
7693   certificates: checks for matching certificate type and issuer name
7694   comparison.
7695
7696   *Steve Henson*
7697
7698 * If an attempt is made to use a signature algorithm not in the peer
7699   preference list abort the handshake. If client has no suitable
7700   signature algorithms in response to a certificate request do not
7701   use the certificate.
7702
7703   *Steve Henson*
7704
7705 * If server EC tmp key is not in client preference list abort handshake.
7706
7707   *Steve Henson*
7708
7709 * Add support for certificate stores in CERT structure. This makes it
7710   possible to have different stores per SSL structure or one store in
7711   the parent SSL_CTX. Include distinct stores for certificate chain
7712   verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN
7713   to build and store a certificate chain in CERT structure: returning
7714   an error if the chain cannot be built: this will allow applications
7715   to test if a chain is correctly configured.
7716
7717   Note: if the CERT based stores are not set then the parent SSL_CTX
7718   store is used to retain compatibility with existing behaviour.
7719
7720   *Steve Henson*
7721
7722 * New function ssl_set_client_disabled to set a ciphersuite disabled
7723   mask based on the current session, check mask when sending client
7724   hello and checking the requested ciphersuite.
7725
7726   *Steve Henson*
7727
7728 * New ctrls to retrieve and set certificate types in a certificate
7729   request message. Print out received values in s_client. If certificate
7730   types is not set with custom values set sensible values based on
7731   supported signature algorithms.
7732
7733   *Steve Henson*
7734
7735 * Support for distinct client and server supported signature algorithms.
7736
7737   *Steve Henson*
7738
7739 * Add certificate callback. If set this is called whenever a certificate
7740   is required by client or server. An application can decide which
7741   certificate chain to present based on arbitrary criteria: for example
7742   supported signature algorithms. Add very simple example to s_server.
7743   This fixes many of the problems and restrictions of the existing client
7744   certificate callback: for example you can now clear an existing
7745   certificate and specify the whole chain.
7746
7747   *Steve Henson*
7748
7749 * Add new "valid_flags" field to CERT_PKEY structure which determines what
7750   the certificate can be used for (if anything). Set valid_flags field
7751   in new tls1_check_chain function. Simplify ssl_set_cert_masks which used
7752   to have similar checks in it.
7753
7754   Add new "cert_flags" field to CERT structure and include a "strict mode".
7755   This enforces some TLS certificate requirements (such as only permitting
7756   certificate signature algorithms contained in the supported algorithms
7757   extension) which some implementations ignore: this option should be used
7758   with caution as it could cause interoperability issues.
7759
7760   *Steve Henson*
7761
7762 * Update and tidy signature algorithm extension processing. Work out
7763   shared signature algorithms based on preferences and peer algorithms
7764   and print them out in s_client and s_server. Abort handshake if no
7765   shared signature algorithms.
7766
7767   *Steve Henson*
7768
7769 * Add new functions to allow customised supported signature algorithms
7770   for SSL and SSL_CTX structures. Add options to s_client and s_server
7771   to support them.
7772
7773   *Steve Henson*
7774
7775 * New function SSL_certs_clear() to delete all references to certificates
7776   from an SSL structure. Before this once a certificate had been added
7777   it couldn't be removed.
7778
7779   *Steve Henson*
7780
7781 * Integrate hostname, email address and IP address checking with certificate
7782   verification. New verify options supporting checking in openssl utility.
7783
7784   *Steve Henson*
7785
7786 * Fixes and wildcard matching support to hostname and email checking
7787   functions. Add manual page.
7788
7789   *Florian Weimer (Red Hat Product Security Team)*
7790
7791 * New functions to check a hostname email or IP address against a
7792   certificate. Add options x509 utility to print results of checks against
7793   a certificate.
7794
7795   *Steve Henson*
7796
7797 * Fix OCSP checking.
7798
7799   *Rob Stradling <rob.stradling@comodo.com> and Ben Laurie*
7800
7801 * Initial experimental support for explicitly trusted non-root CAs.
7802   OpenSSL still tries to build a complete chain to a root but if an
7803   intermediate CA has a trust setting included that is used. The first
7804   setting is used: whether to trust (e.g., -addtrust option to the x509
7805   utility) or reject.
7806
7807   *Steve Henson*
7808
7809 * Add -trusted_first option which attempts to find certificates in the
7810   trusted store even if an untrusted chain is also supplied.
7811
7812   *Steve Henson*
7813
7814 * MIPS assembly pack updates: support for MIPS32r2 and SmartMIPS ASE,
7815   platform support for Linux and Android.
7816
7817   *Andy Polyakov*
7818
7819 * Support for linux-x32, ILP32 environment in x86_64 framework.
7820
7821   *Andy Polyakov*
7822
7823 * Experimental multi-implementation support for FIPS capable OpenSSL.
7824   When in FIPS mode the approved implementations are used as normal,
7825   when not in FIPS mode the internal unapproved versions are used instead.
7826   This means that the FIPS capable OpenSSL isn't forced to use the
7827   (often lower performance) FIPS implementations outside FIPS mode.
7828
7829   *Steve Henson*
7830
7831 * Transparently support X9.42 DH parameters when calling
7832   PEM_read_bio_DHparameters. This means existing applications can handle
7833   the new parameter format automatically.
7834
7835   *Steve Henson*
7836
7837 * Initial experimental support for X9.42 DH parameter format: mainly
7838   to support use of 'q' parameter for RFC5114 parameters.
7839
7840   *Steve Henson*
7841
7842 * Add DH parameters from RFC5114 including test data to dhtest.
7843
7844   *Steve Henson*
7845
7846 * Support for automatic EC temporary key parameter selection. If enabled
7847   the most preferred EC parameters are automatically used instead of
7848   hardcoded fixed parameters. Now a server just has to call:
7849   SSL_CTX_set_ecdh_auto(ctx, 1) and the server will automatically
7850   support ECDH and use the most appropriate parameters.
7851
7852   *Steve Henson*
7853
7854 * Enhance and tidy EC curve and point format TLS extension code. Use
7855   static structures instead of allocation if default values are used.
7856   New ctrls to set curves we wish to support and to retrieve shared curves.
7857   Print out shared curves in s_server. New options to s_server and s_client
7858   to set list of supported curves.
7859
7860   *Steve Henson*
7861
7862 * New ctrls to retrieve supported signature algorithms and
7863   supported curve values as an array of NIDs. Extend openssl utility
7864   to print out received values.
7865
7866   *Steve Henson*
7867
7868 * Add new APIs EC_curve_nist2nid and EC_curve_nid2nist which convert
7869   between NIDs and the more common NIST names such as "P-256". Enhance
7870   ecparam utility and ECC method to recognise the NIST names for curves.
7871
7872   *Steve Henson*
7873
7874 * Enhance SSL/TLS certificate chain handling to support different
7875   chains for each certificate instead of one chain in the parent SSL_CTX.
7876
7877   *Steve Henson*
7878
7879 * Support for fixed DH ciphersuite client authentication: where both
7880   server and client use DH certificates with common parameters.
7881
7882   *Steve Henson*
7883
7884 * Support for fixed DH ciphersuites: those requiring DH server
7885   certificates.
7886
7887   *Steve Henson*
7888
7889 * New function i2d_re_X509_tbs for re-encoding the TBS portion of
7890   the certificate.
7891   Note: Related 1.0.2-beta specific macros X509_get_cert_info,
7892   X509_CINF_set_modified, X509_CINF_get_issuer, X509_CINF_get_extensions and
7893   X509_CINF_get_signature were reverted post internal team review.
7894
7895OpenSSL 1.0.1
7896-------------
7897
7898### Changes between 1.0.1t and 1.0.1u [22 Sep 2016]
7899
7900 * OCSP Status Request extension unbounded memory growth
7901
7902   A malicious client can send an excessively large OCSP Status Request
7903   extension. If that client continually requests renegotiation, sending a
7904   large OCSP Status Request extension each time, then there will be unbounded
7905   memory growth on the server. This will eventually lead to a Denial Of
7906   Service attack through memory exhaustion. Servers with a default
7907   configuration are vulnerable even if they do not support OCSP. Builds using
7908   the "no-ocsp" build time option are not affected.
7909
7910   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
7911   ([CVE-2016-6304])
7912
7913   *Matt Caswell*
7914
7915 * In order to mitigate the SWEET32 attack, the DES ciphers were moved from
7916   HIGH to MEDIUM.
7917
7918   This issue was reported to OpenSSL Karthikeyan Bhargavan and Gaetan
7919   Leurent (INRIA)
7920   ([CVE-2016-2183])
7921
7922   *Rich Salz*
7923
7924 * OOB write in MDC2_Update()
7925
7926   An overflow can occur in MDC2_Update() either if called directly or
7927   through the EVP_DigestUpdate() function using MDC2. If an attacker
7928   is able to supply very large amounts of input data after a previous
7929   call to EVP_EncryptUpdate() with a partial block then a length check
7930   can overflow resulting in a heap corruption.
7931
7932   The amount of data needed is comparable to SIZE_MAX which is impractical
7933   on most platforms.
7934
7935   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
7936   ([CVE-2016-6303])
7937
7938   *Stephen Henson*
7939
7940 * Malformed SHA512 ticket DoS
7941
7942   If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a
7943   DoS attack where a malformed ticket will result in an OOB read which will
7944   ultimately crash.
7945
7946   The use of SHA512 in TLS session tickets is comparatively rare as it requires
7947   a custom server callback and ticket lookup mechanism.
7948
7949   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
7950   ([CVE-2016-6302])
7951
7952   *Stephen Henson*
7953
7954 * OOB write in BN_bn2dec()
7955
7956   The function BN_bn2dec() does not check the return value of BN_div_word().
7957   This can cause an OOB write if an application uses this function with an
7958   overly large BIGNUM. This could be a problem if an overly large certificate
7959   or CRL is printed out from an untrusted source. TLS is not affected because
7960   record limits will reject an oversized certificate before it is parsed.
7961
7962   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
7963   ([CVE-2016-2182])
7964
7965   *Stephen Henson*
7966
7967 * OOB read in TS_OBJ_print_bio()
7968
7969   The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value is
7970   the total length the OID text representation would use and not the amount
7971   of data written. This will result in OOB reads when large OIDs are
7972   presented.
7973
7974   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
7975   ([CVE-2016-2180])
7976
7977   *Stephen Henson*
7978
7979 * Pointer arithmetic undefined behaviour
7980
7981   Avoid some undefined pointer arithmetic
7982
7983   A common idiom in the codebase is to check limits in the following manner:
7984   "p + len > limit"
7985
7986   Where "p" points to some malloc'd data of SIZE bytes and
7987   limit == p + SIZE
7988
7989   "len" here could be from some externally supplied data (e.g. from a TLS
7990   message).
7991
7992   The rules of C pointer arithmetic are such that "p + len" is only well
7993   defined where len <= SIZE. Therefore, the above idiom is actually
7994   undefined behaviour.
7995
7996   For example this could cause problems if some malloc implementation
7997   provides an address for "p" such that "p + len" actually overflows for
7998   values of len that are too big and therefore p + len < limit.
7999
8000   This issue was reported to OpenSSL by Guido Vranken
8001   ([CVE-2016-2177])
8002
8003   *Matt Caswell*
8004
8005 * Constant time flag not preserved in DSA signing
8006
8007   Operations in the DSA signing algorithm should run in constant time in
8008   order to avoid side channel attacks. A flaw in the OpenSSL DSA
8009   implementation means that a non-constant time codepath is followed for
8010   certain operations. This has been demonstrated through a cache-timing
8011   attack to be sufficient for an attacker to recover the private DSA key.
8012
8013   This issue was reported by César Pereida (Aalto University), Billy Brumley
8014   (Tampere University of Technology), and Yuval Yarom (The University of
8015   Adelaide and NICTA).
8016   ([CVE-2016-2178])
8017
8018   *César Pereida*
8019
8020 * DTLS buffered message DoS
8021
8022   In a DTLS connection where handshake messages are delivered out-of-order
8023   those messages that OpenSSL is not yet ready to process will be buffered
8024   for later use. Under certain circumstances, a flaw in the logic means that
8025   those messages do not get removed from the buffer even though the handshake
8026   has been completed. An attacker could force up to approx. 15 messages to
8027   remain in the buffer when they are no longer required. These messages will
8028   be cleared when the DTLS connection is closed. The default maximum size for
8029   a message is 100k. Therefore, the attacker could force an additional 1500k
8030   to be consumed per connection. By opening many simultaneous connections an
8031   attacker could cause a DoS attack through memory exhaustion.
8032
8033   This issue was reported to OpenSSL by Quan Luo.
8034   ([CVE-2016-2179])
8035
8036   *Matt Caswell*
8037
8038 * DTLS replay protection DoS
8039
8040   A flaw in the DTLS replay attack protection mechanism means that records
8041   that arrive for future epochs update the replay protection "window" before
8042   the MAC for the record has been validated. This could be exploited by an
8043   attacker by sending a record for the next epoch (which does not have to
8044   decrypt or have a valid MAC), with a very large sequence number. This means
8045   that all subsequent legitimate packets are dropped causing a denial of
8046   service for a specific DTLS connection.
8047
8048   This issue was reported to OpenSSL by the OCAP audit team.
8049   ([CVE-2016-2181])
8050
8051   *Matt Caswell*
8052
8053 * Certificate message OOB reads
8054
8055   In OpenSSL 1.0.2 and earlier some missing message length checks can result
8056   in OOB reads of up to 2 bytes beyond an allocated buffer. There is a
8057   theoretical DoS risk but this has not been observed in practice on common
8058   platforms.
8059
8060   The messages affected are client certificate, client certificate request
8061   and server certificate. As a result the attack can only be performed
8062   against a client or a server which enables client authentication.
8063
8064   This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
8065   ([CVE-2016-6306])
8066
8067   *Stephen Henson*
8068
8069### Changes between 1.0.1s and 1.0.1t [3 May 2016]
8070
8071 * Prevent padding oracle in AES-NI CBC MAC check
8072
8073   A MITM attacker can use a padding oracle attack to decrypt traffic
8074   when the connection uses an AES CBC cipher and the server support
8075   AES-NI.
8076
8077   This issue was introduced as part of the fix for Lucky 13 padding
8078   attack ([CVE-2013-0169]). The padding check was rewritten to be in
8079   constant time by making sure that always the same bytes are read and
8080   compared against either the MAC or padding bytes. But it no longer
8081   checked that there was enough data to have both the MAC and padding
8082   bytes.
8083
8084   This issue was reported by Juraj Somorovsky using TLS-Attacker.
8085   ([CVE-2016-2107])
8086
8087   *Kurt Roeckx*
8088
8089 * Fix EVP_EncodeUpdate overflow
8090
8091   An overflow can occur in the EVP_EncodeUpdate() function which is used for
8092   Base64 encoding of binary data. If an attacker is able to supply very large
8093   amounts of input data then a length check can overflow resulting in a heap
8094   corruption.
8095
8096   Internally to OpenSSL the EVP_EncodeUpdate() function is primarily used by
8097   the `PEM_write_bio*` family of functions. These are mainly used within the
8098   OpenSSL command line applications, so any application which processes data
8099   from an untrusted source and outputs it as a PEM file should be considered
8100   vulnerable to this issue. User applications that call these APIs directly
8101   with large amounts of untrusted data may also be vulnerable.
8102
8103   This issue was reported by Guido Vranken.
8104   ([CVE-2016-2105])
8105
8106   *Matt Caswell*
8107
8108 * Fix EVP_EncryptUpdate overflow
8109
8110   An overflow can occur in the EVP_EncryptUpdate() function. If an attacker
8111   is able to supply very large amounts of input data after a previous call to
8112   EVP_EncryptUpdate() with a partial block then a length check can overflow
8113   resulting in a heap corruption. Following an analysis of all OpenSSL
8114   internal usage of the EVP_EncryptUpdate() function all usage is one of two
8115   forms. The first form is where the EVP_EncryptUpdate() call is known to be
8116   the first called function after an EVP_EncryptInit(), and therefore that
8117   specific call must be safe. The second form is where the length passed to
8118   EVP_EncryptUpdate() can be seen from the code to be some small value and
8119   therefore there is no possibility of an overflow. Since all instances are
8120   one of these two forms, it is believed that there can be no overflows in
8121   internal code due to this problem. It should be noted that
8122   EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths.
8123   Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances
8124   of these calls have also been analysed too and it is believed there are no
8125   instances in internal usage where an overflow could occur.
8126
8127   This issue was reported by Guido Vranken.
8128   ([CVE-2016-2106])
8129
8130   *Matt Caswell*
8131
8132 * Prevent ASN.1 BIO excessive memory allocation
8133
8134   When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
8135   a short invalid encoding can casuse allocation of large amounts of memory
8136   potentially consuming excessive resources or exhausting memory.
8137
8138   Any application parsing untrusted data through d2i BIO functions is
8139   affected. The memory based functions such as d2i_X509() are *not* affected.
8140   Since the memory based functions are used by the TLS library, TLS
8141   applications are not affected.
8142
8143   This issue was reported by Brian Carpenter.
8144   ([CVE-2016-2109])
8145
8146   *Stephen Henson*
8147
8148 * EBCDIC overread
8149
8150   ASN1 Strings that are over 1024 bytes can cause an overread in applications
8151   using the X509_NAME_oneline() function on EBCDIC systems. This could result
8152   in arbitrary stack data being returned in the buffer.
8153
8154   This issue was reported by Guido Vranken.
8155   ([CVE-2016-2176])
8156
8157   *Matt Caswell*
8158
8159 * Modify behavior of ALPN to invoke callback after SNI/servername
8160   callback, such that updates to the SSL_CTX affect ALPN.
8161
8162   *Todd Short*
8163
8164 * Remove LOW from the DEFAULT cipher list.  This removes singles DES from the
8165   default.
8166
8167   *Kurt Roeckx*
8168
8169 * Only remove the SSLv2 methods with the no-ssl2-method option. When the
8170   methods are enabled and ssl2 is disabled the methods return NULL.
8171
8172   *Kurt Roeckx*
8173
8174### Changes between 1.0.1r and 1.0.1s [1 Mar 2016]
8175
8176* Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
8177  Builds that are not configured with "enable-weak-ssl-ciphers" will not
8178  provide any "EXPORT" or "LOW" strength ciphers.
8179
8180  *Viktor Dukhovni*
8181
8182* Disable SSLv2 default build, default negotiation and weak ciphers.  SSLv2
8183  is by default disabled at build-time.  Builds that are not configured with
8184  "enable-ssl2" will not support SSLv2.  Even if "enable-ssl2" is used,
8185  users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
8186  will need to explicitly call either of:
8187
8188      SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
8189  or
8190      SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
8191
8192  as appropriate.  Even if either of those is used, or the application
8193  explicitly uses the version-specific SSLv2_method() or its client and
8194  server variants, SSLv2 ciphers vulnerable to exhaustive search key
8195  recovery have been removed.  Specifically, the SSLv2 40-bit EXPORT
8196  ciphers, and SSLv2 56-bit DES are no longer available.
8197  ([CVE-2016-0800])
8198
8199  *Viktor Dukhovni*
8200
8201 * Fix a double-free in DSA code
8202
8203   A double free bug was discovered when OpenSSL parses malformed DSA private
8204   keys and could lead to a DoS attack or memory corruption for applications
8205   that receive DSA private keys from untrusted sources.  This scenario is
8206   considered rare.
8207
8208   This issue was reported to OpenSSL by Adam Langley(Google/BoringSSL) using
8209   libFuzzer.
8210   ([CVE-2016-0705])
8211
8212   *Stephen Henson*
8213
8214 * Disable SRP fake user seed to address a server memory leak.
8215
8216   Add a new method SRP_VBASE_get1_by_user that handles the seed properly.
8217
8218   SRP_VBASE_get_by_user had inconsistent memory management behaviour.
8219   In order to fix an unavoidable memory leak, SRP_VBASE_get_by_user
8220   was changed to ignore the "fake user" SRP seed, even if the seed
8221   is configured.
8222
8223   Users should use SRP_VBASE_get1_by_user instead. Note that in
8224   SRP_VBASE_get1_by_user, caller must free the returned value. Note
8225   also that even though configuring the SRP seed attempts to hide
8226   invalid usernames by continuing the handshake with fake
8227   credentials, this behaviour is not constant time and no strong
8228   guarantees are made that the handshake is indistinguishable from
8229   that of a valid user.
8230   ([CVE-2016-0798])
8231
8232   *Emilia Käsper*
8233
8234 * Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
8235
8236   In the BN_hex2bn function the number of hex digits is calculated using an
8237   int value `i`. Later `bn_expand` is called with a value of `i * 4`. For
8238   large values of `i` this can result in `bn_expand` not allocating any
8239   memory because `i * 4` is negative. This can leave the internal BIGNUM data
8240   field as NULL leading to a subsequent NULL ptr deref. For very large values
8241   of `i`, the calculation `i * 4` could be a positive value smaller than `i`.
8242   In this case memory is allocated to the internal BIGNUM data field, but it
8243   is insufficiently sized leading to heap corruption. A similar issue exists
8244   in BN_dec2bn. This could have security consequences if BN_hex2bn/BN_dec2bn
8245   is ever called by user applications with very large untrusted hex/dec data.
8246   This is anticipated to be a rare occurrence.
8247
8248   All OpenSSL internal usage of these functions use data that is not expected
8249   to be untrusted, e.g. config file data or application command line
8250   arguments. If user developed applications generate config file data based
8251   on untrusted data then it is possible that this could also lead to security
8252   consequences. This is also anticipated to be rare.
8253
8254   This issue was reported to OpenSSL by Guido Vranken.
8255   ([CVE-2016-0797])
8256
8257   *Matt Caswell*
8258
8259 * Fix memory issues in `BIO_*printf` functions
8260
8261   The internal `fmtstr` function used in processing a "%s" format string in
8262   the `BIO_*printf` functions could overflow while calculating the length of a
8263   string and cause an OOB read when printing very long strings.
8264
8265   Additionally the internal `doapr_outch` function can attempt to write to an
8266   OOB memory location (at an offset from the NULL pointer) in the event of a
8267   memory allocation failure. In 1.0.2 and below this could be caused where
8268   the size of a buffer to be allocated is greater than INT_MAX. E.g. this
8269   could be in processing a very long "%s" format string. Memory leaks can
8270   also occur.
8271
8272   The first issue may mask the second issue dependent on compiler behaviour.
8273   These problems could enable attacks where large amounts of untrusted data
8274   is passed to the `BIO_*printf` functions. If applications use these functions
8275   in this way then they could be vulnerable. OpenSSL itself uses these
8276   functions when printing out human-readable dumps of ASN.1 data. Therefore
8277   applications that print this data could be vulnerable if the data is from
8278   untrusted sources. OpenSSL command line applications could also be
8279   vulnerable where they print out ASN.1 data, or if untrusted data is passed
8280   as command line arguments.
8281
8282   Libssl is not considered directly vulnerable. Additionally certificates etc
8283   received via remote connections via libssl are also unlikely to be able to
8284   trigger these issues because of message size limits enforced within libssl.
8285
8286   This issue was reported to OpenSSL Guido Vranken.
8287   ([CVE-2016-0799])
8288
8289   *Matt Caswell*
8290
8291 * Side channel attack on modular exponentiation
8292
8293   A side-channel attack was found which makes use of cache-bank conflicts on
8294   the Intel Sandy-Bridge microarchitecture which could lead to the recovery
8295   of RSA keys.  The ability to exploit this issue is limited as it relies on
8296   an attacker who has control of code in a thread running on the same
8297   hyper-threaded core as the victim thread which is performing decryptions.
8298
8299   This issue was reported to OpenSSL by Yuval Yarom, The University of
8300   Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and
8301   Nadia Heninger, University of Pennsylvania with more information at
8302   <http://cachebleed.info>.
8303   ([CVE-2016-0702])
8304
8305   *Andy Polyakov*
8306
8307 * Change the req command to generate a 2048-bit RSA/DSA key by default,
8308   if no keysize is specified with default_bits. This fixes an
8309   omission in an earlier change that changed all RSA/DSA key generation
8310   commands to use 2048 bits by default.
8311
8312   *Emilia Käsper*
8313
8314### Changes between 1.0.1q and 1.0.1r [28 Jan 2016]
8315
8316 * Protection for DH small subgroup attacks
8317
8318   As a precautionary measure the SSL_OP_SINGLE_DH_USE option has been
8319   switched on by default and cannot be disabled. This could have some
8320   performance impact.
8321
8322   *Matt Caswell*
8323
8324 * SSLv2 doesn't block disabled ciphers
8325
8326   A malicious client can negotiate SSLv2 ciphers that have been disabled on
8327   the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
8328   been disabled, provided that the SSLv2 protocol was not also disabled via
8329   SSL_OP_NO_SSLv2.
8330
8331   This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram
8332   and Sebastian Schinzel.
8333   ([CVE-2015-3197])
8334
8335   *Viktor Dukhovni*
8336
8337 * Reject DH handshakes with parameters shorter than 1024 bits.
8338
8339   *Kurt Roeckx*
8340
8341### Changes between 1.0.1p and 1.0.1q [3 Dec 2015]
8342
8343 * Certificate verify crash with missing PSS parameter
8344
8345   The signature verification routines will crash with a NULL pointer
8346   dereference if presented with an ASN.1 signature using the RSA PSS
8347   algorithm and absent mask generation function parameter. Since these
8348   routines are used to verify certificate signature algorithms this can be
8349   used to crash any certificate verification operation and exploited in a
8350   DoS attack. Any application which performs certificate verification is
8351   vulnerable including OpenSSL clients and servers which enable client
8352   authentication.
8353
8354   This issue was reported to OpenSSL by Loïc Jonas Etienne (Qnective AG).
8355   ([CVE-2015-3194])
8356
8357   *Stephen Henson*
8358
8359 * X509_ATTRIBUTE memory leak
8360
8361   When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
8362   memory. This structure is used by the PKCS#7 and CMS routines so any
8363   application which reads PKCS#7 or CMS data from untrusted sources is
8364   affected. SSL/TLS is not affected.
8365
8366   This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using
8367   libFuzzer.
8368   ([CVE-2015-3195])
8369
8370   *Stephen Henson*
8371
8372 * Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs.
8373   This changes the decoding behaviour for some invalid messages,
8374   though the change is mostly in the more lenient direction, and
8375   legacy behaviour is preserved as much as possible.
8376
8377   *Emilia Käsper*
8378
8379 * In DSA_generate_parameters_ex, if the provided seed is too short,
8380   use a random seed, as already documented.
8381
8382   *Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>*
8383
8384### Changes between 1.0.1o and 1.0.1p [9 Jul 2015]
8385
8386 * Alternate chains certificate forgery
8387
8388   During certificate verification, OpenSSL will attempt to find an
8389   alternative certificate chain if the first attempt to build such a chain
8390   fails. An error in the implementation of this logic can mean that an
8391   attacker could cause certain checks on untrusted certificates to be
8392   bypassed, such as the CA flag, enabling them to use a valid leaf
8393   certificate to act as a CA and "issue" an invalid certificate.
8394
8395   This issue was reported to OpenSSL by Adam Langley/David Benjamin
8396   (Google/BoringSSL).
8397   ([CVE-2015-1793])
8398
8399   *Matt Caswell*
8400
8401 * Race condition handling PSK identify hint
8402
8403   If PSK identity hints are received by a multi-threaded client then
8404   the values are wrongly updated in the parent SSL_CTX structure. This can
8405   result in a race condition potentially leading to a double free of the
8406   identify hint data.
8407   ([CVE-2015-3196])
8408
8409   *Stephen Henson*
8410
8411### Changes between 1.0.1n and 1.0.1o [12 Jun 2015]
8412
8413 * Fix HMAC ABI incompatibility. The previous version introduced an ABI
8414   incompatibility in the handling of HMAC. The previous ABI has now been
8415   restored.
8416
8417### Changes between 1.0.1m and 1.0.1n [11 Jun 2015]
8418
8419 * Malformed ECParameters causes infinite loop
8420
8421   When processing an ECParameters structure OpenSSL enters an infinite loop
8422   if the curve specified is over a specially malformed binary polynomial
8423   field.
8424
8425   This can be used to perform denial of service against any
8426   system which processes public keys, certificate requests or
8427   certificates.  This includes TLS clients and TLS servers with
8428   client authentication enabled.
8429
8430   This issue was reported to OpenSSL by Joseph Barr-Pixton.
8431   ([CVE-2015-1788])
8432
8433   *Andy Polyakov*
8434
8435 * Exploitable out-of-bounds read in X509_cmp_time
8436
8437   X509_cmp_time does not properly check the length of the ASN1_TIME
8438   string and can read a few bytes out of bounds. In addition,
8439   X509_cmp_time accepts an arbitrary number of fractional seconds in the
8440   time string.
8441
8442   An attacker can use this to craft malformed certificates and CRLs of
8443   various sizes and potentially cause a segmentation fault, resulting in
8444   a DoS on applications that verify certificates or CRLs. TLS clients
8445   that verify CRLs are affected. TLS clients and servers with client
8446   authentication enabled may be affected if they use custom verification
8447   callbacks.
8448
8449   This issue was reported to OpenSSL by Robert Swiecki (Google), and
8450   independently by Hanno Böck.
8451   ([CVE-2015-1789])
8452
8453   *Emilia Käsper*
8454
8455 * PKCS7 crash with missing EnvelopedContent
8456
8457   The PKCS#7 parsing code does not handle missing inner EncryptedContent
8458   correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
8459   with missing content and trigger a NULL pointer dereference on parsing.
8460
8461   Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
8462   structures from untrusted sources are affected. OpenSSL clients and
8463   servers are not affected.
8464
8465   This issue was reported to OpenSSL by Michal Zalewski (Google).
8466   ([CVE-2015-1790])
8467
8468   *Emilia Käsper*
8469
8470 * CMS verify infinite loop with unknown hash function
8471
8472   When verifying a signedData message the CMS code can enter an infinite loop
8473   if presented with an unknown hash function OID. This can be used to perform
8474   denial of service against any system which verifies signedData messages using
8475   the CMS code.
8476   This issue was reported to OpenSSL by Johannes Bauer.
8477   ([CVE-2015-1792])
8478
8479   *Stephen Henson*
8480
8481 * Race condition handling NewSessionTicket
8482
8483   If a NewSessionTicket is received by a multi-threaded client when attempting to
8484   reuse a previous ticket then a race condition can occur potentially leading to
8485   a double free of the ticket data.
8486   ([CVE-2015-1791])
8487
8488   *Matt Caswell*
8489
8490 * Reject DH handshakes with parameters shorter than 768 bits.
8491
8492   *Kurt Roeckx and Emilia Kasper*
8493
8494 * dhparam: generate 2048-bit parameters by default.
8495
8496   *Kurt Roeckx and Emilia Kasper*
8497
8498### Changes between 1.0.1l and 1.0.1m [19 Mar 2015]
8499
8500 * Segmentation fault in ASN1_TYPE_cmp fix
8501
8502   The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
8503   made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
8504   certificate signature algorithm consistency this can be used to crash any
8505   certificate verification operation and exploited in a DoS attack. Any
8506   application which performs certificate verification is vulnerable including
8507   OpenSSL clients and servers which enable client authentication.
8508   ([CVE-2015-0286])
8509
8510   *Stephen Henson*
8511
8512 * ASN.1 structure reuse memory corruption fix
8513
8514   Reusing a structure in ASN.1 parsing may allow an attacker to cause
8515   memory corruption via an invalid write. Such reuse is and has been
8516   strongly discouraged and is believed to be rare.
8517
8518   Applications that parse structures containing CHOICE or ANY DEFINED BY
8519   components may be affected. Certificate parsing (d2i_X509 and related
8520   functions) are however not affected. OpenSSL clients and servers are
8521   not affected.
8522   ([CVE-2015-0287])
8523
8524   *Stephen Henson*
8525
8526 * PKCS7 NULL pointer dereferences fix
8527
8528   The PKCS#7 parsing code does not handle missing outer ContentInfo
8529   correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
8530   missing content and trigger a NULL pointer dereference on parsing.
8531
8532   Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or
8533   otherwise parse PKCS#7 structures from untrusted sources are
8534   affected. OpenSSL clients and servers are not affected.
8535
8536   This issue was reported to OpenSSL by Michal Zalewski (Google).
8537   ([CVE-2015-0289])
8538
8539   *Emilia Käsper*
8540
8541 * DoS via reachable assert in SSLv2 servers fix
8542
8543   A malicious client can trigger an OPENSSL_assert (i.e., an abort) in
8544   servers that both support SSLv2 and enable export cipher suites by sending
8545   a specially crafted SSLv2 CLIENT-MASTER-KEY message.
8546
8547   This issue was discovered by Sean Burford (Google) and Emilia Käsper
8548   (OpenSSL development team).
8549   ([CVE-2015-0293])
8550
8551   *Emilia Käsper*
8552
8553 * Use After Free following d2i_ECPrivatekey error fix
8554
8555   A malformed EC private key file consumed via the d2i_ECPrivateKey function
8556   could cause a use after free condition. This, in turn, could cause a double
8557   free in several private key parsing functions (such as d2i_PrivateKey
8558   or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
8559   for applications that receive EC private keys from untrusted
8560   sources. This scenario is considered rare.
8561
8562   This issue was discovered by the BoringSSL project and fixed in their
8563   commit 517073cd4b.
8564   ([CVE-2015-0209])
8565
8566   *Matt Caswell*
8567
8568 * X509_to_X509_REQ NULL pointer deref fix
8569
8570   The function X509_to_X509_REQ will crash with a NULL pointer dereference if
8571   the certificate key is invalid. This function is rarely used in practice.
8572
8573   This issue was discovered by Brian Carpenter.
8574   ([CVE-2015-0288])
8575
8576   *Stephen Henson*
8577
8578 * Removed the export ciphers from the DEFAULT ciphers
8579
8580   *Kurt Roeckx*
8581
8582### Changes between 1.0.1k and 1.0.1l [15 Jan 2015]
8583
8584 * Build fixes for the Windows and OpenVMS platforms
8585
8586   *Matt Caswell and Richard Levitte*
8587
8588### Changes between 1.0.1j and 1.0.1k [8 Jan 2015]
8589
8590 * Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS
8591   message can cause a segmentation fault in OpenSSL due to a NULL pointer
8592   dereference. This could lead to a Denial Of Service attack. Thanks to
8593   Markus Stenberg of Cisco Systems, Inc. for reporting this issue.
8594   ([CVE-2014-3571])
8595
8596   *Steve Henson*
8597
8598 * Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the
8599   dtls1_buffer_record function under certain conditions. In particular this
8600   could occur if an attacker sent repeated DTLS records with the same
8601   sequence number but for the next epoch. The memory leak could be exploited
8602   by an attacker in a Denial of Service attack through memory exhaustion.
8603   Thanks to Chris Mueller for reporting this issue.
8604   ([CVE-2015-0206])
8605
8606   *Matt Caswell*
8607
8608 * Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
8609   built with the no-ssl3 option and an SSL v3 ClientHello is received the ssl
8610   method would be set to NULL which could later result in a NULL pointer
8611   dereference. Thanks to Frank Schmirler for reporting this issue.
8612   ([CVE-2014-3569])
8613
8614   *Kurt Roeckx*
8615
8616 * Abort handshake if server key exchange message is omitted for ephemeral
8617   ECDH ciphersuites.
8618
8619   Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for
8620   reporting this issue.
8621   ([CVE-2014-3572])
8622
8623   *Steve Henson*
8624
8625 * Remove non-export ephemeral RSA code on client and server. This code
8626   violated the TLS standard by allowing the use of temporary RSA keys in
8627   non-export ciphersuites and could be used by a server to effectively
8628   downgrade the RSA key length used to a value smaller than the server
8629   certificate. Thanks for Karthikeyan Bhargavan of the PROSECCO team at
8630   INRIA or reporting this issue.
8631   ([CVE-2015-0204])
8632
8633   *Steve Henson*
8634
8635 * Fixed issue where DH client certificates are accepted without verification.
8636   An OpenSSL server will accept a DH certificate for client authentication
8637   without the certificate verify message. This effectively allows a client to
8638   authenticate without the use of a private key. This only affects servers
8639   which trust a client certificate authority which issues certificates
8640   containing DH keys: these are extremely rare and hardly ever encountered.
8641   Thanks for Karthikeyan Bhargavan of the PROSECCO team at INRIA or reporting
8642   this issue.
8643   ([CVE-2015-0205])
8644
8645   *Steve Henson*
8646
8647 * Ensure that the session ID context of an SSL is updated when its
8648   SSL_CTX is updated via SSL_set_SSL_CTX.
8649
8650   The session ID context is typically set from the parent SSL_CTX,
8651   and can vary with the CTX.
8652
8653   *Adam Langley*
8654
8655 * Fix various certificate fingerprint issues.
8656
8657   By using non-DER or invalid encodings outside the signed portion of a
8658   certificate the fingerprint can be changed without breaking the signature.
8659   Although no details of the signed portion of the certificate can be changed
8660   this can cause problems with some applications: e.g. those using the
8661   certificate fingerprint for blacklists.
8662
8663   1. Reject signatures with non zero unused bits.
8664
8665   If the BIT STRING containing the signature has non zero unused bits reject
8666   the signature. All current signature algorithms require zero unused bits.
8667
8668   2. Check certificate algorithm consistency.
8669
8670   Check the AlgorithmIdentifier inside TBS matches the one in the
8671   certificate signature. NB: this will result in signature failure
8672   errors for some broken certificates.
8673
8674   Thanks to Konrad Kraszewski from Google for reporting this issue.
8675
8676   3. Check DSA/ECDSA signatures use DER.
8677
8678   Re-encode DSA/ECDSA signatures and compare with the original received
8679   signature. Return an error if there is a mismatch.
8680
8681   This will reject various cases including garbage after signature
8682   (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
8683   program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
8684   (negative or with leading zeroes).
8685
8686   Further analysis was conducted and fixes were developed by Stephen Henson
8687   of the OpenSSL core team.
8688
8689   ([CVE-2014-8275])
8690
8691   *Steve Henson*
8692
8693 * Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
8694   results on some platforms, including x86_64. This bug occurs at random
8695   with a very low probability, and is not known to be exploitable in any
8696   way, though its exact impact is difficult to determine. Thanks to Pieter
8697   Wuille (Blockstream) who reported this issue and also suggested an initial
8698   fix. Further analysis was conducted by the OpenSSL development team and
8699   Adam Langley of Google. The final fix was developed by Andy Polyakov of
8700   the OpenSSL core team.
8701   ([CVE-2014-3570])
8702
8703   *Andy Polyakov*
8704
8705 * Do not resume sessions on the server if the negotiated protocol
8706   version does not match the session's version. Resuming with a different
8707   version, while not strictly forbidden by the RFC, is of questionable
8708   sanity and breaks all known clients.
8709
8710   *David Benjamin, Emilia Käsper*
8711
8712 * Tighten handling of the ChangeCipherSpec (CCS) message: reject
8713   early CCS messages during renegotiation. (Note that because
8714   renegotiation is encrypted, this early CCS was not exploitable.)
8715
8716   *Emilia Käsper*
8717
8718 * Tighten client-side session ticket handling during renegotiation:
8719   ensure that the client only accepts a session ticket if the server sends
8720   the extension anew in the ServerHello. Previously, a TLS client would
8721   reuse the old extension state and thus accept a session ticket if one was
8722   announced in the initial ServerHello.
8723
8724   Similarly, ensure that the client requires a session ticket if one
8725   was advertised in the ServerHello. Previously, a TLS client would
8726   ignore a missing NewSessionTicket message.
8727
8728   *Emilia Käsper*
8729
8730### Changes between 1.0.1i and 1.0.1j [15 Oct 2014]
8731
8732 * SRTP Memory Leak.
8733
8734   A flaw in the DTLS SRTP extension parsing code allows an attacker, who
8735   sends a carefully crafted handshake message, to cause OpenSSL to fail
8736   to free up to 64k of memory causing a memory leak. This could be
8737   exploited in a Denial Of Service attack. This issue affects OpenSSL
8738   1.0.1 server implementations for both SSL/TLS and DTLS regardless of
8739   whether SRTP is used or configured. Implementations of OpenSSL that
8740   have been compiled with OPENSSL_NO_SRTP defined are not affected.
8741
8742   The fix was developed by the OpenSSL team.
8743   ([CVE-2014-3513])
8744
8745   *OpenSSL team*
8746
8747 * Session Ticket Memory Leak.
8748
8749   When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
8750   integrity of that ticket is first verified. In the event of a session
8751   ticket integrity check failing, OpenSSL will fail to free memory
8752   causing a memory leak. By sending a large number of invalid session
8753   tickets an attacker could exploit this issue in a Denial Of Service
8754   attack.
8755   ([CVE-2014-3567])
8756
8757   *Steve Henson*
8758
8759 * Build option no-ssl3 is incomplete.
8760
8761   When OpenSSL is configured with "no-ssl3" as a build option, servers
8762   could accept and complete an SSL 3.0 handshake, and clients could be
8763   configured to send them.
8764   ([CVE-2014-3568])
8765
8766   *Akamai and the OpenSSL team*
8767
8768 * Add support for TLS_FALLBACK_SCSV.
8769   Client applications doing fallback retries should call
8770   SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
8771   ([CVE-2014-3566])
8772
8773   *Adam Langley, Bodo Moeller*
8774
8775 * Add additional DigestInfo checks.
8776
8777   Re-encode DigestInto in DER and check against the original when
8778   verifying RSA signature: this will reject any improperly encoded
8779   DigestInfo structures.
8780
8781   Note: this is a precautionary measure and no attacks are currently known.
8782
8783   *Steve Henson*
8784
8785### Changes between 1.0.1h and 1.0.1i [6 Aug 2014]
8786
8787 * Fix SRP buffer overrun vulnerability. Invalid parameters passed to the
8788   SRP code can be overrun an internal buffer. Add sanity check that
8789   g, A, B < N to SRP code.
8790
8791   Thanks to Sean Devlin and Watson Ladd of Cryptography Services, NCC
8792   Group for discovering this issue.
8793   ([CVE-2014-3512])
8794
8795   *Steve Henson*
8796
8797 * A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
8798   TLS 1.0 instead of higher protocol versions when the ClientHello message
8799   is badly fragmented. This allows a man-in-the-middle attacker to force a
8800   downgrade to TLS 1.0 even if both the server and the client support a
8801   higher protocol version, by modifying the client's TLS records.
8802
8803   Thanks to David Benjamin and Adam Langley (Google) for discovering and
8804   researching this issue.
8805   ([CVE-2014-3511])
8806
8807   *David Benjamin*
8808
8809 * OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject
8810   to a denial of service attack. A malicious server can crash the client
8811   with a null pointer dereference (read) by specifying an anonymous (EC)DH
8812   ciphersuite and sending carefully crafted handshake messages.
8813
8814   Thanks to Felix Gröbert (Google) for discovering and researching this
8815   issue.
8816   ([CVE-2014-3510])
8817
8818   *Emilia Käsper*
8819
8820 * By sending carefully crafted DTLS packets an attacker could cause openssl
8821   to leak memory. This can be exploited through a Denial of Service attack.
8822   Thanks to Adam Langley for discovering and researching this issue.
8823   ([CVE-2014-3507])
8824
8825   *Adam Langley*
8826
8827 * An attacker can force openssl to consume large amounts of memory whilst
8828   processing DTLS handshake messages. This can be exploited through a
8829   Denial of Service attack.
8830   Thanks to Adam Langley for discovering and researching this issue.
8831   ([CVE-2014-3506])
8832
8833   *Adam Langley*
8834
8835 * An attacker can force an error condition which causes openssl to crash
8836   whilst processing DTLS packets due to memory being freed twice. This
8837   can be exploited through a Denial of Service attack.
8838   Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
8839   this issue.
8840   ([CVE-2014-3505])
8841
8842   *Adam Langley*
8843
8844 * If a multithreaded client connects to a malicious server using a resumed
8845   session and the server sends an ec point format extension it could write
8846   up to 255 bytes to freed memory.
8847
8848   Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this
8849   issue.
8850   ([CVE-2014-3509])
8851
8852   *Gabor Tyukasz*
8853
8854 * A malicious server can crash an OpenSSL client with a null pointer
8855   dereference (read) by specifying an SRP ciphersuite even though it was not
8856   properly negotiated with the client. This can be exploited through a
8857   Denial of Service attack.
8858
8859   Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for
8860   discovering and researching this issue.
8861   ([CVE-2014-5139])
8862
8863   *Steve Henson*
8864
8865 * A flaw in OBJ_obj2txt may cause pretty printing functions such as
8866   X509_name_oneline, X509_name_print_ex et al. to leak some information
8867   from the stack. Applications may be affected if they echo pretty printing
8868   output to the attacker.
8869
8870   Thanks to Ivan Fratric (Google) for discovering this issue.
8871   ([CVE-2014-3508])
8872
8873   *Emilia Käsper, and Steve Henson*
8874
8875 * Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
8876   for corner cases. (Certain input points at infinity could lead to
8877   bogus results, with non-infinity inputs mapped to infinity too.)
8878
8879   *Bodo Moeller*
8880
8881### Changes between 1.0.1g and 1.0.1h [5 Jun 2014]
8882
8883 * Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
8884   handshake can force the use of weak keying material in OpenSSL
8885   SSL/TLS clients and servers.
8886
8887   Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
8888   researching this issue. ([CVE-2014-0224])
8889
8890   *KIKUCHI Masashi, Steve Henson*
8891
8892 * Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
8893   OpenSSL DTLS client the code can be made to recurse eventually crashing
8894   in a DoS attack.
8895
8896   Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
8897   ([CVE-2014-0221])
8898
8899   *Imre Rad, Steve Henson*
8900
8901 * Fix DTLS invalid fragment vulnerability. A buffer overrun attack can
8902   be triggered by sending invalid DTLS fragments to an OpenSSL DTLS
8903   client or server. This is potentially exploitable to run arbitrary
8904   code on a vulnerable client or server.
8905
8906   Thanks to Jüri Aedla for reporting this issue. ([CVE-2014-0195])
8907
8908   *Jüri Aedla, Steve Henson*
8909
8910 * Fix bug in TLS code where clients enable anonymous ECDH ciphersuites
8911   are subject to a denial of service attack.
8912
8913   Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
8914   this issue. ([CVE-2014-3470])
8915
8916   *Felix Gröbert, Ivan Fratric, Steve Henson*
8917
8918 * Harmonize version and its documentation. -f flag is used to display
8919   compilation flags.
8920
8921   *mancha <mancha1@zoho.com>*
8922
8923 * Fix eckey_priv_encode so it immediately returns an error upon a failure
8924   in i2d_ECPrivateKey.
8925
8926   *mancha <mancha1@zoho.com>*
8927
8928 * Fix some double frees. These are not thought to be exploitable.
8929
8930   *mancha <mancha1@zoho.com>*
8931
8932### Changes between 1.0.1f and 1.0.1g [7 Apr 2014]
8933
8934 * A missing bounds check in the handling of the TLS heartbeat extension
8935   can be used to reveal up to 64k of memory to a connected client or
8936   server.
8937
8938   Thanks for Neel Mehta of Google Security for discovering this bug and to
8939   Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
8940   preparing the fix ([CVE-2014-0160])
8941
8942   *Adam Langley, Bodo Moeller*
8943
8944 * Fix for the attack described in the paper "Recovering OpenSSL
8945   ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
8946   by Yuval Yarom and Naomi Benger. Details can be obtained from:
8947   <http://eprint.iacr.org/2014/140>
8948
8949   Thanks to Yuval Yarom and Naomi Benger for discovering this
8950   flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])
8951
8952   *Yuval Yarom and Naomi Benger*
8953
8954 * TLS pad extension: draft-agl-tls-padding-03
8955
8956   Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the
8957   TLS client Hello record length value would otherwise be > 255 and
8958   less that 512 pad with a dummy extension containing zeroes so it
8959   is at least 512 bytes long.
8960
8961   *Adam Langley, Steve Henson*
8962
8963### Changes between 1.0.1e and 1.0.1f [6 Jan 2014]
8964
8965 * Fix for TLS record tampering bug. A carefully crafted invalid
8966   handshake could crash OpenSSL with a NULL pointer exception.
8967   Thanks to Anton Johansson for reporting this issues.
8968   ([CVE-2013-4353])
8969
8970 * Keep original DTLS digest and encryption contexts in retransmission
8971   structures so we can use the previous session parameters if they need
8972   to be resent. ([CVE-2013-6450])
8973
8974   *Steve Henson*
8975
8976 * Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which
8977   avoids preferring ECDHE-ECDSA ciphers when the client appears to be
8978   Safari on OS X.  Safari on OS X 10.8..10.8.3 advertises support for
8979   several ECDHE-ECDSA ciphers, but fails to negotiate them.  The bug
8980   is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing
8981   10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer.
8982
8983   *Rob Stradling, Adam Langley*
8984
8985### Changes between 1.0.1d and 1.0.1e [11 Feb 2013]
8986
8987 * Correct fix for CVE-2013-0169. The original didn't work on AES-NI
8988   supporting platforms or when small records were transferred.
8989
8990   *Andy Polyakov, Steve Henson*
8991
8992### Changes between 1.0.1c and 1.0.1d [5 Feb 2013]
8993
8994 * Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
8995
8996   This addresses the flaw in CBC record processing discovered by
8997   Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
8998   at: <http://www.isg.rhul.ac.uk/tls/>
8999
9000   Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
9001   Security Group at Royal Holloway, University of London
9002   (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
9003   Emilia Käsper for the initial patch.
9004   ([CVE-2013-0169])
9005
9006   *Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson*
9007
9008 * Fix flaw in AESNI handling of TLS 1.2 and 1.1 records for CBC mode
9009   ciphersuites which can be exploited in a denial of service attack.
9010   Thanks go to and to Adam Langley <agl@chromium.org> for discovering
9011   and detecting this bug and to Wolfgang Ettlinger
9012   <wolfgang.ettlinger@gmail.com> for independently discovering this issue.
9013   ([CVE-2012-2686])
9014
9015   *Adam Langley*
9016
9017 * Return an error when checking OCSP signatures when key is NULL.
9018   This fixes a DoS attack. ([CVE-2013-0166])
9019
9020   *Steve Henson*
9021
9022 * Make openssl verify return errors.
9023
9024   *Chris Palmer <palmer@google.com> and Ben Laurie*
9025
9026 * Call OCSP Stapling callback after ciphersuite has been chosen, so
9027   the right response is stapled. Also change SSL_get_certificate()
9028   so it returns the certificate actually sent.
9029   See <http://rt.openssl.org/Ticket/Display.html?id=2836>.
9030
9031   *Rob Stradling <rob.stradling@comodo.com>*
9032
9033 * Fix possible deadlock when decoding public keys.
9034
9035   *Steve Henson*
9036
9037 * Don't use TLS 1.0 record version number in initial client hello
9038   if renegotiating.
9039
9040   *Steve Henson*
9041
9042### Changes between 1.0.1b and 1.0.1c [10 May 2012]
9043
9044 * Sanity check record length before skipping explicit IV in TLS
9045   1.2, 1.1 and DTLS to fix DoS attack.
9046
9047   Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
9048   fuzzing as a service testing platform.
9049   ([CVE-2012-2333])
9050
9051   *Steve Henson*
9052
9053 * Initialise tkeylen properly when encrypting CMS messages.
9054   Thanks to Solar Designer of Openwall for reporting this issue.
9055
9056   *Steve Henson*
9057
9058 * In FIPS mode don't try to use composite ciphers as they are not
9059   approved.
9060
9061   *Steve Henson*
9062
9063### Changes between 1.0.1a and 1.0.1b [26 Apr 2012]
9064
9065 * OpenSSL 1.0.0 sets SSL_OP_ALL to 0x80000FFFL and OpenSSL 1.0.1 and
9066   1.0.1a set SSL_OP_NO_TLSv1_1 to 0x00000400L which would unfortunately
9067   mean any application compiled against OpenSSL 1.0.0 headers setting
9068   SSL_OP_ALL would also set SSL_OP_NO_TLSv1_1, unintentionally disabling
9069   TLS 1.1 also. Fix this by changing the value of SSL_OP_NO_TLSv1_1 to
9070   0x10000000L Any application which was previously compiled against
9071   OpenSSL 1.0.1 or 1.0.1a headers and which cares about SSL_OP_NO_TLSv1_1
9072   will need to be recompiled as a result. Letting be results in
9073   inability to disable specifically TLS 1.1 and in client context,
9074   in unlike event, limit maximum offered version to TLS 1.0 [see below].
9075
9076   *Steve Henson*
9077
9078 * In order to ensure interoperability SSL_OP_NO_protocolX does not
9079   disable just protocol X, but all protocols above X *if* there are
9080   protocols *below* X still enabled. In more practical terms it means
9081   that if application wants to disable TLS1.0 in favor of TLS1.1 and
9082   above, it's not sufficient to pass `SSL_OP_NO_TLSv1`, one has to pass
9083   `SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2`. This applies to
9084   client side.
9085
9086   *Andy Polyakov*
9087
9088### Changes between 1.0.1 and 1.0.1a [19 Apr 2012]
9089
9090 * Check for potentially exploitable overflows in asn1_d2i_read_bio
9091   BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
9092   in CRYPTO_realloc_clean.
9093
9094   Thanks to Tavis Ormandy, Google Security Team, for discovering this
9095   issue and to Adam Langley <agl@chromium.org> for fixing it.
9096   ([CVE-2012-2110])
9097
9098   *Adam Langley (Google), Tavis Ormandy, Google Security Team*
9099
9100 * Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections.
9101
9102   *Adam Langley*
9103
9104 * Workarounds for some broken servers that "hang" if a client hello
9105   record length exceeds 255 bytes.
9106
9107   1. Do not use record version number > TLS 1.0 in initial client
9108      hello: some (but not all) hanging servers will now work.
9109   2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate
9110      the number of ciphers sent in the client hello. This should be
9111      set to an even number, such as 50, for example by passing:
9112      -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure.
9113      Most broken servers should now work.
9114   3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable
9115      TLS 1.2 client support entirely.
9116
9117   *Steve Henson*
9118
9119 * Fix SEGV in Vector Permutation AES module observed in OpenSSH.
9120
9121   *Andy Polyakov*
9122
9123### Changes between 1.0.0h and 1.0.1  [14 Mar 2012]
9124
9125 * Add compatibility with old MDC2 signatures which use an ASN1 OCTET
9126   STRING form instead of a DigestInfo.
9127
9128   *Steve Henson*
9129
9130 * The format used for MDC2 RSA signatures is inconsistent between EVP
9131   and the RSA_sign/RSA_verify functions. This was made more apparent when
9132   OpenSSL used RSA_sign/RSA_verify for some RSA signatures in particular
9133   those which went through EVP_PKEY_METHOD in 1.0.0 and later. Detect
9134   the correct format in RSA_verify so both forms transparently work.
9135
9136   *Steve Henson*
9137
9138 * Some servers which support TLS 1.0 can choke if we initially indicate
9139   support for TLS 1.2 and later renegotiate using TLS 1.0 in the RSA
9140   encrypted premaster secret. As a workaround use the maximum permitted
9141   client version in client hello, this should keep such servers happy
9142   and still work with previous versions of OpenSSL.
9143
9144   *Steve Henson*
9145
9146 * Add support for TLS/DTLS heartbeats.
9147
9148   *Robin Seggelmann <seggelmann@fh-muenster.de>*
9149
9150 * Add support for SCTP.
9151
9152   *Robin Seggelmann <seggelmann@fh-muenster.de>*
9153
9154 * Improved PRNG seeding for VOS.
9155
9156   *Paul Green <Paul.Green@stratus.com>*
9157
9158 * Extensive assembler packs updates, most notably:
9159
9160   - x86[_64]:     AES-NI, PCLMULQDQ, RDRAND support;
9161   - x86[_64]:     SSSE3 support (SHA1, vector-permutation AES);
9162   - x86_64:       bit-sliced AES implementation;
9163   - ARM:          NEON support, contemporary platforms optimizations;
9164   - s390x:        z196 support;
9165   - `*`:            GHASH and GF(2^m) multiplication implementations;
9166
9167   *Andy Polyakov*
9168
9169 * Make TLS-SRP code conformant with RFC 5054 API cleanup
9170   (removal of unnecessary code)
9171
9172   *Peter Sylvester <peter.sylvester@edelweb.fr>*
9173
9174 * Add TLS key material exporter from RFC 5705.
9175
9176   *Eric Rescorla*
9177
9178 * Add DTLS-SRTP negotiation from RFC 5764.
9179
9180   *Eric Rescorla*
9181
9182 * Add Next Protocol Negotiation,
9183   <http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-00>. Can be
9184   disabled with a no-npn flag to config or Configure. Code donated
9185   by Google.
9186
9187   *Adam Langley <agl@google.com> and Ben Laurie*
9188
9189 * Add optional 64-bit optimized implementations of elliptic curves NIST-P224,
9190   NIST-P256, NIST-P521, with constant-time single point multiplication on
9191   typical inputs. Compiler support for the nonstandard type `__uint128_t` is
9192   required to use this (present in gcc 4.4 and later, for 64-bit builds).
9193   Code made available under Apache License version 2.0.
9194
9195   Specify "enable-ec_nistp_64_gcc_128" on the Configure (or config) command
9196   line to include this in your build of OpenSSL, and run "make depend" (or
9197   "make update"). This enables the following EC_METHODs:
9198
9199           EC_GFp_nistp224_method()
9200           EC_GFp_nistp256_method()
9201           EC_GFp_nistp521_method()
9202
9203   EC_GROUP_new_by_curve_name() will automatically use these (while
9204   EC_GROUP_new_curve_GFp() currently prefers the more flexible
9205   implementations).
9206
9207   *Emilia Käsper, Adam Langley, Bodo Moeller (Google)*
9208
9209 * Use type ossl_ssize_t instead of ssize_t which isn't available on
9210   all platforms. Move ssize_t definition from e_os.h to the public
9211   header file e_os2.h as it now appears in public header file cms.h
9212
9213   *Steve Henson*
9214
9215 * New -sigopt option to the ca, req and x509 utilities. Additional
9216   signature parameters can be passed using this option and in
9217   particular PSS.
9218
9219   *Steve Henson*
9220
9221 * Add RSA PSS signing function. This will generate and set the
9222   appropriate AlgorithmIdentifiers for PSS based on those in the
9223   corresponding EVP_MD_CTX structure. No application support yet.
9224
9225   *Steve Henson*
9226
9227 * Support for companion algorithm specific ASN1 signing routines.
9228   New function ASN1_item_sign_ctx() signs a pre-initialised
9229   EVP_MD_CTX structure and sets AlgorithmIdentifiers based on
9230   the appropriate parameters.
9231
9232   *Steve Henson*
9233
9234 * Add new algorithm specific ASN1 verification initialisation function
9235   to EVP_PKEY_ASN1_METHOD: this is not in EVP_PKEY_METHOD since the ASN1
9236   handling will be the same no matter what EVP_PKEY_METHOD is used.
9237   Add a PSS handler to support verification of PSS signatures: checked
9238   against a number of sample certificates.
9239
9240   *Steve Henson*
9241
9242 * Add signature printing for PSS. Add PSS OIDs.
9243
9244   *Steve Henson, Martin Kaiser <lists@kaiser.cx>*
9245
9246 * Add algorithm specific signature printing. An individual ASN1 method
9247   can now print out signatures instead of the standard hex dump.
9248
9249   More complex signatures (e.g. PSS) can print out more meaningful
9250   information. Include DSA version that prints out the signature
9251   parameters r, s.
9252
9253   *Steve Henson*
9254
9255 * Password based recipient info support for CMS library: implementing
9256   RFC3211.
9257
9258   *Steve Henson*
9259
9260 * Split password based encryption into PBES2 and PBKDF2 functions. This
9261   neatly separates the code into cipher and PBE sections and is required
9262   for some algorithms that split PBES2 into separate pieces (such as
9263   password based CMS).
9264
9265   *Steve Henson*
9266
9267 * Session-handling fixes:
9268   - Fix handling of connections that are resuming with a session ID,
9269     but also support Session Tickets.
9270   - Fix a bug that suppressed issuing of a new ticket if the client
9271     presented a ticket with an expired session.
9272   - Try to set the ticket lifetime hint to something reasonable.
9273   - Make tickets shorter by excluding irrelevant information.
9274   - On the client side, don't ignore renewed tickets.
9275
9276   *Adam Langley, Bodo Moeller (Google)*
9277
9278 * Fix PSK session representation.
9279
9280   *Bodo Moeller*
9281
9282 * Add RC4-MD5 and AESNI-SHA1 "stitched" implementations.
9283
9284   This work was sponsored by Intel.
9285
9286   *Andy Polyakov*
9287
9288 * Add GCM support to TLS library. Some custom code is needed to split
9289   the IV between the fixed (from PRF) and explicit (from TLS record)
9290   portions. This adds all GCM ciphersuites supported by RFC5288 and
9291   RFC5289. Generalise some `AES*` cipherstrings to include GCM and
9292   add a special AESGCM string for GCM only.
9293
9294   *Steve Henson*
9295
9296 * Expand range of ctrls for AES GCM. Permit setting invocation
9297   field on decrypt and retrieval of invocation field only on encrypt.
9298
9299   *Steve Henson*
9300
9301 * Add HMAC ECC ciphersuites from RFC5289. Include SHA384 PRF support.
9302   As required by RFC5289 these ciphersuites cannot be used if for
9303   versions of TLS earlier than 1.2.
9304
9305   *Steve Henson*
9306
9307 * For FIPS capable OpenSSL interpret a NULL default public key method
9308   as unset and return the appropriate default but do *not* set the default.
9309   This means we can return the appropriate method in applications that
9310   switch between FIPS and non-FIPS modes.
9311
9312   *Steve Henson*
9313
9314 * Redirect HMAC and CMAC operations to FIPS module in FIPS mode. If an
9315   ENGINE is used then we cannot handle that in the FIPS module so we
9316   keep original code iff non-FIPS operations are allowed.
9317
9318   *Steve Henson*
9319
9320 * Add -attime option to openssl utilities.
9321
9322   *Peter Eckersley <pde@eff.org>, Ben Laurie and Steve Henson*
9323
9324 * Redirect DSA and DH operations to FIPS module in FIPS mode.
9325
9326   *Steve Henson*
9327
9328 * Redirect ECDSA and ECDH operations to FIPS module in FIPS mode. Also use
9329   FIPS EC methods unconditionally for now.
9330
9331   *Steve Henson*
9332
9333 * New build option no-ec2m to disable characteristic 2 code.
9334
9335   *Steve Henson*
9336
9337 * Backport libcrypto audit of return value checking from 1.1.0-dev; not
9338   all cases can be covered as some introduce binary incompatibilities.
9339
9340   *Steve Henson*
9341
9342 * Redirect RSA operations to FIPS module including keygen,
9343   encrypt, decrypt, sign and verify. Block use of non FIPS RSA methods.
9344
9345   *Steve Henson*
9346
9347 * Add similar low-level API blocking to ciphers.
9348
9349   *Steve Henson*
9350
9351 * low-level digest APIs are not approved in FIPS mode: any attempt
9352   to use these will cause a fatal error. Applications that *really* want
9353   to use them can use the `private_*` version instead.
9354
9355   *Steve Henson*
9356
9357 * Redirect cipher operations to FIPS module for FIPS builds.
9358
9359   *Steve Henson*
9360
9361 * Redirect digest operations to FIPS module for FIPS builds.
9362
9363   *Steve Henson*
9364
9365 * Update build system to add "fips" flag which will link in fipscanister.o
9366   for static and shared library builds embedding a signature if needed.
9367
9368   *Steve Henson*
9369
9370 * Output TLS supported curves in preference order instead of numerical
9371   order. This is currently hardcoded for the highest order curves first.
9372   This should be configurable so applications can judge speed vs strength.
9373
9374   *Steve Henson*
9375
9376 * Add TLS v1.2 server support for client authentication.
9377
9378   *Steve Henson*
9379
9380 * Add support for FIPS mode in ssl library: disable SSLv3, non-FIPS ciphers
9381   and enable MD5.
9382
9383   *Steve Henson*
9384
9385 * Functions FIPS_mode_set() and FIPS_mode() which call the underlying
9386   FIPS modules versions.
9387
9388   *Steve Henson*
9389
9390 * Add TLS v1.2 client side support for client authentication. Keep cache
9391   of handshake records longer as we don't know the hash algorithm to use
9392   until after the certificate request message is received.
9393
9394   *Steve Henson*
9395
9396 * Initial TLS v1.2 client support. Add a default signature algorithms
9397   extension including all the algorithms we support. Parse new signature
9398   format in client key exchange. Relax some ECC signing restrictions for
9399   TLS v1.2 as indicated in RFC5246.
9400
9401   *Steve Henson*
9402
9403 * Add server support for TLS v1.2 signature algorithms extension. Switch
9404   to new signature format when needed using client digest preference.
9405   All server ciphersuites should now work correctly in TLS v1.2. No client
9406   support yet and no support for client certificates.
9407
9408   *Steve Henson*
9409
9410 * Initial TLS v1.2 support. Add new SHA256 digest to ssl code, switch
9411   to SHA256 for PRF when using TLS v1.2 and later. Add new SHA256 based
9412   ciphersuites. At present only RSA key exchange ciphersuites work with
9413   TLS v1.2. Add new option for TLS v1.2 replacing the old and obsolete
9414   SSL_OP_PKCS1_CHECK flags with SSL_OP_NO_TLSv1_2. New TLSv1.2 methods
9415   and version checking.
9416
9417   *Steve Henson*
9418
9419 * New option OPENSSL_NO_SSL_INTERN. If an application can be compiled
9420   with this defined it will not be affected by any changes to ssl internal
9421   structures. Add several utility functions to allow openssl application
9422   to work with OPENSSL_NO_SSL_INTERN defined.
9423
9424   *Steve Henson*
9425
9426 * A long standing patch to add support for SRP from EdelWeb (Peter
9427   Sylvester and Christophe Renou) was integrated.
9428   *Christophe Renou <christophe.renou@edelweb.fr>, Peter Sylvester
9429   <peter.sylvester@edelweb.fr>, Tom Wu <tjw@cs.stanford.edu>, and
9430   Ben Laurie*
9431
9432 * Add functions to copy EVP_PKEY_METHOD and retrieve flags and id.
9433
9434   *Steve Henson*
9435
9436 * Permit abbreviated handshakes when renegotiating using the function
9437   SSL_renegotiate_abbreviated().
9438
9439   *Robin Seggelmann <seggelmann@fh-muenster.de>*
9440
9441 * Add call to ENGINE_register_all_complete() to
9442   ENGINE_load_builtin_engines(), so some implementations get used
9443   automatically instead of needing explicit application support.
9444
9445   *Steve Henson*
9446
9447 * Add support for TLS key exporter as described in RFC5705.
9448
9449   *Robin Seggelmann <seggelmann@fh-muenster.de>, Steve Henson*
9450
9451 * Initial TLSv1.1 support. Since TLSv1.1 is very similar to TLS v1.0 only
9452   a few changes are required:
9453
9454     Add SSL_OP_NO_TLSv1_1 flag.
9455     Add TLSv1_1 methods.
9456     Update version checking logic to handle version 1.1.
9457     Add explicit IV handling (ported from DTLS code).
9458     Add command line options to s_client/s_server.
9459
9460   *Steve Henson*
9461
9462OpenSSL 1.0.0
9463-------------
9464
9465### Changes between 1.0.0s and 1.0.0t [3 Dec 2015]
9466
9467 * X509_ATTRIBUTE memory leak
9468
9469   When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
9470   memory. This structure is used by the PKCS#7 and CMS routines so any
9471   application which reads PKCS#7 or CMS data from untrusted sources is
9472   affected. SSL/TLS is not affected.
9473
9474   This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using
9475   libFuzzer.
9476   ([CVE-2015-3195])
9477
9478   *Stephen Henson*
9479
9480 * Race condition handling PSK identify hint
9481
9482   If PSK identity hints are received by a multi-threaded client then
9483   the values are wrongly updated in the parent SSL_CTX structure. This can
9484   result in a race condition potentially leading to a double free of the
9485   identify hint data.
9486   ([CVE-2015-3196])
9487
9488   *Stephen Henson*
9489
9490### Changes between 1.0.0r and 1.0.0s [11 Jun 2015]
9491
9492 * Malformed ECParameters causes infinite loop
9493
9494   When processing an ECParameters structure OpenSSL enters an infinite loop
9495   if the curve specified is over a specially malformed binary polynomial
9496   field.
9497
9498   This can be used to perform denial of service against any
9499   system which processes public keys, certificate requests or
9500   certificates.  This includes TLS clients and TLS servers with
9501   client authentication enabled.
9502
9503   This issue was reported to OpenSSL by Joseph Barr-Pixton.
9504   ([CVE-2015-1788])
9505
9506   *Andy Polyakov*
9507
9508 * Exploitable out-of-bounds read in X509_cmp_time
9509
9510   X509_cmp_time does not properly check the length of the ASN1_TIME
9511   string and can read a few bytes out of bounds. In addition,
9512   X509_cmp_time accepts an arbitrary number of fractional seconds in the
9513   time string.
9514
9515   An attacker can use this to craft malformed certificates and CRLs of
9516   various sizes and potentially cause a segmentation fault, resulting in
9517   a DoS on applications that verify certificates or CRLs. TLS clients
9518   that verify CRLs are affected. TLS clients and servers with client
9519   authentication enabled may be affected if they use custom verification
9520   callbacks.
9521
9522   This issue was reported to OpenSSL by Robert Swiecki (Google), and
9523   independently by Hanno Böck.
9524   ([CVE-2015-1789])
9525
9526   *Emilia Käsper*
9527
9528 * PKCS7 crash with missing EnvelopedContent
9529
9530   The PKCS#7 parsing code does not handle missing inner EncryptedContent
9531   correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
9532   with missing content and trigger a NULL pointer dereference on parsing.
9533
9534   Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
9535   structures from untrusted sources are affected. OpenSSL clients and
9536   servers are not affected.
9537
9538   This issue was reported to OpenSSL by Michal Zalewski (Google).
9539   ([CVE-2015-1790])
9540
9541   *Emilia Käsper*
9542
9543 * CMS verify infinite loop with unknown hash function
9544
9545   When verifying a signedData message the CMS code can enter an infinite loop
9546   if presented with an unknown hash function OID. This can be used to perform
9547   denial of service against any system which verifies signedData messages using
9548   the CMS code.
9549   This issue was reported to OpenSSL by Johannes Bauer.
9550   ([CVE-2015-1792])
9551
9552   *Stephen Henson*
9553
9554 * Race condition handling NewSessionTicket
9555
9556   If a NewSessionTicket is received by a multi-threaded client when attempting to
9557   reuse a previous ticket then a race condition can occur potentially leading to
9558   a double free of the ticket data.
9559   ([CVE-2015-1791])
9560
9561   *Matt Caswell*
9562
9563### Changes between 1.0.0q and 1.0.0r [19 Mar 2015]
9564
9565 * Segmentation fault in ASN1_TYPE_cmp fix
9566
9567   The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
9568   made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
9569   certificate signature algorithm consistency this can be used to crash any
9570   certificate verification operation and exploited in a DoS attack. Any
9571   application which performs certificate verification is vulnerable including
9572   OpenSSL clients and servers which enable client authentication.
9573   ([CVE-2015-0286])
9574
9575   *Stephen Henson*
9576
9577 * ASN.1 structure reuse memory corruption fix
9578
9579   Reusing a structure in ASN.1 parsing may allow an attacker to cause
9580   memory corruption via an invalid write. Such reuse is and has been
9581   strongly discouraged and is believed to be rare.
9582
9583   Applications that parse structures containing CHOICE or ANY DEFINED BY
9584   components may be affected. Certificate parsing (d2i_X509 and related
9585   functions) are however not affected. OpenSSL clients and servers are
9586   not affected.
9587   ([CVE-2015-0287])
9588
9589   *Stephen Henson*
9590
9591 * PKCS7 NULL pointer dereferences fix
9592
9593   The PKCS#7 parsing code does not handle missing outer ContentInfo
9594   correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
9595   missing content and trigger a NULL pointer dereference on parsing.
9596
9597   Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or
9598   otherwise parse PKCS#7 structures from untrusted sources are
9599   affected. OpenSSL clients and servers are not affected.
9600
9601   This issue was reported to OpenSSL by Michal Zalewski (Google).
9602   ([CVE-2015-0289])
9603
9604   *Emilia Käsper*
9605
9606 * DoS via reachable assert in SSLv2 servers fix
9607
9608   A malicious client can trigger an OPENSSL_assert (i.e., an abort) in
9609   servers that both support SSLv2 and enable export cipher suites by sending
9610   a specially crafted SSLv2 CLIENT-MASTER-KEY message.
9611
9612   This issue was discovered by Sean Burford (Google) and Emilia Käsper
9613   (OpenSSL development team).
9614   ([CVE-2015-0293])
9615
9616   *Emilia Käsper*
9617
9618 * Use After Free following d2i_ECPrivatekey error fix
9619
9620   A malformed EC private key file consumed via the d2i_ECPrivateKey function
9621   could cause a use after free condition. This, in turn, could cause a double
9622   free in several private key parsing functions (such as d2i_PrivateKey
9623   or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
9624   for applications that receive EC private keys from untrusted
9625   sources. This scenario is considered rare.
9626
9627   This issue was discovered by the BoringSSL project and fixed in their
9628   commit 517073cd4b.
9629   ([CVE-2015-0209])
9630
9631   *Matt Caswell*
9632
9633 * X509_to_X509_REQ NULL pointer deref fix
9634
9635   The function X509_to_X509_REQ will crash with a NULL pointer dereference if
9636   the certificate key is invalid. This function is rarely used in practice.
9637
9638   This issue was discovered by Brian Carpenter.
9639   ([CVE-2015-0288])
9640
9641   *Stephen Henson*
9642
9643 * Removed the export ciphers from the DEFAULT ciphers
9644
9645   *Kurt Roeckx*
9646
9647### Changes between 1.0.0p and 1.0.0q [15 Jan 2015]
9648
9649 * Build fixes for the Windows and OpenVMS platforms
9650
9651   *Matt Caswell and Richard Levitte*
9652
9653### Changes between 1.0.0o and 1.0.0p [8 Jan 2015]
9654
9655 * Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS
9656   message can cause a segmentation fault in OpenSSL due to a NULL pointer
9657   dereference. This could lead to a Denial Of Service attack. Thanks to
9658   Markus Stenberg of Cisco Systems, Inc. for reporting this issue.
9659   ([CVE-2014-3571])
9660
9661   *Steve Henson*
9662
9663 * Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the
9664   dtls1_buffer_record function under certain conditions. In particular this
9665   could occur if an attacker sent repeated DTLS records with the same
9666   sequence number but for the next epoch. The memory leak could be exploited
9667   by an attacker in a Denial of Service attack through memory exhaustion.
9668   Thanks to Chris Mueller for reporting this issue.
9669   ([CVE-2015-0206])
9670
9671   *Matt Caswell*
9672
9673 * Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
9674   built with the no-ssl3 option and an SSL v3 ClientHello is received the ssl
9675   method would be set to NULL which could later result in a NULL pointer
9676   dereference. Thanks to Frank Schmirler for reporting this issue.
9677   ([CVE-2014-3569])
9678
9679   *Kurt Roeckx*
9680
9681 * Abort handshake if server key exchange message is omitted for ephemeral
9682   ECDH ciphersuites.
9683
9684   Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for
9685   reporting this issue.
9686   ([CVE-2014-3572])
9687
9688   *Steve Henson*
9689
9690 * Remove non-export ephemeral RSA code on client and server. This code
9691   violated the TLS standard by allowing the use of temporary RSA keys in
9692   non-export ciphersuites and could be used by a server to effectively
9693   downgrade the RSA key length used to a value smaller than the server
9694   certificate. Thanks for Karthikeyan Bhargavan of the PROSECCO team at
9695   INRIA or reporting this issue.
9696   ([CVE-2015-0204])
9697
9698   *Steve Henson*
9699
9700 * Fixed issue where DH client certificates are accepted without verification.
9701   An OpenSSL server will accept a DH certificate for client authentication
9702   without the certificate verify message. This effectively allows a client to
9703   authenticate without the use of a private key. This only affects servers
9704   which trust a client certificate authority which issues certificates
9705   containing DH keys: these are extremely rare and hardly ever encountered.
9706   Thanks for Karthikeyan Bhargavan of the PROSECCO team at INRIA or reporting
9707   this issue.
9708   ([CVE-2015-0205])
9709
9710   *Steve Henson*
9711
9712 * Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
9713   results on some platforms, including x86_64. This bug occurs at random
9714   with a very low probability, and is not known to be exploitable in any
9715   way, though its exact impact is difficult to determine. Thanks to Pieter
9716   Wuille (Blockstream) who reported this issue and also suggested an initial
9717   fix. Further analysis was conducted by the OpenSSL development team and
9718   Adam Langley of Google. The final fix was developed by Andy Polyakov of
9719   the OpenSSL core team.
9720   ([CVE-2014-3570])
9721
9722   *Andy Polyakov*
9723
9724 * Fix various certificate fingerprint issues.
9725
9726   By using non-DER or invalid encodings outside the signed portion of a
9727   certificate the fingerprint can be changed without breaking the signature.
9728   Although no details of the signed portion of the certificate can be changed
9729   this can cause problems with some applications: e.g. those using the
9730   certificate fingerprint for blacklists.
9731
9732   1. Reject signatures with non zero unused bits.
9733
9734   If the BIT STRING containing the signature has non zero unused bits reject
9735   the signature. All current signature algorithms require zero unused bits.
9736
9737   2. Check certificate algorithm consistency.
9738
9739   Check the AlgorithmIdentifier inside TBS matches the one in the
9740   certificate signature. NB: this will result in signature failure
9741   errors for some broken certificates.
9742
9743   Thanks to Konrad Kraszewski from Google for reporting this issue.
9744
9745   3. Check DSA/ECDSA signatures use DER.
9746
9747   Re-encode DSA/ECDSA signatures and compare with the original received
9748   signature. Return an error if there is a mismatch.
9749
9750   This will reject various cases including garbage after signature
9751   (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
9752   program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
9753   (negative or with leading zeroes).
9754
9755   Further analysis was conducted and fixes were developed by Stephen Henson
9756   of the OpenSSL core team.
9757
9758   ([CVE-2014-8275])
9759
9760   *Steve Henson*
9761
9762### Changes between 1.0.0n and 1.0.0o [15 Oct 2014]
9763
9764 * Session Ticket Memory Leak.
9765
9766   When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
9767   integrity of that ticket is first verified. In the event of a session
9768   ticket integrity check failing, OpenSSL will fail to free memory
9769   causing a memory leak. By sending a large number of invalid session
9770   tickets an attacker could exploit this issue in a Denial Of Service
9771   attack.
9772   ([CVE-2014-3567])
9773
9774   *Steve Henson*
9775
9776 * Build option no-ssl3 is incomplete.
9777
9778   When OpenSSL is configured with "no-ssl3" as a build option, servers
9779   could accept and complete an SSL 3.0 handshake, and clients could be
9780   configured to send them.
9781   ([CVE-2014-3568])
9782
9783   *Akamai and the OpenSSL team*
9784
9785 * Add support for TLS_FALLBACK_SCSV.
9786   Client applications doing fallback retries should call
9787   SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
9788   ([CVE-2014-3566])
9789
9790   *Adam Langley, Bodo Moeller*
9791
9792 * Add additional DigestInfo checks.
9793
9794   Re-encode DigestInto in DER and check against the original when
9795   verifying RSA signature: this will reject any improperly encoded
9796   DigestInfo structures.
9797
9798   Note: this is a precautionary measure and no attacks are currently known.
9799
9800   *Steve Henson*
9801
9802### Changes between 1.0.0m and 1.0.0n [6 Aug 2014]
9803
9804 * OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject
9805   to a denial of service attack. A malicious server can crash the client
9806   with a null pointer dereference (read) by specifying an anonymous (EC)DH
9807   ciphersuite and sending carefully crafted handshake messages.
9808
9809   Thanks to Felix Gröbert (Google) for discovering and researching this
9810   issue.
9811   ([CVE-2014-3510])
9812
9813   *Emilia Käsper*
9814
9815 * By sending carefully crafted DTLS packets an attacker could cause openssl
9816   to leak memory. This can be exploited through a Denial of Service attack.
9817   Thanks to Adam Langley for discovering and researching this issue.
9818   ([CVE-2014-3507])
9819
9820   *Adam Langley*
9821
9822 * An attacker can force openssl to consume large amounts of memory whilst
9823   processing DTLS handshake messages. This can be exploited through a
9824   Denial of Service attack.
9825   Thanks to Adam Langley for discovering and researching this issue.
9826   ([CVE-2014-3506])
9827
9828   *Adam Langley*
9829
9830 * An attacker can force an error condition which causes openssl to crash
9831   whilst processing DTLS packets due to memory being freed twice. This
9832   can be exploited through a Denial of Service attack.
9833   Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
9834   this issue.
9835   ([CVE-2014-3505])
9836
9837   *Adam Langley*
9838
9839 * If a multithreaded client connects to a malicious server using a resumed
9840   session and the server sends an ec point format extension it could write
9841   up to 255 bytes to freed memory.
9842
9843   Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this
9844   issue.
9845   ([CVE-2014-3509])
9846
9847   *Gabor Tyukasz*
9848
9849 * A flaw in OBJ_obj2txt may cause pretty printing functions such as
9850   X509_name_oneline, X509_name_print_ex et al. to leak some information
9851   from the stack. Applications may be affected if they echo pretty printing
9852   output to the attacker.
9853
9854   Thanks to Ivan Fratric (Google) for discovering this issue.
9855   ([CVE-2014-3508])
9856
9857   *Emilia Käsper, and Steve Henson*
9858
9859 * Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
9860   for corner cases. (Certain input points at infinity could lead to
9861   bogus results, with non-infinity inputs mapped to infinity too.)
9862
9863   *Bodo Moeller*
9864
9865### Changes between 1.0.0l and 1.0.0m [5 Jun 2014]
9866
9867 * Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
9868   handshake can force the use of weak keying material in OpenSSL
9869   SSL/TLS clients and servers.
9870
9871   Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
9872   researching this issue. ([CVE-2014-0224])
9873
9874   *KIKUCHI Masashi, Steve Henson*
9875
9876 * Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
9877   OpenSSL DTLS client the code can be made to recurse eventually crashing
9878   in a DoS attack.
9879
9880   Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
9881   ([CVE-2014-0221])
9882
9883   *Imre Rad, Steve Henson*
9884
9885 * Fix DTLS invalid fragment vulnerability. A buffer overrun attack can
9886   be triggered by sending invalid DTLS fragments to an OpenSSL DTLS
9887   client or server. This is potentially exploitable to run arbitrary
9888   code on a vulnerable client or server.
9889
9890   Thanks to Jüri Aedla for reporting this issue. ([CVE-2014-0195])
9891
9892   *Jüri Aedla, Steve Henson*
9893
9894 * Fix bug in TLS code where clients enable anonymous ECDH ciphersuites
9895   are subject to a denial of service attack.
9896
9897   Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
9898   this issue. ([CVE-2014-3470])
9899
9900   *Felix Gröbert, Ivan Fratric, Steve Henson*
9901
9902 * Harmonize version and its documentation. -f flag is used to display
9903   compilation flags.
9904
9905   *mancha <mancha1@zoho.com>*
9906
9907 * Fix eckey_priv_encode so it immediately returns an error upon a failure
9908   in i2d_ECPrivateKey.
9909
9910   *mancha <mancha1@zoho.com>*
9911
9912 * Fix some double frees. These are not thought to be exploitable.
9913
9914   *mancha <mancha1@zoho.com>*
9915
9916 * Fix for the attack described in the paper "Recovering OpenSSL
9917   ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
9918   by Yuval Yarom and Naomi Benger. Details can be obtained from:
9919   <http://eprint.iacr.org/2014/140>
9920
9921   Thanks to Yuval Yarom and Naomi Benger for discovering this
9922   flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])
9923
9924   *Yuval Yarom and Naomi Benger*
9925
9926### Changes between 1.0.0k and 1.0.0l [6 Jan 2014]
9927
9928 * Keep original DTLS digest and encryption contexts in retransmission
9929   structures so we can use the previous session parameters if they need
9930   to be resent. ([CVE-2013-6450])
9931
9932   *Steve Henson*
9933
9934 * Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which
9935   avoids preferring ECDHE-ECDSA ciphers when the client appears to be
9936   Safari on OS X.  Safari on OS X 10.8..10.8.3 advertises support for
9937   several ECDHE-ECDSA ciphers, but fails to negotiate them.  The bug
9938   is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing
9939   10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer.
9940
9941   *Rob Stradling, Adam Langley*
9942
9943### Changes between 1.0.0j and 1.0.0k [5 Feb 2013]
9944
9945 * Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
9946
9947   This addresses the flaw in CBC record processing discovered by
9948   Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
9949   at: <http://www.isg.rhul.ac.uk/tls/>
9950
9951   Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
9952   Security Group at Royal Holloway, University of London
9953   (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
9954   Emilia Käsper for the initial patch.
9955   ([CVE-2013-0169])
9956
9957   *Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson*
9958
9959 * Return an error when checking OCSP signatures when key is NULL.
9960   This fixes a DoS attack. ([CVE-2013-0166])
9961
9962   *Steve Henson*
9963
9964 * Call OCSP Stapling callback after ciphersuite has been chosen, so
9965   the right response is stapled. Also change SSL_get_certificate()
9966   so it returns the certificate actually sent.
9967   See <http://rt.openssl.org/Ticket/Display.html?id=2836>.
9968   (This is a backport)
9969
9970   *Rob Stradling <rob.stradling@comodo.com>*
9971
9972 * Fix possible deadlock when decoding public keys.
9973
9974   *Steve Henson*
9975
9976### Changes between 1.0.0i and 1.0.0j [10 May 2012]
9977
9978[NB: OpenSSL 1.0.0i and later 1.0.0 patch levels were released after
9979OpenSSL 1.0.1.]
9980
9981 * Sanity check record length before skipping explicit IV in DTLS
9982   to fix DoS attack.
9983
9984   Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
9985   fuzzing as a service testing platform.
9986   ([CVE-2012-2333])
9987
9988   *Steve Henson*
9989
9990 * Initialise tkeylen properly when encrypting CMS messages.
9991   Thanks to Solar Designer of Openwall for reporting this issue.
9992
9993   *Steve Henson*
9994
9995### Changes between 1.0.0h and 1.0.0i [19 Apr 2012]
9996
9997 * Check for potentially exploitable overflows in asn1_d2i_read_bio
9998   BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
9999   in CRYPTO_realloc_clean.
10000
10001   Thanks to Tavis Ormandy, Google Security Team, for discovering this
10002   issue and to Adam Langley <agl@chromium.org> for fixing it.
10003   ([CVE-2012-2110])
10004
10005   *Adam Langley (Google), Tavis Ormandy, Google Security Team*
10006
10007### Changes between 1.0.0g and 1.0.0h [12 Mar 2012]
10008
10009 * Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness
10010   in CMS and PKCS7 code. When RSA decryption fails use a random key for
10011   content decryption and always return the same error. Note: this attack
10012   needs on average 2^20 messages so it only affects automated senders. The
10013   old behaviour can be re-enabled in the CMS code by setting the
10014   CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where
10015   an MMA defence is not necessary.
10016   Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering
10017   this issue. ([CVE-2012-0884])
10018
10019   *Steve Henson*
10020
10021 * Fix CVE-2011-4619: make sure we really are receiving a
10022   client hello before rejecting multiple SGC restarts. Thanks to
10023   Ivan Nestlerode <inestlerode@us.ibm.com> for discovering this bug.
10024
10025   *Steve Henson*
10026
10027### Changes between 1.0.0f and 1.0.0g [18 Jan 2012]
10028
10029 * Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
10030   Thanks to Antonio Martin, Enterprise Secure Access Research and
10031   Development, Cisco Systems, Inc. for discovering this bug and
10032   preparing a fix. ([CVE-2012-0050])
10033
10034   *Antonio Martin*
10035
10036### Changes between 1.0.0e and 1.0.0f [4 Jan 2012]
10037
10038 * Nadhem Alfardan and Kenny Paterson have discovered an extension
10039   of the Vaudenay padding oracle attack on CBC mode encryption
10040   which enables an efficient plaintext recovery attack against
10041   the OpenSSL implementation of DTLS. Their attack exploits timing
10042   differences arising during decryption processing. A research
10043   paper describing this attack can be found at:
10044   <http://www.isg.rhul.ac.uk/~kp/dtls.pdf>
10045   Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
10046   Security Group at Royal Holloway, University of London
10047   (www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann
10048   <seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de>
10049   for preparing the fix. ([CVE-2011-4108])
10050
10051   *Robin Seggelmann, Michael Tuexen*
10052
10053 * Clear bytes used for block padding of SSL 3.0 records.
10054   ([CVE-2011-4576])
10055
10056   *Adam Langley (Google)*
10057
10058 * Only allow one SGC handshake restart for SSL/TLS. Thanks to George
10059   Kadianakis <desnacked@gmail.com> for discovering this issue and
10060   Adam Langley for preparing the fix. ([CVE-2011-4619])
10061
10062   *Adam Langley (Google)*
10063
10064 * Check parameters are not NULL in GOST ENGINE. ([CVE-2012-0027])
10065
10066   *Andrey Kulikov <amdeich@gmail.com>*
10067
10068 * Prevent malformed RFC3779 data triggering an assertion failure.
10069   Thanks to Andrew Chi, BBN Technologies, for discovering the flaw
10070   and Rob Austein <sra@hactrn.net> for fixing it. ([CVE-2011-4577])
10071
10072   *Rob Austein <sra@hactrn.net>*
10073
10074 * Improved PRNG seeding for VOS.
10075
10076   *Paul Green <Paul.Green@stratus.com>*
10077
10078 * Fix ssl_ciph.c set-up race.
10079
10080   *Adam Langley (Google)*
10081
10082 * Fix spurious failures in ecdsatest.c.
10083
10084   *Emilia Käsper (Google)*
10085
10086 * Fix the BIO_f_buffer() implementation (which was mixing different
10087   interpretations of the `..._len` fields).
10088
10089   *Adam Langley (Google)*
10090
10091 * Fix handling of BN_BLINDING: now BN_BLINDING_invert_ex (rather than
10092   BN_BLINDING_invert_ex) calls BN_BLINDING_update, ensuring that concurrent
10093   threads won't reuse the same blinding coefficients.
10094
10095   This also avoids the need to obtain the CRYPTO_LOCK_RSA_BLINDING
10096   lock to call BN_BLINDING_invert_ex, and avoids one use of
10097   BN_BLINDING_update for each BN_BLINDING structure (previously,
10098   the last update always remained unused).
10099
10100   *Emilia Käsper (Google)*
10101
10102 * In ssl3_clear, preserve s3->init_extra along with s3->rbuf.
10103
10104   *Bob Buckholz (Google)*
10105
10106### Changes between 1.0.0d and 1.0.0e [6 Sep 2011]
10107
10108 * Fix bug where CRLs with nextUpdate in the past are sometimes accepted
10109   by initialising X509_STORE_CTX properly. ([CVE-2011-3207])
10110
10111   *Kaspar Brand <ossl@velox.ch>*
10112
10113 * Fix SSL memory handling for (EC)DH ciphersuites, in particular
10114   for multi-threaded use of ECDH. ([CVE-2011-3210])
10115
10116   *Adam Langley (Google)*
10117
10118 * Fix x509_name_ex_d2i memory leak on bad inputs.
10119
10120   *Bodo Moeller*
10121
10122 * Remove hard coded ecdsaWithSHA1 signature tests in ssl code and check
10123   signature public key algorithm by using OID xref utilities instead.
10124   Before this you could only use some ECC ciphersuites with SHA1 only.
10125
10126   *Steve Henson*
10127
10128 * Add protection against ECDSA timing attacks as mentioned in the paper
10129   by Billy Bob Brumley and Nicola Tuveri, see:
10130   <http://eprint.iacr.org/2011/232.pdf>
10131
10132   *Billy Bob Brumley and Nicola Tuveri*
10133
10134### Changes between 1.0.0c and 1.0.0d [8 Feb 2011]
10135
10136 * Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014
10137
10138   *Neel Mehta, Adam Langley, Bodo Moeller (Google)*
10139
10140 * Fix bug in string printing code: if *any* escaping is enabled we must
10141   escape the escape character (backslash) or the resulting string is
10142   ambiguous.
10143
10144   *Steve Henson*
10145
10146### Changes between 1.0.0b and 1.0.0c  [2 Dec 2010]
10147
10148 * Disable code workaround for ancient and obsolete Netscape browsers
10149   and servers: an attacker can use it in a ciphersuite downgrade attack.
10150   Thanks to Martin Rex for discovering this bug. CVE-2010-4180
10151
10152   *Steve Henson*
10153
10154 * Fixed J-PAKE implementation error, originally discovered by
10155   Sebastien Martini, further info and confirmation from Stefan
10156   Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252
10157
10158   *Ben Laurie*
10159
10160### Changes between 1.0.0a and 1.0.0b  [16 Nov 2010]
10161
10162 * Fix extension code to avoid race conditions which can result in a buffer
10163   overrun vulnerability: resumed sessions must not be modified as they can
10164   be shared by multiple threads. CVE-2010-3864
10165
10166   *Steve Henson*
10167
10168 * Fix WIN32 build system to correctly link an ENGINE directory into
10169   a DLL.
10170
10171   *Steve Henson*
10172
10173### Changes between 1.0.0 and 1.0.0a  [01 Jun 2010]
10174
10175 * Check return value of int_rsa_verify in pkey_rsa_verifyrecover
10176   ([CVE-2010-1633])
10177
10178   *Steve Henson, Peter-Michael Hager <hager@dortmund.net>*
10179
10180### Changes between 0.9.8n and 1.0.0  [29 Mar 2010]
10181
10182 * Add "missing" function EVP_CIPHER_CTX_copy(). This copies a cipher
10183   context. The operation can be customised via the ctrl mechanism in
10184   case ENGINEs want to include additional functionality.
10185
10186   *Steve Henson*
10187
10188 * Tolerate yet another broken PKCS#8 key format: private key value negative.
10189
10190   *Steve Henson*
10191
10192 * Add new -subject_hash_old and -issuer_hash_old options to x509 utility to
10193   output hashes compatible with older versions of OpenSSL.
10194
10195   *Willy Weisz <weisz@vcpc.univie.ac.at>*
10196
10197 * Fix compression algorithm handling: if resuming a session use the
10198   compression algorithm of the resumed session instead of determining
10199   it from client hello again. Don't allow server to change algorithm.
10200
10201   *Steve Henson*
10202
10203 * Add load_crls() function to commands tidying load_certs() too. Add option
10204   to verify utility to allow additional CRLs to be included.
10205
10206   *Steve Henson*
10207
10208 * Update OCSP request code to permit adding custom headers to the request:
10209   some responders need this.
10210
10211   *Steve Henson*
10212
10213 * The function EVP_PKEY_sign() returns <=0 on error: check return code
10214   correctly.
10215
10216   *Julia Lawall <julia@diku.dk>*
10217
10218 * Update verify callback code in `apps/s_cb.c` and `apps/verify.c`, it
10219   needlessly dereferenced structures, used obsolete functions and
10220   didn't handle all updated verify codes correctly.
10221
10222   *Steve Henson*
10223
10224 * Disable MD2 in the default configuration.
10225
10226   *Steve Henson*
10227
10228 * In BIO_pop() and BIO_push() use the ctrl argument (which was NULL) to
10229   indicate the initial BIO being pushed or popped. This makes it possible
10230   to determine whether the BIO is the one explicitly called or as a result
10231   of the ctrl being passed down the chain. Fix BIO_pop() and SSL BIOs so
10232   it handles reference counts correctly and doesn't zero out the I/O bio
10233   when it is not being explicitly popped. WARNING: applications which
10234   included workarounds for the old buggy behaviour will need to be modified
10235   or they could free up already freed BIOs.
10236
10237   *Steve Henson*
10238
10239 * Extend the uni2asc/asc2uni => OPENSSL_uni2asc/OPENSSL_asc2uni
10240   renaming to all platforms (within the 0.9.8 branch, this was
10241   done conditionally on Netware platforms to avoid a name clash).
10242
10243   *Guenter <lists@gknw.net>*
10244
10245 * Add ECDHE and PSK support to DTLS.
10246
10247   *Michael Tuexen <tuexen@fh-muenster.de>*
10248
10249 * Add CHECKED_STACK_OF macro to safestack.h, otherwise safestack can't
10250   be used on C++.
10251
10252   *Steve Henson*
10253
10254 * Add "missing" function EVP_MD_flags() (without this the only way to
10255   retrieve a digest flags is by accessing the structure directly. Update
10256   `EVP_MD_do_all*()` and `EVP_CIPHER_do_all*()` to include the name a digest
10257   or cipher is registered as in the "from" argument. Print out all
10258   registered digests in the dgst usage message instead of manually
10259   attempting to work them out.
10260
10261   *Steve Henson*
10262
10263 * If no SSLv2 ciphers are used don't use an SSLv2 compatible client hello:
10264   this allows the use of compression and extensions. Change default cipher
10265   string to remove SSLv2 ciphersuites. This effectively avoids ancient SSLv2
10266   by default unless an application cipher string requests it.
10267
10268   *Steve Henson*
10269
10270 * Alter match criteria in PKCS12_parse(). It used to try to use local
10271   key ids to find matching certificates and keys but some PKCS#12 files
10272   don't follow the (somewhat unwritten) rules and this strategy fails.
10273   Now just gather all certificates together and the first private key
10274   then look for the first certificate that matches the key.
10275
10276   *Steve Henson*
10277
10278 * Support use of registered digest and cipher names for dgst and cipher
10279   commands instead of having to add each one as a special case. So now
10280   you can do:
10281
10282           openssl sha256 foo
10283
10284   as well as:
10285
10286           openssl dgst -sha256 foo
10287
10288   and this works for ENGINE based algorithms too.
10289
10290   *Steve Henson*
10291
10292 * Update Gost ENGINE to support parameter files.
10293
10294   *Victor B. Wagner <vitus@cryptocom.ru>*
10295
10296 * Support GeneralizedTime in ca utility.
10297
10298   *Oliver Martin <oliver@volatilevoid.net>, Steve Henson*
10299
10300 * Enhance the hash format used for certificate directory links. The new
10301   form uses the canonical encoding (meaning equivalent names will work
10302   even if they aren't identical) and uses SHA1 instead of MD5. This form
10303   is incompatible with the older format and as a result c_rehash should
10304   be used to rebuild symbolic links.
10305
10306   *Steve Henson*
10307
10308 * Make PKCS#8 the default write format for private keys, replacing the
10309   traditional format. This form is standardised, more secure and doesn't
10310   include an implicit MD5 dependency.
10311
10312   *Steve Henson*
10313
10314 * Add a $gcc_devteam_warn option to Configure. The idea is that any code
10315   committed to OpenSSL should pass this lot as a minimum.
10316
10317   *Steve Henson*
10318
10319 * Add session ticket override functionality for use by EAP-FAST.
10320
10321   *Jouni Malinen <j@w1.fi>*
10322
10323 * Modify HMAC functions to return a value. Since these can be implemented
10324   in an ENGINE errors can occur.
10325
10326   *Steve Henson*
10327
10328 * Type-checked OBJ_bsearch_ex.
10329
10330   *Ben Laurie*
10331
10332 * Type-checked OBJ_bsearch. Also some constification necessitated
10333   by type-checking.  Still to come: TXT_DB, bsearch(?),
10334   OBJ_bsearch_ex, qsort, CRYPTO_EX_DATA, ASN1_VALUE, ASN1_STRING,
10335   CONF_VALUE.
10336
10337   *Ben Laurie*
10338
10339 * New function OPENSSL_gmtime_adj() to add a specific number of days and
10340   seconds to a tm structure directly, instead of going through OS
10341   specific date routines. This avoids any issues with OS routines such
10342   as the year 2038 bug. New `*_adj()` functions for ASN1 time structures
10343   and X509_time_adj_ex() to cover the extended range. The existing
10344   X509_time_adj() is still usable and will no longer have any date issues.
10345
10346   *Steve Henson*
10347
10348 * Delta CRL support. New use deltas option which will attempt to locate
10349   and search any appropriate delta CRLs available.
10350
10351   This work was sponsored by Google.
10352
10353   *Steve Henson*
10354
10355 * Support for CRLs partitioned by reason code. Reorganise CRL processing
10356   code and add additional score elements. Validate alternate CRL paths
10357   as part of the CRL checking and indicate a new error "CRL path validation
10358   error" in this case. Applications wanting additional details can use
10359   the verify callback and check the new "parent" field. If this is not
10360   NULL CRL path validation is taking place. Existing applications won't
10361   see this because it requires extended CRL support which is off by
10362   default.
10363
10364   This work was sponsored by Google.
10365
10366   *Steve Henson*
10367
10368 * Support for freshest CRL extension.
10369
10370   This work was sponsored by Google.
10371
10372   *Steve Henson*
10373
10374 * Initial indirect CRL support. Currently only supported in the CRLs
10375   passed directly and not via lookup. Process certificate issuer
10376   CRL entry extension and lookup CRL entries by bother issuer name
10377   and serial number. Check and process CRL issuer entry in IDP extension.
10378
10379   This work was sponsored by Google.
10380
10381   *Steve Henson*
10382
10383 * Add support for distinct certificate and CRL paths. The CRL issuer
10384   certificate is validated separately in this case. Only enabled if
10385   an extended CRL support flag is set: this flag will enable additional
10386   CRL functionality in future.
10387
10388   This work was sponsored by Google.
10389
10390   *Steve Henson*
10391
10392 * Add support for policy mappings extension.
10393
10394   This work was sponsored by Google.
10395
10396   *Steve Henson*
10397
10398 * Fixes to pathlength constraint, self issued certificate handling,
10399   policy processing to align with RFC3280 and PKITS tests.
10400
10401   This work was sponsored by Google.
10402
10403   *Steve Henson*
10404
10405 * Support for name constraints certificate extension. DN, email, DNS
10406   and URI types are currently supported.
10407
10408   This work was sponsored by Google.
10409
10410   *Steve Henson*
10411
10412 * To cater for systems that provide a pointer-based thread ID rather
10413   than numeric, deprecate the current numeric thread ID mechanism and
10414   replace it with a structure and associated callback type. This
10415   mechanism allows a numeric "hash" to be extracted from a thread ID in
10416   either case, and on platforms where pointers are larger than 'long',
10417   mixing is done to help ensure the numeric 'hash' is usable even if it
10418   can't be guaranteed unique. The default mechanism is to use "&errno"
10419   as a pointer-based thread ID to distinguish between threads.
10420
10421   Applications that want to provide their own thread IDs should now use
10422   CRYPTO_THREADID_set_callback() to register a callback that will call
10423   either CRYPTO_THREADID_set_numeric() or CRYPTO_THREADID_set_pointer().
10424
10425   Note that ERR_remove_state() is now deprecated, because it is tied
10426   to the assumption that thread IDs are numeric.  ERR_remove_state(0)
10427   to free the current thread's error state should be replaced by
10428   ERR_remove_thread_state(NULL).
10429
10430   (This new approach replaces the functions CRYPTO_set_idptr_callback(),
10431   CRYPTO_get_idptr_callback(), and CRYPTO_thread_idptr() that existed in
10432   OpenSSL 0.9.9-dev between June 2006 and August 2008. Also, if an
10433   application was previously providing a numeric thread callback that
10434   was inappropriate for distinguishing threads, then uniqueness might
10435   have been obtained with &errno that happened immediately in the
10436   intermediate development versions of OpenSSL; this is no longer the
10437   case, the numeric thread callback will now override the automatic use
10438   of &errno.)
10439
10440   *Geoff Thorpe, with help from Bodo Moeller*
10441
10442 * Initial support for different CRL issuing certificates. This covers a
10443   simple case where the self issued certificates in the chain exist and
10444   the real CRL issuer is higher in the existing chain.
10445
10446   This work was sponsored by Google.
10447
10448   *Steve Henson*
10449
10450 * Removed effectively defunct crypto/store from the build.
10451
10452   *Ben Laurie*
10453
10454 * Revamp of STACK to provide stronger type-checking. Still to come:
10455   TXT_DB, bsearch(?), OBJ_bsearch, qsort, CRYPTO_EX_DATA, ASN1_VALUE,
10456   ASN1_STRING, CONF_VALUE.
10457
10458   *Ben Laurie*
10459
10460 * Add a new SSL_MODE_RELEASE_BUFFERS mode flag to release unused buffer
10461   RAM on SSL connections.  This option can save about 34k per idle SSL.
10462
10463   *Nick Mathewson*
10464
10465 * Revamp of LHASH to provide stronger type-checking. Still to come:
10466   STACK, TXT_DB, bsearch, qsort.
10467
10468   *Ben Laurie*
10469
10470 * Initial support for Cryptographic Message Syntax (aka CMS) based
10471   on RFC3850, RFC3851 and RFC3852. New cms directory and cms utility,
10472   support for data, signedData, compressedData, digestedData and
10473   encryptedData, envelopedData types included. Scripts to check against
10474   RFC4134 examples draft and interop and consistency checks of many
10475   content types and variants.
10476
10477   *Steve Henson*
10478
10479 * Add options to enc utility to support use of zlib compression BIO.
10480
10481   *Steve Henson*
10482
10483 * Extend mk1mf to support importing of options and assembly language
10484   files from Configure script, currently only included in VC-WIN32.
10485   The assembly language rules can now optionally generate the source
10486   files from the associated perl scripts.
10487
10488   *Steve Henson*
10489
10490 * Implement remaining functionality needed to support GOST ciphersuites.
10491   Interop testing has been performed using CryptoPro implementations.
10492
10493   *Victor B. Wagner <vitus@cryptocom.ru>*
10494
10495 * s390x assembler pack.
10496
10497   *Andy Polyakov*
10498
10499 * ARMv4 assembler pack. ARMv4 refers to v4 and later ISA, not CPU
10500   "family."
10501
10502   *Andy Polyakov*
10503
10504 * Implement Opaque PRF Input TLS extension as specified in
10505   draft-rescorla-tls-opaque-prf-input-00.txt.  Since this is not an
10506   official specification yet and no extension type assignment by
10507   IANA exists, this extension (for now) will have to be explicitly
10508   enabled when building OpenSSL by providing the extension number
10509   to use.  For example, specify an option
10510
10511           -DTLSEXT_TYPE_opaque_prf_input=0x9527
10512
10513   to the "config" or "Configure" script to enable the extension,
10514   assuming extension number 0x9527 (which is a completely arbitrary
10515   and unofficial assignment based on the MD5 hash of the Internet
10516   Draft).  Note that by doing so, you potentially lose
10517   interoperability with other TLS implementations since these might
10518   be using the same extension number for other purposes.
10519
10520   SSL_set_tlsext_opaque_prf_input(ssl, src, len) is used to set the
10521   opaque PRF input value to use in the handshake.  This will create
10522   an internal copy of the length-'len' string at 'src', and will
10523   return non-zero for success.
10524
10525   To get more control and flexibility, provide a callback function
10526   by using
10527
10528           SSL_CTX_set_tlsext_opaque_prf_input_callback(ctx, cb)
10529           SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(ctx, arg)
10530
10531   where
10532
10533           int (*cb)(SSL *, void *peerinput, size_t len, void *arg);
10534           void *arg;
10535
10536   Callback function 'cb' will be called in handshakes, and is
10537   expected to use SSL_set_tlsext_opaque_prf_input() as appropriate.
10538   Argument 'arg' is for application purposes (the value as given to
10539   SSL_CTX_set_tlsext_opaque_prf_input_callback_arg() will directly
10540   be provided to the callback function).  The callback function
10541   has to return non-zero to report success: usually 1 to use opaque
10542   PRF input just if possible, or 2 to enforce use of the opaque PRF
10543   input.  In the latter case, the library will abort the handshake
10544   if opaque PRF input is not successfully negotiated.
10545
10546   Arguments 'peerinput' and 'len' given to the callback function
10547   will always be NULL and 0 in the case of a client.  A server will
10548   see the client's opaque PRF input through these variables if
10549   available (NULL and 0 otherwise).  Note that if the server
10550   provides an opaque PRF input, the length must be the same as the
10551   length of the client's opaque PRF input.
10552
10553   Note that the callback function will only be called when creating
10554   a new session (session resumption can resume whatever was
10555   previously negotiated), and will not be called in SSL 2.0
10556   handshakes; thus, SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) or
10557   SSL_set_options(ssl, SSL_OP_NO_SSLv2) is especially recommended
10558   for applications that need to enforce opaque PRF input.
10559
10560   *Bodo Moeller*
10561
10562 * Update ssl code to support digests other than SHA1+MD5 for handshake
10563   MAC.
10564
10565   *Victor B. Wagner <vitus@cryptocom.ru>*
10566
10567 * Add RFC4507 support to OpenSSL. This includes the corrections in
10568   RFC4507bis. The encrypted ticket format is an encrypted encoded
10569   SSL_SESSION structure, that way new session features are automatically
10570   supported.
10571
10572   If a client application caches session in an SSL_SESSION structure
10573   support is transparent because tickets are now stored in the encoded
10574   SSL_SESSION.
10575
10576   The SSL_CTX structure automatically generates keys for ticket
10577   protection in servers so again support should be possible
10578   with no application modification.
10579
10580   If a client or server wishes to disable RFC4507 support then the option
10581   SSL_OP_NO_TICKET can be set.
10582
10583   Add a TLS extension debugging callback to allow the contents of any client
10584   or server extensions to be examined.
10585
10586   This work was sponsored by Google.
10587
10588   *Steve Henson*
10589
10590 * Final changes to avoid use of pointer pointer casts in OpenSSL.
10591   OpenSSL should now compile cleanly on gcc 4.2
10592
10593   *Peter Hartley <pdh@utter.chaos.org.uk>, Steve Henson*
10594
10595 * Update SSL library to use new EVP_PKEY MAC API. Include generic MAC
10596   support including streaming MAC support: this is required for GOST
10597   ciphersuite support.
10598
10599   *Victor B. Wagner <vitus@cryptocom.ru>, Steve Henson*
10600
10601 * Add option -stream to use PKCS#7 streaming in smime utility. New
10602   function i2d_PKCS7_bio_stream() and PEM_write_PKCS7_bio_stream()
10603   to output in BER and PEM format.
10604
10605   *Steve Henson*
10606
10607 * Experimental support for use of HMAC via EVP_PKEY interface. This
10608   allows HMAC to be handled via the `EVP_DigestSign*()` interface. The
10609   EVP_PKEY "key" in this case is the HMAC key, potentially allowing
10610   ENGINE support for HMAC keys which are unextractable. New -mac and
10611   -macopt options to dgst utility.
10612
10613   *Steve Henson*
10614
10615 * New option -sigopt to dgst utility. Update dgst to use
10616   `EVP_Digest{Sign,Verify}*`. These two changes make it possible to use
10617   alternative signing parameters such as X9.31 or PSS in the dgst
10618   utility.
10619
10620   *Steve Henson*
10621
10622 * Change ssl_cipher_apply_rule(), the internal function that does
10623   the work each time a ciphersuite string requests enabling
10624   ("foo+bar"), moving ("+foo+bar"), disabling ("-foo+bar", or
10625   removing ("!foo+bar") a class of ciphersuites: Now it maintains
10626   the order of disabled ciphersuites such that those ciphersuites
10627   that most recently went from enabled to disabled not only stay
10628   in order with respect to each other, but also have higher priority
10629   than other disabled ciphersuites the next time ciphersuites are
10630   enabled again.
10631
10632   This means that you can now say, e.g., "PSK:-PSK:HIGH" to enable
10633   the same ciphersuites as with "HIGH" alone, but in a specific
10634   order where the PSK ciphersuites come first (since they are the
10635   most recently disabled ciphersuites when "HIGH" is parsed).
10636
10637   Also, change ssl_create_cipher_list() (using this new
10638   functionality) such that between otherwise identical
10639   ciphersuites, ephemeral ECDH is preferred over ephemeral DH in
10640   the default order.
10641
10642   *Bodo Moeller*
10643
10644 * Change ssl_create_cipher_list() so that it automatically
10645   arranges the ciphersuites in reasonable order before starting
10646   to process the rule string.  Thus, the definition for "DEFAULT"
10647   (SSL_DEFAULT_CIPHER_LIST) now is just "ALL:!aNULL:!eNULL", but
10648   remains equivalent to `"AES:ALL:!aNULL:!eNULL:+aECDH:+kRSA:+RC4:@STRENGTH"`.
10649   This makes it much easier to arrive at a reasonable default order
10650   in applications for which anonymous ciphers are OK (meaning
10651   that you can't actually use DEFAULT).
10652
10653   *Bodo Moeller; suggested by Victor Duchovni*
10654
10655 * Split the SSL/TLS algorithm mask (as used for ciphersuite string
10656   processing) into multiple integers instead of setting
10657   "SSL_MKEY_MASK" bits, "SSL_AUTH_MASK" bits, "SSL_ENC_MASK",
10658   "SSL_MAC_MASK", and "SSL_SSL_MASK" bits all in a single integer.
10659   (These masks as well as the individual bit definitions are hidden
10660   away into the non-exported interface ssl/ssl_locl.h, so this
10661   change to the definition of the SSL_CIPHER structure shouldn't
10662   affect applications.)  This give us more bits for each of these
10663   categories, so there is no longer a need to coagulate AES128 and
10664   AES256 into a single algorithm bit, and to coagulate Camellia128
10665   and Camellia256 into a single algorithm bit, which has led to all
10666   kinds of kludges.
10667
10668   Thus, among other things, the kludge introduced in 0.9.7m and
10669   0.9.8e for masking out AES256 independently of AES128 or masking
10670   out Camellia256 independently of AES256 is not needed here in 0.9.9.
10671
10672   With the change, we also introduce new ciphersuite aliases that
10673   so far were missing: "AES128", "AES256", "CAMELLIA128", and
10674   "CAMELLIA256".
10675
10676   *Bodo Moeller*
10677
10678 * Add support for dsa-with-SHA224 and dsa-with-SHA256.
10679   Use the leftmost N bytes of the signature input if the input is
10680   larger than the prime q (with N being the size in bytes of q).
10681
10682   *Nils Larsch*
10683
10684 * Very *very* experimental PKCS#7 streaming encoder support. Nothing uses
10685   it yet and it is largely untested.
10686
10687   *Steve Henson*
10688
10689 * Add support for the ecdsa-with-SHA224/256/384/512 signature types.
10690
10691   *Nils Larsch*
10692
10693 * Initial incomplete changes to avoid need for function casts in OpenSSL
10694   some compilers (gcc 4.2 and later) reject their use. Safestack is
10695   reimplemented.  Update ASN1 to avoid use of legacy functions.
10696
10697   *Steve Henson*
10698
10699 * Win32/64 targets are linked with Winsock2.
10700
10701   *Andy Polyakov*
10702
10703 * Add an X509_CRL_METHOD structure to allow CRL processing to be redirected
10704   to external functions. This can be used to increase CRL handling
10705   efficiency especially when CRLs are very large by (for example) storing
10706   the CRL revoked certificates in a database.
10707
10708   *Steve Henson*
10709
10710 * Overhaul of by_dir code. Add support for dynamic loading of CRLs so
10711   new CRLs added to a directory can be used. New command line option
10712   -verify_return_error to s_client and s_server. This causes real errors
10713   to be returned by the verify callback instead of carrying on no matter
10714   what. This reflects the way a "real world" verify callback would behave.
10715
10716   *Steve Henson*
10717
10718 * GOST engine, supporting several GOST algorithms and public key formats.
10719   Kindly donated by Cryptocom.
10720
10721   *Cryptocom*
10722
10723 * Partial support for Issuing Distribution Point CRL extension. CRLs
10724   partitioned by DP are handled but no indirect CRL or reason partitioning
10725   (yet). Complete overhaul of CRL handling: now the most suitable CRL is
10726   selected via a scoring technique which handles IDP and AKID in CRLs.
10727
10728   *Steve Henson*
10729
10730 * New X509_STORE_CTX callbacks lookup_crls() and lookup_certs() which
10731   will ultimately be used for all verify operations: this will remove the
10732   X509_STORE dependency on certificate verification and allow alternative
10733   lookup methods.  X509_STORE based implementations of these two callbacks.
10734
10735   *Steve Henson*
10736
10737 * Allow multiple CRLs to exist in an X509_STORE with matching issuer names.
10738   Modify get_crl() to find a valid (unexpired) CRL if possible.
10739
10740   *Steve Henson*
10741
10742 * New function X509_CRL_match() to check if two CRLs are identical. Normally
10743   this would be called X509_CRL_cmp() but that name is already used by
10744   a function that just compares CRL issuer names. Cache several CRL
10745   extensions in X509_CRL structure and cache CRLDP in X509.
10746
10747   *Steve Henson*
10748
10749 * Store a "canonical" representation of X509_NAME structure (ASN1 Name)
10750   this maps equivalent X509_NAME structures into a consistent structure.
10751   Name comparison can then be performed rapidly using memcmp().
10752
10753   *Steve Henson*
10754
10755 * Non-blocking OCSP request processing. Add -timeout option to ocsp
10756   utility.
10757
10758   *Steve Henson*
10759
10760 * Allow digests to supply their own micalg string for S/MIME type using
10761   the ctrl EVP_MD_CTRL_MICALG.
10762
10763   *Steve Henson*
10764
10765 * During PKCS7 signing pass the PKCS7 SignerInfo structure to the
10766   EVP_PKEY_METHOD before and after signing via the EVP_PKEY_CTRL_PKCS7_SIGN
10767   ctrl. It can then customise the structure before and/or after signing
10768   if necessary.
10769
10770   *Steve Henson*
10771
10772 * New function OBJ_add_sigid() to allow application defined signature OIDs
10773   to be added to OpenSSLs internal tables. New function OBJ_sigid_free()
10774   to free up any added signature OIDs.
10775
10776   *Steve Henson*
10777
10778 * New functions EVP_CIPHER_do_all(), EVP_CIPHER_do_all_sorted(),
10779   EVP_MD_do_all() and EVP_MD_do_all_sorted() to enumerate internal
10780   digest and cipher tables. New options added to openssl utility:
10781   list-message-digest-algorithms and list-cipher-algorithms.
10782
10783   *Steve Henson*
10784
10785 * Change the array representation of binary polynomials: the list
10786   of degrees of non-zero coefficients is now terminated with -1.
10787   Previously it was terminated with 0, which was also part of the
10788   value; thus, the array representation was not applicable to
10789   polynomials where t^0 has coefficient zero.  This change makes
10790   the array representation useful in a more general context.
10791
10792   *Douglas Stebila*
10793
10794 * Various modifications and fixes to SSL/TLS cipher string
10795   handling.  For ECC, the code now distinguishes between fixed ECDH
10796   with RSA certificates on the one hand and with ECDSA certificates
10797   on the other hand, since these are separate ciphersuites.  The
10798   unused code for Fortezza ciphersuites has been removed.
10799
10800   For consistency with EDH, ephemeral ECDH is now called "EECDH"
10801   (not "ECDHE").  For consistency with the code for DH
10802   certificates, use of ECDH certificates is now considered ECDH
10803   authentication, not RSA or ECDSA authentication (the latter is
10804   merely the CA's signing algorithm and not actively used in the
10805   protocol).
10806
10807   The temporary ciphersuite alias "ECCdraft" is no longer
10808   available, and ECC ciphersuites are no longer excluded from "ALL"
10809   and "DEFAULT".  The following aliases now exist for RFC 4492
10810   ciphersuites, most of these by analogy with the DH case:
10811
10812           kECDHr   - ECDH cert, signed with RSA
10813           kECDHe   - ECDH cert, signed with ECDSA
10814           kECDH    - ECDH cert (signed with either RSA or ECDSA)
10815           kEECDH   - ephemeral ECDH
10816           ECDH     - ECDH cert or ephemeral ECDH
10817
10818           aECDH    - ECDH cert
10819           aECDSA   - ECDSA cert
10820           ECDSA    - ECDSA cert
10821
10822           AECDH    - anonymous ECDH
10823           EECDH    - non-anonymous ephemeral ECDH (equivalent to "kEECDH:-AECDH")
10824
10825   *Bodo Moeller*
10826
10827 * Add additional S/MIME capabilities for AES and GOST ciphers if supported.
10828   Use correct micalg parameters depending on digest(s) in signed message.
10829
10830   *Steve Henson*
10831
10832 * Add engine support for EVP_PKEY_ASN1_METHOD. Add functions to process
10833   an ENGINE asn1 method. Support ENGINE lookups in the ASN1 code.
10834
10835   *Steve Henson*
10836
10837 * Initial engine support for EVP_PKEY_METHOD. New functions to permit
10838   an engine to register a method. Add ENGINE lookups for methods and
10839   functional reference processing.
10840
10841   *Steve Henson*
10842
10843 * New functions `EVP_Digest{Sign,Verify)*`. These are enhanced versions of
10844   `EVP_{Sign,Verify}*` which allow an application to customise the signature
10845   process.
10846
10847   *Steve Henson*
10848
10849 * New -resign option to smime utility. This adds one or more signers
10850   to an existing PKCS#7 signedData structure. Also -md option to use an
10851   alternative message digest algorithm for signing.
10852
10853   *Steve Henson*
10854
10855 * Tidy up PKCS#7 routines and add new functions to make it easier to
10856   create PKCS7 structures containing multiple signers. Update smime
10857   application to support multiple signers.
10858
10859   *Steve Henson*
10860
10861 * New -macalg option to pkcs12 utility to allow setting of an alternative
10862   digest MAC.
10863
10864   *Steve Henson*
10865
10866 * Initial support for PKCS#5 v2.0 PRFs other than default SHA1 HMAC.
10867   Reorganize PBE internals to lookup from a static table using NIDs,
10868   add support for HMAC PBE OID translation. Add a EVP_CIPHER ctrl:
10869   EVP_CTRL_PBE_PRF_NID this allows a cipher to specify an alternative
10870   PRF which will be automatically used with PBES2.
10871
10872   *Steve Henson*
10873
10874 * Replace the algorithm specific calls to generate keys in "req" with the
10875   new API.
10876
10877   *Steve Henson*
10878
10879 * Update PKCS#7 enveloped data routines to use new API. This is now
10880   supported by any public key method supporting the encrypt operation. A
10881   ctrl is added to allow the public key algorithm to examine or modify
10882   the PKCS#7 RecipientInfo structure if it needs to: for RSA this is
10883   a no op.
10884
10885   *Steve Henson*
10886
10887 * Add a ctrl to asn1 method to allow a public key algorithm to express
10888   a default digest type to use. In most cases this will be SHA1 but some
10889   algorithms (such as GOST) need to specify an alternative digest. The
10890   return value indicates how strong the preference is 1 means optional and
10891   2 is mandatory (that is it is the only supported type). Modify
10892   ASN1_item_sign() to accept a NULL digest argument to indicate it should
10893   use the default md. Update openssl utilities to use the default digest
10894   type for signing if it is not explicitly indicated.
10895
10896   *Steve Henson*
10897
10898 * Use OID cross reference table in ASN1_sign() and ASN1_verify(). New
10899   EVP_MD flag EVP_MD_FLAG_PKEY_METHOD_SIGNATURE. This uses the relevant
10900   signing method from the key type. This effectively removes the link
10901   between digests and public key types.
10902
10903   *Steve Henson*
10904
10905 * Add an OID cross reference table and utility functions. Its purpose is to
10906   translate between signature OIDs such as SHA1WithrsaEncryption and SHA1,
10907   rsaEncryption. This will allow some of the algorithm specific hackery
10908   needed to use the correct OID to be removed.
10909
10910   *Steve Henson*
10911
10912 * Remove algorithm specific dependencies when setting PKCS7_SIGNER_INFO
10913   structures for PKCS7_sign(). They are now set up by the relevant public
10914   key ASN1 method.
10915
10916   *Steve Henson*
10917
10918 * Add provisional EC pkey method with support for ECDSA and ECDH.
10919
10920   *Steve Henson*
10921
10922 * Add support for key derivation (agreement) in the API, DH method and
10923   pkeyutl.
10924
10925   *Steve Henson*
10926
10927 * Add DSA pkey method and DH pkey methods, extend DH ASN1 method to support
10928   public and private key formats. As a side effect these add additional
10929   command line functionality not previously available: DSA signatures can be
10930   generated and verified using pkeyutl and DH key support and generation in
10931   pkey, genpkey.
10932
10933   *Steve Henson*
10934
10935 * BeOS support.
10936
10937   *Oliver Tappe <zooey@hirschkaefer.de>*
10938
10939 * New make target "install_html_docs" installs HTML renditions of the
10940   manual pages.
10941
10942   *Oliver Tappe <zooey@hirschkaefer.de>*
10943
10944 * New utility "genpkey" this is analogous to "genrsa" etc except it can
10945   generate keys for any algorithm. Extend and update EVP_PKEY_METHOD to
10946   support key and parameter generation and add initial key generation
10947   functionality for RSA.
10948
10949   *Steve Henson*
10950
10951 * Add functions for main EVP_PKEY_method operations. The undocumented
10952   functions `EVP_PKEY_{encrypt,decrypt}` have been renamed to
10953   `EVP_PKEY_{encrypt,decrypt}_old`.
10954
10955   *Steve Henson*
10956
10957 * Initial definitions for EVP_PKEY_METHOD. This will be a high level public
10958   key API, doesn't do much yet.
10959
10960   *Steve Henson*
10961
10962 * New function EVP_PKEY_asn1_get0_info() to retrieve information about
10963   public key algorithms. New option to openssl utility:
10964   "list-public-key-algorithms" to print out info.
10965
10966   *Steve Henson*
10967
10968 * Implement the Supported Elliptic Curves Extension for
10969   ECC ciphersuites from draft-ietf-tls-ecc-12.txt.
10970
10971   *Douglas Stebila*
10972
10973 * Don't free up OIDs in OBJ_cleanup() if they are in use by EVP_MD or
10974   EVP_CIPHER structures to avoid later problems in EVP_cleanup().
10975
10976   *Steve Henson*
10977
10978 * New utilities pkey and pkeyparam. These are similar to algorithm specific
10979   utilities such as rsa, dsa, dsaparam etc except they process any key
10980   type.
10981
10982   *Steve Henson*
10983
10984 * Transfer public key printing routines to EVP_PKEY_ASN1_METHOD. New
10985   functions EVP_PKEY_print_public(), EVP_PKEY_print_private(),
10986   EVP_PKEY_print_param() to print public key data from an EVP_PKEY
10987   structure.
10988
10989   *Steve Henson*
10990
10991 * Initial support for pluggable public key ASN1.
10992   De-spaghettify the public key ASN1 handling. Move public and private
10993   key ASN1 handling to a new EVP_PKEY_ASN1_METHOD structure. Relocate
10994   algorithm specific handling to a single module within the relevant
10995   algorithm directory. Add functions to allow (near) opaque processing
10996   of public and private key structures.
10997
10998   *Steve Henson*
10999
11000 * Implement the Supported Point Formats Extension for
11001   ECC ciphersuites from draft-ietf-tls-ecc-12.txt.
11002
11003   *Douglas Stebila*
11004
11005 * Add initial support for RFC 4279 PSK TLS ciphersuites. Add members
11006   for the psk identity [hint] and the psk callback functions to the
11007   SSL_SESSION, SSL and SSL_CTX structure.
11008
11009   New ciphersuites:
11010           PSK-RC4-SHA, PSK-3DES-EDE-CBC-SHA, PSK-AES128-CBC-SHA,
11011           PSK-AES256-CBC-SHA
11012
11013   New functions:
11014           SSL_CTX_use_psk_identity_hint
11015           SSL_get_psk_identity_hint
11016           SSL_get_psk_identity
11017           SSL_use_psk_identity_hint
11018
11019   *Mika Kousa and Pasi Eronen of Nokia Corporation*
11020
11021 * Add RFC 3161 compliant time stamp request creation, response generation
11022   and response verification functionality.
11023
11024   *Zoltán Glózik <zglozik@opentsa.org>, The OpenTSA Project*
11025
11026 * Add initial support for TLS extensions, specifically for the server_name
11027   extension so far.  The SSL_SESSION, SSL_CTX, and SSL data structures now
11028   have new members for a hostname.  The SSL data structure has an
11029   additional member `SSL_CTX *initial_ctx` so that new sessions can be
11030   stored in that context to allow for session resumption, even after the
11031   SSL has been switched to a new SSL_CTX in reaction to a client's
11032   server_name extension.
11033
11034   New functions (subject to change):
11035
11036           SSL_get_servername()
11037           SSL_get_servername_type()
11038           SSL_set_SSL_CTX()
11039
11040   New CTRL codes and macros (subject to change):
11041
11042           SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
11043                               - SSL_CTX_set_tlsext_servername_callback()
11044           SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG
11045                                    - SSL_CTX_set_tlsext_servername_arg()
11046           SSL_CTRL_SET_TLSEXT_HOSTNAME           - SSL_set_tlsext_host_name()
11047
11048   openssl s_client has a new '-servername ...' option.
11049
11050   openssl s_server has new options '-servername_host ...', '-cert2 ...',
11051   '-key2 ...', '-servername_fatal' (subject to change).  This allows
11052   testing the HostName extension for a specific single hostname ('-cert'
11053   and '-key' remain fallbacks for handshakes without HostName
11054   negotiation).  If the unrecognized_name alert has to be sent, this by
11055   default is a warning; it becomes fatal with the '-servername_fatal'
11056   option.
11057
11058   *Peter Sylvester,  Remy Allais, Christophe Renou*
11059
11060 * Whirlpool hash implementation is added.
11061
11062   *Andy Polyakov*
11063
11064 * BIGNUM code on 64-bit SPARCv9 targets is switched from bn(64,64) to
11065   bn(64,32). Because of instruction set limitations it doesn't have
11066   any negative impact on performance. This was done mostly in order
11067   to make it possible to share assembler modules, such as bn_mul_mont
11068   implementations, between 32- and 64-bit builds without hassle.
11069
11070   *Andy Polyakov*
11071
11072 * Move code previously exiled into file crypto/ec/ec2_smpt.c
11073   to ec2_smpl.c, and no longer require the OPENSSL_EC_BIN_PT_COMP
11074   macro.
11075
11076   *Bodo Moeller*
11077
11078 * New candidate for BIGNUM assembler implementation, bn_mul_mont,
11079   dedicated Montgomery multiplication procedure, is introduced.
11080   BN_MONT_CTX is modified to allow bn_mul_mont to reach for higher
11081   "64-bit" performance on certain 32-bit targets.
11082
11083   *Andy Polyakov*
11084
11085 * New option SSL_OP_NO_COMP to disable use of compression selectively
11086   in SSL structures. New SSL ctrl to set maximum send fragment size.
11087   Save memory by setting the I/O buffer sizes dynamically instead of
11088   using the maximum available value.
11089
11090   *Steve Henson*
11091
11092 * New option -V for 'openssl ciphers'. This prints the ciphersuite code
11093   in addition to the text details.
11094
11095   *Bodo Moeller*
11096
11097 * Very, very preliminary EXPERIMENTAL support for printing of general
11098   ASN1 structures. This currently produces rather ugly output and doesn't
11099   handle several customised structures at all.
11100
11101   *Steve Henson*
11102
11103 * Integrated support for PVK file format and some related formats such
11104   as MS PUBLICKEYBLOB and PRIVATEKEYBLOB. Command line switches to support
11105   these in the 'rsa' and 'dsa' utilities.
11106
11107   *Steve Henson*
11108
11109 * Support for PKCS#1 RSAPublicKey format on rsa utility command line.
11110
11111   *Steve Henson*
11112
11113 * Remove the ancient ASN1_METHOD code. This was only ever used in one
11114   place for the (very old) "NETSCAPE" format certificates which are now
11115   handled using new ASN1 code equivalents.
11116
11117   *Steve Henson*
11118
11119 * Let the TLSv1_method() etc. functions return a 'const' SSL_METHOD
11120   pointer and make the SSL_METHOD parameter in SSL_CTX_new,
11121   SSL_CTX_set_ssl_version and SSL_set_ssl_method 'const'.
11122
11123   *Nils Larsch*
11124
11125 * Modify CRL distribution points extension code to print out previously
11126   unsupported fields. Enhance extension setting code to allow setting of
11127   all fields.
11128
11129   *Steve Henson*
11130
11131 * Add print and set support for Issuing Distribution Point CRL extension.
11132
11133   *Steve Henson*
11134
11135 * Change 'Configure' script to enable Camellia by default.
11136
11137   *NTT*
11138
11139OpenSSL 0.9.x
11140-------------
11141
11142### Changes between 0.9.8m and 0.9.8n [24 Mar 2010]
11143
11144 * When rejecting SSL/TLS records due to an incorrect version number, never
11145   update s->server with a new major version number.  As of
11146   - OpenSSL 0.9.8m if 'short' is a 16-bit type,
11147   - OpenSSL 0.9.8f if 'short' is longer than 16 bits,
11148   the previous behavior could result in a read attempt at NULL when
11149   receiving specific incorrect SSL/TLS records once record payload
11150   protection is active.  ([CVE-2010-0740])
11151
11152   *Bodo Moeller, Adam Langley <agl@chromium.org>*
11153
11154 * Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL
11155   could be crashed if the relevant tables were not present (e.g. chrooted).
11156
11157   *Tomas Hoger <thoger@redhat.com>*
11158
11159### Changes between 0.9.8l and 0.9.8m [25 Feb 2010]
11160
11161 * Always check bn_wexpand() return values for failure.  ([CVE-2009-3245])
11162
11163   *Martin Olsson, Neel Mehta*
11164
11165 * Fix X509_STORE locking: Every 'objs' access requires a lock (to
11166   accommodate for stack sorting, always a write lock!).
11167
11168   *Bodo Moeller*
11169
11170 * On some versions of WIN32 Heap32Next is very slow. This can cause
11171   excessive delays in the RAND_poll(): over a minute. As a workaround
11172   include a time check in the inner Heap32Next loop too.
11173
11174   *Steve Henson*
11175
11176 * The code that handled flushing of data in SSL/TLS originally used the
11177   BIO_CTRL_INFO ctrl to see if any data was pending first. This caused
11178   the problem outlined in PR#1949. The fix suggested there however can
11179   trigger problems with buggy BIO_CTRL_WPENDING (e.g. some versions
11180   of Apache). So instead simplify the code to flush unconditionally.
11181   This should be fine since flushing with no data to flush is a no op.
11182
11183   *Steve Henson*
11184
11185 * Handle TLS versions 2.0 and later properly and correctly use the
11186   highest version of TLS/SSL supported. Although TLS >= 2.0 is some way
11187   off ancient servers have a habit of sticking around for a while...
11188
11189   *Steve Henson*
11190
11191 * Modify compression code so it frees up structures without using the
11192   ex_data callbacks. This works around a problem where some applications
11193   call CRYPTO_cleanup_all_ex_data() before application exit (e.g. when
11194   restarting) then use compression (e.g. SSL with compression) later.
11195   This results in significant per-connection memory leaks and
11196   has caused some security issues including CVE-2008-1678 and
11197   CVE-2009-4355.
11198
11199   *Steve Henson*
11200
11201 * Constify crypto/cast (i.e., <openssl/cast.h>): a CAST_KEY doesn't
11202   change when encrypting or decrypting.
11203
11204   *Bodo Moeller*
11205
11206 * Add option SSL_OP_LEGACY_SERVER_CONNECT which will allow clients to
11207   connect and renegotiate with servers which do not support RI.
11208   Until RI is more widely deployed this option is enabled by default.
11209
11210   *Steve Henson*
11211
11212 * Add "missing" ssl ctrls to clear options and mode.
11213
11214   *Steve Henson*
11215
11216 * If client attempts to renegotiate and doesn't support RI respond with
11217   a no_renegotiation alert as required by RFC5746.  Some renegotiating
11218   TLS clients will continue a connection gracefully when they receive
11219   the alert. Unfortunately OpenSSL mishandled this alert and would hang
11220   waiting for a server hello which it will never receive. Now we treat a
11221   received no_renegotiation alert as a fatal error. This is because
11222   applications requesting a renegotiation might well expect it to succeed
11223   and would have no code in place to handle the server denying it so the
11224   only safe thing to do is to terminate the connection.
11225
11226   *Steve Henson*
11227
11228 * Add ctrl macro SSL_get_secure_renegotiation_support() which returns 1 if
11229   peer supports secure renegotiation and 0 otherwise. Print out peer
11230   renegotiation support in s_client/s_server.
11231
11232   *Steve Henson*
11233
11234 * Replace the highly broken and deprecated SPKAC certification method with
11235   the updated NID creation version. This should correctly handle UTF8.
11236
11237   *Steve Henson*
11238
11239 * Implement RFC5746. Re-enable renegotiation but require the extension
11240   as needed. Unfortunately, SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
11241   turns out to be a bad idea. It has been replaced by
11242   SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which can be set with
11243   SSL_CTX_set_options(). This is really not recommended unless you
11244   know what you are doing.
11245
11246   *Eric Rescorla <ekr@networkresonance.com>, Ben Laurie, Steve Henson*
11247
11248 * Fixes to stateless session resumption handling. Use initial_ctx when
11249   issuing and attempting to decrypt tickets in case it has changed during
11250   servername handling. Use a non-zero length session ID when attempting
11251   stateless session resumption: this makes it possible to determine if
11252   a resumption has occurred immediately after receiving server hello
11253   (several places in OpenSSL subtly assume this) instead of later in
11254   the handshake.
11255
11256   *Steve Henson*
11257
11258 * The functions ENGINE_ctrl(), OPENSSL_isservice(),
11259   CMS_get1_RecipientRequest() and RAND_bytes() can return <=0 on error
11260   fixes for a few places where the return code is not checked
11261   correctly.
11262
11263   *Julia Lawall <julia@diku.dk>*
11264
11265 * Add --strict-warnings option to Configure script to include devteam
11266   warnings in other configurations.
11267
11268   *Steve Henson*
11269
11270 * Add support for --libdir option and LIBDIR variable in makefiles. This
11271   makes it possible to install openssl libraries in locations which
11272   have names other than "lib", for example "/usr/lib64" which some
11273   systems need.
11274
11275   *Steve Henson, based on patch from Jeremy Utley*
11276
11277 * Don't allow the use of leading 0x80 in OIDs. This is a violation of
11278   X690 8.9.12 and can produce some misleading textual output of OIDs.
11279
11280   *Steve Henson, reported by Dan Kaminsky*
11281
11282 * Delete MD2 from algorithm tables. This follows the recommendation in
11283   several standards that it is not used in new applications due to
11284   several cryptographic weaknesses. For binary compatibility reasons
11285   the MD2 API is still compiled in by default.
11286
11287   *Steve Henson*
11288
11289 * Add compression id to {d2i,i2d}_SSL_SESSION so it is correctly saved
11290   and restored.
11291
11292   *Steve Henson*
11293
11294 * Rename uni2asc and asc2uni functions to OPENSSL_uni2asc and
11295   OPENSSL_asc2uni conditionally on Netware platforms to avoid a name
11296   clash.
11297
11298   *Guenter <lists@gknw.net>*
11299
11300 * Fix the server certificate chain building code to use X509_verify_cert(),
11301   it used to have an ad-hoc builder which was unable to cope with anything
11302   other than a simple chain.
11303
11304   *David Woodhouse <dwmw2@infradead.org>, Steve Henson*
11305
11306 * Don't check self signed certificate signatures in X509_verify_cert()
11307   by default (a flag can override this): it just wastes time without
11308   adding any security. As a useful side effect self signed root CAs
11309   with non-FIPS digests are now usable in FIPS mode.
11310
11311   *Steve Henson*
11312
11313 * In dtls1_process_out_of_seq_message() the check if the current message
11314   is already buffered was missing. For every new message was memory
11315   allocated, allowing an attacker to perform an denial of service attack
11316   with sending out of seq handshake messages until there is no memory
11317   left. Additionally every future message was buffered, even if the
11318   sequence number made no sense and would be part of another handshake.
11319   So only messages with sequence numbers less than 10 in advance will be
11320   buffered.  ([CVE-2009-1378])
11321
11322   *Robin Seggelmann, discovered by Daniel Mentz*
11323
11324 * Records are buffered if they arrive with a future epoch to be
11325   processed after finishing the corresponding handshake. There is
11326   currently no limitation to this buffer allowing an attacker to perform
11327   a DOS attack with sending records with future epochs until there is no
11328   memory left. This patch adds the pqueue_size() function to determine
11329   the size of a buffer and limits the record buffer to 100 entries.
11330   ([CVE-2009-1377])
11331
11332   *Robin Seggelmann, discovered by Daniel Mentz*
11333
11334 * Keep a copy of frag->msg_header.frag_len so it can be used after the
11335   parent structure is freed.  ([CVE-2009-1379])
11336
11337   *Daniel Mentz*
11338
11339 * Handle non-blocking I/O properly in SSL_shutdown() call.
11340
11341   *Darryl Miles <darryl-mailinglists@netbauds.net>*
11342
11343 * Add `2.5.4.*` OIDs
11344
11345   *Ilya O. <vrghost@gmail.com>*
11346
11347### Changes between 0.9.8k and 0.9.8l  [5 Nov 2009]
11348
11349 * Disable renegotiation completely - this fixes a severe security
11350   problem ([CVE-2009-3555]) at the cost of breaking all
11351   renegotiation. Renegotiation can be re-enabled by setting
11352   SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at
11353   run-time. This is really not recommended unless you know what
11354   you're doing.
11355
11356   *Ben Laurie*
11357
11358### Changes between 0.9.8j and 0.9.8k  [25 Mar 2009]
11359
11360 * Don't set val to NULL when freeing up structures, it is freed up by
11361   underlying code. If `sizeof(void *) > sizeof(long)` this can result in
11362   zeroing past the valid field. ([CVE-2009-0789])
11363
11364   *Paolo Ganci <Paolo.Ganci@AdNovum.CH>*
11365
11366 * Fix bug where return value of CMS_SignerInfo_verify_content() was not
11367   checked correctly. This would allow some invalid signed attributes to
11368   appear to verify correctly. ([CVE-2009-0591])
11369
11370   *Ivan Nestlerode <inestlerode@us.ibm.com>*
11371
11372 * Reject UniversalString and BMPString types with invalid lengths. This
11373   prevents a crash in ASN1_STRING_print_ex() which assumes the strings have
11374   a legal length. ([CVE-2009-0590])
11375
11376   *Steve Henson*
11377
11378 * Set S/MIME signing as the default purpose rather than setting it
11379   unconditionally. This allows applications to override it at the store
11380   level.
11381
11382   *Steve Henson*
11383
11384 * Permit restricted recursion of ASN1 strings. This is needed in practice
11385   to handle some structures.
11386
11387   *Steve Henson*
11388
11389 * Improve efficiency of mem_gets: don't search whole buffer each time
11390   for a '\n'
11391
11392   *Jeremy Shapiro <jnshapir@us.ibm.com>*
11393
11394 * New -hex option for openssl rand.
11395
11396   *Matthieu Herrb*
11397
11398 * Print out UTF8String and NumericString when parsing ASN1.
11399
11400   *Steve Henson*
11401
11402 * Support NumericString type for name components.
11403
11404   *Steve Henson*
11405
11406 * Allow CC in the environment to override the automatically chosen
11407   compiler. Note that nothing is done to ensure flags work with the
11408   chosen compiler.
11409
11410   *Ben Laurie*
11411
11412### Changes between 0.9.8i and 0.9.8j  [07 Jan 2009]
11413
11414 * Properly check EVP_VerifyFinal() and similar return values
11415   ([CVE-2008-5077]).
11416
11417   *Ben Laurie, Bodo Moeller, Google Security Team*
11418
11419 * Enable TLS extensions by default.
11420
11421   *Ben Laurie*
11422
11423 * Allow the CHIL engine to be loaded, whether the application is
11424   multithreaded or not. (This does not release the developer from the
11425   obligation to set up the dynamic locking callbacks.)
11426
11427   *Sander Temme <sander@temme.net>*
11428
11429 * Use correct exit code if there is an error in dgst command.
11430
11431   *Steve Henson; problem pointed out by Roland Dirlewanger*
11432
11433 * Tweak Configure so that you need to say "experimental-jpake" to enable
11434   JPAKE, and need to use -DOPENSSL_EXPERIMENTAL_JPAKE in applications.
11435
11436   *Bodo Moeller*
11437
11438 * Add experimental JPAKE support, including demo authentication in
11439   s_client and s_server.
11440
11441   *Ben Laurie*
11442
11443 * Set the comparison function in v3_addr_canonize().
11444
11445   *Rob Austein <sra@hactrn.net>*
11446
11447 * Add support for XMPP STARTTLS in s_client.
11448
11449   *Philip Paeps <philip@freebsd.org>*
11450
11451 * Change the server-side SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG behavior
11452   to ensure that even with this option, only ciphersuites in the
11453   server's preference list will be accepted.  (Note that the option
11454   applies only when resuming a session, so the earlier behavior was
11455   just about the algorithm choice for symmetric cryptography.)
11456
11457   *Bodo Moeller*
11458
11459### Changes between 0.9.8h and 0.9.8i  [15 Sep 2008]
11460
11461 * Fix NULL pointer dereference if a DTLS server received
11462   ChangeCipherSpec as first record ([CVE-2009-1386]).
11463
11464   *PR #1679*
11465
11466 * Fix a state transition in s3_srvr.c and d1_srvr.c
11467   (was using SSL3_ST_CW_CLNT_HELLO_B, should be `..._ST_SW_SRVR_...`).
11468
11469   *Nagendra Modadugu*
11470
11471 * The fix in 0.9.8c that supposedly got rid of unsafe
11472   double-checked locking was incomplete for RSA blinding,
11473   addressing just one layer of what turns out to have been
11474   doubly unsafe triple-checked locking.
11475
11476   So now fix this for real by retiring the MONT_HELPER macro
11477   in crypto/rsa/rsa_eay.c.
11478
11479   *Bodo Moeller; problem pointed out by Marius Schilder*
11480
11481 * Various precautionary measures:
11482
11483   - Avoid size_t integer overflow in HASH_UPDATE (md32_common.h).
11484
11485   - Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c).
11486     (NB: This would require knowledge of the secret session ticket key
11487     to exploit, in which case you'd be SOL either way.)
11488
11489   - Change bn_nist.c so that it will properly handle input BIGNUMs
11490     outside the expected range.
11491
11492   - Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG
11493     builds.
11494
11495   *Neel Mehta, Bodo Moeller*
11496
11497 * Allow engines to be "soft loaded" - i.e. optionally don't die if
11498   the load fails. Useful for distros.
11499
11500   *Ben Laurie and the FreeBSD team*
11501
11502 * Add support for Local Machine Keyset attribute in PKCS#12 files.
11503
11504   *Steve Henson*
11505
11506 * Fix BN_GF2m_mod_arr() top-bit cleanup code.
11507
11508   *Huang Ying*
11509
11510 * Expand ENGINE to support engine supplied SSL client certificate functions.
11511
11512   This work was sponsored by Logica.
11513
11514   *Steve Henson*
11515
11516 * Add CryptoAPI ENGINE to support use of RSA and DSA keys held in Windows
11517   keystores. Support for SSL/TLS client authentication too.
11518   Not compiled unless enable-capieng specified to Configure.
11519
11520   This work was sponsored by Logica.
11521
11522   *Steve Henson*
11523
11524 * Fix bug in X509_ATTRIBUTE creation: don't set attribute using
11525   ASN1_TYPE_set1 if MBSTRING flag set. This bug would crash certain
11526   attribute creation routines such as certificate requests and PKCS#12
11527   files.
11528
11529   *Steve Henson*
11530
11531### Changes between 0.9.8g and 0.9.8h  [28 May 2008]
11532
11533 * Fix flaw if 'Server Key exchange message' is omitted from a TLS
11534   handshake which could lead to a client crash as found using the
11535   Codenomicon TLS test suite ([CVE-2008-1672])
11536
11537   *Steve Henson, Mark Cox*
11538
11539 * Fix double free in TLS server name extensions which could lead to
11540   a remote crash found by Codenomicon TLS test suite ([CVE-2008-0891])
11541
11542   *Joe Orton*
11543
11544 * Clear error queue in SSL_CTX_use_certificate_chain_file()
11545
11546   Clear the error queue to ensure that error entries left from
11547   older function calls do not interfere with the correct operation.
11548
11549   *Lutz Jaenicke, Erik de Castro Lopo*
11550
11551 * Remove root CA certificates of commercial CAs:
11552
11553   The OpenSSL project does not recommend any specific CA and does not
11554   have any policy with respect to including or excluding any CA.
11555   Therefore, it does not make any sense to ship an arbitrary selection
11556   of root CA certificates with the OpenSSL software.
11557
11558   *Lutz Jaenicke*
11559
11560 * RSA OAEP patches to fix two separate invalid memory reads.
11561   The first one involves inputs when 'lzero' is greater than
11562   'SHA_DIGEST_LENGTH' (it would read about SHA_DIGEST_LENGTH bytes
11563   before the beginning of from). The second one involves inputs where
11564   the 'db' section contains nothing but zeroes (there is a one-byte
11565   invalid read after the end of 'db').
11566
11567   *Ivan Nestlerode <inestlerode@us.ibm.com>*
11568
11569 * Partial backport from 0.9.9-dev:
11570
11571   Introduce bn_mul_mont (dedicated Montgomery multiplication
11572   procedure) as a candidate for BIGNUM assembler implementation.
11573   While 0.9.9-dev uses assembler for various architectures, only
11574   x86_64 is available by default here in the 0.9.8 branch, and
11575   32-bit x86 is available through a compile-time setting.
11576
11577   To try the 32-bit x86 assembler implementation, use Configure
11578   option "enable-montasm" (which exists only for this backport).
11579
11580   As "enable-montasm" for 32-bit x86 disclaims code stability
11581   anyway, in this constellation we activate additional code
11582   backported from 0.9.9-dev for further performance improvements,
11583   namely BN_from_montgomery_word.  (To enable this otherwise,
11584   e.g. x86_64, try `-DMONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD`.)
11585
11586   *Andy Polyakov (backport partially by Bodo Moeller)*
11587
11588 * Add TLS session ticket callback. This allows an application to set
11589   TLS ticket cipher and HMAC keys rather than relying on hardcoded fixed
11590   values. This is useful for key rollover for example where several key
11591   sets may exist with different names.
11592
11593   *Steve Henson*
11594
11595 * Reverse ENGINE-internal logic for caching default ENGINE handles.
11596   This was broken until now in 0.9.8 releases, such that the only way
11597   a registered ENGINE could be used (assuming it initialises
11598   successfully on the host) was to explicitly set it as the default
11599   for the relevant algorithms. This is in contradiction with 0.9.7
11600   behaviour and the documentation. With this fix, when an ENGINE is
11601   registered into a given algorithm's table of implementations, the
11602   'uptodate' flag is reset so that auto-discovery will be used next
11603   time a new context for that algorithm attempts to select an
11604   implementation.
11605
11606   *Ian Lister (tweaked by Geoff Thorpe)*
11607
11608 * Backport of CMS code to OpenSSL 0.9.8. This differs from the 0.9.9
11609   implementation in the following ways:
11610
11611   Lack of EVP_PKEY_ASN1_METHOD means algorithm parameters have to be
11612   hard coded.
11613
11614   Lack of BER streaming support means one pass streaming processing is
11615   only supported if data is detached: setting the streaming flag is
11616   ignored for embedded content.
11617
11618   CMS support is disabled by default and must be explicitly enabled
11619   with the enable-cms configuration option.
11620
11621   *Steve Henson*
11622
11623 * Update the GMP engine glue to do direct copies between BIGNUM and
11624   mpz_t when openssl and GMP use the same limb size. Otherwise the
11625   existing "conversion via a text string export" trick is still used.
11626
11627   *Paul Sheer <paulsheer@gmail.com>*
11628
11629 * Zlib compression BIO. This is a filter BIO which compressed and
11630   uncompresses any data passed through it.
11631
11632   *Steve Henson*
11633
11634 * Add AES_wrap_key() and AES_unwrap_key() functions to implement
11635   RFC3394 compatible AES key wrapping.
11636
11637   *Steve Henson*
11638
11639 * Add utility functions to handle ASN1 structures. ASN1_STRING_set0():
11640   sets string data without copying. X509_ALGOR_set0() and
11641   X509_ALGOR_get0(): set and retrieve X509_ALGOR (AlgorithmIdentifier)
11642   data. Attribute function X509at_get0_data_by_OBJ(): retrieves data
11643   from an X509_ATTRIBUTE structure optionally checking it occurs only
11644   once. ASN1_TYPE_set1(): set and ASN1_TYPE structure copying supplied
11645   data.
11646
11647   *Steve Henson*
11648
11649 * Fix BN flag handling in RSA_eay_mod_exp() and BN_MONT_CTX_set()
11650   to get the expected BN_FLG_CONSTTIME behavior.
11651
11652   *Bodo Moeller (Google)*
11653
11654 * Netware support:
11655
11656   - fixed wrong usage of ioctlsocket() when build for LIBC BSD sockets
11657   - fixed do_tests.pl to run the test suite with CLIB builds too (CLIB_OPT)
11658   - added some more tests to do_tests.pl
11659   - fixed RunningProcess usage so that it works with newer LIBC NDKs too
11660   - removed usage of BN_LLONG for CLIB builds to avoid runtime dependency
11661   - added new Configure targets netware-clib-bsdsock, netware-clib-gcc,
11662     netware-clib-bsdsock-gcc, netware-libc-bsdsock-gcc
11663   - various changes to netware.pl to enable gcc-cross builds on Win32
11664     platform
11665   - changed crypto/bio/b_sock.c to work with macro functions (CLIB BSD)
11666   - various changes to fix missing prototype warnings
11667   - fixed x86nasm.pl to create correct asm files for NASM COFF output
11668   - added AES, WHIRLPOOL and CPUID assembler code to build files
11669   - added missing AES assembler make rules to mk1mf.pl
11670   - fixed order of includes in `apps/ocsp.c` so that `e_os.h` settings apply
11671
11672   *Guenter Knauf <eflash@gmx.net>*
11673
11674 * Implement certificate status request TLS extension defined in RFC3546.
11675   A client can set the appropriate parameters and receive the encoded
11676   OCSP response via a callback. A server can query the supplied parameters
11677   and set the encoded OCSP response in the callback. Add simplified examples
11678   to s_client and s_server.
11679
11680   *Steve Henson*
11681
11682### Changes between 0.9.8f and 0.9.8g  [19 Oct 2007]
11683
11684 * Fix various bugs:
11685   + Binary incompatibility of ssl_ctx_st structure
11686   + DTLS interoperation with non-compliant servers
11687   + Don't call get_session_cb() without proposed session
11688   + Fix ia64 assembler code
11689
11690   *Andy Polyakov, Steve Henson*
11691
11692### Changes between 0.9.8e and 0.9.8f  [11 Oct 2007]
11693
11694 * DTLS Handshake overhaul. There were longstanding issues with
11695   OpenSSL DTLS implementation, which were making it impossible for
11696   RFC 4347 compliant client to communicate with OpenSSL server.
11697   Unfortunately just fixing these incompatibilities would "cut off"
11698   pre-0.9.8f clients. To allow for hassle free upgrade post-0.9.8e
11699   server keeps tolerating non RFC compliant syntax. The opposite is
11700   not true, 0.9.8f client can not communicate with earlier server.
11701   This update even addresses CVE-2007-4995.
11702
11703   *Andy Polyakov*
11704
11705 * Changes to avoid need for function casts in OpenSSL: some compilers
11706   (gcc 4.2 and later) reject their use.
11707   *Kurt Roeckx <kurt@roeckx.be>, Peter Hartley <pdh@utter.chaos.org.uk>,
11708    Steve Henson*
11709
11710 * Add RFC4507 support to OpenSSL. This includes the corrections in
11711   RFC4507bis. The encrypted ticket format is an encrypted encoded
11712   SSL_SESSION structure, that way new session features are automatically
11713   supported.
11714
11715   If a client application caches session in an SSL_SESSION structure
11716   support is transparent because tickets are now stored in the encoded
11717   SSL_SESSION.
11718
11719   The SSL_CTX structure automatically generates keys for ticket
11720   protection in servers so again support should be possible
11721   with no application modification.
11722
11723   If a client or server wishes to disable RFC4507 support then the option
11724   SSL_OP_NO_TICKET can be set.
11725
11726   Add a TLS extension debugging callback to allow the contents of any client
11727   or server extensions to be examined.
11728
11729   This work was sponsored by Google.
11730
11731   *Steve Henson*
11732
11733 * Add initial support for TLS extensions, specifically for the server_name
11734   extension so far.  The SSL_SESSION, SSL_CTX, and SSL data structures now
11735   have new members for a hostname.  The SSL data structure has an
11736   additional member `SSL_CTX *initial_ctx` so that new sessions can be
11737   stored in that context to allow for session resumption, even after the
11738   SSL has been switched to a new SSL_CTX in reaction to a client's
11739   server_name extension.
11740
11741   New functions (subject to change):
11742
11743           SSL_get_servername()
11744           SSL_get_servername_type()
11745           SSL_set_SSL_CTX()
11746
11747   New CTRL codes and macros (subject to change):
11748
11749           SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
11750                               - SSL_CTX_set_tlsext_servername_callback()
11751           SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG
11752                                    - SSL_CTX_set_tlsext_servername_arg()
11753           SSL_CTRL_SET_TLSEXT_HOSTNAME           - SSL_set_tlsext_host_name()
11754
11755   openssl s_client has a new '-servername ...' option.
11756
11757   openssl s_server has new options '-servername_host ...', '-cert2 ...',
11758   '-key2 ...', '-servername_fatal' (subject to change).  This allows
11759   testing the HostName extension for a specific single hostname ('-cert'
11760   and '-key' remain fallbacks for handshakes without HostName
11761   negotiation).  If the unrecognized_name alert has to be sent, this by
11762   default is a warning; it becomes fatal with the '-servername_fatal'
11763   option.
11764
11765   *Peter Sylvester,  Remy Allais, Christophe Renou, Steve Henson*
11766
11767 * Add AES and SSE2 assembly language support to VC++ build.
11768
11769   *Steve Henson*
11770
11771 * Mitigate attack on final subtraction in Montgomery reduction.
11772
11773   *Andy Polyakov*
11774
11775 * Fix crypto/ec/ec_mult.c to work properly with scalars of value 0
11776   (which previously caused an internal error).
11777
11778   *Bodo Moeller*
11779
11780 * Squeeze another 10% out of IGE mode when in != out.
11781
11782   *Ben Laurie*
11783
11784 * AES IGE mode speedup.
11785
11786   *Dean Gaudet (Google)*
11787
11788 * Add the Korean symmetric 128-bit cipher SEED (see
11789   <http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp>) and
11790   add SEED ciphersuites from RFC 4162:
11791
11792           TLS_RSA_WITH_SEED_CBC_SHA      =  "SEED-SHA"
11793           TLS_DHE_DSS_WITH_SEED_CBC_SHA  =  "DHE-DSS-SEED-SHA"
11794           TLS_DHE_RSA_WITH_SEED_CBC_SHA  =  "DHE-RSA-SEED-SHA"
11795           TLS_DH_anon_WITH_SEED_CBC_SHA  =  "ADH-SEED-SHA"
11796
11797   To minimize changes between patchlevels in the OpenSSL 0.9.8
11798   series, SEED remains excluded from compilation unless OpenSSL
11799   is configured with 'enable-seed'.
11800
11801   *KISA, Bodo Moeller*
11802
11803 * Mitigate branch prediction attacks, which can be practical if a
11804   single processor is shared, allowing a spy process to extract
11805   information.  For detailed background information, see
11806   <http://eprint.iacr.org/2007/039> (O. Aciicmez, S. Gueron,
11807   J.-P. Seifert, "New Branch Prediction Vulnerabilities in OpenSSL
11808   and Necessary Software Countermeasures").  The core of the change
11809   are new versions BN_div_no_branch() and
11810   BN_mod_inverse_no_branch() of BN_div() and BN_mod_inverse(),
11811   respectively, which are slower, but avoid the security-relevant
11812   conditional branches.  These are automatically called by BN_div()
11813   and BN_mod_inverse() if the flag BN_FLG_CONSTTIME is set for one
11814   of the input BIGNUMs.  Also, BN_is_bit_set() has been changed to
11815   remove a conditional branch.
11816
11817   BN_FLG_CONSTTIME is the new name for the previous
11818   BN_FLG_EXP_CONSTTIME flag, since it now affects more than just
11819   modular exponentiation.  (Since OpenSSL 0.9.7h, setting this flag
11820   in the exponent causes BN_mod_exp_mont() to use the alternative
11821   implementation in BN_mod_exp_mont_consttime().)  The old name
11822   remains as a deprecated alias.
11823
11824   Similarly, RSA_FLAG_NO_EXP_CONSTTIME is replaced by a more general
11825   RSA_FLAG_NO_CONSTTIME flag since the RSA implementation now uses
11826   constant-time implementations for more than just exponentiation.
11827   Here too the old name is kept as a deprecated alias.
11828
11829   BN_BLINDING_new() will now use BN_dup() for the modulus so that
11830   the BN_BLINDING structure gets an independent copy of the
11831   modulus.  This means that the previous `BIGNUM *m` argument to
11832   BN_BLINDING_new() and to BN_BLINDING_create_param() now
11833   essentially becomes `const BIGNUM *m`, although we can't actually
11834   change this in the header file before 0.9.9.  It allows
11835   RSA_setup_blinding() to use BN_with_flags() on the modulus to
11836   enable BN_FLG_CONSTTIME.
11837
11838   *Matthew D Wood (Intel Corp)*
11839
11840 * In the SSL/TLS server implementation, be strict about session ID
11841   context matching (which matters if an application uses a single
11842   external cache for different purposes).  Previously,
11843   out-of-context reuse was forbidden only if SSL_VERIFY_PEER was
11844   set.  This did ensure strict client verification, but meant that,
11845   with applications using a single external cache for quite
11846   different requirements, clients could circumvent ciphersuite
11847   restrictions for a given session ID context by starting a session
11848   in a different context.
11849
11850   *Bodo Moeller*
11851
11852 * Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that
11853   a ciphersuite string such as "DEFAULT:RSA" cannot enable
11854   authentication-only ciphersuites.
11855
11856   *Bodo Moeller*
11857
11858 * Update the SSL_get_shared_ciphers() fix CVE-2006-3738 which was
11859   not complete and could lead to a possible single byte overflow
11860   ([CVE-2007-5135]) [Ben Laurie]
11861
11862### Changes between 0.9.8d and 0.9.8e  [23 Feb 2007]
11863
11864 * Since AES128 and AES256 (and similarly Camellia128 and
11865   Camellia256) share a single mask bit in the logic of
11866   ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
11867   kludge to work properly if AES128 is available and AES256 isn't
11868   (or if Camellia128 is available and Camellia256 isn't).
11869
11870   *Victor Duchovni*
11871
11872 * Fix the BIT STRING encoding generated by crypto/ec/ec_asn1.c
11873   (within i2d_ECPrivateKey, i2d_ECPKParameters, i2d_ECParameters):
11874   When a point or a seed is encoded in a BIT STRING, we need to
11875   prevent the removal of trailing zero bits to get the proper DER
11876   encoding.  (By default, crypto/asn1/a_bitstr.c assumes the case
11877   of a NamedBitList, for which trailing 0 bits need to be removed.)
11878
11879   *Bodo Moeller*
11880
11881 * Have SSL/TLS server implementation tolerate "mismatched" record
11882   protocol version while receiving ClientHello even if the
11883   ClientHello is fragmented.  (The server can't insist on the
11884   particular protocol version it has chosen before the ServerHello
11885   message has informed the client about his choice.)
11886
11887   *Bodo Moeller*
11888
11889 * Add RFC 3779 support.
11890
11891   *Rob Austein for ARIN, Ben Laurie*
11892
11893 * Load error codes if they are not already present instead of using a
11894   static variable. This allows them to be cleanly unloaded and reloaded.
11895   Improve header file function name parsing.
11896
11897   *Steve Henson*
11898
11899 * extend SMTP and IMAP protocol emulation in s_client to use EHLO
11900   or CAPABILITY handshake as required by RFCs.
11901
11902   *Goetz Babin-Ebell*
11903
11904### Changes between 0.9.8c and 0.9.8d  [28 Sep 2006]
11905
11906 * Introduce limits to prevent malicious keys being able to
11907   cause a denial of service.  ([CVE-2006-2940])
11908
11909   *Steve Henson, Bodo Moeller*
11910
11911 * Fix ASN.1 parsing of certain invalid structures that can result
11912   in a denial of service.  ([CVE-2006-2937])  [Steve Henson]
11913
11914 * Fix buffer overflow in SSL_get_shared_ciphers() function.
11915   ([CVE-2006-3738]) [Tavis Ormandy and Will Drewry, Google Security Team]
11916
11917 * Fix SSL client code which could crash if connecting to a
11918   malicious SSLv2 server.  ([CVE-2006-4343])
11919
11920   *Tavis Ormandy and Will Drewry, Google Security Team*
11921
11922 * Since 0.9.8b, ciphersuite strings naming explicit ciphersuites
11923   match only those.  Before that, "AES256-SHA" would be interpreted
11924   as a pattern and match "AES128-SHA" too (since AES128-SHA got
11925   the same strength classification in 0.9.7h) as we currently only
11926   have a single AES bit in the ciphersuite description bitmap.
11927   That change, however, also applied to ciphersuite strings such as
11928   "RC4-MD5" that intentionally matched multiple ciphersuites --
11929   namely, SSL 2.0 ciphersuites in addition to the more common ones
11930   from SSL 3.0/TLS 1.0.
11931
11932   So we change the selection algorithm again: Naming an explicit
11933   ciphersuite selects this one ciphersuite, and any other similar
11934   ciphersuite (same bitmap) from *other* protocol versions.
11935   Thus, "RC4-MD5" again will properly select both the SSL 2.0
11936   ciphersuite and the SSL 3.0/TLS 1.0 ciphersuite.
11937
11938   Since SSL 2.0 does not have any ciphersuites for which the
11939   128/256 bit distinction would be relevant, this works for now.
11940   The proper fix will be to use different bits for AES128 and
11941   AES256, which would have avoided the problems from the beginning;
11942   however, bits are scarce, so we can only do this in a new release
11943   (not just a patchlevel) when we can change the SSL_CIPHER
11944   definition to split the single 'unsigned long mask' bitmap into
11945   multiple values to extend the available space.
11946
11947   *Bodo Moeller*
11948
11949### Changes between 0.9.8b and 0.9.8c  [05 Sep 2006]
11950
11951 * Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
11952   ([CVE-2006-4339])  [Ben Laurie and Google Security Team]
11953
11954 * Add AES IGE and biIGE modes.
11955
11956   *Ben Laurie*
11957
11958 * Change the Unix randomness entropy gathering to use poll() when
11959   possible instead of select(), since the latter has some
11960   undesirable limitations.
11961
11962   *Darryl Miles via Richard Levitte and Bodo Moeller*
11963
11964 * Disable "ECCdraft" ciphersuites more thoroughly.  Now special
11965   treatment in ssl/ssl_ciph.s makes sure that these ciphersuites
11966   cannot be implicitly activated as part of, e.g., the "AES" alias.
11967   However, please upgrade to OpenSSL 0.9.9[-dev] for
11968   non-experimental use of the ECC ciphersuites to get TLS extension
11969   support, which is required for curve and point format negotiation
11970   to avoid potential handshake problems.
11971
11972   *Bodo Moeller*
11973
11974 * Disable rogue ciphersuites:
11975
11976   - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
11977   - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
11978   - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
11979
11980   The latter two were purportedly from
11981   draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
11982   appear there.
11983
11984   Also deactivate the remaining ciphersuites from
11985   draft-ietf-tls-56-bit-ciphersuites-01.txt.  These are just as
11986   unofficial, and the ID has long expired.
11987
11988   *Bodo Moeller*
11989
11990 * Fix RSA blinding Heisenbug (problems sometimes occurred on
11991   dual-core machines) and other potential thread-safety issues.
11992
11993   *Bodo Moeller*
11994
11995 * Add the symmetric cipher Camellia (128-bit, 192-bit, 256-bit key
11996   versions), which is now available for royalty-free use
11997   (see <http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html>).
11998   Also, add Camellia TLS ciphersuites from RFC 4132.
11999
12000   To minimize changes between patchlevels in the OpenSSL 0.9.8
12001   series, Camellia remains excluded from compilation unless OpenSSL
12002   is configured with 'enable-camellia'.
12003
12004   *NTT*
12005
12006 * Disable the padding bug check when compression is in use. The padding
12007   bug check assumes the first packet is of even length, this is not
12008   necessarily true if compression is enabled and can result in false
12009   positives causing handshake failure. The actual bug test is ancient
12010   code so it is hoped that implementations will either have fixed it by
12011   now or any which still have the bug do not support compression.
12012
12013   *Steve Henson*
12014
12015### Changes between 0.9.8a and 0.9.8b  [04 May 2006]
12016
12017 * When applying a cipher rule check to see if string match is an explicit
12018   cipher suite and only match that one cipher suite if it is.
12019
12020   *Steve Henson*
12021
12022 * Link in manifests for VC++ if needed.
12023
12024   *Austin Ziegler <halostatue@gmail.com>*
12025
12026 * Update support for ECC-based TLS ciphersuites according to
12027   draft-ietf-tls-ecc-12.txt with proposed changes (but without
12028   TLS extensions, which are supported starting with the 0.9.9
12029   branch, not in the OpenSSL 0.9.8 branch).
12030
12031   *Douglas Stebila*
12032
12033 * New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() to support
12034   opaque EVP_CIPHER_CTX handling.
12035
12036   *Steve Henson*
12037
12038 * Fixes and enhancements to zlib compression code. We now only use
12039   "zlib1.dll" and use the default `__cdecl` calling convention on Win32
12040   to conform with the standards mentioned here:
12041   <http://www.zlib.net/DLL_FAQ.txt>
12042   Static zlib linking now works on Windows and the new --with-zlib-include
12043   --with-zlib-lib options to Configure can be used to supply the location
12044   of the headers and library. Gracefully handle case where zlib library
12045   can't be loaded.
12046
12047   *Steve Henson*
12048
12049 * Several fixes and enhancements to the OID generation code. The old code
12050   sometimes allowed invalid OIDs (1.X for X >= 40 for example), couldn't
12051   handle numbers larger than ULONG_MAX, truncated printing and had a
12052   non standard OBJ_obj2txt() behaviour.
12053
12054   *Steve Henson*
12055
12056 * Add support for building of engines under engine/ as shared libraries
12057   under VC++ build system.
12058
12059   *Steve Henson*
12060
12061 * Corrected the numerous bugs in the Win32 path splitter in DSO.
12062   Hopefully, we will not see any false combination of paths any more.
12063
12064   *Richard Levitte*
12065
12066### Changes between 0.9.8 and 0.9.8a  [11 Oct 2005]
12067
12068 * Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
12069   (part of SSL_OP_ALL).  This option used to disable the
12070   countermeasure against man-in-the-middle protocol-version
12071   rollback in the SSL 2.0 server implementation, which is a bad
12072   idea.  ([CVE-2005-2969])
12073
12074   *Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center
12075   for Information Security, National Institute of Advanced Industrial
12076   Science and Technology [AIST], Japan)*
12077
12078 * Add two function to clear and return the verify parameter flags.
12079
12080   *Steve Henson*
12081
12082 * Keep cipherlists sorted in the source instead of sorting them at
12083   runtime, thus removing the need for a lock.
12084
12085   *Nils Larsch*
12086
12087 * Avoid some small subgroup attacks in Diffie-Hellman.
12088
12089   *Nick Mathewson and Ben Laurie*
12090
12091 * Add functions for well-known primes.
12092
12093   *Nick Mathewson*
12094
12095 * Extended Windows CE support.
12096
12097   *Satoshi Nakamura and Andy Polyakov*
12098
12099 * Initialize SSL_METHOD structures at compile time instead of during
12100   runtime, thus removing the need for a lock.
12101
12102   *Steve Henson*
12103
12104 * Make PKCS7_decrypt() work even if no certificate is supplied by
12105   attempting to decrypt each encrypted key in turn. Add support to
12106   smime utility.
12107
12108   *Steve Henson*
12109
12110### Changes between 0.9.7h and 0.9.8  [05 Jul 2005]
12111
12112[NB: OpenSSL 0.9.7i and later 0.9.7 patch levels were released after
12113OpenSSL 0.9.8.]
12114
12115 * Add libcrypto.pc and libssl.pc for those who feel they need them.
12116
12117   *Richard Levitte*
12118
12119 * Change CA.sh and CA.pl so they don't bundle the CSR and the private
12120   key into the same file any more.
12121
12122   *Richard Levitte*
12123
12124 * Add initial support for Win64, both IA64 and AMD64/x64 flavors.
12125
12126   *Andy Polyakov*
12127
12128 * Add -utf8 command line and config file option to 'ca'.
12129
12130   *Stefan <stf@udoma.org*
12131
12132 * Removed the macro des_crypt(), as it seems to conflict with some
12133   libraries.  Use DES_crypt().
12134
12135   *Richard Levitte*
12136
12137 * Correct naming of the 'chil' and '4758cca' ENGINEs. This
12138   involves renaming the source and generated shared-libs for
12139   both. The engines will accept the corrected or legacy ids
12140   ('ncipher' and '4758_cca' respectively) when binding. NB,
12141   this only applies when building 'shared'.
12142
12143   *Corinna Vinschen <vinschen@redhat.com> and Geoff Thorpe*
12144
12145 * Add attribute functions to EVP_PKEY structure. Modify
12146   PKCS12_create() to recognize a CSP name attribute and
12147   use it. Make -CSP option work again in pkcs12 utility.
12148
12149   *Steve Henson*
12150
12151 * Add new functionality to the bn blinding code:
12152   - automatic re-creation of the BN_BLINDING parameters after
12153     a fixed number of uses (currently 32)
12154   - add new function for parameter creation
12155   - introduce flags to control the update behaviour of the
12156     BN_BLINDING parameters
12157   - hide BN_BLINDING structure
12158   Add a second BN_BLINDING slot to the RSA structure to improve
12159   performance when a single RSA object is shared among several
12160   threads.
12161
12162   *Nils Larsch*
12163
12164 * Add support for DTLS.
12165
12166   *Nagendra Modadugu <nagendra@cs.stanford.edu> and Ben Laurie*
12167
12168 * Add support for DER encoded private keys (SSL_FILETYPE_ASN1)
12169   to SSL_CTX_use_PrivateKey_file() and SSL_use_PrivateKey_file()
12170
12171   *Walter Goulet*
12172
12173 * Remove buggy and incomplete DH cert support from
12174   ssl/ssl_rsa.c and ssl/s3_both.c
12175
12176   *Nils Larsch*
12177
12178 * Use SHA-1 instead of MD5 as the default digest algorithm for
12179   the `apps/openssl` commands.
12180
12181   *Nils Larsch*
12182
12183 * Compile clean with "-Wall -Wmissing-prototypes
12184   -Wstrict-prototypes -Wmissing-declarations -Werror". Currently
12185   DEBUG_SAFESTACK must also be set.
12186
12187   *Ben Laurie*
12188
12189 * Change ./Configure so that certain algorithms can be disabled by default.
12190   The new counterpiece to "no-xxx" is "enable-xxx".
12191
12192   The patented RC5 and MDC2 algorithms will now be disabled unless
12193   "enable-rc5" and "enable-mdc2", respectively, are specified.
12194
12195   (IDEA remains enabled despite being patented.  This is because IDEA
12196   is frequently required for interoperability, and there is no license
12197   fee for non-commercial use.  As before, "no-idea" can be used to
12198   avoid this algorithm.)
12199
12200   *Bodo Moeller*
12201
12202 * Add processing of proxy certificates (see RFC 3820).  This work was
12203   sponsored by KTH (The Royal Institute of Technology in Stockholm) and
12204   EGEE (Enabling Grids for E-science in Europe).
12205
12206   *Richard Levitte*
12207
12208 * RC4 performance overhaul on modern architectures/implementations, such
12209   as Intel P4, IA-64 and AMD64.
12210
12211   *Andy Polyakov*
12212
12213 * New utility extract-section.pl. This can be used specify an alternative
12214   section number in a pod file instead of having to treat each file as
12215   a separate case in Makefile. This can be done by adding two lines to the
12216   pod file:
12217
12218   =for comment openssl_section:XXX
12219
12220   The blank line is mandatory.
12221
12222   *Steve Henson*
12223
12224 * New arguments -certform, -keyform and -pass for s_client and s_server
12225   to allow alternative format key and certificate files and passphrase
12226   sources.
12227
12228   *Steve Henson*
12229
12230 * New structure X509_VERIFY_PARAM which combines current verify parameters,
12231   update associated structures and add various utility functions.
12232
12233   Add new policy related verify parameters, include policy checking in
12234   standard verify code. Enhance 'smime' application with extra parameters
12235   to support policy checking and print out.
12236
12237   *Steve Henson*
12238
12239 * Add a new engine to support VIA PadLock ACE extensions in the VIA C3
12240   Nehemiah processors. These extensions support AES encryption in hardware
12241   as well as RNG (though RNG support is currently disabled).
12242
12243   *Michal Ludvig <michal@logix.cz>, with help from Andy Polyakov*
12244
12245 * Deprecate `BN_[get|set]_params()` functions (they were ignored internally).
12246
12247   *Geoff Thorpe*
12248
12249 * New FIPS 180-2 algorithms, SHA-224/-256/-384/-512 are implemented.
12250
12251   *Andy Polyakov and a number of other people*
12252
12253 * Improved PowerPC platform support. Most notably BIGNUM assembler
12254   implementation contributed by IBM.
12255
12256   *Suresh Chari, Peter Waltenberg, Andy Polyakov*
12257
12258 * The new 'RSA_generate_key_ex' function now takes a BIGNUM for the public
12259   exponent rather than 'unsigned long'. There is a corresponding change to
12260   the new 'rsa_keygen' element of the RSA_METHOD structure.
12261
12262   *Jelte Jansen, Geoff Thorpe*
12263
12264 * Functionality for creating the initial serial number file is now
12265   moved from CA.pl to the 'ca' utility with a new option -create_serial.
12266
12267   (Before OpenSSL 0.9.7e, CA.pl used to initialize the serial
12268   number file to 1, which is bound to cause problems.  To avoid
12269   the problems while respecting compatibility between different 0.9.7
12270   patchlevels, 0.9.7e  employed 'openssl x509 -next_serial' in
12271   CA.pl for serial number initialization.  With the new release 0.9.8,
12272   we can fix the problem directly in the 'ca' utility.)
12273
12274   *Steve Henson*
12275
12276 * Reduced header interdependencies by declaring more opaque objects in
12277   ossl_typ.h. As a consequence, including some headers (eg. engine.h) will
12278   give fewer recursive includes, which could break lazy source code - so
12279   this change is covered by the OPENSSL_NO_DEPRECATED symbol. As always,
12280   developers should define this symbol when building and using openssl to
12281   ensure they track the recommended behaviour, interfaces, [etc], but
12282   backwards-compatible behaviour prevails when this isn't defined.
12283
12284   *Geoff Thorpe*
12285
12286 * New function X509_POLICY_NODE_print() which prints out policy nodes.
12287
12288   *Steve Henson*
12289
12290 * Add new EVP function EVP_CIPHER_CTX_rand_key and associated functionality.
12291   This will generate a random key of the appropriate length based on the
12292   cipher context. The EVP_CIPHER can provide its own random key generation
12293   routine to support keys of a specific form. This is used in the des and
12294   3des routines to generate a key of the correct parity. Update S/MIME
12295   code to use new functions and hence generate correct parity DES keys.
12296   Add EVP_CHECK_DES_KEY #define to return an error if the key is not
12297   valid (weak or incorrect parity).
12298
12299   *Steve Henson*
12300
12301 * Add a local set of CRLs that can be used by X509_verify_cert() as well
12302   as looking them up. This is useful when the verified structure may contain
12303   CRLs, for example PKCS#7 signedData. Modify PKCS7_verify() to use any CRLs
12304   present unless the new PKCS7_NO_CRL flag is asserted.
12305
12306   *Steve Henson*
12307
12308 * Extend ASN1 oid configuration module. It now additionally accepts the
12309   syntax:
12310
12311   shortName = some long name, 1.2.3.4
12312
12313   *Steve Henson*
12314
12315 * Reimplemented the BN_CTX implementation. There is now no more static
12316   limitation on the number of variables it can handle nor the depth of the
12317   "stack" handling for BN_CTX_start()/BN_CTX_end() pairs. The stack
12318   information can now expand as required, and rather than having a single
12319   static array of bignums, BN_CTX now uses a linked-list of such arrays
12320   allowing it to expand on demand whilst maintaining the usefulness of
12321   BN_CTX's "bundling".
12322
12323   *Geoff Thorpe*
12324
12325 * Add a missing BN_CTX parameter to the 'rsa_mod_exp' callback in RSA_METHOD
12326   to allow all RSA operations to function using a single BN_CTX.
12327
12328   *Geoff Thorpe*
12329
12330 * Preliminary support for certificate policy evaluation and checking. This
12331   is initially intended to pass the tests outlined in "Conformance Testing
12332   of Relying Party Client Certificate Path Processing Logic" v1.07.
12333
12334   *Steve Henson*
12335
12336 * bn_dup_expand() has been deprecated, it was introduced in 0.9.7 and
12337   remained unused and not that useful. A variety of other little bignum
12338   tweaks and fixes have also been made continuing on from the audit (see
12339   below).
12340
12341   *Geoff Thorpe*
12342
12343 * Constify all or almost all d2i, c2i, s2i and r2i functions, along with
12344   associated ASN1, EVP and SSL functions and old ASN1 macros.
12345
12346   *Richard Levitte*
12347
12348 * BN_zero() only needs to set 'top' and 'neg' to zero for correct results,
12349   and this should never fail. So the return value from the use of
12350   BN_set_word() (which can fail due to needless expansion) is now deprecated;
12351   if OPENSSL_NO_DEPRECATED is defined, BN_zero() is a void macro.
12352
12353   *Geoff Thorpe*
12354
12355 * BN_CTX_get() should return zero-valued bignums, providing the same
12356   initialised value as BN_new().
12357
12358   *Geoff Thorpe, suggested by Ulf Möller*
12359
12360 * Support for inhibitAnyPolicy certificate extension.
12361
12362   *Steve Henson*
12363
12364 * An audit of the BIGNUM code is underway, for which debugging code is
12365   enabled when BN_DEBUG is defined. This makes stricter enforcements on what
12366   is considered valid when processing BIGNUMs, and causes execution to
12367   assert() when a problem is discovered. If BN_DEBUG_RAND is defined,
12368   further steps are taken to deliberately pollute unused data in BIGNUM
12369   structures to try and expose faulty code further on. For now, openssl will
12370   (in its default mode of operation) continue to tolerate the inconsistent
12371   forms that it has tolerated in the past, but authors and packagers should
12372   consider trying openssl and their own applications when compiled with
12373   these debugging symbols defined. It will help highlight potential bugs in
12374   their own code, and will improve the test coverage for OpenSSL itself. At
12375   some point, these tighter rules will become openssl's default to improve
12376   maintainability, though the assert()s and other overheads will remain only
12377   in debugging configurations. See bn.h for more details.
12378
12379   *Geoff Thorpe, Nils Larsch, Ulf Möller*
12380
12381 * BN_CTX_init() has been deprecated, as BN_CTX is an opaque structure
12382   that can only be obtained through BN_CTX_new() (which implicitly
12383   initialises it). The presence of this function only made it possible
12384   to overwrite an existing structure (and cause memory leaks).
12385
12386   *Geoff Thorpe*
12387
12388 * Because of the callback-based approach for implementing LHASH as a
12389   template type, lh_insert() adds opaque objects to hash-tables and
12390   lh_doall() or lh_doall_arg() are typically used with a destructor callback
12391   to clean up those corresponding objects before destroying the hash table
12392   (and losing the object pointers). So some over-zealous constifications in
12393   LHASH have been relaxed so that lh_insert() does not take (nor store) the
12394   objects as "const" and the `lh_doall[_arg]` callback wrappers are not
12395   prototyped to have "const" restrictions on the object pointers they are
12396   given (and so aren't required to cast them away any more).
12397
12398   *Geoff Thorpe*
12399
12400 * The tmdiff.h API was so ugly and minimal that our own timing utility
12401   (speed) prefers to use its own implementation. The two implementations
12402   haven't been consolidated as yet (volunteers?) but the tmdiff API has had
12403   its object type properly exposed (MS_TM) instead of casting to/from
12404   `char *`. This may still change yet if someone realises MS_TM and
12405   `ms_time_***`
12406   aren't necessarily the greatest nomenclatures - but this is what was used
12407   internally to the implementation so I've used that for now.
12408
12409   *Geoff Thorpe*
12410
12411 * Ensure that deprecated functions do not get compiled when
12412   OPENSSL_NO_DEPRECATED is defined. Some "openssl" subcommands and a few of
12413   the self-tests were still using deprecated key-generation functions so
12414   these have been updated also.
12415
12416   *Geoff Thorpe*
12417
12418 * Reorganise PKCS#7 code to separate the digest location functionality
12419   into PKCS7_find_digest(), digest addition into PKCS7_bio_add_digest().
12420   New function PKCS7_set_digest() to set the digest type for PKCS#7
12421   digestedData type. Add additional code to correctly generate the
12422   digestedData type and add support for this type in PKCS7 initialization
12423   functions.
12424
12425   *Steve Henson*
12426
12427 * New function PKCS7_set0_type_other() this initializes a PKCS7
12428   structure of type "other".
12429
12430   *Steve Henson*
12431
12432 * Fix prime generation loop in crypto/bn/bn_prime.pl by making
12433   sure the loop does correctly stop and breaking ("division by zero")
12434   modulus operations are not performed. The (pre-generated) prime
12435   table crypto/bn/bn_prime.h was already correct, but it could not be
12436   re-generated on some platforms because of the "division by zero"
12437   situation in the script.
12438
12439   *Ralf S. Engelschall*
12440
12441 * Update support for ECC-based TLS ciphersuites according to
12442   draft-ietf-tls-ecc-03.txt: the KDF1 key derivation function with
12443   SHA-1 now is only used for "small" curves (where the
12444   representation of a field element takes up to 24 bytes); for
12445   larger curves, the field element resulting from ECDH is directly
12446   used as premaster secret.
12447
12448   *Douglas Stebila (Sun Microsystems Laboratories)*
12449
12450 * Add code for kP+lQ timings to crypto/ec/ectest.c, and add SEC2
12451   curve secp160r1 to the tests.
12452
12453   *Douglas Stebila (Sun Microsystems Laboratories)*
12454
12455 * Add the possibility to load symbols globally with DSO.
12456
12457   *Götz Babin-Ebell <babin-ebell@trustcenter.de> via Richard Levitte*
12458
12459 * Add the functions ERR_set_mark() and ERR_pop_to_mark() for better
12460   control of the error stack.
12461
12462   *Richard Levitte*
12463
12464 * Add support for STORE in ENGINE.
12465
12466   *Richard Levitte*
12467
12468 * Add the STORE type.  The intention is to provide a common interface
12469   to certificate and key stores, be they simple file-based stores, or
12470   HSM-type store, or LDAP stores, or...
12471   NOTE: The code is currently UNTESTED and isn't really used anywhere.
12472
12473   *Richard Levitte*
12474
12475 * Add a generic structure called OPENSSL_ITEM.  This can be used to
12476   pass a list of arguments to any function as well as provide a way
12477   for a function to pass data back to the caller.
12478
12479   *Richard Levitte*
12480
12481 * Add the functions BUF_strndup() and BUF_memdup().  BUF_strndup()
12482   works like BUF_strdup() but can be used to duplicate a portion of
12483   a string.  The copy gets NUL-terminated.  BUF_memdup() duplicates
12484   a memory area.
12485
12486   *Richard Levitte*
12487
12488 * Add the function sk_find_ex() which works like sk_find(), but will
12489   return an index to an element even if an exact match couldn't be
12490   found.  The index is guaranteed to point at the element where the
12491   searched-for key would be inserted to preserve sorting order.
12492
12493   *Richard Levitte*
12494
12495 * Add the function OBJ_bsearch_ex() which works like OBJ_bsearch() but
12496   takes an extra flags argument for optional functionality.  Currently,
12497   the following flags are defined:
12498
12499      OBJ_BSEARCH_VALUE_ON_NOMATCH
12500      This one gets OBJ_bsearch_ex() to return a pointer to the first
12501      element where the comparing function returns a negative or zero
12502      number.
12503
12504      OBJ_BSEARCH_FIRST_VALUE_ON_MATCH
12505      This one gets OBJ_bsearch_ex() to return a pointer to the first
12506      element where the comparing function returns zero.  This is useful
12507      if there are more than one element where the comparing function
12508      returns zero.
12509
12510   *Richard Levitte*
12511
12512 * Make it possible to create self-signed certificates with 'openssl ca'
12513   in such a way that the self-signed certificate becomes part of the
12514   CA database and uses the same mechanisms for serial number generation
12515   as all other certificate signing.  The new flag '-selfsign' enables
12516   this functionality.  Adapt CA.sh and CA.pl.in.
12517
12518   *Richard Levitte*
12519
12520 * Add functionality to check the public key of a certificate request
12521   against a given private.  This is useful to check that a certificate
12522   request can be signed by that key (self-signing).
12523
12524   *Richard Levitte*
12525
12526 * Make it possible to have multiple active certificates with the same
12527   subject in the CA index file.  This is done only if the keyword
12528   'unique_subject' is set to 'no' in the main CA section (default
12529   if 'CA_default') of the configuration file.  The value is saved
12530   with the database itself in a separate index attribute file,
12531   named like the index file with '.attr' appended to the name.
12532
12533   *Richard Levitte*
12534
12535 * Generate multi-valued AVAs using '+' notation in config files for
12536   req and dirName.
12537
12538   *Steve Henson*
12539
12540 * Support for nameConstraints certificate extension.
12541
12542   *Steve Henson*
12543
12544 * Support for policyConstraints certificate extension.
12545
12546   *Steve Henson*
12547
12548 * Support for policyMappings certificate extension.
12549
12550   *Steve Henson*
12551
12552 * Make sure the default DSA_METHOD implementation only uses its
12553   dsa_mod_exp() and/or bn_mod_exp() handlers if they are non-NULL,
12554   and change its own handlers to be NULL so as to remove unnecessary
12555   indirection. This lets alternative implementations fallback to the
12556   default implementation more easily.
12557
12558   *Geoff Thorpe*
12559
12560 * Support for directoryName in GeneralName related extensions
12561   in config files.
12562
12563   *Steve Henson*
12564
12565 * Make it possible to link applications using Makefile.shared.
12566   Make that possible even when linking against static libraries!
12567
12568   *Richard Levitte*
12569
12570 * Support for single pass processing for S/MIME signing. This now
12571   means that S/MIME signing can be done from a pipe, in addition
12572   cleartext signing (multipart/signed type) is effectively streaming
12573   and the signed data does not need to be all held in memory.
12574
12575   This is done with a new flag PKCS7_STREAM. When this flag is set
12576   PKCS7_sign() only initializes the PKCS7 structure and the actual signing
12577   is done after the data is output (and digests calculated) in
12578   SMIME_write_PKCS7().
12579
12580   *Steve Henson*
12581
12582 * Add full support for -rpath/-R, both in shared libraries and
12583   applications, at least on the platforms where it's known how
12584   to do it.
12585
12586   *Richard Levitte*
12587
12588 * In crypto/ec/ec_mult.c, implement fast point multiplication with
12589   precomputation, based on wNAF splitting: EC_GROUP_precompute_mult()
12590   will now compute a table of multiples of the generator that
12591   makes subsequent invocations of EC_POINTs_mul() or EC_POINT_mul()
12592   faster (notably in the case of a single point multiplication,
12593   scalar * generator).
12594
12595   *Nils Larsch, Bodo Moeller*
12596
12597 * IPv6 support for certificate extensions. The various extensions
12598   which use the IP:a.b.c.d can now take IPv6 addresses using the
12599   formats of RFC1884 2.2 . IPv6 addresses are now also displayed
12600   correctly.
12601
12602   *Steve Henson*
12603
12604 * Added an ENGINE that implements RSA by performing private key
12605   exponentiations with the GMP library. The conversions to and from
12606   GMP's mpz_t format aren't optimised nor are any montgomery forms
12607   cached, and on x86 it appears OpenSSL's own performance has caught up.
12608   However there are likely to be other architectures where GMP could
12609   provide a boost. This ENGINE is not built in by default, but it can be
12610   specified at Configure time and should be accompanied by the necessary
12611   linker additions, eg;
12612           ./config -DOPENSSL_USE_GMP -lgmp
12613
12614   *Geoff Thorpe*
12615
12616 * "openssl engine" will not display ENGINE/DSO load failure errors when
12617   testing availability of engines with "-t" - the old behaviour is
12618   produced by increasing the feature's verbosity with "-tt".
12619
12620   *Geoff Thorpe*
12621
12622 * ECDSA routines: under certain error conditions uninitialized BN objects
12623   could be freed. Solution: make sure initialization is performed early
12624   enough. (Reported and fix supplied by Nils Larsch <nla@trustcenter.de>
12625   via PR#459)
12626
12627   *Lutz Jaenicke*
12628
12629 * Key-generation can now be implemented in RSA_METHOD, DSA_METHOD
12630   and DH_METHOD (eg. by ENGINE implementations) to override the normal
12631   software implementations. For DSA and DH, parameter generation can
12632   also be overridden by providing the appropriate method callbacks.
12633
12634   *Geoff Thorpe*
12635
12636 * Change the "progress" mechanism used in key-generation and
12637   primality testing to functions that take a new BN_GENCB pointer in
12638   place of callback/argument pairs. The new API functions have `_ex`
12639   postfixes and the older functions are reimplemented as wrappers for
12640   the new ones. The OPENSSL_NO_DEPRECATED symbol can be used to hide
12641   declarations of the old functions to help (graceful) attempts to
12642   migrate to the new functions. Also, the new key-generation API
12643   functions operate on a caller-supplied key-structure and return
12644   success/failure rather than returning a key or NULL - this is to
12645   help make "keygen" another member function of RSA_METHOD etc.
12646
12647   Example for using the new callback interface:
12648
12649           int (*my_callback)(int a, int b, BN_GENCB *cb) = ...;
12650           void *my_arg = ...;
12651           BN_GENCB my_cb;
12652
12653           BN_GENCB_set(&my_cb, my_callback, my_arg);
12654
12655           return BN_is_prime_ex(some_bignum, BN_prime_checks, NULL, &cb);
12656           /* For the meaning of a, b in calls to my_callback(), see the
12657            * documentation of the function that calls the callback.
12658            * cb will point to my_cb; my_arg can be retrieved as cb->arg.
12659            * my_callback should return 1 if it wants BN_is_prime_ex()
12660            * to continue, or 0 to stop.
12661            */
12662
12663   *Geoff Thorpe*
12664
12665 * Change the ZLIB compression method to be stateful, and make it
12666   available to TLS with the number defined in
12667   draft-ietf-tls-compression-04.txt.
12668
12669   *Richard Levitte*
12670
12671 * Add the ASN.1 structures and functions for CertificatePair, which
12672   is defined as follows (according to X.509_4thEditionDraftV6.pdf):
12673
12674           CertificatePair ::= SEQUENCE {
12675              forward         [0]     Certificate OPTIONAL,
12676              reverse         [1]     Certificate OPTIONAL,
12677              -- at least one of the pair shall be present -- }
12678
12679   Also implement the PEM functions to read and write certificate
12680   pairs, and defined the PEM tag as "CERTIFICATE PAIR".
12681
12682   This needed to be defined, mostly for the sake of the LDAP
12683   attribute crossCertificatePair, but may prove useful elsewhere as
12684   well.
12685
12686   *Richard Levitte*
12687
12688 * Make it possible to inhibit symlinking of shared libraries in
12689   Makefile.shared, for Cygwin's sake.
12690
12691   *Richard Levitte*
12692
12693 * Extend the BIGNUM API by creating a function
12694           void BN_set_negative(BIGNUM *a, int neg);
12695   and a macro that behave like
12696           int  BN_is_negative(const BIGNUM *a);
12697
12698   to avoid the need to access 'a->neg' directly in applications.
12699
12700   *Nils Larsch*
12701
12702 * Implement fast modular reduction for pseudo-Mersenne primes
12703   used in NIST curves (crypto/bn/bn_nist.c, crypto/ec/ecp_nist.c).
12704   EC_GROUP_new_curve_GFp() will now automatically use this
12705   if applicable.
12706
12707   *Nils Larsch <nla@trustcenter.de>*
12708
12709 * Add new lock type (CRYPTO_LOCK_BN).
12710
12711   *Bodo Moeller*
12712
12713 * Change the ENGINE framework to automatically load engines
12714   dynamically from specific directories unless they could be
12715   found to already be built in or loaded.  Move all the
12716   current engines except for the cryptodev one to a new
12717   directory engines/.
12718   The engines in engines/ are built as shared libraries if
12719   the "shared" options was given to ./Configure or ./config.
12720   Otherwise, they are inserted in libcrypto.a.
12721   /usr/local/ssl/engines is the default directory for dynamic
12722   engines, but that can be overridden at configure time through
12723   the usual use of --prefix and/or --openssldir, and at run
12724   time with the environment variable OPENSSL_ENGINES.
12725
12726   *Geoff Thorpe and Richard Levitte*
12727
12728 * Add Makefile.shared, a helper makefile to build shared
12729   libraries.  Adapt Makefile.org.
12730
12731   *Richard Levitte*
12732
12733 * Add version info to Win32 DLLs.
12734
12735   *Peter 'Luna' Runestig" <peter@runestig.com>*
12736
12737 * Add new 'medium level' PKCS#12 API. Certificates and keys
12738   can be added using this API to created arbitrary PKCS#12
12739   files while avoiding the low-level API.
12740
12741   New options to PKCS12_create(), key or cert can be NULL and
12742   will then be omitted from the output file. The encryption
12743   algorithm NIDs can be set to -1 for no encryption, the mac
12744   iteration count can be set to 0 to omit the mac.
12745
12746   Enhance pkcs12 utility by making the -nokeys and -nocerts
12747   options work when creating a PKCS#12 file. New option -nomac
12748   to omit the mac, NONE can be set for an encryption algorithm.
12749   New code is modified to use the enhanced PKCS12_create()
12750   instead of the low-level API.
12751
12752   *Steve Henson*
12753
12754 * Extend ASN1 encoder to support indefinite length constructed
12755   encoding. This can output sequences tags and octet strings in
12756   this form. Modify pk7_asn1.c to support indefinite length
12757   encoding. This is experimental and needs additional code to
12758   be useful, such as an ASN1 bio and some enhanced streaming
12759   PKCS#7 code.
12760
12761   Extend template encode functionality so that tagging is passed
12762   down to the template encoder.
12763
12764   *Steve Henson*
12765
12766 * Let 'openssl req' fail if an argument to '-newkey' is not
12767   recognized instead of using RSA as a default.
12768
12769   *Bodo Moeller*
12770
12771 * Add support for ECC-based ciphersuites from draft-ietf-tls-ecc-01.txt.
12772   As these are not official, they are not included in "ALL";
12773   the "ECCdraft" ciphersuite group alias can be used to select them.
12774
12775   *Vipul Gupta and Sumit Gupta (Sun Microsystems Laboratories)*
12776
12777 * Add ECDH engine support.
12778
12779   *Nils Gura and Douglas Stebila (Sun Microsystems Laboratories)*
12780
12781 * Add ECDH in new directory crypto/ecdh/.
12782
12783   *Douglas Stebila (Sun Microsystems Laboratories)*
12784
12785 * Let BN_rand_range() abort with an error after 100 iterations
12786   without success (which indicates a broken PRNG).
12787
12788   *Bodo Moeller*
12789
12790 * Change BN_mod_sqrt() so that it verifies that the input value
12791   is really the square of the return value.  (Previously,
12792   BN_mod_sqrt would show GIGO behaviour.)
12793
12794   *Bodo Moeller*
12795
12796 * Add named elliptic curves over binary fields from X9.62, SECG,
12797   and WAP/WTLS; add OIDs that were still missing.
12798
12799   *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*
12800
12801 * Extend the EC library for elliptic curves over binary fields
12802   (new files ec2_smpl.c, ec2_smpt.c, ec2_mult.c in crypto/ec/).
12803   New EC_METHOD:
12804
12805           EC_GF2m_simple_method
12806
12807   New API functions:
12808
12809           EC_GROUP_new_curve_GF2m
12810           EC_GROUP_set_curve_GF2m
12811           EC_GROUP_get_curve_GF2m
12812           EC_POINT_set_affine_coordinates_GF2m
12813           EC_POINT_get_affine_coordinates_GF2m
12814           EC_POINT_set_compressed_coordinates_GF2m
12815
12816   Point compression for binary fields is disabled by default for
12817   patent reasons (compile with OPENSSL_EC_BIN_PT_COMP defined to
12818   enable it).
12819
12820   As binary polynomials are represented as BIGNUMs, various members
12821   of the EC_GROUP and EC_POINT data structures can be shared
12822   between the implementations for prime fields and binary fields;
12823   the above `..._GF2m functions` (except for EX_GROUP_new_curve_GF2m)
12824   are essentially identical to their `..._GFp` counterparts.
12825   (For simplicity, the `..._GFp` prefix has been dropped from
12826   various internal method names.)
12827
12828   An internal 'field_div' method (similar to 'field_mul' and
12829   'field_sqr') has been added; this is used only for binary fields.
12830
12831   *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*
12832
12833 * Optionally dispatch EC_POINT_mul(), EC_POINT_precompute_mult()
12834   through methods ('mul', 'precompute_mult').
12835
12836   The generic implementations (now internally called 'ec_wNAF_mul'
12837   and 'ec_wNAF_precomputed_mult') remain the default if these
12838   methods are undefined.
12839
12840   *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*
12841
12842 * New function EC_GROUP_get_degree, which is defined through
12843   EC_METHOD.  For curves over prime fields, this returns the bit
12844   length of the modulus.
12845
12846   *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*
12847
12848 * New functions EC_GROUP_dup, EC_POINT_dup.
12849   (These simply call ..._new  and ..._copy).
12850
12851   *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*
12852
12853 * Add binary polynomial arithmetic software in crypto/bn/bn_gf2m.c.
12854   Polynomials are represented as BIGNUMs (where the sign bit is not
12855   used) in the following functions [macros]:
12856
12857           BN_GF2m_add
12858           BN_GF2m_sub             [= BN_GF2m_add]
12859           BN_GF2m_mod             [wrapper for BN_GF2m_mod_arr]
12860           BN_GF2m_mod_mul         [wrapper for BN_GF2m_mod_mul_arr]
12861           BN_GF2m_mod_sqr         [wrapper for BN_GF2m_mod_sqr_arr]
12862           BN_GF2m_mod_inv
12863           BN_GF2m_mod_exp         [wrapper for BN_GF2m_mod_exp_arr]
12864           BN_GF2m_mod_sqrt        [wrapper for BN_GF2m_mod_sqrt_arr]
12865           BN_GF2m_mod_solve_quad  [wrapper for BN_GF2m_mod_solve_quad_arr]
12866           BN_GF2m_cmp             [= BN_ucmp]
12867
12868   (Note that only the 'mod' functions are actually for fields GF(2^m).
12869   BN_GF2m_add() is misnomer, but this is for the sake of consistency.)
12870
12871   For some functions, an the irreducible polynomial defining a
12872   field can be given as an 'unsigned int[]' with strictly
12873   decreasing elements giving the indices of those bits that are set;
12874   i.e., p[] represents the polynomial
12875           f(t) = t^p[0] + t^p[1] + ... + t^p[k]
12876   where
12877           p[0] > p[1] > ... > p[k] = 0.
12878   This applies to the following functions:
12879
12880           BN_GF2m_mod_arr
12881           BN_GF2m_mod_mul_arr
12882           BN_GF2m_mod_sqr_arr
12883           BN_GF2m_mod_inv_arr        [wrapper for BN_GF2m_mod_inv]
12884           BN_GF2m_mod_div_arr        [wrapper for BN_GF2m_mod_div]
12885           BN_GF2m_mod_exp_arr
12886           BN_GF2m_mod_sqrt_arr
12887           BN_GF2m_mod_solve_quad_arr
12888           BN_GF2m_poly2arr
12889           BN_GF2m_arr2poly
12890
12891   Conversion can be performed by the following functions:
12892
12893           BN_GF2m_poly2arr
12894           BN_GF2m_arr2poly
12895
12896   bntest.c has additional tests for binary polynomial arithmetic.
12897
12898   Two implementations for BN_GF2m_mod_div() are available.
12899   The default algorithm simply uses BN_GF2m_mod_inv() and
12900   BN_GF2m_mod_mul().  The alternative algorithm is compiled in only
12901   if OPENSSL_SUN_GF2M_DIV is defined (patent pending; read the
12902   copyright notice in crypto/bn/bn_gf2m.c before enabling it).
12903
12904   *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*
12905
12906 * Add new error code 'ERR_R_DISABLED' that can be used when some
12907   functionality is disabled at compile-time.
12908
12909   *Douglas Stebila <douglas.stebila@sun.com>*
12910
12911 * Change default behaviour of 'openssl asn1parse' so that more
12912   information is visible when viewing, e.g., a certificate:
12913
12914   Modify asn1_parse2 (crypto/asn1/asn1_par.c) so that in non-'dump'
12915   mode the content of non-printable OCTET STRINGs is output in a
12916   style similar to INTEGERs, but with '[HEX DUMP]' prepended to
12917   avoid the appearance of a printable string.
12918
12919   *Nils Larsch <nla@trustcenter.de>*
12920
12921 * Add 'asn1_flag' and 'asn1_form' member to EC_GROUP with access
12922   functions
12923           EC_GROUP_set_asn1_flag()
12924           EC_GROUP_get_asn1_flag()
12925           EC_GROUP_set_point_conversion_form()
12926           EC_GROUP_get_point_conversion_form()
12927   These control ASN1 encoding details:
12928   - Curves (i.e., groups) are encoded explicitly unless asn1_flag
12929     has been set to OPENSSL_EC_NAMED_CURVE.
12930   - Points are encoded in uncompressed form by default; options for
12931     asn1_for are as for point2oct, namely
12932           POINT_CONVERSION_COMPRESSED
12933           POINT_CONVERSION_UNCOMPRESSED
12934           POINT_CONVERSION_HYBRID
12935
12936   Also add 'seed' and 'seed_len' members to EC_GROUP with access
12937   functions
12938           EC_GROUP_set_seed()
12939           EC_GROUP_get0_seed()
12940           EC_GROUP_get_seed_len()
12941   This is used only for ASN1 purposes (so far).
12942
12943   *Nils Larsch <nla@trustcenter.de>*
12944
12945 * Add 'field_type' member to EC_METHOD, which holds the NID
12946   of the appropriate field type OID.  The new function
12947   EC_METHOD_get_field_type() returns this value.
12948
12949   *Nils Larsch <nla@trustcenter.de>*
12950
12951 * Add functions
12952           EC_POINT_point2bn()
12953           EC_POINT_bn2point()
12954           EC_POINT_point2hex()
12955           EC_POINT_hex2point()
12956   providing useful interfaces to EC_POINT_point2oct() and
12957   EC_POINT_oct2point().
12958
12959   *Nils Larsch <nla@trustcenter.de>*
12960
12961 * Change internals of the EC library so that the functions
12962           EC_GROUP_set_generator()
12963           EC_GROUP_get_generator()
12964           EC_GROUP_get_order()
12965           EC_GROUP_get_cofactor()
12966   are implemented directly in crypto/ec/ec_lib.c and not dispatched
12967   to methods, which would lead to unnecessary code duplication when
12968   adding different types of curves.
12969
12970   *Nils Larsch <nla@trustcenter.de> with input by Bodo Moeller*
12971
12972 * Implement compute_wNAF (crypto/ec/ec_mult.c) without BIGNUM
12973   arithmetic, and such that modified wNAFs are generated
12974   (which avoid length expansion in many cases).
12975
12976   *Bodo Moeller*
12977
12978 * Add a function EC_GROUP_check_discriminant() (defined via
12979   EC_METHOD) that verifies that the curve discriminant is non-zero.
12980
12981   Add a function EC_GROUP_check() that makes some sanity tests
12982   on a EC_GROUP, its generator and order.  This includes
12983   EC_GROUP_check_discriminant().
12984
12985   *Nils Larsch <nla@trustcenter.de>*
12986
12987 * Add ECDSA in new directory crypto/ecdsa/.
12988
12989   Add applications 'openssl ecparam' and 'openssl ecdsa'
12990   (these are based on 'openssl dsaparam' and 'openssl dsa').
12991
12992   ECDSA support is also included in various other files across the
12993   library.  Most notably,
12994   - 'openssl req' now has a '-newkey ecdsa:file' option;
12995   - EVP_PKCS82PKEY (crypto/evp/evp_pkey.c) now can handle ECDSA;
12996   - X509_PUBKEY_get (crypto/asn1/x_pubkey.c) and
12997     d2i_PublicKey (crypto/asn1/d2i_pu.c) have been modified to make
12998     them suitable for ECDSA where domain parameters must be
12999     extracted before the specific public key;
13000   - ECDSA engine support has been added.
13001
13002   *Nils Larsch <nla@trustcenter.de>*
13003
13004 * Include some named elliptic curves, and add OIDs from X9.62,
13005   SECG, and WAP/WTLS.  Each curve can be obtained from the new
13006   function
13007           EC_GROUP_new_by_curve_name(),
13008   and the list of available named curves can be obtained with
13009           EC_get_builtin_curves().
13010   Also add a 'curve_name' member to EC_GROUP objects, which can be
13011   accessed via
13012           EC_GROUP_set_curve_name()
13013           EC_GROUP_get_curve_name()
13014
13015   *Nils Larsch <larsch@trustcenter.de, Bodo Moeller*
13016
13017 * Remove a few calls to bn_wexpand() in BN_sqr() (the one in there
13018   was actually never needed) and in BN_mul().  The removal in BN_mul()
13019   required a small change in bn_mul_part_recursive() and the addition
13020   of the functions bn_cmp_part_words(), bn_sub_part_words() and
13021   bn_add_part_words(), which do the same thing as bn_cmp_words(),
13022   bn_sub_words() and bn_add_words() except they take arrays with
13023   differing sizes.
13024
13025   *Richard Levitte*
13026
13027### Changes between 0.9.7l and 0.9.7m  [23 Feb 2007]
13028
13029 * Cleanse PEM buffers before freeing them since they may contain
13030   sensitive data.
13031
13032   *Benjamin Bennett <ben@psc.edu>*
13033
13034 * Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that
13035   a ciphersuite string such as "DEFAULT:RSA" cannot enable
13036   authentication-only ciphersuites.
13037
13038   *Bodo Moeller*
13039
13040 * Since AES128 and AES256 share a single mask bit in the logic of
13041   ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
13042   kludge to work properly if AES128 is available and AES256 isn't.
13043
13044   *Victor Duchovni*
13045
13046 * Expand security boundary to match 1.1.1 module.
13047
13048   *Steve Henson*
13049
13050 * Remove redundant features: hash file source, editing of test vectors
13051   modify fipsld to use external fips_premain.c signature.
13052
13053   *Steve Henson*
13054
13055 * New perl script mkfipsscr.pl to create shell scripts or batch files to
13056   run algorithm test programs.
13057
13058   *Steve Henson*
13059
13060 * Make algorithm test programs more tolerant of whitespace.
13061
13062   *Steve Henson*
13063
13064 * Have SSL/TLS server implementation tolerate "mismatched" record
13065   protocol version while receiving ClientHello even if the
13066   ClientHello is fragmented.  (The server can't insist on the
13067   particular protocol version it has chosen before the ServerHello
13068   message has informed the client about his choice.)
13069
13070   *Bodo Moeller*
13071
13072 * Load error codes if they are not already present instead of using a
13073   static variable. This allows them to be cleanly unloaded and reloaded.
13074
13075   *Steve Henson*
13076
13077### Changes between 0.9.7k and 0.9.7l  [28 Sep 2006]
13078
13079 * Introduce limits to prevent malicious keys being able to
13080   cause a denial of service.  ([CVE-2006-2940])
13081
13082   *Steve Henson, Bodo Moeller*
13083
13084 * Fix ASN.1 parsing of certain invalid structures that can result
13085   in a denial of service.  ([CVE-2006-2937])  [Steve Henson]
13086
13087 * Fix buffer overflow in SSL_get_shared_ciphers() function.
13088   ([CVE-2006-3738]) [Tavis Ormandy and Will Drewry, Google Security Team]
13089
13090 * Fix SSL client code which could crash if connecting to a
13091   malicious SSLv2 server.  ([CVE-2006-4343])
13092
13093   *Tavis Ormandy and Will Drewry, Google Security Team*
13094
13095 * Change ciphersuite string processing so that an explicit
13096   ciphersuite selects this one ciphersuite (so that "AES256-SHA"
13097   will no longer include "AES128-SHA"), and any other similar
13098   ciphersuite (same bitmap) from *other* protocol versions (so that
13099   "RC4-MD5" will still include both the SSL 2.0 ciphersuite and the
13100   SSL 3.0/TLS 1.0 ciphersuite).  This is a backport combining
13101   changes from 0.9.8b and 0.9.8d.
13102
13103   *Bodo Moeller*
13104
13105### Changes between 0.9.7j and 0.9.7k  [05 Sep 2006]
13106
13107 * Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
13108   ([CVE-2006-4339])  [Ben Laurie and Google Security Team]
13109
13110 * Change the Unix randomness entropy gathering to use poll() when
13111   possible instead of select(), since the latter has some
13112   undesirable limitations.
13113
13114   *Darryl Miles via Richard Levitte and Bodo Moeller*
13115
13116 * Disable rogue ciphersuites:
13117
13118   - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
13119   - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
13120   - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
13121
13122   The latter two were purportedly from
13123   draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
13124   appear there.
13125
13126   Also deactivate the remaining ciphersuites from
13127   draft-ietf-tls-56-bit-ciphersuites-01.txt.  These are just as
13128   unofficial, and the ID has long expired.
13129
13130   *Bodo Moeller*
13131
13132 * Fix RSA blinding Heisenbug (problems sometimes occurred on
13133   dual-core machines) and other potential thread-safety issues.
13134
13135   *Bodo Moeller*
13136
13137### Changes between 0.9.7i and 0.9.7j  [04 May 2006]
13138
13139 * Adapt fipsld and the build system to link against the validated FIPS
13140   module in FIPS mode.
13141
13142   *Steve Henson*
13143
13144 * Fixes for VC++ 2005 build under Windows.
13145
13146   *Steve Henson*
13147
13148 * Add new Windows build target VC-32-GMAKE for VC++. This uses GNU make
13149   from a Windows bash shell such as MSYS. It is autodetected from the
13150   "config" script when run from a VC++ environment. Modify standard VC++
13151   build to use fipscanister.o from the GNU make build.
13152
13153   *Steve Henson*
13154
13155### Changes between 0.9.7h and 0.9.7i  [14 Oct 2005]
13156
13157 * Wrapped the definition of EVP_MAX_MD_SIZE in a #ifdef OPENSSL_FIPS.
13158   The value now differs depending on if you build for FIPS or not.
13159   BEWARE!  A program linked with a shared FIPSed libcrypto can't be
13160   safely run with a non-FIPSed libcrypto, as it may crash because of
13161   the difference induced by this change.
13162
13163   *Andy Polyakov*
13164
13165### Changes between 0.9.7g and 0.9.7h  [11 Oct 2005]
13166
13167 * Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
13168   (part of SSL_OP_ALL).  This option used to disable the
13169   countermeasure against man-in-the-middle protocol-version
13170   rollback in the SSL 2.0 server implementation, which is a bad
13171   idea.  ([CVE-2005-2969])
13172
13173   *Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center
13174   for Information Security, National Institute of Advanced Industrial
13175   Science and Technology [AIST, Japan)]*
13176
13177 * Minimal support for X9.31 signatures and PSS padding modes. This is
13178   mainly for FIPS compliance and not fully integrated at this stage.
13179
13180   *Steve Henson*
13181
13182 * For DSA signing, unless DSA_FLAG_NO_EXP_CONSTTIME is set, perform
13183   the exponentiation using a fixed-length exponent.  (Otherwise,
13184   the information leaked through timing could expose the secret key
13185   after many signatures; cf. Bleichenbacher's attack on DSA with
13186   biased k.)
13187
13188   *Bodo Moeller*
13189
13190 * Make a new fixed-window mod_exp implementation the default for
13191   RSA, DSA, and DH private-key operations so that the sequence of
13192   squares and multiplies and the memory access pattern are
13193   independent of the particular secret key.  This will mitigate
13194   cache-timing and potential related attacks.
13195
13196   BN_mod_exp_mont_consttime() is the new exponentiation implementation,
13197   and this is automatically used by BN_mod_exp_mont() if the new flag
13198   BN_FLG_EXP_CONSTTIME is set for the exponent.  RSA, DSA, and DH
13199   will use this BN flag for private exponents unless the flag
13200   RSA_FLAG_NO_EXP_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME, or
13201   DH_FLAG_NO_EXP_CONSTTIME, respectively, is set.
13202
13203   *Matthew D Wood (Intel Corp), with some changes by Bodo Moeller*
13204
13205 * Change the client implementation for SSLv23_method() and
13206   SSLv23_client_method() so that is uses the SSL 3.0/TLS 1.0
13207   Client Hello message format if the SSL_OP_NO_SSLv2 option is set.
13208   (Previously, the SSL 2.0 backwards compatible Client Hello
13209   message format would be used even with SSL_OP_NO_SSLv2.)
13210
13211   *Bodo Moeller*
13212
13213 * Add support for smime-type MIME parameter in S/MIME messages which some
13214   clients need.
13215
13216   *Steve Henson*
13217
13218 * New function BN_MONT_CTX_set_locked() to set montgomery parameters in
13219   a threadsafe manner. Modify rsa code to use new function and add calls
13220   to dsa and dh code (which had race conditions before).
13221
13222   *Steve Henson*
13223
13224 * Include the fixed error library code in the C error file definitions
13225   instead of fixing them up at runtime. This keeps the error code
13226   structures constant.
13227
13228   *Steve Henson*
13229
13230### Changes between 0.9.7f and 0.9.7g  [11 Apr 2005]
13231
13232[NB: OpenSSL 0.9.7h and later 0.9.7 patch levels were released after
13233OpenSSL 0.9.8.]
13234
13235 * Fixes for newer kerberos headers. NB: the casts are needed because
13236   the 'length' field is signed on one version and unsigned on another
13237   with no (?) obvious way to tell the difference, without these VC++
13238   complains. Also the "definition" of FAR (blank) is no longer included
13239   nor is the error ENOMEM. KRB5_PRIVATE has to be set to 1 to pick up
13240   some needed definitions.
13241
13242   *Steve Henson*
13243
13244 * Undo Cygwin change.
13245
13246   *Ulf Möller*
13247
13248 * Added support for proxy certificates according to RFC 3820.
13249   Because they may be a security thread to unaware applications,
13250   they must be explicitly allowed in run-time.  See
13251   docs/HOWTO/proxy_certificates.txt for further information.
13252
13253   *Richard Levitte*
13254
13255### Changes between 0.9.7e and 0.9.7f  [22 Mar 2005]
13256
13257 * Use (SSL_RANDOM_VALUE - 4) bytes of pseudo random data when generating
13258   server and client random values. Previously
13259   (SSL_RANDOM_VALUE - sizeof(time_t)) would be used which would result in
13260   less random data when sizeof(time_t) > 4 (some 64 bit platforms).
13261
13262   This change has negligible security impact because:
13263
13264   1. Server and client random values still have 24 bytes of pseudo random
13265      data.
13266
13267   2. Server and client random values are sent in the clear in the initial
13268      handshake.
13269
13270   3. The master secret is derived using the premaster secret (48 bytes in
13271      size for static RSA ciphersuites) as well as client server and random
13272      values.
13273
13274   The OpenSSL team would like to thank the UK NISCC for bringing this issue
13275   to our attention.
13276
13277   *Stephen Henson, reported by UK NISCC*
13278
13279 * Use Windows randomness collection on Cygwin.
13280
13281   *Ulf Möller*
13282
13283 * Fix hang in EGD/PRNGD query when communication socket is closed
13284   prematurely by EGD/PRNGD.
13285
13286   *Darren Tucker <dtucker@zip.com.au> via Lutz Jänicke, resolves #1014*
13287
13288 * Prompt for pass phrases when appropriate for PKCS12 input format.
13289
13290   *Steve Henson*
13291
13292 * Back-port of selected performance improvements from development
13293   branch, as well as improved support for PowerPC platforms.
13294
13295   *Andy Polyakov*
13296
13297 * Add lots of checks for memory allocation failure, error codes to indicate
13298   failure and freeing up memory if a failure occurs.
13299
13300   *Nauticus Networks SSL Team <openssl@nauticusnet.com>, Steve Henson*
13301
13302 * Add new -passin argument to dgst.
13303
13304   *Steve Henson*
13305
13306 * Perform some character comparisons of different types in X509_NAME_cmp:
13307   this is needed for some certificates that re-encode DNs into UTF8Strings
13308   (in violation of RFC3280) and can't or won't issue name rollover
13309   certificates.
13310
13311   *Steve Henson*
13312
13313 * Make an explicit check during certificate validation to see that
13314   the CA setting in each certificate on the chain is correct.  As a
13315   side effect always do the following basic checks on extensions,
13316   not just when there's an associated purpose to the check:
13317
13318   - if there is an unhandled critical extension (unless the user
13319     has chosen to ignore this fault)
13320   - if the path length has been exceeded (if one is set at all)
13321   - that certain extensions fit the associated purpose (if one has
13322     been given)
13323
13324   *Richard Levitte*
13325
13326### Changes between 0.9.7d and 0.9.7e  [25 Oct 2004]
13327
13328 * Avoid a race condition when CRLs are checked in a multi threaded
13329   environment. This would happen due to the reordering of the revoked
13330   entries during signature checking and serial number lookup. Now the
13331   encoding is cached and the serial number sort performed under a lock.
13332   Add new STACK function sk_is_sorted().
13333
13334   *Steve Henson*
13335
13336 * Add Delta CRL to the extension code.
13337
13338   *Steve Henson*
13339
13340 * Various fixes to s3_pkt.c so alerts are sent properly.
13341
13342   *David Holmes <d.holmes@f5.com>*
13343
13344 * Reduce the chances of duplicate issuer name and serial numbers (in
13345   violation of RFC3280) using the OpenSSL certificate creation utilities.
13346   This is done by creating a random 64 bit value for the initial serial
13347   number when a serial number file is created or when a self signed
13348   certificate is created using 'openssl req -x509'. The initial serial
13349   number file is created using 'openssl x509 -next_serial' in CA.pl
13350   rather than being initialized to 1.
13351
13352   *Steve Henson*
13353
13354### Changes between 0.9.7c and 0.9.7d  [17 Mar 2004]
13355
13356 * Fix null-pointer assignment in do_change_cipher_spec() revealed
13357   by using the Codenomicon TLS Test Tool ([CVE-2004-0079])
13358
13359   *Joe Orton, Steve Henson*
13360
13361 * Fix flaw in SSL/TLS handshaking when using Kerberos ciphersuites
13362   ([CVE-2004-0112])
13363
13364   *Joe Orton, Steve Henson*
13365
13366 * Make it possible to have multiple active certificates with the same
13367   subject in the CA index file.  This is done only if the keyword
13368   'unique_subject' is set to 'no' in the main CA section (default
13369   if 'CA_default') of the configuration file.  The value is saved
13370   with the database itself in a separate index attribute file,
13371   named like the index file with '.attr' appended to the name.
13372
13373   *Richard Levitte*
13374
13375 * X509 verify fixes. Disable broken certificate workarounds when
13376   X509_V_FLAGS_X509_STRICT is set. Check CRL issuer has cRLSign set if
13377   keyUsage extension present. Don't accept CRLs with unhandled critical
13378   extensions: since verify currently doesn't process CRL extensions this
13379   rejects a CRL with *any* critical extensions. Add new verify error codes
13380   for these cases.
13381
13382   *Steve Henson*
13383
13384 * When creating an OCSP nonce use an OCTET STRING inside the extnValue.
13385   A clarification of RFC2560 will require the use of OCTET STRINGs and
13386   some implementations cannot handle the current raw format. Since OpenSSL
13387   copies and compares OCSP nonces as opaque blobs without any attempt at
13388   parsing them this should not create any compatibility issues.
13389
13390   *Steve Henson*
13391
13392 * New md flag EVP_MD_CTX_FLAG_REUSE this allows md_data to be reused when
13393   calling EVP_MD_CTX_copy_ex() to avoid calling OPENSSL_malloc(). Without
13394   this HMAC (and other) operations are several times slower than OpenSSL
13395   < 0.9.7.
13396
13397   *Steve Henson*
13398
13399 * Print out GeneralizedTime and UTCTime in ASN1_STRING_print_ex().
13400
13401   *Peter Sylvester <Peter.Sylvester@EdelWeb.fr>*
13402
13403 * Use the correct content when signing type "other".
13404
13405   *Steve Henson*
13406
13407### Changes between 0.9.7b and 0.9.7c  [30 Sep 2003]
13408
13409 * Fix various bugs revealed by running the NISCC test suite:
13410
13411   Stop out of bounds reads in the ASN1 code when presented with
13412   invalid tags (CVE-2003-0543 and CVE-2003-0544).
13413
13414   Free up ASN1_TYPE correctly if ANY type is invalid ([CVE-2003-0545]).
13415
13416   If verify callback ignores invalid public key errors don't try to check
13417   certificate signature with the NULL public key.
13418
13419   *Steve Henson*
13420
13421 * New -ignore_err option in ocsp application to stop the server
13422   exiting on the first error in a request.
13423
13424   *Steve Henson*
13425
13426 * In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
13427   if the server requested one: as stated in TLS 1.0 and SSL 3.0
13428   specifications.
13429
13430   *Steve Henson*
13431
13432 * In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
13433   extra data after the compression methods not only for TLS 1.0
13434   but also for SSL 3.0 (as required by the specification).
13435
13436   *Bodo Moeller; problem pointed out by Matthias Loepfe*
13437
13438 * Change X509_certificate_type() to mark the key as exported/exportable
13439   when it's 512 *bits* long, not 512 bytes.
13440
13441   *Richard Levitte*
13442
13443 * Change AES_cbc_encrypt() so it outputs exact multiple of
13444   blocks during encryption.
13445
13446   *Richard Levitte*
13447
13448 * Various fixes to base64 BIO and non blocking I/O. On write
13449   flushes were not handled properly if the BIO retried. On read
13450   data was not being buffered properly and had various logic bugs.
13451   This also affects blocking I/O when the data being decoded is a
13452   certain size.
13453
13454   *Steve Henson*
13455
13456 * Various S/MIME bugfixes and compatibility changes:
13457   output correct application/pkcs7 MIME type if
13458   PKCS7_NOOLDMIMETYPE is set. Tolerate some broken signatures.
13459   Output CR+LF for EOL if PKCS7_CRLFEOL is set (this makes opening
13460   of files as .eml work). Correctly handle very long lines in MIME
13461   parser.
13462
13463   *Steve Henson*
13464
13465### Changes between 0.9.7a and 0.9.7b  [10 Apr 2003]
13466
13467 * Countermeasure against the Klima-Pokorny-Rosa extension of
13468   Bleichbacher's attack on PKCS #1 v1.5 padding: treat
13469   a protocol version number mismatch like a decryption error
13470   in ssl3_get_client_key_exchange (ssl/s3_srvr.c).
13471
13472   *Bodo Moeller*
13473
13474 * Turn on RSA blinding by default in the default implementation
13475   to avoid a timing attack. Applications that don't want it can call
13476   RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING.
13477   They would be ill-advised to do so in most cases.
13478
13479   *Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller*
13480
13481 * Change RSA blinding code so that it works when the PRNG is not
13482   seeded (in this case, the secret RSA exponent is abused as
13483   an unpredictable seed -- if it is not unpredictable, there
13484   is no point in blinding anyway).  Make RSA blinding thread-safe
13485   by remembering the creator's thread ID in rsa->blinding and
13486   having all other threads use local one-time blinding factors
13487   (this requires more computation than sharing rsa->blinding, but
13488   avoids excessive locking; and if an RSA object is not shared
13489   between threads, blinding will still be very fast).
13490
13491   *Bodo Moeller*
13492
13493 * Fixed a typo bug that would cause ENGINE_set_default() to set an
13494   ENGINE as defaults for all supported algorithms irrespective of
13495   the 'flags' parameter. 'flags' is now honoured, so applications
13496   should make sure they are passing it correctly.
13497
13498   *Geoff Thorpe*
13499
13500 * Target "mingw" now allows native Windows code to be generated in
13501   the Cygwin environment as well as with the MinGW compiler.
13502
13503   *Ulf Moeller*
13504
13505### Changes between 0.9.7 and 0.9.7a  [19 Feb 2003]
13506
13507 * In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
13508   via timing by performing a MAC computation even if incorrect
13509   block cipher padding has been found.  This is a countermeasure
13510   against active attacks where the attacker has to distinguish
13511   between bad padding and a MAC verification error. ([CVE-2003-0078])
13512
13513   *Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
13514   Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
13515   Martin Vuagnoux (EPFL, Ilion)*
13516
13517 * Make the no-err option work as intended.  The intention with no-err
13518   is not to have the whole error stack handling routines removed from
13519   libcrypto, it's only intended to remove all the function name and
13520   reason texts, thereby removing some of the footprint that may not
13521   be interesting if those errors aren't displayed anyway.
13522
13523   NOTE: it's still possible for any application or module to have its
13524   own set of error texts inserted.  The routines are there, just not
13525   used by default when no-err is given.
13526
13527   *Richard Levitte*
13528
13529 * Add support for FreeBSD on IA64.
13530
13531   *dirk.meyer@dinoex.sub.org via Richard Levitte, resolves #454*
13532
13533 * Adjust DES_cbc_cksum() so it returns the same value as the MIT
13534   Kerberos function mit_des_cbc_cksum().  Before this change,
13535   the value returned by DES_cbc_cksum() was like the one from
13536   mit_des_cbc_cksum(), except the bytes were swapped.
13537
13538   *Kevin Greaney <Kevin.Greaney@hp.com> and Richard Levitte*
13539
13540 * Allow an application to disable the automatic SSL chain building.
13541   Before this a rather primitive chain build was always performed in
13542   ssl3_output_cert_chain(): an application had no way to send the
13543   correct chain if the automatic operation produced an incorrect result.
13544
13545   Now the chain builder is disabled if either:
13546
13547   1. Extra certificates are added via SSL_CTX_add_extra_chain_cert().
13548
13549   2. The mode flag SSL_MODE_NO_AUTO_CHAIN is set.
13550
13551   The reasoning behind this is that an application would not want the
13552   auto chain building to take place if extra chain certificates are
13553   present and it might also want a means of sending no additional
13554   certificates (for example the chain has two certificates and the
13555   root is omitted).
13556
13557   *Steve Henson*
13558
13559 * Add the possibility to build without the ENGINE framework.
13560
13561   *Steven Reddie <smr@essemer.com.au> via Richard Levitte*
13562
13563 * Under Win32 gmtime() can return NULL: check return value in
13564   OPENSSL_gmtime(). Add error code for case where gmtime() fails.
13565
13566   *Steve Henson*
13567
13568 * DSA routines: under certain error conditions uninitialized BN objects
13569   could be freed. Solution: make sure initialization is performed early
13570   enough. (Reported and fix supplied by Ivan D Nestlerode <nestler@MIT.EDU>,
13571   Nils Larsch <nla@trustcenter.de> via PR#459)
13572
13573   *Lutz Jaenicke*
13574
13575 * Another fix for SSLv2 session ID handling: the session ID was incorrectly
13576   checked on reconnect on the client side, therefore session resumption
13577   could still fail with a "ssl session id is different" error. This
13578   behaviour is masked when SSL_OP_ALL is used due to
13579   SSL_OP_MICROSOFT_SESS_ID_BUG being set.
13580   Behaviour observed by Crispin Flowerday <crispin@flowerday.cx> as
13581   followup to PR #377.
13582
13583   *Lutz Jaenicke*
13584
13585 * IA-32 assembler support enhancements: unified ELF targets, support
13586   for SCO/Caldera platforms, fix for Cygwin shared build.
13587
13588   *Andy Polyakov*
13589
13590 * Add support for FreeBSD on sparc64.  As a consequence, support for
13591   FreeBSD on non-x86 processors is separate from x86 processors on
13592   the config script, much like the NetBSD support.
13593
13594   *Richard Levitte & Kris Kennaway <kris@obsecurity.org>*
13595
13596### Changes between 0.9.6h and 0.9.7  [31 Dec 2002]
13597
13598[NB: OpenSSL 0.9.6i and later 0.9.6 patch levels were released after
13599OpenSSL 0.9.7.]
13600
13601 * Fix session ID handling in SSLv2 client code: the SERVER FINISHED
13602   code (06) was taken as the first octet of the session ID and the last
13603   octet was ignored consequently. As a result SSLv2 client side session
13604   caching could not have worked due to the session ID mismatch between
13605   client and server.
13606   Behaviour observed by Crispin Flowerday <crispin@flowerday.cx> as
13607   PR #377.
13608
13609   *Lutz Jaenicke*
13610
13611 * Change the declaration of needed Kerberos libraries to use EX_LIBS
13612   instead of the special (and badly supported) LIBKRB5.  LIBKRB5 is
13613   removed entirely.
13614
13615   *Richard Levitte*
13616
13617 * The hw_ncipher.c engine requires dynamic locks.  Unfortunately, it
13618   seems that in spite of existing for more than a year, many application
13619   author have done nothing to provide the necessary callbacks, which
13620   means that this particular engine will not work properly anywhere.
13621   This is a very unfortunate situation which forces us, in the name
13622   of usability, to give the hw_ncipher.c a static lock, which is part
13623   of libcrypto.
13624   NOTE: This is for the 0.9.7 series ONLY.  This hack will never
13625   appear in 0.9.8 or later.  We EXPECT application authors to have
13626   dealt properly with this when 0.9.8 is released (unless we actually
13627   make such changes in the libcrypto locking code that changes will
13628   have to be made anyway).
13629
13630   *Richard Levitte*
13631
13632 * In asn1_d2i_read_bio() repeatedly call BIO_read() until all content
13633   octets have been read, EOF or an error occurs. Without this change
13634   some truncated ASN1 structures will not produce an error.
13635
13636   *Steve Henson*
13637
13638 * Disable Heimdal support, since it hasn't been fully implemented.
13639   Still give the possibility to force the use of Heimdal, but with
13640   warnings and a request that patches get sent to openssl-dev.
13641
13642   *Richard Levitte*
13643
13644 * Add the VC-CE target, introduce the WINCE sysname, and add
13645   INSTALL.WCE and appropriate conditionals to make it build.
13646
13647   *Steven Reddie <smr@essemer.com.au> via Richard Levitte*
13648
13649 * Change the DLL names for Cygwin to cygcrypto-x.y.z.dll and
13650   cygssl-x.y.z.dll, where x, y and z are the major, minor and
13651   edit numbers of the version.
13652
13653   *Corinna Vinschen <vinschen@redhat.com> and Richard Levitte*
13654
13655 * Introduce safe string copy and catenation functions
13656   (BUF_strlcpy() and BUF_strlcat()).
13657
13658   *Ben Laurie (CHATS) and Richard Levitte*
13659
13660 * Avoid using fixed-size buffers for one-line DNs.
13661
13662   *Ben Laurie (CHATS)*
13663
13664 * Add BUF_MEM_grow_clean() to avoid information leakage when
13665   resizing buffers containing secrets, and use where appropriate.
13666
13667   *Ben Laurie (CHATS)*
13668
13669 * Avoid using fixed size buffers for configuration file location.
13670
13671   *Ben Laurie (CHATS)*
13672
13673 * Avoid filename truncation for various CA files.
13674
13675   *Ben Laurie (CHATS)*
13676
13677 * Use sizeof in preference to magic numbers.
13678
13679   *Ben Laurie (CHATS)*
13680
13681 * Avoid filename truncation in cert requests.
13682
13683   *Ben Laurie (CHATS)*
13684
13685 * Add assertions to check for (supposedly impossible) buffer
13686   overflows.
13687
13688   *Ben Laurie (CHATS)*
13689
13690 * Don't cache truncated DNS entries in the local cache (this could
13691   potentially lead to a spoofing attack).
13692
13693   *Ben Laurie (CHATS)*
13694
13695 * Fix various buffers to be large enough for hex/decimal
13696   representations in a platform independent manner.
13697
13698   *Ben Laurie (CHATS)*
13699
13700 * Add CRYPTO_realloc_clean() to avoid information leakage when
13701   resizing buffers containing secrets, and use where appropriate.
13702
13703   *Ben Laurie (CHATS)*
13704
13705 * Add BIO_indent() to avoid much slightly worrying code to do
13706   indents.
13707
13708   *Ben Laurie (CHATS)*
13709
13710 * Convert sprintf()/BIO_puts() to BIO_printf().
13711
13712   *Ben Laurie (CHATS)*
13713
13714 * buffer_gets() could terminate with the buffer only half
13715   full. Fixed.
13716
13717   *Ben Laurie (CHATS)*
13718
13719 * Add assertions to prevent user-supplied crypto functions from
13720   overflowing internal buffers by having large block sizes, etc.
13721
13722   *Ben Laurie (CHATS)*
13723
13724 * New OPENSSL_assert() macro (similar to assert(), but enabled
13725   unconditionally).
13726
13727   *Ben Laurie (CHATS)*
13728
13729 * Eliminate unused copy of key in RC4.
13730
13731   *Ben Laurie (CHATS)*
13732
13733 * Eliminate unused and incorrectly sized buffers for IV in pem.h.
13734
13735   *Ben Laurie (CHATS)*
13736
13737 * Fix off-by-one error in EGD path.
13738
13739   *Ben Laurie (CHATS)*
13740
13741 * If RANDFILE path is too long, ignore instead of truncating.
13742
13743   *Ben Laurie (CHATS)*
13744
13745 * Eliminate unused and incorrectly sized X.509 structure
13746   CBCParameter.
13747
13748   *Ben Laurie (CHATS)*
13749
13750 * Eliminate unused and dangerous function knumber().
13751
13752   *Ben Laurie (CHATS)*
13753
13754 * Eliminate unused and dangerous structure, KSSL_ERR.
13755
13756   *Ben Laurie (CHATS)*
13757
13758 * Protect against overlong session ID context length in an encoded
13759   session object. Since these are local, this does not appear to be
13760   exploitable.
13761
13762   *Ben Laurie (CHATS)*
13763
13764 * Change from security patch (see 0.9.6e below) that did not affect
13765   the 0.9.6 release series:
13766
13767   Remote buffer overflow in SSL3 protocol - an attacker could
13768   supply an oversized master key in Kerberos-enabled versions.
13769   ([CVE-2002-0657])
13770
13771   *Ben Laurie (CHATS)*
13772
13773 * Change the SSL kerb5 codes to match RFC 2712.
13774
13775   *Richard Levitte*
13776
13777 * Make -nameopt work fully for req and add -reqopt switch.
13778
13779   *Michael Bell <michael.bell@rz.hu-berlin.de>, Steve Henson*
13780
13781 * The "block size" for block ciphers in CFB and OFB mode should be 1.
13782
13783   *Steve Henson, reported by Yngve Nysaeter Pettersen <yngve@opera.com>*
13784
13785 * Make sure tests can be performed even if the corresponding algorithms
13786   have been removed entirely.  This was also the last step to make
13787   OpenSSL compilable with DJGPP under all reasonable conditions.
13788
13789   *Richard Levitte, Doug Kaufman <dkaufman@rahul.net>*
13790
13791 * Add cipher selection rules COMPLEMENTOFALL and COMPLEMENTOFDEFAULT
13792   to allow version independent disabling of normally unselected ciphers,
13793   which may be activated as a side-effect of selecting a single cipher.
13794
13795   (E.g., cipher list string "RSA" enables ciphersuites that are left
13796   out of "ALL" because they do not provide symmetric encryption.
13797   "RSA:!COMPLEMEMENTOFALL" avoids these unsafe ciphersuites.)
13798
13799   *Lutz Jaenicke, Bodo Moeller*
13800
13801 * Add appropriate support for separate platform-dependent build
13802   directories.  The recommended way to make a platform-dependent
13803   build directory is the following (tested on Linux), maybe with
13804   some local tweaks:
13805
13806           # Place yourself outside of the OpenSSL source tree.  In
13807           # this example, the environment variable OPENSSL_SOURCE
13808           # is assumed to contain the absolute OpenSSL source directory.
13809           mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`"
13810           cd objtree/"`uname -s`-`uname -r`-`uname -m`"
13811           (cd $OPENSSL_SOURCE; find . -type f) | while read F; do
13812                   mkdir -p `dirname $F`
13813                   ln -s $OPENSSL_SOURCE/$F $F
13814           done
13815
13816   To be absolutely sure not to disturb the source tree, a "make clean"
13817   is a good thing.  If it isn't successful, don't worry about it,
13818   it probably means the source directory is very clean.
13819
13820   *Richard Levitte*
13821
13822 * Make sure any ENGINE control commands make local copies of string
13823   pointers passed to them whenever necessary. Otherwise it is possible
13824   the caller may have overwritten (or deallocated) the original string
13825   data when a later ENGINE operation tries to use the stored values.
13826
13827   *Götz Babin-Ebell <babinebell@trustcenter.de>*
13828
13829 * Improve diagnostics in file reading and command-line digests.
13830
13831   *Ben Laurie aided and abetted by Solar Designer <solar@openwall.com>*
13832
13833 * Add AES modes CFB and OFB to the object database.  Correct an
13834   error in AES-CFB decryption.
13835
13836   *Richard Levitte*
13837
13838 * Remove most calls to EVP_CIPHER_CTX_cleanup() in evp_enc.c, this
13839   allows existing EVP_CIPHER_CTX structures to be reused after
13840   calling `EVP_*Final()`. This behaviour is used by encryption
13841   BIOs and some applications. This has the side effect that
13842   applications must explicitly clean up cipher contexts with
13843   EVP_CIPHER_CTX_cleanup() or they will leak memory.
13844
13845   *Steve Henson*
13846
13847 * Check the values of dna and dnb in bn_mul_recursive before calling
13848   bn_mul_comba (a non zero value means the a or b arrays do not contain
13849   n2 elements) and fallback to bn_mul_normal if either is not zero.
13850
13851   *Steve Henson*
13852
13853 * Fix escaping of non-ASCII characters when using the -subj option
13854   of the "openssl req" command line tool. (Robert Joop <joop@fokus.gmd.de>)
13855
13856   *Lutz Jaenicke*
13857
13858 * Make object definitions compliant to LDAP (RFC2256): SN is the short
13859   form for "surname", serialNumber has no short form.
13860   Use "mail" as the short name for "rfc822Mailbox" according to RFC2798;
13861   therefore remove "mail" short name for "internet 7".
13862   The OID for unique identifiers in X509 certificates is
13863   x500UniqueIdentifier, not uniqueIdentifier.
13864   Some more OID additions. (Michael Bell <michael.bell@rz.hu-berlin.de>)
13865
13866   *Lutz Jaenicke*
13867
13868 * Add an "init" command to the ENGINE config module and auto initialize
13869   ENGINEs. Without any "init" command the ENGINE will be initialized
13870   after all ctrl commands have been executed on it. If init=1 the
13871   ENGINE is initialized at that point (ctrls before that point are run
13872   on the uninitialized ENGINE and after on the initialized one). If
13873   init=0 then the ENGINE will not be initialized at all.
13874
13875   *Steve Henson*
13876
13877 * Fix the 'app_verify_callback' interface so that the user-defined
13878   argument is actually passed to the callback: In the
13879   SSL_CTX_set_cert_verify_callback() prototype, the callback
13880   declaration has been changed from
13881           int (*cb)()
13882   into
13883           int (*cb)(X509_STORE_CTX *,void *);
13884   in ssl_verify_cert_chain (ssl/ssl_cert.c), the call
13885           i=s->ctx->app_verify_callback(&ctx)
13886   has been changed into
13887           i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg).
13888
13889   To update applications using SSL_CTX_set_cert_verify_callback(),
13890   a dummy argument can be added to their callback functions.
13891
13892   *D. K. Smetters <smetters@parc.xerox.com>*
13893
13894 * Added the '4758cca' ENGINE to support IBM 4758 cards.
13895
13896   *Maurice Gittens <maurice@gittens.nl>, touchups by Geoff Thorpe*
13897
13898 * Add and OPENSSL_LOAD_CONF define which will cause
13899   OpenSSL_add_all_algorithms() to load the openssl.cnf config file.
13900   This allows older applications to transparently support certain
13901   OpenSSL features: such as crypto acceleration and dynamic ENGINE loading.
13902   Two new functions OPENSSL_add_all_algorithms_noconf() which will never
13903   load the config file and OPENSSL_add_all_algorithms_conf() which will
13904   always load it have also been added.
13905
13906   *Steve Henson*
13907
13908 * Add the OFB, CFB and CTR (all with 128 bit feedback) to AES.
13909   Adjust NIDs and EVP layer.
13910
13911   *Stephen Sprunk <stephen@sprunk.org> and Richard Levitte*
13912
13913 * Config modules support in openssl utility.
13914
13915   Most commands now load modules from the config file,
13916   though in a few (such as version) this isn't done
13917   because it couldn't be used for anything.
13918
13919   In the case of ca and req the config file used is
13920   the same as the utility itself: that is the -config
13921   command line option can be used to specify an
13922   alternative file.
13923
13924   *Steve Henson*
13925
13926 * Move default behaviour from OPENSSL_config(). If appname is NULL
13927   use "openssl_conf" if filename is NULL use default openssl config file.
13928
13929   *Steve Henson*
13930
13931 * Add an argument to OPENSSL_config() to allow the use of an alternative
13932   config section name. Add a new flag to tolerate a missing config file
13933   and move code to CONF_modules_load_file().
13934
13935   *Steve Henson*
13936
13937 * Support for crypto accelerator cards from Accelerated Encryption
13938   Processing, www.aep.ie.  (Use engine 'aep')
13939   The support was copied from 0.9.6c [engine] and adapted/corrected
13940   to work with the new engine framework.
13941
13942   *AEP Inc. and Richard Levitte*
13943
13944 * Support for SureWare crypto accelerator cards from Baltimore
13945   Technologies.  (Use engine 'sureware')
13946   The support was copied from 0.9.6c [engine] and adapted
13947   to work with the new engine framework.
13948
13949   *Richard Levitte*
13950
13951 * Have the CHIL engine fork-safe (as defined by nCipher) and actually
13952   make the newer ENGINE framework commands for the CHIL engine work.
13953
13954   *Toomas Kiisk <vix@cyber.ee> and Richard Levitte*
13955
13956 * Make it possible to produce shared libraries on ReliantUNIX.
13957
13958   *Robert Dahlem <Robert.Dahlem@ffm2.siemens.de> via Richard Levitte*
13959
13960 * Add the configuration target debug-linux-ppro.
13961   Make 'openssl rsa' use the general key loading routines
13962   implemented in `apps.c`, and make those routines able to
13963   handle the key format FORMAT_NETSCAPE and the variant
13964   FORMAT_IISSGC.
13965
13966   *Toomas Kiisk <vix@cyber.ee> via Richard Levitte*
13967
13968 * Fix a crashbug and a logic bug in hwcrhk_load_pubkey().
13969
13970   *Toomas Kiisk <vix@cyber.ee> via Richard Levitte*
13971
13972 * Add -keyform to rsautl, and document -engine.
13973
13974   *Richard Levitte, inspired by Toomas Kiisk <vix@cyber.ee>*
13975
13976 * Change BIO_new_file (crypto/bio/bss_file.c) to use new
13977   BIO_R_NO_SUCH_FILE error code rather than the generic
13978   ERR_R_SYS_LIB error code if fopen() fails with ENOENT.
13979
13980   *Ben Laurie*
13981
13982 * Add new functions
13983           ERR_peek_last_error
13984           ERR_peek_last_error_line
13985           ERR_peek_last_error_line_data.
13986   These are similar to
13987           ERR_peek_error
13988           ERR_peek_error_line
13989           ERR_peek_error_line_data,
13990   but report on the latest error recorded rather than the first one
13991   still in the error queue.
13992
13993   *Ben Laurie, Bodo Moeller*
13994
13995 * default_algorithms option in ENGINE config module. This allows things
13996   like:
13997   default_algorithms = ALL
13998   default_algorithms = RSA, DSA, RAND, CIPHERS, DIGESTS
13999
14000   *Steve Henson*
14001
14002 * Preliminary ENGINE config module.
14003
14004   *Steve Henson*
14005
14006 * New experimental application configuration code.
14007
14008   *Steve Henson*
14009
14010 * Change the AES code to follow the same name structure as all other
14011   symmetric ciphers, and behave the same way.  Move everything to
14012   the directory crypto/aes, thereby obsoleting crypto/rijndael.
14013
14014   *Stephen Sprunk <stephen@sprunk.org> and Richard Levitte*
14015
14016 * SECURITY: remove unsafe setjmp/signal interaction from ui_openssl.c.
14017
14018   *Ben Laurie and Theo de Raadt*
14019
14020 * Add option to output public keys in req command.
14021
14022   *Massimiliano Pala madwolf@openca.org*
14023
14024 * Use wNAFs in EC_POINTs_mul() for improved efficiency
14025   (up to about 10% better than before for P-192 and P-224).
14026
14027   *Bodo Moeller*
14028
14029 * New functions/macros
14030
14031           SSL_CTX_set_msg_callback(ctx, cb)
14032           SSL_CTX_set_msg_callback_arg(ctx, arg)
14033           SSL_set_msg_callback(ssl, cb)
14034           SSL_set_msg_callback_arg(ssl, arg)
14035
14036   to request calling a callback function
14037
14038           void cb(int write_p, int version, int content_type,
14039                   const void *buf, size_t len, SSL *ssl, void *arg)
14040
14041   whenever a protocol message has been completely received
14042   (write_p == 0) or sent (write_p == 1).  Here 'version' is the
14043   protocol version  according to which the SSL library interprets
14044   the current protocol message (SSL2_VERSION, SSL3_VERSION, or
14045   TLS1_VERSION).  'content_type' is 0 in the case of SSL 2.0, or
14046   the content type as defined in the SSL 3.0/TLS 1.0 protocol
14047   specification (change_cipher_spec(20), alert(21), handshake(22)).
14048   'buf' and 'len' point to the actual message, 'ssl' to the
14049   SSL object, and 'arg' is the application-defined value set by
14050   SSL[_CTX]_set_msg_callback_arg().
14051
14052   'openssl s_client' and 'openssl s_server' have new '-msg' options
14053   to enable a callback that displays all protocol messages.
14054
14055   *Bodo Moeller*
14056
14057 * Change the shared library support so shared libraries are built as
14058   soon as the corresponding static library is finished, and thereby get
14059   openssl and the test programs linked against the shared library.
14060   This still only happens when the keyword "shard" has been given to
14061   the configuration scripts.
14062
14063   NOTE: shared library support is still an experimental thing, and
14064   backward binary compatibility is still not guaranteed.
14065
14066   *"Maciej W. Rozycki" <macro@ds2.pg.gda.pl> and Richard Levitte*
14067
14068 * Add support for Subject Information Access extension.
14069
14070   *Peter Sylvester <Peter.Sylvester@EdelWeb.fr>*
14071
14072 * Make BUF_MEM_grow() behaviour more consistent: Initialise to zero
14073   additional bytes when new memory had to be allocated, not just
14074   when reusing an existing buffer.
14075
14076   *Bodo Moeller*
14077
14078 * New command line and configuration option 'utf8' for the req command.
14079   This allows field values to be specified as UTF8 strings.
14080
14081   *Steve Henson*
14082
14083 * Add -multi and -mr options to "openssl speed" - giving multiple parallel
14084   runs for the former and machine-readable output for the latter.
14085
14086   *Ben Laurie*
14087
14088 * Add '-noemailDN' option to 'openssl ca'.  This prevents inclusion
14089   of the e-mail address in the DN (i.e., it will go into a certificate
14090   extension only).  The new configuration file option 'email_in_dn = no'
14091   has the same effect.
14092
14093   *Massimiliano Pala madwolf@openca.org*
14094
14095 * Change all functions with names starting with `des_` to be starting
14096   with `DES_` instead.  Add wrappers that are compatible with libdes,
14097   but are named `_ossl_old_des_*`.  Finally, add macros that map the
14098   `des_*` symbols to the corresponding `_ossl_old_des_*` if libdes
14099   compatibility is desired.  If OpenSSL 0.9.6c compatibility is
14100   desired, the `des_*` symbols will be mapped to `DES_*`, with one
14101   exception.
14102
14103   Since we provide two compatibility mappings, the user needs to
14104   define the macro OPENSSL_DES_LIBDES_COMPATIBILITY if libdes
14105   compatibility is desired.  The default (i.e., when that macro
14106   isn't defined) is OpenSSL 0.9.6c compatibility.
14107
14108   There are also macros that enable and disable the support of old
14109   des functions altogether.  Those are OPENSSL_ENABLE_OLD_DES_SUPPORT
14110   and OPENSSL_DISABLE_OLD_DES_SUPPORT.  If none or both of those
14111   are defined, the default will apply: to support the old des routines.
14112
14113   In either case, one must include openssl/des.h to get the correct
14114   definitions.  Do not try to just include openssl/des_old.h, that
14115   won't work.
14116
14117   NOTE: This is a major break of an old API into a new one.  Software
14118   authors are encouraged to switch to the `DES_` style functions.  Some
14119   time in the future, des_old.h and the libdes compatibility functions
14120   will be disable (i.e. OPENSSL_DISABLE_OLD_DES_SUPPORT will be the
14121   default), and then completely removed.
14122
14123   *Richard Levitte*
14124
14125 * Test for certificates which contain unsupported critical extensions.
14126   If such a certificate is found during a verify operation it is
14127   rejected by default: this behaviour can be overridden by either
14128   handling the new error X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION or
14129   by setting the verify flag X509_V_FLAG_IGNORE_CRITICAL. A new function
14130   X509_supported_extension() has also been added which returns 1 if a
14131   particular extension is supported.
14132
14133   *Steve Henson*
14134
14135 * Modify the behaviour of EVP cipher functions in similar way to digests
14136   to retain compatibility with existing code.
14137
14138   *Steve Henson*
14139
14140 * Modify the behaviour of EVP_DigestInit() and EVP_DigestFinal() to retain
14141   compatibility with existing code. In particular the 'ctx' parameter does
14142   not have to be to be initialized before the call to EVP_DigestInit() and
14143   it is tidied up after a call to EVP_DigestFinal(). New function
14144   EVP_DigestFinal_ex() which does not tidy up the ctx. Similarly function
14145   EVP_MD_CTX_copy() changed to not require the destination to be
14146   initialized valid and new function EVP_MD_CTX_copy_ex() added which
14147   requires the destination to be valid.
14148
14149   Modify all the OpenSSL digest calls to use EVP_DigestInit_ex(),
14150   EVP_DigestFinal_ex() and EVP_MD_CTX_copy_ex().
14151
14152   *Steve Henson*
14153
14154 * Change ssl3_get_message (ssl/s3_both.c) and the functions using it
14155   so that complete 'Handshake' protocol structures are kept in memory
14156   instead of overwriting 'msg_type' and 'length' with 'body' data.
14157
14158   *Bodo Moeller*
14159
14160 * Add an implementation of SSL_add_dir_cert_subjects_to_stack for Win32.
14161
14162   *Massimo Santin via Richard Levitte*
14163
14164 * Major restructuring to the underlying ENGINE code. This includes
14165   reduction of linker bloat, separation of pure "ENGINE" manipulation
14166   (initialisation, etc) from functionality dealing with implementations
14167   of specific crypto interfaces. This change also introduces integrated
14168   support for symmetric ciphers and digest implementations - so ENGINEs
14169   can now accelerate these by providing EVP_CIPHER and EVP_MD
14170   implementations of their own. This is detailed in
14171   [crypto/engine/README.md](crypto/engine/README.md)
14172   as it couldn't be adequately described here. However, there are a few
14173   API changes worth noting - some RSA, DSA, DH, and RAND functions that
14174   were changed in the original introduction of ENGINE code have now
14175   reverted back - the hooking from this code to ENGINE is now a good
14176   deal more passive and at run-time, operations deal directly with
14177   RSA_METHODs, DSA_METHODs (etc) as they did before, rather than
14178   dereferencing through an ENGINE pointer any more. Also, the ENGINE
14179   functions dealing with `BN_MOD_EXP[_CRT]` handlers have been removed -
14180   they were not being used by the framework as there is no concept of a
14181   BIGNUM_METHOD and they could not be generalised to the new
14182   'ENGINE_TABLE' mechanism that underlies the new code. Similarly,
14183   ENGINE_cpy() has been removed as it cannot be consistently defined in
14184   the new code.
14185
14186   *Geoff Thorpe*
14187
14188 * Change ASN1_GENERALIZEDTIME_check() to allow fractional seconds.
14189
14190   *Steve Henson*
14191
14192 * Change mkdef.pl to sort symbols that get the same entry number,
14193   and make sure the automatically generated functions `ERR_load_*`
14194   become part of libeay.num as well.
14195
14196   *Richard Levitte*
14197
14198 * New function SSL_renegotiate_pending().  This returns true once
14199   renegotiation has been requested (either SSL_renegotiate() call
14200   or HelloRequest/ClientHello received from the peer) and becomes
14201   false once a handshake has been completed.
14202   (For servers, SSL_renegotiate() followed by SSL_do_handshake()
14203   sends a HelloRequest, but does not ensure that a handshake takes
14204   place.  SSL_renegotiate_pending() is useful for checking if the
14205   client has followed the request.)
14206
14207   *Bodo Moeller*
14208
14209 * New SSL option SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION.
14210   By default, clients may request session resumption even during
14211   renegotiation (if session ID contexts permit); with this option,
14212   session resumption is possible only in the first handshake.
14213
14214   SSL_OP_ALL is now 0x00000FFFL instead of 0x000FFFFFL.  This makes
14215   more bits available for options that should not be part of
14216   SSL_OP_ALL (such as SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION).
14217
14218   *Bodo Moeller*
14219
14220 * Add some demos for certificate and certificate request creation.
14221
14222   *Steve Henson*
14223
14224 * Make maximum certificate chain size accepted from the peer application
14225   settable (`SSL*_get/set_max_cert_list()`), as proposed by
14226   "Douglas E. Engert" <deengert@anl.gov>.
14227
14228   *Lutz Jaenicke*
14229
14230 * Add support for shared libraries for Unixware-7
14231   (Boyd Lynn Gerber <gerberb@zenez.com>).
14232
14233   *Lutz Jaenicke*
14234
14235 * Add a "destroy" handler to ENGINEs that allows structural cleanup to
14236   be done prior to destruction. Use this to unload error strings from
14237   ENGINEs that load their own error strings. NB: This adds two new API
14238   functions to "get" and "set" this destroy handler in an ENGINE.
14239
14240   *Geoff Thorpe*
14241
14242 * Alter all existing ENGINE implementations (except "openssl" and
14243   "openbsd") to dynamically instantiate their own error strings. This
14244   makes them more flexible to be built both as statically-linked ENGINEs
14245   and self-contained shared-libraries loadable via the "dynamic" ENGINE.
14246   Also, add stub code to each that makes building them as self-contained
14247   shared-libraries easier (see [README-Engine.md](README-Engine.md)).
14248
14249   *Geoff Thorpe*
14250
14251 * Add a "dynamic" ENGINE that provides a mechanism for binding ENGINE
14252   implementations into applications that are completely implemented in
14253   self-contained shared-libraries. The "dynamic" ENGINE exposes control
14254   commands that can be used to configure what shared-library to load and
14255   to control aspects of the way it is handled. Also, made an update to
14256   the [README-Engine.md](README-Engine.md) file
14257   that brings its information up-to-date and
14258   provides some information and instructions on the "dynamic" ENGINE
14259   (ie. how to use it, how to build "dynamic"-loadable ENGINEs, etc).
14260
14261   *Geoff Thorpe*
14262
14263 * Make it possible to unload ranges of ERR strings with a new
14264   "ERR_unload_strings" function.
14265
14266   *Geoff Thorpe*
14267
14268 * Add a copy() function to EVP_MD.
14269
14270   *Ben Laurie*
14271
14272 * Make EVP_MD routines take a context pointer instead of just the
14273   md_data void pointer.
14274
14275   *Ben Laurie*
14276
14277 * Add flags to EVP_MD and EVP_MD_CTX. EVP_MD_FLAG_ONESHOT indicates
14278   that the digest can only process a single chunk of data
14279   (typically because it is provided by a piece of
14280   hardware). EVP_MD_CTX_FLAG_ONESHOT indicates that the application
14281   is only going to provide a single chunk of data, and hence the
14282   framework needn't accumulate the data for oneshot drivers.
14283
14284   *Ben Laurie*
14285
14286 * As with "ERR", make it possible to replace the underlying "ex_data"
14287   functions. This change also alters the storage and management of global
14288   ex_data state - it's now all inside ex_data.c and all "class" code (eg.
14289   RSA, BIO, SSL_CTX, etc) no longer stores its own STACKS and per-class
14290   index counters. The API functions that use this state have been changed
14291   to take a "class_index" rather than pointers to the class's local STACK
14292   and counter, and there is now an API function to dynamically create new
14293   classes. This centralisation allows us to (a) plug a lot of the
14294   thread-safety problems that existed, and (b) makes it possible to clean
14295   up all allocated state using "CRYPTO_cleanup_all_ex_data()". W.r.t. (b)
14296   such data would previously have always leaked in application code and
14297   workarounds were in place to make the memory debugging turn a blind eye
14298   to it. Application code that doesn't use this new function will still
14299   leak as before, but their memory debugging output will announce it now
14300   rather than letting it slide.
14301
14302   Besides the addition of CRYPTO_cleanup_all_ex_data(), another API change
14303   induced by the "ex_data" overhaul is that X509_STORE_CTX_init() now
14304   has a return value to indicate success or failure.
14305
14306   *Geoff Thorpe*
14307
14308 * Make it possible to replace the underlying "ERR" functions such that the
14309   global state (2 LHASH tables and 2 locks) is only used by the "default"
14310   implementation. This change also adds two functions to "get" and "set"
14311   the implementation prior to it being automatically set the first time
14312   any other ERR function takes place. Ie. an application can call "get",
14313   pass the return value to a module it has just loaded, and that module
14314   can call its own "set" function using that value. This means the
14315   module's "ERR" operations will use (and modify) the error state in the
14316   application and not in its own statically linked copy of OpenSSL code.
14317
14318   *Geoff Thorpe*
14319
14320 * Give DH, DSA, and RSA types their own `*_up_ref()` function to increment
14321   reference counts. This performs normal REF_PRINT/REF_CHECK macros on
14322   the operation, and provides a more encapsulated way for external code
14323   (crypto/evp/ and ssl/) to do this. Also changed the evp and ssl code
14324   to use these functions rather than manually incrementing the counts.
14325
14326   Also rename "DSO_up()" function to more descriptive "DSO_up_ref()".
14327
14328   *Geoff Thorpe*
14329
14330 * Add EVP test program.
14331
14332   *Ben Laurie*
14333
14334 * Add symmetric cipher support to ENGINE. Expect the API to change!
14335
14336   *Ben Laurie*
14337
14338 * New CRL functions: X509_CRL_set_version(), X509_CRL_set_issuer_name()
14339   X509_CRL_set_lastUpdate(), X509_CRL_set_nextUpdate(), X509_CRL_sort(),
14340   X509_REVOKED_set_serialNumber(), and X509_REVOKED_set_revocationDate().
14341   These allow a CRL to be built without having to access X509_CRL fields
14342   directly. Modify 'ca' application to use new functions.
14343
14344   *Steve Henson*
14345
14346 * Move SSL_OP_TLS_ROLLBACK_BUG out of the SSL_OP_ALL list of recommended
14347   bug workarounds. Rollback attack detection is a security feature.
14348   The problem will only arise on OpenSSL servers when TLSv1 is not
14349   available (sslv3_server_method() or SSL_OP_NO_TLSv1).
14350   Software authors not wanting to support TLSv1 will have special reasons
14351   for their choice and can explicitly enable this option.
14352
14353   *Bodo Moeller, Lutz Jaenicke*
14354
14355 * Rationalise EVP so it can be extended: don't include a union of
14356   cipher/digest structures, add init/cleanup functions for EVP_MD_CTX
14357   (similar to those existing for EVP_CIPHER_CTX).
14358   Usage example:
14359
14360           EVP_MD_CTX md;
14361
14362           EVP_MD_CTX_init(&md);             /* new function call */
14363           EVP_DigestInit(&md, EVP_sha1());
14364           EVP_DigestUpdate(&md, in, len);
14365           EVP_DigestFinal(&md, out, NULL);
14366           EVP_MD_CTX_cleanup(&md);          /* new function call */
14367
14368   *Ben Laurie*
14369
14370 * Make DES key schedule conform to the usual scheme, as well as
14371   correcting its structure. This means that calls to DES functions
14372   now have to pass a pointer to a des_key_schedule instead of a
14373   plain des_key_schedule (which was actually always a pointer
14374   anyway): E.g.,
14375
14376           des_key_schedule ks;
14377
14378           des_set_key_checked(..., &ks);
14379           des_ncbc_encrypt(..., &ks, ...);
14380
14381   (Note that a later change renames 'des_...' into 'DES_...'.)
14382
14383   *Ben Laurie*
14384
14385 * Initial reduction of linker bloat: the use of some functions, such as
14386   PEM causes large amounts of unused functions to be linked in due to
14387   poor organisation. For example pem_all.c contains every PEM function
14388   which has a knock on effect of linking in large amounts of (unused)
14389   ASN1 code. Grouping together similar functions and splitting unrelated
14390   functions prevents this.
14391
14392   *Steve Henson*
14393
14394 * Cleanup of EVP macros.
14395
14396   *Ben Laurie*
14397
14398 * Change historical references to `{NID,SN,LN}_des_ede` and ede3 to add the
14399   correct `_ecb suffix`.
14400
14401   *Ben Laurie*
14402
14403 * Add initial OCSP responder support to ocsp application. The
14404   revocation information is handled using the text based index
14405   use by the ca application. The responder can either handle
14406   requests generated internally, supplied in files (for example
14407   via a CGI script) or using an internal minimal server.
14408
14409   *Steve Henson*
14410
14411 * Add configuration choices to get zlib compression for TLS.
14412
14413   *Richard Levitte*
14414
14415 * Changes to Kerberos SSL for RFC 2712 compliance:
14416   1. Implemented real KerberosWrapper, instead of just using
14417      KRB5 AP_REQ message.  [Thanks to Simon Wilkinson <sxw@sxw.org.uk>]
14418   2. Implemented optional authenticator field of KerberosWrapper.
14419
14420   Added openssl-style ASN.1 macros for Kerberos ticket, ap_req,
14421   and authenticator structs; see crypto/krb5/.
14422
14423   Generalized Kerberos calls to support multiple Kerberos libraries.
14424   *Vern Staats <staatsvr@asc.hpc.mil>, Jeffrey Altman <jaltman@columbia.edu>
14425   via Richard Levitte*
14426
14427 * Cause 'openssl speed' to use fully hard-coded DSA keys as it
14428   already does with RSA. testdsa.h now has 'priv_key/pub_key'
14429   values for each of the key sizes rather than having just
14430   parameters (and 'speed' generating keys each time).
14431
14432   *Geoff Thorpe*
14433
14434 * Speed up EVP routines.
14435   Before:
14436crypt
14437pe              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
14438s-cbc           4408.85k     5560.51k     5778.46k     5862.20k     5825.16k
14439s-cbc           4389.55k     5571.17k     5792.23k     5846.91k     5832.11k
14440s-cbc           4394.32k     5575.92k     5807.44k     5848.37k     5841.30k
14441crypt
14442s-cbc           3482.66k     5069.49k     5496.39k     5614.16k     5639.28k
14443s-cbc           3480.74k     5068.76k     5510.34k     5609.87k     5635.52k
14444s-cbc           3483.72k     5067.62k     5504.60k     5708.01k     5724.80k
14445   After:
14446crypt
14447s-cbc           4660.16k     5650.19k     5807.19k     5827.13k     5783.32k
14448crypt
14449s-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
14450
14451   *Ben Laurie*
14452
14453 * Added the OS2-EMX target.
14454
14455   *"Brian Havard" <brianh@kheldar.apana.org.au> and Richard Levitte*
14456
14457 * Rewrite commands to use `NCONF` routines instead of the old `CONF`.
14458   New functions to support `NCONF` routines in extension code.
14459   New function `CONF_set_nconf()`
14460   to allow functions which take an `NCONF` to also handle the old `LHASH`
14461   structure: this means that the old `CONF` compatible routines can be
14462   retained (in particular w.rt. extensions) without having to duplicate the
14463   code. New function `X509V3_add_ext_nconf_sk()` to add extensions to a stack.
14464
14465   *Steve Henson*
14466
14467 * Enhance the general user interface with mechanisms for inner control
14468   and with possibilities to have yes/no kind of prompts.
14469
14470   *Richard Levitte*
14471
14472 * Change all calls to low-level digest routines in the library and
14473   applications to use EVP. Add missing calls to HMAC_cleanup() and
14474   don't assume HMAC_CTX can be copied using memcpy().
14475
14476   *Verdon Walker <VWalker@novell.com>, Steve Henson*
14477
14478 * Add the possibility to control engines through control names but with
14479   arbitrary arguments instead of just a string.
14480   Change the key loaders to take a UI_METHOD instead of a callback
14481   function pointer.  NOTE: this breaks binary compatibility with earlier
14482   versions of OpenSSL [engine].
14483   Adapt the nCipher code for these new conditions and add a card insertion
14484   callback.
14485
14486   *Richard Levitte*
14487
14488 * Enhance the general user interface with mechanisms to better support
14489   dialog box interfaces, application-defined prompts, the possibility
14490   to use defaults (for example default passwords from somewhere else)
14491   and interrupts/cancellations.
14492
14493   *Richard Levitte*
14494
14495 * Tidy up PKCS#12 attribute handling. Add support for the CSP name
14496   attribute in PKCS#12 files, add new -CSP option to pkcs12 utility.
14497
14498   *Steve Henson*
14499
14500 * Fix a memory leak in 'sk_dup()' in the case reallocation fails. (Also
14501   tidy up some unnecessarily weird code in 'sk_new()').
14502
14503   *Geoff, reported by Diego Tartara <dtartara@novamens.com>*
14504
14505 * Change the key loading routines for ENGINEs to use the same kind
14506   callback (pem_password_cb) as all other routines that need this
14507   kind of callback.
14508
14509   *Richard Levitte*
14510
14511 * Increase ENTROPY_NEEDED to 32 bytes, as Rijndael can operate with
14512   256 bit (=32 byte) keys. Of course seeding with more entropy bytes
14513   than this minimum value is recommended.
14514
14515   *Lutz Jaenicke*
14516
14517 * New random seeder for OpenVMS, using the system process statistics
14518   that are easily reachable.
14519
14520   *Richard Levitte*
14521
14522 * Windows apparently can't transparently handle global
14523   variables defined in DLLs. Initialisations such as:
14524
14525           const ASN1_ITEM *it = &ASN1_INTEGER_it;
14526
14527   won't compile. This is used by the any applications that need to
14528   declare their own ASN1 modules. This was fixed by adding the option
14529   EXPORT_VAR_AS_FN to all Win32 platforms, although this isn't strictly
14530   needed for static libraries under Win32.
14531
14532   *Steve Henson*
14533
14534 * New functions X509_PURPOSE_set() and X509_TRUST_set() to handle
14535   setting of purpose and trust fields. New X509_STORE trust and
14536   purpose functions and tidy up setting in other SSL functions.
14537
14538   *Steve Henson*
14539
14540 * Add copies of X509_STORE_CTX fields and callbacks to X509_STORE
14541   structure. These are inherited by X509_STORE_CTX when it is
14542   initialised. This allows various defaults to be set in the
14543   X509_STORE structure (such as flags for CRL checking and custom
14544   purpose or trust settings) for functions which only use X509_STORE_CTX
14545   internally such as S/MIME.
14546
14547   Modify X509_STORE_CTX_purpose_inherit() so it only sets purposes and
14548   trust settings if they are not set in X509_STORE. This allows X509_STORE
14549   purposes and trust (in S/MIME for example) to override any set by default.
14550
14551   Add command line options for CRL checking to smime, s_client and s_server
14552   applications.
14553
14554   *Steve Henson*
14555
14556 * Initial CRL based revocation checking. If the CRL checking flag(s)
14557   are set then the CRL is looked up in the X509_STORE structure and
14558   its validity and signature checked, then if the certificate is found
14559   in the CRL the verify fails with a revoked error.
14560
14561   Various new CRL related callbacks added to X509_STORE_CTX structure.
14562
14563   Command line options added to 'verify' application to support this.
14564
14565   This needs some additional work, such as being able to handle multiple
14566   CRLs with different times, extension based lookup (rather than just
14567   by subject name) and ultimately more complete V2 CRL extension
14568   handling.
14569
14570   *Steve Henson*
14571
14572 * Add a general user interface API (crypto/ui/).  This is designed
14573   to replace things like des_read_password and friends (backward
14574   compatibility functions using this new API are provided).
14575   The purpose is to remove prompting functions from the DES code
14576   section as well as provide for prompting through dialog boxes in
14577   a window system and the like.
14578
14579   *Richard Levitte*
14580
14581 * Add "ex_data" support to ENGINE so implementations can add state at a
14582   per-structure level rather than having to store it globally.
14583
14584   *Geoff*
14585
14586 * Make it possible for ENGINE structures to be copied when retrieved by
14587   ENGINE_by_id() if the ENGINE specifies a new flag: ENGINE_FLAGS_BY_ID_COPY.
14588   This causes the "original" ENGINE structure to act like a template,
14589   analogous to the RSA vs. RSA_METHOD type of separation. Because of this
14590   operational state can be localised to each ENGINE structure, despite the
14591   fact they all share the same "methods". New ENGINE structures returned in
14592   this case have no functional references and the return value is the single
14593   structural reference. This matches the single structural reference returned
14594   by ENGINE_by_id() normally, when it is incremented on the pre-existing
14595   ENGINE structure.
14596
14597   *Geoff*
14598
14599 * Fix ASN1 decoder when decoding type ANY and V_ASN1_OTHER: since this
14600   needs to match any other type at all we need to manually clear the
14601   tag cache.
14602
14603   *Steve Henson*
14604
14605 * Changes to the "openssl engine" utility to include;
14606   - verbosity levels ('-v', '-vv', and '-vvv') that provide information
14607     about an ENGINE's available control commands.
14608   - executing control commands from command line arguments using the
14609     '-pre' and '-post' switches. '-post' is only used if '-t' is
14610     specified and the ENGINE is successfully initialised. The syntax for
14611     the individual commands are colon-separated, for example;
14612           openssl engine chil -pre FORK_CHECK:0 -pre SO_PATH:/lib/test.so
14613
14614   *Geoff*
14615
14616 * New dynamic control command support for ENGINEs. ENGINEs can now
14617   declare their own commands (numbers), names (strings), descriptions,
14618   and input types for run-time discovery by calling applications. A
14619   subset of these commands are implicitly classed as "executable"
14620   depending on their input type, and only these can be invoked through
14621   the new string-based API function ENGINE_ctrl_cmd_string(). (Eg. this
14622   can be based on user input, config files, etc). The distinction is
14623   that "executable" commands cannot return anything other than a boolean
14624   result and can only support numeric or string input, whereas some
14625   discoverable commands may only be for direct use through
14626   ENGINE_ctrl(), eg. supporting the exchange of binary data, function
14627   pointers, or other custom uses. The "executable" commands are to
14628   support parameterisations of ENGINE behaviour that can be
14629   unambiguously defined by ENGINEs and used consistently across any
14630   OpenSSL-based application. Commands have been added to all the
14631   existing hardware-supporting ENGINEs, noticeably "SO_PATH" to allow
14632   control over shared-library paths without source code alterations.
14633
14634   *Geoff*
14635
14636 * Changed all ENGINE implementations to dynamically allocate their
14637   ENGINEs rather than declaring them statically. Apart from this being
14638   necessary with the removal of the ENGINE_FLAGS_MALLOCED distinction,
14639   this also allows the implementations to compile without using the
14640   internal engine_int.h header.
14641
14642   *Geoff*
14643
14644 * Minor adjustment to "rand" code. RAND_get_rand_method() now returns a
14645   'const' value. Any code that should be able to modify a RAND_METHOD
14646   should already have non-const pointers to it (ie. they should only
14647   modify their own ones).
14648
14649   *Geoff*
14650
14651 * Made a variety of little tweaks to the ENGINE code.
14652   - "atalla" and "ubsec" string definitions were moved from header files
14653     to C code. "nuron" string definitions were placed in variables
14654     rather than hard-coded - allowing parameterisation of these values
14655     later on via ctrl() commands.
14656   - Removed unused "#if 0"'d code.
14657   - Fixed engine list iteration code so it uses ENGINE_free() to release
14658     structural references.
14659   - Constified the RAND_METHOD element of ENGINE structures.
14660   - Constified various get/set functions as appropriate and added
14661     missing functions (including a catch-all ENGINE_cpy that duplicates
14662     all ENGINE values onto a new ENGINE except reference counts/state).
14663   - Removed NULL parameter checks in get/set functions. Setting a method
14664     or function to NULL is a way of cancelling out a previously set
14665     value.  Passing a NULL ENGINE parameter is just plain stupid anyway
14666     and doesn't justify the extra error symbols and code.
14667   - Deprecate the ENGINE_FLAGS_MALLOCED define and move the area for
14668     flags from engine_int.h to engine.h.
14669   - Changed prototypes for ENGINE handler functions (init(), finish(),
14670     ctrl(), key-load functions, etc) to take an (ENGINE*) parameter.
14671
14672   *Geoff*
14673
14674 * Implement binary inversion algorithm for BN_mod_inverse in addition
14675   to the algorithm using long division.  The binary algorithm can be
14676   used only if the modulus is odd.  On 32-bit systems, it is faster
14677   only for relatively small moduli (roughly 20-30% for 128-bit moduli,
14678   roughly 5-15% for 256-bit moduli), so we use it only for moduli
14679   up to 450 bits.  In 64-bit environments, the binary algorithm
14680   appears to be advantageous for much longer moduli; here we use it
14681   for moduli up to 2048 bits.
14682
14683   *Bodo Moeller*
14684
14685 * Rewrite CHOICE field setting in ASN1_item_ex_d2i(). The old code
14686   could not support the combine flag in choice fields.
14687
14688   *Steve Henson*
14689
14690 * Add a 'copy_extensions' option to the 'ca' utility. This copies
14691   extensions from a certificate request to the certificate.
14692
14693   *Steve Henson*
14694
14695 * Allow multiple 'certopt' and 'nameopt' options to be separated
14696   by commas. Add 'namopt' and 'certopt' options to the 'ca' config
14697   file: this allows the display of the certificate about to be
14698   signed to be customised, to allow certain fields to be included
14699   or excluded and extension details. The old system didn't display
14700   multicharacter strings properly, omitted fields not in the policy
14701   and couldn't display additional details such as extensions.
14702
14703   *Steve Henson*
14704
14705 * Function EC_POINTs_mul for multiple scalar multiplication
14706   of an arbitrary number of elliptic curve points
14707           \sum scalars[i]*points[i],
14708   optionally including the generator defined for the EC_GROUP:
14709           scalar*generator +  \sum scalars[i]*points[i].
14710
14711   EC_POINT_mul is a simple wrapper function for the typical case
14712   that the point list has just one item (besides the optional
14713   generator).
14714
14715   *Bodo Moeller*
14716
14717 * First EC_METHODs for curves over GF(p):
14718
14719   EC_GFp_simple_method() uses the basic BN_mod_mul and BN_mod_sqr
14720   operations and provides various method functions that can also
14721   operate with faster implementations of modular arithmetic.
14722
14723   EC_GFp_mont_method() reuses most functions that are part of
14724   EC_GFp_simple_method, but uses Montgomery arithmetic.
14725
14726   *Bodo Moeller; point addition and point doubling
14727   implementation directly derived from source code provided by
14728   Lenka Fibikova <fibikova@exp-math.uni-essen.de>*
14729
14730 * Framework for elliptic curves (crypto/ec/ec.h, crypto/ec/ec_lcl.h,
14731   crypto/ec/ec_lib.c):
14732
14733   Curves are EC_GROUP objects (with an optional group generator)
14734   based on EC_METHODs that are built into the library.
14735
14736   Points are EC_POINT objects based on EC_GROUP objects.
14737
14738   Most of the framework would be able to handle curves over arbitrary
14739   finite fields, but as there are no obvious types for fields other
14740   than GF(p), some functions are limited to that for now.
14741
14742   *Bodo Moeller*
14743
14744 * Add the -HTTP option to s_server.  It is similar to -WWW, but requires
14745   that the file contains a complete HTTP response.
14746
14747   *Richard Levitte*
14748
14749 * Add the ec directory to mkdef.pl and mkfiles.pl. In mkdef.pl
14750   change the def and num file printf format specifier from "%-40sXXX"
14751   to "%-39s XXX". The latter will always guarantee a space after the
14752   field while the former will cause them to run together if the field
14753   is 40 of more characters long.
14754
14755   *Steve Henson*
14756
14757 * Constify the cipher and digest 'method' functions and structures
14758   and modify related functions to take constant EVP_MD and EVP_CIPHER
14759   pointers.
14760
14761   *Steve Henson*
14762
14763 * Hide BN_CTX structure details in bn_lcl.h instead of publishing them
14764   in <openssl/bn.h>.  Also further increase BN_CTX_NUM to 32.
14765
14766   *Bodo Moeller*
14767
14768 * Modify `EVP_Digest*()` routines so they now return values. Although the
14769   internal software routines can never fail additional hardware versions
14770   might.
14771
14772   *Steve Henson*
14773
14774 * Clean up crypto/err/err.h and change some error codes to avoid conflicts:
14775
14776   Previously ERR_R_FATAL was too small and coincided with ERR_LIB_PKCS7
14777   (= ERR_R_PKCS7_LIB); it is now 64 instead of 32.
14778
14779   ASN1 error codes
14780           ERR_R_NESTED_ASN1_ERROR
14781           ...
14782           ERR_R_MISSING_ASN1_EOS
14783   were 4 .. 9, conflicting with
14784           ERR_LIB_RSA (= ERR_R_RSA_LIB)
14785           ...
14786           ERR_LIB_PEM (= ERR_R_PEM_LIB).
14787   They are now 58 .. 63 (i.e., just below ERR_R_FATAL).
14788
14789   Add new error code 'ERR_R_INTERNAL_ERROR'.
14790
14791   *Bodo Moeller*
14792
14793 * Don't overuse locks in crypto/err/err.c: For data retrieval, CRYPTO_r_lock
14794   suffices.
14795
14796   *Bodo Moeller*
14797
14798 * New option '-subj arg' for 'openssl req' and 'openssl ca'.  This
14799   sets the subject name for a new request or supersedes the
14800   subject name in a given request. Formats that can be parsed are
14801           'CN=Some Name, OU=myOU, C=IT'
14802   and
14803           'CN=Some Name/OU=myOU/C=IT'.
14804
14805   Add options '-batch' and '-verbose' to 'openssl req'.
14806
14807   *Massimiliano Pala <madwolf@hackmasters.net>*
14808
14809 * Introduce the possibility to access global variables through
14810   functions on platform were that's the best way to handle exporting
14811   global variables in shared libraries.  To enable this functionality,
14812   one must configure with "EXPORT_VAR_AS_FN" or defined the C macro
14813   "OPENSSL_EXPORT_VAR_AS_FUNCTION" in crypto/opensslconf.h (the latter
14814   is normally done by Configure or something similar).
14815
14816   To implement a global variable, use the macro OPENSSL_IMPLEMENT_GLOBAL
14817   in the source file (foo.c) like this:
14818
14819           OPENSSL_IMPLEMENT_GLOBAL(int,foo)=1;
14820           OPENSSL_IMPLEMENT_GLOBAL(double,bar);
14821
14822   To declare a global variable, use the macros OPENSSL_DECLARE_GLOBAL
14823   and OPENSSL_GLOBAL_REF in the header file (foo.h) like this:
14824
14825           OPENSSL_DECLARE_GLOBAL(int,foo);
14826           #define foo OPENSSL_GLOBAL_REF(foo)
14827           OPENSSL_DECLARE_GLOBAL(double,bar);
14828           #define bar OPENSSL_GLOBAL_REF(bar)
14829
14830   The #defines are very important, and therefore so is including the
14831   header file everywhere where the defined globals are used.
14832
14833   The macro OPENSSL_EXPORT_VAR_AS_FUNCTION also affects the definition
14834   of ASN.1 items, but that structure is a bit different.
14835
14836   The largest change is in util/mkdef.pl which has been enhanced with
14837   better and easier to understand logic to choose which symbols should
14838   go into the Windows .def files as well as a number of fixes and code
14839   cleanup (among others, algorithm keywords are now sorted
14840   lexicographically to avoid constant rewrites).
14841
14842   *Richard Levitte*
14843
14844 * In BN_div() keep a copy of the sign of 'num' before writing the
14845   result to 'rm' because if rm==num the value will be overwritten
14846   and produce the wrong result if 'num' is negative: this caused
14847   problems with BN_mod() and BN_nnmod().
14848
14849   *Steve Henson*
14850
14851 * Function OCSP_request_verify(). This checks the signature on an
14852   OCSP request and verifies the signer certificate. The signer
14853   certificate is just checked for a generic purpose and OCSP request
14854   trust settings.
14855
14856   *Steve Henson*
14857
14858 * Add OCSP_check_validity() function to check the validity of OCSP
14859   responses. OCSP responses are prepared in real time and may only
14860   be a few seconds old. Simply checking that the current time lies
14861   between thisUpdate and nextUpdate max reject otherwise valid responses
14862   caused by either OCSP responder or client clock inaccuracy. Instead
14863   we allow thisUpdate and nextUpdate to fall within a certain period of
14864   the current time. The age of the response can also optionally be
14865   checked. Two new options -validity_period and -status_age added to
14866   ocsp utility.
14867
14868   *Steve Henson*
14869
14870 * If signature or public key algorithm is unrecognized print out its
14871   OID rather that just UNKNOWN.
14872
14873   *Steve Henson*
14874
14875 * Change OCSP_cert_to_id() to tolerate a NULL subject certificate and
14876   OCSP_cert_id_new() a NULL serialNumber. This allows a partial certificate
14877   ID to be generated from the issuer certificate alone which can then be
14878   passed to OCSP_id_issuer_cmp().
14879
14880   *Steve Henson*
14881
14882 * New compilation option ASN1_ITEM_FUNCTIONS. This causes the new
14883   ASN1 modules to export functions returning ASN1_ITEM pointers
14884   instead of the ASN1_ITEM structures themselves. This adds several
14885   new macros which allow the underlying ASN1 function/structure to
14886   be accessed transparently. As a result code should not use ASN1_ITEM
14887   references directly (such as &X509_it) but instead use the relevant
14888   macros (such as ASN1_ITEM_rptr(X509)). This option is to allow
14889   use of the new ASN1 code on platforms where exporting structures
14890   is problematical (for example in shared libraries) but exporting
14891   functions returning pointers to structures is not.
14892
14893   *Steve Henson*
14894
14895 * Add support for overriding the generation of SSL/TLS session IDs.
14896   These callbacks can be registered either in an SSL_CTX or per SSL.
14897   The purpose of this is to allow applications to control, if they wish,
14898   the arbitrary values chosen for use as session IDs, particularly as it
14899   can be useful for session caching in multiple-server environments. A
14900   command-line switch for testing this (and any client code that wishes
14901   to use such a feature) has been added to "s_server".
14902
14903   *Geoff Thorpe, Lutz Jaenicke*
14904
14905 * Modify mkdef.pl to recognise and parse preprocessor conditionals
14906   of the form `#if defined(...) || defined(...) || ...` and
14907   `#if !defined(...) && !defined(...) && ...`.  This also avoids
14908   the growing number of special cases it was previously handling.
14909
14910   *Richard Levitte*
14911
14912 * Make all configuration macros available for application by making
14913   sure they are available in opensslconf.h, by giving them names starting
14914   with `OPENSSL_` to avoid conflicts with other packages and by making
14915   sure e_os2.h will cover all platform-specific cases together with
14916   opensslconf.h.
14917   Additionally, it is now possible to define configuration/platform-
14918   specific names (called "system identities").  In the C code, these
14919   are prefixed with `OPENSSL_SYSNAME_`.  e_os2.h will create another
14920   macro with the name beginning with `OPENSSL_SYS_`, which is determined
14921   from `OPENSSL_SYSNAME_*` or compiler-specific macros depending on
14922   what is available.
14923
14924   *Richard Levitte*
14925
14926 * New option -set_serial to 'req' and 'x509' this allows the serial
14927   number to use to be specified on the command line. Previously self
14928   signed certificates were hard coded with serial number 0 and the
14929   CA options of 'x509' had to use a serial number in a file which was
14930   auto incremented.
14931
14932   *Steve Henson*
14933
14934 * New options to 'ca' utility to support V2 CRL entry extensions.
14935   Currently CRL reason, invalidity date and hold instruction are
14936   supported. Add new CRL extensions to V3 code and some new objects.
14937
14938   *Steve Henson*
14939
14940 * New function EVP_CIPHER_CTX_set_padding() this is used to
14941   disable standard block padding (aka PKCS#5 padding) in the EVP
14942   API, which was previously mandatory. This means that the data is
14943   not padded in any way and so the total length much be a multiple
14944   of the block size, otherwise an error occurs.
14945
14946   *Steve Henson*
14947
14948 * Initial (incomplete) OCSP SSL support.
14949
14950   *Steve Henson*
14951
14952 * New function OCSP_parse_url(). This splits up a URL into its host,
14953   port and path components: primarily to parse OCSP URLs. New -url
14954   option to ocsp utility.
14955
14956   *Steve Henson*
14957
14958 * New nonce behavior. The return value of OCSP_check_nonce() now
14959   reflects the various checks performed. Applications can decide
14960   whether to tolerate certain situations such as an absent nonce
14961   in a response when one was present in a request: the ocsp application
14962   just prints out a warning. New function OCSP_add1_basic_nonce()
14963   this is to allow responders to include a nonce in a response even if
14964   the request is nonce-less.
14965
14966   *Steve Henson*
14967
14968 * Disable stdin buffering in `load_cert()` (`apps/apps.c`) so that no certs are
14969   skipped when using openssl x509 multiple times on a single input file,
14970   e.g. `(openssl x509 -out cert1; openssl x509 -out cert2) <certs`.
14971
14972   *Bodo Moeller*
14973
14974 * Make ASN1_UTCTIME_set_string() and ASN1_GENERALIZEDTIME_set_string()
14975   set string type: to handle setting ASN1_TIME structures. Fix ca
14976   utility to correctly initialize revocation date of CRLs.
14977
14978   *Steve Henson*
14979
14980 * New option SSL_OP_CIPHER_SERVER_PREFERENCE allows the server to override
14981   the clients preferred ciphersuites and rather use its own preferences.
14982   Should help to work around M$ SGC (Server Gated Cryptography) bug in
14983   Internet Explorer by ensuring unchanged hash method during stepup.
14984   (Also replaces the broken/deactivated SSL_OP_NON_EXPORT_FIRST option.)
14985
14986   *Lutz Jaenicke*
14987
14988 * Make mkdef.pl recognise all DECLARE_ASN1 macros, change rijndael
14989   to aes and add a new 'exist' option to print out symbols that don't
14990   appear to exist.
14991
14992   *Steve Henson*
14993
14994 * Additional options to ocsp utility to allow flags to be set and
14995   additional certificates supplied.
14996
14997   *Steve Henson*
14998
14999 * Add the option -VAfile to 'openssl ocsp', so the user can give the
15000   OCSP client a number of certificate to only verify the response
15001   signature against.
15002
15003   *Richard Levitte*
15004
15005 * Update Rijndael code to version 3.0 and change EVP AES ciphers to
15006   handle the new API. Currently only ECB, CBC modes supported. Add new
15007   AES OIDs.
15008
15009   Add TLS AES ciphersuites as described in RFC3268, "Advanced
15010   Encryption Standard (AES) Ciphersuites for Transport Layer
15011   Security (TLS)".  (In beta versions of OpenSSL 0.9.7, these were
15012   not enabled by default and were not part of the "ALL" ciphersuite
15013   alias because they were not yet official; they could be
15014   explicitly requested by specifying the "AESdraft" ciphersuite
15015   group alias.  In the final release of OpenSSL 0.9.7, the group
15016   alias is called "AES" and is part of "ALL".)
15017
15018   *Ben Laurie, Steve  Henson, Bodo Moeller*
15019
15020 * New function OCSP_copy_nonce() to copy nonce value (if present) from
15021   request to response.
15022
15023   *Steve Henson*
15024
15025 * Functions for OCSP responders. OCSP_request_onereq_count(),
15026   OCSP_request_onereq_get0(), OCSP_onereq_get0_id() and OCSP_id_get0_info()
15027   extract information from a certificate request. OCSP_response_create()
15028   creates a response and optionally adds a basic response structure.
15029   OCSP_basic_add1_status() adds a complete single response to a basic
15030   response and returns the OCSP_SINGLERESP structure just added (to allow
15031   extensions to be included for example). OCSP_basic_add1_cert() adds a
15032   certificate to a basic response and OCSP_basic_sign() signs a basic
15033   response with various flags. New helper functions ASN1_TIME_check()
15034   (checks validity of ASN1_TIME structure) and ASN1_TIME_to_generalizedtime()
15035   (converts ASN1_TIME to GeneralizedTime).
15036
15037   *Steve Henson*
15038
15039 * Various new functions. EVP_Digest() combines EVP_Digest{Init,Update,Final}()
15040   in a single operation. X509_get0_pubkey_bitstr() extracts the public_key
15041   structure from a certificate. X509_pubkey_digest() digests the public_key
15042   contents: this is used in various key identifiers.
15043
15044   *Steve Henson*
15045
15046 * Make sk_sort() tolerate a NULL argument.
15047
15048   *Steve Henson reported by Massimiliano Pala <madwolf@comune.modena.it>*
15049
15050 * New OCSP verify flag OCSP_TRUSTOTHER. When set the "other" certificates
15051   passed by the function are trusted implicitly. If any of them signed the
15052   response then it is assumed to be valid and is not verified.
15053
15054   *Steve Henson*
15055
15056 * In PKCS7_set_type() initialise content_type in PKCS7_ENC_CONTENT
15057   to data. This was previously part of the PKCS7 ASN1 code. This
15058   was causing problems with OpenSSL created PKCS#12 and PKCS#7 structures.
15059   *Steve Henson, reported by Kenneth R. Robinette
15060                              <support@securenetterm.com>*
15061
15062 * Add CRYPTO_push_info() and CRYPTO_pop_info() calls to new ASN1
15063   routines: without these tracing memory leaks is very painful.
15064   Fix leaks in PKCS12 and PKCS7 routines.
15065
15066   *Steve Henson*
15067
15068 * Make X509_time_adj() cope with the new behaviour of ASN1_TIME_new().
15069   Previously it initialised the 'type' argument to V_ASN1_UTCTIME which
15070   effectively meant GeneralizedTime would never be used. Now it
15071   is initialised to -1 but X509_time_adj() now has to check the value
15072   and use ASN1_TIME_set() if the value is not V_ASN1_UTCTIME or
15073   V_ASN1_GENERALIZEDTIME, without this it always uses GeneralizedTime.
15074   *Steve Henson, reported by Kenneth R. Robinette
15075                              <support@securenetterm.com>*
15076
15077 * Fixes to BN_to_ASN1_INTEGER when bn is zero. This would previously
15078   result in a zero length in the ASN1_INTEGER structure which was
15079   not consistent with the structure when d2i_ASN1_INTEGER() was used
15080   and would cause ASN1_INTEGER_cmp() to fail. Enhance s2i_ASN1_INTEGER()
15081   to cope with hex and negative integers. Fix bug in i2a_ASN1_INTEGER()
15082   where it did not print out a minus for negative ASN1_INTEGER.
15083
15084   *Steve Henson*
15085
15086 * Add summary printout to ocsp utility. The various functions which
15087   convert status values to strings have been renamed to:
15088   OCSP_response_status_str(), OCSP_cert_status_str() and
15089   OCSP_crl_reason_str() and are no longer static. New options
15090   to verify nonce values and to disable verification. OCSP response
15091   printout format cleaned up.
15092
15093   *Steve Henson*
15094
15095 * Add additional OCSP certificate checks. These are those specified
15096   in RFC2560. This consists of two separate checks: the CA of the
15097   certificate being checked must either be the OCSP signer certificate
15098   or the issuer of the OCSP signer certificate. In the latter case the
15099   OCSP signer certificate must contain the OCSP signing extended key
15100   usage. This check is performed by attempting to match the OCSP
15101   signer or the OCSP signer CA to the issuerNameHash and issuerKeyHash
15102   in the OCSP_CERTID structures of the response.
15103
15104   *Steve Henson*
15105
15106 * Initial OCSP certificate verification added to OCSP_basic_verify()
15107   and related routines. This uses the standard OpenSSL certificate
15108   verify routines to perform initial checks (just CA validity) and
15109   to obtain the certificate chain. Then additional checks will be
15110   performed on the chain. Currently the root CA is checked to see
15111   if it is explicitly trusted for OCSP signing. This is used to set
15112   a root CA as a global signing root: that is any certificate that
15113   chains to that CA is an acceptable OCSP signing certificate.
15114
15115   *Steve Henson*
15116
15117 * New '-extfile ...' option to 'openssl ca' for reading X.509v3
15118   extensions from a separate configuration file.
15119   As when reading extensions from the main configuration file,
15120   the '-extensions ...' option may be used for specifying the
15121   section to use.
15122
15123   *Massimiliano Pala <madwolf@comune.modena.it>*
15124
15125 * New OCSP utility. Allows OCSP requests to be generated or
15126   read. The request can be sent to a responder and the output
15127   parsed, outputted or printed in text form. Not complete yet:
15128   still needs to check the OCSP response validity.
15129
15130   *Steve Henson*
15131
15132 * New subcommands for 'openssl ca':
15133   `openssl ca -status <serial>` prints the status of the cert with
15134   the given serial number (according to the index file).
15135   `openssl ca -updatedb` updates the expiry status of certificates
15136   in the index file.
15137
15138   *Massimiliano Pala <madwolf@comune.modena.it>*
15139
15140 * New '-newreq-nodes' command option to CA.pl.  This is like
15141   '-newreq', but calls 'openssl req' with the '-nodes' option
15142   so that the resulting key is not encrypted.
15143
15144   *Damien Miller <djm@mindrot.org>*
15145
15146 * New configuration for the GNU Hurd.
15147
15148   *Jonathan Bartlett <johnnyb@wolfram.com> via Richard Levitte*
15149
15150 * Initial code to implement OCSP basic response verify. This
15151   is currently incomplete. Currently just finds the signer's
15152   certificate and verifies the signature on the response.
15153
15154   *Steve Henson*
15155
15156 * New SSLeay_version code SSLEAY_DIR to determine the compiled-in
15157   value of OPENSSLDIR.  This is available via the new '-d' option
15158   to 'openssl version', and is also included in 'openssl version -a'.
15159
15160   *Bodo Moeller*
15161
15162 * Allowing defining memory allocation callbacks that will be given
15163   file name and line number information in additional arguments
15164   (a `const char*` and an int).  The basic functionality remains, as
15165   well as the original possibility to just replace malloc(),
15166   realloc() and free() by functions that do not know about these
15167   additional arguments.  To register and find out the current
15168   settings for extended allocation functions, the following
15169   functions are provided:
15170
15171           CRYPTO_set_mem_ex_functions
15172           CRYPTO_set_locked_mem_ex_functions
15173           CRYPTO_get_mem_ex_functions
15174           CRYPTO_get_locked_mem_ex_functions
15175
15176   These work the same way as CRYPTO_set_mem_functions and friends.
15177   `CRYPTO_get_[locked_]mem_functions` now writes 0 where such an
15178   extended allocation function is enabled.
15179   Similarly, `CRYPTO_get_[locked_]mem_ex_functions` writes 0 where
15180   a conventional allocation function is enabled.
15181
15182   *Richard Levitte, Bodo Moeller*
15183
15184 * Finish off removing the remaining LHASH function pointer casts.
15185   There should no longer be any prototype-casting required when using
15186   the LHASH abstraction, and any casts that remain are "bugs". See
15187   the callback types and macros at the head of lhash.h for details
15188   (and "OBJ_cleanup" in crypto/objects/obj_dat.c as an example).
15189
15190   *Geoff Thorpe*
15191
15192 * Add automatic query of EGD sockets in RAND_poll() for the unix variant.
15193   If /dev/[u]random devices are not available or do not return enough
15194   entropy, EGD style sockets (served by EGD or PRNGD) will automatically
15195   be queried.
15196   The locations /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool, and
15197   /etc/entropy will be queried once each in this sequence, querying stops
15198   when enough entropy was collected without querying more sockets.
15199
15200   *Lutz Jaenicke*
15201
15202 * Change the Unix RAND_poll() variant to be able to poll several
15203   random devices, as specified by DEVRANDOM, until a sufficient amount
15204   of data has been collected.   We spend at most 10 ms on each file
15205   (select timeout) and read in non-blocking mode.  DEVRANDOM now
15206   defaults to the list "/dev/urandom", "/dev/random", "/dev/srandom"
15207   (previously it was just the string "/dev/urandom"), so on typical
15208   platforms the 10 ms delay will never occur.
15209   Also separate out the Unix variant to its own file, rand_unix.c.
15210   For VMS, there's a currently-empty rand_vms.c.
15211
15212   *Richard Levitte*
15213
15214 * Move OCSP client related routines to ocsp_cl.c. These
15215   provide utility functions which an application needing
15216   to issue a request to an OCSP responder and analyse the
15217   response will typically need: as opposed to those which an
15218   OCSP responder itself would need which will be added later.
15219
15220   OCSP_request_sign() signs an OCSP request with an API similar
15221   to PKCS7_sign(). OCSP_response_status() returns status of OCSP
15222   response. OCSP_response_get1_basic() extracts basic response
15223   from response. OCSP_resp_find_status(): finds and extracts status
15224   information from an OCSP_CERTID structure (which will be created
15225   when the request structure is built). These are built from lower
15226   level functions which work on OCSP_SINGLERESP structures but
15227   won't normally be used unless the application wishes to examine
15228   extensions in the OCSP response for example.
15229
15230   Replace nonce routines with a pair of functions.
15231   OCSP_request_add1_nonce() adds a nonce value and optionally
15232   generates a random value. OCSP_check_nonce() checks the
15233   validity of the nonce in an OCSP response.
15234
15235   *Steve Henson*
15236
15237 * Change function OCSP_request_add() to OCSP_request_add0_id().
15238   This doesn't copy the supplied OCSP_CERTID and avoids the
15239   need to free up the newly created id. Change return type
15240   to OCSP_ONEREQ to return the internal OCSP_ONEREQ structure.
15241   This can then be used to add extensions to the request.
15242   Deleted OCSP_request_new(), since most of its functionality
15243   is now in OCSP_REQUEST_new() (and the case insensitive name
15244   clash) apart from the ability to set the request name which
15245   will be added elsewhere.
15246
15247   *Steve Henson*
15248
15249 * Update OCSP API. Remove obsolete extensions argument from
15250   various functions. Extensions are now handled using the new
15251   OCSP extension code. New simple OCSP HTTP function which
15252   can be used to send requests and parse the response.
15253
15254   *Steve Henson*
15255
15256 * Fix the PKCS#7 (S/MIME) code to work with new ASN1. Two new
15257   ASN1_ITEM structures help with sign and verify. PKCS7_ATTR_SIGN
15258   uses the special reorder version of SET OF to sort the attributes
15259   and reorder them to match the encoded order. This resolves a long
15260   standing problem: a verify on a PKCS7 structure just after signing
15261   it used to fail because the attribute order did not match the
15262   encoded order. PKCS7_ATTR_VERIFY does not reorder the attributes:
15263   it uses the received order. This is necessary to tolerate some broken
15264   software that does not order SET OF. This is handled by encoding
15265   as a SEQUENCE OF but using implicit tagging (with UNIVERSAL class)
15266   to produce the required SET OF.
15267
15268   *Steve Henson*
15269
15270 * Have mk1mf.pl generate the macros OPENSSL_BUILD_SHLIBCRYPTO and
15271   OPENSSL_BUILD_SHLIBSSL and use them appropriately in the header
15272   files to get correct declarations of the ASN.1 item variables.
15273
15274   *Richard Levitte*
15275
15276 * Rewrite of PKCS#12 code to use new ASN1 functionality. Replace many
15277   PKCS#12 macros with real functions. Fix two unrelated ASN1 bugs:
15278   asn1_check_tlen() would sometimes attempt to use 'ctx' when it was
15279   NULL and ASN1_TYPE was not dereferenced properly in asn1_ex_c2i().
15280   New ASN1 macro: DECLARE_ASN1_ITEM() which just declares the relevant
15281   ASN1_ITEM and no wrapper functions.
15282
15283   *Steve Henson*
15284
15285 * New functions or ASN1_item_d2i_fp() and ASN1_item_d2i_bio(). These
15286   replace the old function pointer based I/O routines. Change most of
15287   the `*_d2i_bio()` and `*_d2i_fp()` functions to use these.
15288
15289   *Steve Henson*
15290
15291 * Enhance mkdef.pl to be more accepting about spacing in C preprocessor
15292   lines, recognize more "algorithms" that can be deselected, and make
15293   it complain about algorithm deselection that isn't recognised.
15294
15295   *Richard Levitte*
15296
15297 * New ASN1 functions to handle dup, sign, verify, digest, pack and
15298   unpack operations in terms of ASN1_ITEM. Modify existing wrappers
15299   to use new functions. Add NO_ASN1_OLD which can be set to remove
15300   some old style ASN1 functions: this can be used to determine if old
15301   code will still work when these eventually go away.
15302
15303   *Steve Henson*
15304
15305 * New extension functions for OCSP structures, these follow the
15306   same conventions as certificates and CRLs.
15307
15308   *Steve Henson*
15309
15310 * New function X509V3_add1_i2d(). This automatically encodes and
15311   adds an extension. Its behaviour can be customised with various
15312   flags to append, replace or delete. Various wrappers added for
15313   certificates and CRLs.
15314
15315   *Steve Henson*
15316
15317 * Fix to avoid calling the underlying ASN1 print routine when
15318   an extension cannot be parsed. Correct a typo in the
15319   OCSP_SERVICELOC extension. Tidy up print OCSP format.
15320
15321   *Steve Henson*
15322
15323 * Make mkdef.pl parse some of the ASN1 macros and add appropriate
15324   entries for variables.
15325
15326   *Steve Henson*
15327
15328 * Add functionality to `apps/openssl.c` for detecting locking
15329   problems: As the program is single-threaded, all we have
15330   to do is register a locking callback using an array for
15331   storing which locks are currently held by the program.
15332
15333   *Bodo Moeller*
15334
15335 * Use a lock around the call to CRYPTO_get_ex_new_index() in
15336   SSL_get_ex_data_X509_STORE_idx(), which is used in
15337   ssl_verify_cert_chain() and thus can be called at any time
15338   during TLS/SSL handshakes so that thread-safety is essential.
15339   Unfortunately, the ex_data design is not at all suited
15340   for multi-threaded use, so it probably should be abolished.
15341
15342   *Bodo Moeller*
15343
15344 * Added Broadcom "ubsec" ENGINE to OpenSSL.
15345
15346   *Broadcom, tweaked and integrated by Geoff Thorpe*
15347
15348 * Move common extension printing code to new function
15349   X509V3_print_extensions(). Reorganise OCSP print routines and
15350   implement some needed OCSP ASN1 functions. Add OCSP extensions.
15351
15352   *Steve Henson*
15353
15354 * New function X509_signature_print() to remove duplication in some
15355   print routines.
15356
15357   *Steve Henson*
15358
15359 * Add a special meaning when SET OF and SEQUENCE OF flags are both
15360   set (this was treated exactly the same as SET OF previously). This
15361   is used to reorder the STACK representing the structure to match the
15362   encoding. This will be used to get round a problem where a PKCS7
15363   structure which was signed could not be verified because the STACK
15364   order did not reflect the encoded order.
15365
15366   *Steve Henson*
15367
15368 * Reimplement the OCSP ASN1 module using the new code.
15369
15370   *Steve Henson*
15371
15372 * Update the X509V3 code to permit the use of an ASN1_ITEM structure
15373   for its ASN1 operations. The old style function pointers still exist
15374   for now but they will eventually go away.
15375
15376   *Steve Henson*
15377
15378 * Merge in replacement ASN1 code from the ASN1 branch. This almost
15379   completely replaces the old ASN1 functionality with a table driven
15380   encoder and decoder which interprets an ASN1_ITEM structure describing
15381   the ASN1 module. Compatibility with the existing ASN1 API (i2d,d2i) is
15382   largely maintained. Almost all of the old asn1_mac.h macro based ASN1
15383   has also been converted to the new form.
15384
15385   *Steve Henson*
15386
15387 * Change BN_mod_exp_recp so that negative moduli are tolerated
15388   (the sign is ignored).  Similarly, ignore the sign in BN_MONT_CTX_set
15389   so that BN_mod_exp_mont and BN_mod_exp_mont_word work
15390   for negative moduli.
15391
15392   *Bodo Moeller*
15393
15394 * Fix BN_uadd and BN_usub: Always return non-negative results instead
15395   of not touching the result's sign bit.
15396
15397   *Bodo Moeller*
15398
15399 * BN_div bugfix: If the result is 0, the sign (res->neg) must not be
15400   set.
15401
15402   *Bodo Moeller*
15403
15404 * Changed the LHASH code to use prototypes for callbacks, and created
15405   macros to declare and implement thin (optionally static) functions
15406   that provide type-safety and avoid function pointer casting for the
15407   type-specific callbacks.
15408
15409   *Geoff Thorpe*
15410
15411 * Added Kerberos Cipher Suites to be used with TLS, as written in
15412   RFC 2712.
15413   *Veers Staats <staatsvr@asc.hpc.mil>,
15414   Jeffrey Altman <jaltman@columbia.edu>, via Richard Levitte*
15415
15416 * Reformat the FAQ so the different questions and answers can be divided
15417   in sections depending on the subject.
15418
15419   *Richard Levitte*
15420
15421 * Have the zlib compression code load ZLIB.DLL dynamically under
15422   Windows.
15423
15424   *Richard Levitte*
15425
15426 * New function BN_mod_sqrt for computing square roots modulo a prime
15427   (using the probabilistic Tonelli-Shanks algorithm unless
15428   p == 3 (mod 4)  or  p == 5 (mod 8),  which are cases that can
15429   be handled deterministically).
15430
15431   *Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller*
15432
15433 * Make BN_mod_inverse faster by explicitly handling small quotients
15434   in the Euclid loop. (Speed gain about 20% for small moduli [256 or
15435   512 bits], about 30% for larger ones [1024 or 2048 bits].)
15436
15437   *Bodo Moeller*
15438
15439 * New function BN_kronecker.
15440
15441   *Bodo Moeller*
15442
15443 * Fix BN_gcd so that it works on negative inputs; the result is
15444   positive unless both parameters are zero.
15445   Previously something reasonably close to an infinite loop was
15446   possible because numbers could be growing instead of shrinking
15447   in the implementation of Euclid's algorithm.
15448
15449   *Bodo Moeller*
15450
15451 * Fix BN_is_word() and BN_is_one() macros to take into account the
15452   sign of the number in question.
15453
15454   Fix BN_is_word(a,w) to work correctly for w == 0.
15455
15456   The old BN_is_word(a,w) macro is now called BN_abs_is_word(a,w)
15457   because its test if the absolute value of 'a' equals 'w'.
15458   Note that BN_abs_is_word does *not* handle w == 0 reliably;
15459   it exists mostly for use in the implementations of BN_is_zero(),
15460   BN_is_one(), and BN_is_word().
15461
15462   *Bodo Moeller*
15463
15464 * New function BN_swap.
15465
15466   *Bodo Moeller*
15467
15468 * Use BN_nnmod instead of BN_mod in crypto/bn/bn_exp.c so that
15469   the exponentiation functions are more likely to produce reasonable
15470   results on negative inputs.
15471
15472   *Bodo Moeller*
15473
15474 * Change BN_mod_mul so that the result is always non-negative.
15475   Previously, it could be negative if one of the factors was negative;
15476   I don't think anyone really wanted that behaviour.
15477
15478   *Bodo Moeller*
15479
15480 * Move `BN_mod_...` functions into new file `crypto/bn/bn_mod.c`
15481   (except for exponentiation, which stays in `crypto/bn/bn_exp.c`,
15482   and `BN_mod_mul_reciprocal`, which stays in `crypto/bn/bn_recp.c`)
15483   and add new functions:
15484
15485           BN_nnmod
15486           BN_mod_sqr
15487           BN_mod_add
15488           BN_mod_add_quick
15489           BN_mod_sub
15490           BN_mod_sub_quick
15491           BN_mod_lshift1
15492           BN_mod_lshift1_quick
15493           BN_mod_lshift
15494           BN_mod_lshift_quick
15495
15496   These functions always generate non-negative results.
15497
15498   `BN_nnmod` otherwise is `like BN_mod` (if `BN_mod` computes a remainder `r`
15499   such that `|m| < r < 0`, `BN_nnmod` will output `rem + |m|` instead).
15500
15501   `BN_mod_XXX_quick(r, a, [b,] m)` generates the same result as
15502   `BN_mod_XXX(r, a, [b,] m, ctx)`, but requires that `a` [and  `b`]
15503   be reduced modulo `m`.
15504
15505   *Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller*
15506
15507<!--
15508   The following entry accidentally appeared in the CHANGES file
15509   distributed with OpenSSL 0.9.7.  The modifications described in
15510   it do *not* apply to OpenSSL 0.9.7.
15511
15512 * Remove a few calls to bn_wexpand() in BN_sqr() (the one in there
15513   was actually never needed) and in BN_mul().  The removal in BN_mul()
15514   required a small change in bn_mul_part_recursive() and the addition
15515   of the functions bn_cmp_part_words(), bn_sub_part_words() and
15516   bn_add_part_words(), which do the same thing as bn_cmp_words(),
15517   bn_sub_words() and bn_add_words() except they take arrays with
15518   differing sizes.
15519
15520   *Richard Levitte*
15521-->
15522
15523 * In 'openssl passwd', verify passwords read from the terminal
15524   unless the '-salt' option is used (which usually means that
15525   verification would just waste user's time since the resulting
15526   hash is going to be compared with some given password hash)
15527   or the new '-noverify' option is used.
15528
15529   This is an incompatible change, but it does not affect
15530   non-interactive use of 'openssl passwd' (passwords on the command
15531   line, '-stdin' option, '-in ...' option) and thus should not
15532   cause any problems.
15533
15534   *Bodo Moeller*
15535
15536 * Remove all references to RSAref, since there's no more need for it.
15537
15538   *Richard Levitte*
15539
15540 * Make DSO load along a path given through an environment variable
15541   (SHLIB_PATH) with shl_load().
15542
15543   *Richard Levitte*
15544
15545 * Constify the ENGINE code as a result of BIGNUM constification.
15546   Also constify the RSA code and most things related to it.  In a
15547   few places, most notable in the depth of the ASN.1 code, ugly
15548   casts back to non-const were required (to be solved at a later
15549   time)
15550
15551   *Richard Levitte*
15552
15553 * Make it so the openssl application has all engines loaded by default.
15554
15555   *Richard Levitte*
15556
15557 * Constify the BIGNUM routines a little more.
15558
15559   *Richard Levitte*
15560
15561 * Add the following functions:
15562
15563           ENGINE_load_cswift()
15564           ENGINE_load_chil()
15565           ENGINE_load_atalla()
15566           ENGINE_load_nuron()
15567           ENGINE_load_builtin_engines()
15568
15569   That way, an application can itself choose if external engines that
15570   are built-in in OpenSSL shall ever be used or not.  The benefit is
15571   that applications won't have to be linked with libdl or other dso
15572   libraries unless it's really needed.
15573
15574   Changed 'openssl engine' to load all engines on demand.
15575   Changed the engine header files to avoid the duplication of some
15576   declarations (they differed!).
15577
15578   *Richard Levitte*
15579
15580 * 'openssl engine' can now list capabilities.
15581
15582   *Richard Levitte*
15583
15584 * Better error reporting in 'openssl engine'.
15585
15586   *Richard Levitte*
15587
15588 * Never call load_dh_param(NULL) in s_server.
15589
15590   *Bodo Moeller*
15591
15592 * Add engine application.  It can currently list engines by name and
15593   identity, and test if they are actually available.
15594
15595   *Richard Levitte*
15596
15597 * Improve RPM specification file by forcing symbolic linking and making
15598   sure the installed documentation is also owned by root.root.
15599
15600   *Damien Miller <djm@mindrot.org>*
15601
15602 * Give the OpenSSL applications more possibilities to make use of
15603   keys (public as well as private) handled by engines.
15604
15605   *Richard Levitte*
15606
15607 * Add OCSP code that comes from CertCo.
15608
15609   *Richard Levitte*
15610
15611 * Add VMS support for the Rijndael code.
15612
15613   *Richard Levitte*
15614
15615 * Added untested support for Nuron crypto accelerator.
15616
15617   *Ben Laurie*
15618
15619 * Add support for external cryptographic devices.  This code was
15620   previously distributed separately as the "engine" branch.
15621
15622   *Geoff Thorpe, Richard Levitte*
15623
15624 * Rework the filename-translation in the DSO code. It is now possible to
15625   have far greater control over how a "name" is turned into a filename
15626   depending on the operating environment and any oddities about the
15627   different shared library filenames on each system.
15628
15629   *Geoff Thorpe*
15630
15631 * Support threads on FreeBSD-elf in Configure.
15632
15633   *Richard Levitte*
15634
15635 * Fix for SHA1 assembly problem with MASM: it produces
15636   warnings about corrupt line number information when assembling
15637   with debugging information. This is caused by the overlapping
15638   of two sections.
15639
15640   *Bernd Matthes <mainbug@celocom.de>, Steve Henson*
15641
15642 * NCONF changes.
15643   NCONF_get_number() has no error checking at all.  As a replacement,
15644   NCONF_get_number_e() is defined (`_e` for "error checking") and is
15645   promoted strongly.  The old NCONF_get_number is kept around for
15646   binary backward compatibility.
15647   Make it possible for methods to load from something other than a BIO,
15648   by providing a function pointer that is given a name instead of a BIO.
15649   For example, this could be used to load configuration data from an
15650   LDAP server.
15651
15652   *Richard Levitte*
15653
15654 * Fix for non blocking accept BIOs. Added new I/O special reason
15655   BIO_RR_ACCEPT to cover this case. Previously use of accept BIOs
15656   with non blocking I/O was not possible because no retry code was
15657   implemented. Also added new SSL code SSL_WANT_ACCEPT to cover
15658   this case.
15659
15660   *Steve Henson*
15661
15662 * Added the beginnings of Rijndael support.
15663
15664   *Ben Laurie*
15665
15666 * Fix for bug in DirectoryString mask setting. Add support for
15667   X509_NAME_print_ex() in 'req' and X509_print_ex() function
15668   to allow certificate printing to more controllable, additional
15669   'certopt' option to 'x509' to allow new printing options to be
15670   set.
15671
15672   *Steve Henson*
15673
15674 * Clean old EAY MD5 hack from e_os.h.
15675
15676   *Richard Levitte*
15677
15678### Changes between 0.9.6l and 0.9.6m  [17 Mar 2004]
15679
15680 * Fix null-pointer assignment in do_change_cipher_spec() revealed
15681   by using the Codenomicon TLS Test Tool ([CVE-2004-0079])
15682
15683   *Joe Orton, Steve Henson*
15684
15685### Changes between 0.9.6k and 0.9.6l  [04 Nov 2003]
15686
15687 * Fix additional bug revealed by the NISCC test suite:
15688
15689   Stop bug triggering large recursion when presented with
15690   certain ASN.1 tags ([CVE-2003-0851])
15691
15692   *Steve Henson*
15693
15694### Changes between 0.9.6j and 0.9.6k  [30 Sep 2003]
15695
15696 * Fix various bugs revealed by running the NISCC test suite:
15697
15698   Stop out of bounds reads in the ASN1 code when presented with
15699   invalid tags (CVE-2003-0543 and CVE-2003-0544).
15700
15701   If verify callback ignores invalid public key errors don't try to check
15702   certificate signature with the NULL public key.
15703
15704   *Steve Henson*
15705
15706 * In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
15707   if the server requested one: as stated in TLS 1.0 and SSL 3.0
15708   specifications.
15709
15710   *Steve Henson*
15711
15712 * In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
15713   extra data after the compression methods not only for TLS 1.0
15714   but also for SSL 3.0 (as required by the specification).
15715
15716   *Bodo Moeller; problem pointed out by Matthias Loepfe*
15717
15718 * Change X509_certificate_type() to mark the key as exported/exportable
15719   when it's 512 *bits* long, not 512 bytes.
15720
15721   *Richard Levitte*
15722
15723### Changes between 0.9.6i and 0.9.6j  [10 Apr 2003]
15724
15725 * Countermeasure against the Klima-Pokorny-Rosa extension of
15726   Bleichbacher's attack on PKCS #1 v1.5 padding: treat
15727   a protocol version number mismatch like a decryption error
15728   in ssl3_get_client_key_exchange (ssl/s3_srvr.c).
15729
15730   *Bodo Moeller*
15731
15732 * Turn on RSA blinding by default in the default implementation
15733   to avoid a timing attack. Applications that don't want it can call
15734   RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING.
15735   They would be ill-advised to do so in most cases.
15736
15737   *Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller*
15738
15739 * Change RSA blinding code so that it works when the PRNG is not
15740   seeded (in this case, the secret RSA exponent is abused as
15741   an unpredictable seed -- if it is not unpredictable, there
15742   is no point in blinding anyway).  Make RSA blinding thread-safe
15743   by remembering the creator's thread ID in rsa->blinding and
15744   having all other threads use local one-time blinding factors
15745   (this requires more computation than sharing rsa->blinding, but
15746   avoids excessive locking; and if an RSA object is not shared
15747   between threads, blinding will still be very fast).
15748
15749   *Bodo Moeller*
15750
15751### Changes between 0.9.6h and 0.9.6i  [19 Feb 2003]
15752
15753 * In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
15754   via timing by performing a MAC computation even if incorrect
15755   block cipher padding has been found.  This is a countermeasure
15756   against active attacks where the attacker has to distinguish
15757   between bad padding and a MAC verification error. ([CVE-2003-0078])
15758
15759   *Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
15760   Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
15761   Martin Vuagnoux (EPFL, Ilion)*
15762
15763### Changes between 0.9.6g and 0.9.6h  [5 Dec 2002]
15764
15765 * New function OPENSSL_cleanse(), which is used to cleanse a section of
15766   memory from its contents.  This is done with a counter that will
15767   place alternating values in each byte.  This can be used to solve
15768   two issues: 1) the removal of calls to memset() by highly optimizing
15769   compilers, and 2) cleansing with other values than 0, since those can
15770   be read through on certain media, for example a swap space on disk.
15771
15772   *Geoff Thorpe*
15773
15774 * Bugfix: client side session caching did not work with external caching,
15775   because the session->cipher setting was not restored when reloading
15776   from the external cache. This problem was masked, when
15777   SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (part of SSL_OP_ALL) was set.
15778   (Found by Steve Haslam <steve@araqnid.ddts.net>.)
15779
15780   *Lutz Jaenicke*
15781
15782 * Fix client_certificate (ssl/s2_clnt.c): The permissible total
15783   length of the REQUEST-CERTIFICATE message is 18 .. 34, not 17 .. 33.
15784
15785   *Zeev Lieber <zeev-l@yahoo.com>*
15786
15787 * Undo an undocumented change introduced in 0.9.6e which caused
15788   repeated calls to OpenSSL_add_all_ciphers() and
15789   OpenSSL_add_all_digests() to be ignored, even after calling
15790   EVP_cleanup().
15791
15792   *Richard Levitte*
15793
15794 * Change the default configuration reader to deal with last line not
15795   being properly terminated.
15796
15797   *Richard Levitte*
15798
15799 * Change X509_NAME_cmp() so it applies the special rules on handling
15800   DN values that are of type PrintableString, as well as RDNs of type
15801   emailAddress where the value has the type ia5String.
15802
15803   *stefank@valicert.com via Richard Levitte*
15804
15805 * Add an SSL_SESS_CACHE_NO_INTERNAL_STORE flag to take over half
15806   the job SSL_SESS_CACHE_NO_INTERNAL_LOOKUP was inconsistently
15807   doing, define a new flag (SSL_SESS_CACHE_NO_INTERNAL) to be
15808   the bitwise-OR of the two for use by the majority of applications
15809   wanting this behaviour, and update the docs. The documented
15810   behaviour and actual behaviour were inconsistent and had been
15811   changing anyway, so this is more a bug-fix than a behavioural
15812   change.
15813
15814   *Geoff Thorpe, diagnosed by Nadav Har'El*
15815
15816 * Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c
15817   (the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes).
15818
15819   *Bodo Moeller*
15820
15821 * Fix initialization code race conditions in
15822           SSLv23_method(),  SSLv23_client_method(),   SSLv23_server_method(),
15823           SSLv2_method(),   SSLv2_client_method(),    SSLv2_server_method(),
15824           SSLv3_method(),   SSLv3_client_method(),    SSLv3_server_method(),
15825           TLSv1_method(),   TLSv1_client_method(),    TLSv1_server_method(),
15826           ssl2_get_cipher_by_char(),
15827           ssl3_get_cipher_by_char().
15828
15829   *Patrick McCormick <patrick@tellme.com>, Bodo Moeller*
15830
15831 * Reorder cleanup sequence in SSL_CTX_free(): only remove the ex_data after
15832   the cached sessions are flushed, as the remove_cb() might use ex_data
15833   contents. Bug found by Sam Varshavchik <mrsam@courier-mta.com>
15834   (see [openssl.org #212]).
15835
15836   *Geoff Thorpe, Lutz Jaenicke*
15837
15838 * Fix typo in OBJ_txt2obj which incorrectly passed the content
15839   length, instead of the encoding length to d2i_ASN1_OBJECT.
15840
15841   *Steve Henson*
15842
15843### Changes between 0.9.6f and 0.9.6g  [9 Aug 2002]
15844
15845 * [In 0.9.6g-engine release:]
15846   Fix crypto/engine/vendor_defns/cswift.h for WIN32 (use `_stdcall`).
15847
15848   *Lynn Gazis <lgazis@rainbow.com>*
15849
15850### Changes between 0.9.6e and 0.9.6f  [8 Aug 2002]
15851
15852 * Fix ASN1 checks. Check for overflow by comparing with LONG_MAX
15853   and get fix the header length calculation.
15854   *Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>,
15855   Alon Kantor <alonk@checkpoint.com> (and others), Steve Henson*
15856
15857 * Use proper error handling instead of 'assertions' in buffer
15858   overflow checks added in 0.9.6e.  This prevents DoS (the
15859   assertions could call abort()).
15860
15861   *Arne Ansper <arne@ats.cyber.ee>, Bodo Moeller*
15862
15863### Changes between 0.9.6d and 0.9.6e  [30 Jul 2002]
15864
15865 * Add various sanity checks to asn1_get_length() to reject
15866   the ASN1 length bytes if they exceed sizeof(long), will appear
15867   negative or the content length exceeds the length of the
15868   supplied buffer.
15869
15870   *Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>*
15871
15872 * Fix cipher selection routines: ciphers without encryption had no flags
15873   for the cipher strength set and where therefore not handled correctly
15874   by the selection routines (PR #130).
15875
15876   *Lutz Jaenicke*
15877
15878 * Fix EVP_dsa_sha macro.
15879
15880   *Nils Larsch*
15881
15882 * New option
15883        SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
15884   for disabling the SSL 3.0/TLS 1.0 CBC vulnerability countermeasure
15885   that was added in OpenSSL 0.9.6d.
15886
15887   As the countermeasure turned out to be incompatible with some
15888   broken SSL implementations, the new option is part of SSL_OP_ALL.
15889   SSL_OP_ALL is usually employed when compatibility with weird SSL
15890   implementations is desired (e.g. '-bugs' option to 's_client' and
15891   's_server'), so the new option is automatically set in many
15892   applications.
15893
15894   *Bodo Moeller*
15895
15896 * Changes in security patch:
15897
15898   Changes marked "(CHATS)" were sponsored by the Defense Advanced
15899   Research Projects Agency (DARPA) and Air Force Research Laboratory,
15900   Air Force Materiel Command, USAF, under agreement number
15901   F30602-01-2-0537.
15902
15903 * Add various sanity checks to asn1_get_length() to reject
15904   the ASN1 length bytes if they exceed sizeof(long), will appear
15905   negative or the content length exceeds the length of the
15906   supplied buffer. ([CVE-2002-0659])
15907
15908   *Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>*
15909
15910 * Assertions for various potential buffer overflows, not known to
15911   happen in practice.
15912
15913   *Ben Laurie (CHATS)*
15914
15915 * Various temporary buffers to hold ASCII versions of integers were
15916   too small for 64 bit platforms. ([CVE-2002-0655])
15917   *Matthew Byng-Maddick <mbm@aldigital.co.uk> and Ben Laurie (CHATS)>*
15918
15919 * Remote buffer overflow in SSL3 protocol - an attacker could
15920   supply an oversized session ID to a client. ([CVE-2002-0656])
15921
15922   *Ben Laurie (CHATS)*
15923
15924 * Remote buffer overflow in SSL2 protocol - an attacker could
15925   supply an oversized client master key. ([CVE-2002-0656])
15926
15927   *Ben Laurie (CHATS)*
15928
15929### Changes between 0.9.6c and 0.9.6d  [9 May 2002]
15930
15931 * Fix crypto/asn1/a_sign.c so that 'parameters' is omitted (not
15932   encoded as NULL) with id-dsa-with-sha1.
15933
15934   *Nils Larsch <nla@trustcenter.de>; problem pointed out by Bodo Moeller*
15935
15936 * Check various `X509_...()` return values in `apps/req.c`.
15937
15938   *Nils Larsch <nla@trustcenter.de>*
15939
15940 * Fix BASE64 decode (EVP_DecodeUpdate) for data with CR/LF ended lines:
15941   an end-of-file condition would erroneously be flagged, when the CRLF
15942   was just at the end of a processed block. The bug was discovered when
15943   processing data through a buffering memory BIO handing the data to a
15944   BASE64-decoding BIO. Bug fund and patch submitted by Pavel Tsekov
15945   <ptsekov@syntrex.com> and Nedelcho Stanev.
15946
15947   *Lutz Jaenicke*
15948
15949 * Implement a countermeasure against a vulnerability recently found
15950   in CBC ciphersuites in SSL 3.0/TLS 1.0: Send an empty fragment
15951   before application data chunks to avoid the use of known IVs
15952   with data potentially chosen by the attacker.
15953
15954   *Bodo Moeller*
15955
15956 * Fix length checks in ssl3_get_client_hello().
15957
15958   *Bodo Moeller*
15959
15960 * TLS/SSL library bugfix: use s->s3->in_read_app_data differently
15961   to prevent ssl3_read_internal() from incorrectly assuming that
15962   ssl3_read_bytes() found application data while handshake
15963   processing was enabled when in fact s->s3->in_read_app_data was
15964   merely automatically cleared during the initial handshake.
15965
15966   *Bodo Moeller; problem pointed out by Arne Ansper <arne@ats.cyber.ee>*
15967
15968 * Fix object definitions for Private and Enterprise: they were not
15969   recognized in their shortname (=lowercase) representation. Extend
15970   obj_dat.pl to issue an error when using undefined keywords instead
15971   of silently ignoring the problem (Svenning Sorensen
15972   <sss@sss.dnsalias.net>).
15973
15974   *Lutz Jaenicke*
15975
15976 * Fix DH_generate_parameters() so that it works for 'non-standard'
15977   generators, i.e. generators other than 2 and 5.  (Previously, the
15978   code did not properly initialise the 'add' and 'rem' values to
15979   BN_generate_prime().)
15980
15981   In the new general case, we do not insist that 'generator' is
15982   actually a primitive root: This requirement is rather pointless;
15983   a generator of the order-q subgroup is just as good, if not
15984   better.
15985
15986   *Bodo Moeller*
15987
15988 * Map new X509 verification errors to alerts. Discovered and submitted by
15989   Tom Wu <tom@arcot.com>.
15990
15991   *Lutz Jaenicke*
15992
15993 * Fix ssl3_pending() (ssl/s3_lib.c) to prevent SSL_pending() from
15994   returning non-zero before the data has been completely received
15995   when using non-blocking I/O.
15996
15997   *Bodo Moeller; problem pointed out by John Hughes*
15998
15999 * Some of the ciphers missed the strength entry (SSL_LOW etc).
16000
16001   *Ben Laurie, Lutz Jaenicke*
16002
16003 * Fix bug in SSL_clear(): bad sessions were not removed (found by
16004   Yoram Zahavi <YoramZ@gilian.com>).
16005
16006   *Lutz Jaenicke*
16007
16008 * Add information about CygWin 1.3 and on, and preserve proper
16009   configuration for the versions before that.
16010
16011   *Corinna Vinschen <vinschen@redhat.com> and Richard Levitte*
16012
16013 * Make removal from session cache (SSL_CTX_remove_session()) more robust:
16014   check whether we deal with a copy of a session and do not delete from
16015   the cache in this case. Problem reported by "Izhar Shoshani Levi"
16016   <izhar@checkpoint.com>.
16017
16018   *Lutz Jaenicke*
16019
16020 * Do not store session data into the internal session cache, if it
16021   is never intended to be looked up (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
16022   flag is set). Proposed by Aslam <aslam@funk.com>.
16023
16024   *Lutz Jaenicke*
16025
16026 * Have ASN1_BIT_STRING_set_bit() really clear a bit when the requested
16027   value is 0.
16028
16029   *Richard Levitte*
16030
16031 * [In 0.9.6d-engine release:]
16032   Fix a crashbug and a logic bug in hwcrhk_load_pubkey().
16033
16034   *Toomas Kiisk <vix@cyber.ee> via Richard Levitte*
16035
16036 * Add the configuration target linux-s390x.
16037
16038   *Neale Ferguson <Neale.Ferguson@SoftwareAG-USA.com> via Richard Levitte*
16039
16040 * The earlier bugfix for the SSL3_ST_SW_HELLO_REQ_C case of
16041   ssl3_accept (ssl/s3_srvr.c) incorrectly used a local flag
16042   variable as an indication that a ClientHello message has been
16043   received.  As the flag value will be lost between multiple
16044   invocations of ssl3_accept when using non-blocking I/O, the
16045   function may not be aware that a handshake has actually taken
16046   place, thus preventing a new session from being added to the
16047   session cache.
16048
16049   To avoid this problem, we now set s->new_session to 2 instead of
16050   using a local variable.
16051
16052   *Lutz Jaenicke, Bodo Moeller*
16053
16054 * Bugfix: Return -1 from ssl3_get_server_done (ssl3/s3_clnt.c)
16055   if the SSL_R_LENGTH_MISMATCH error is detected.
16056
16057   *Geoff Thorpe, Bodo Moeller*
16058
16059 * New 'shared_ldflag' column in Configure platform table.
16060
16061   *Richard Levitte*
16062
16063 * Fix EVP_CIPHER_mode macro.
16064
16065   *"Dan S. Camper" <dan@bti.net>*
16066
16067 * Fix ssl3_read_bytes (ssl/s3_pkt.c): To ignore messages of unknown
16068   type, we must throw them away by setting rr->length to 0.
16069
16070   *D P Chang <dpc@qualys.com>*
16071
16072### Changes between 0.9.6b and 0.9.6c  [21 dec 2001]
16073
16074 * Fix BN_rand_range bug pointed out by Dominikus Scherkl
16075   <Dominikus.Scherkl@biodata.com>.  (The previous implementation
16076   worked incorrectly for those cases where range = `10..._2`  and
16077   `3*range`  is two bits longer than  range.)
16078
16079   *Bodo Moeller*
16080
16081 * Only add signing time to PKCS7 structures if it is not already
16082   present.
16083
16084   *Steve Henson*
16085
16086 * Fix crypto/objects/objects.h: "ld-ce" should be "id-ce",
16087   OBJ_ld_ce should be OBJ_id_ce.
16088   Also some ip-pda OIDs in crypto/objects/objects.txt were
16089   incorrect (cf. RFC 3039).
16090
16091   *Matt Cooper, Frederic Giudicelli, Bodo Moeller*
16092
16093 * Release CRYPTO_LOCK_DYNLOCK when CRYPTO_destroy_dynlockid()
16094   returns early because it has nothing to do.
16095
16096   *Andy Schneider <andy.schneider@bjss.co.uk>*
16097
16098 * [In 0.9.6c-engine release:]
16099   Fix mutex callback return values in crypto/engine/hw_ncipher.c.
16100
16101   *Andy Schneider <andy.schneider@bjss.co.uk>*
16102
16103 * [In 0.9.6c-engine release:]
16104   Add support for Cryptographic Appliance's keyserver technology.
16105   (Use engine 'keyclient')
16106
16107   *Cryptographic Appliances and Geoff Thorpe*
16108
16109 * Add a configuration entry for OS/390 Unix.  The C compiler 'c89'
16110   is called via tools/c89.sh because arguments have to be
16111   rearranged (all '-L' options must appear before the first object
16112   modules).
16113
16114   *Richard Shapiro <rshapiro@abinitio.com>*
16115
16116 * [In 0.9.6c-engine release:]
16117   Add support for Broadcom crypto accelerator cards, backported
16118   from 0.9.7.
16119
16120   *Broadcom, Nalin Dahyabhai <nalin@redhat.com>, Mark Cox*
16121
16122 * [In 0.9.6c-engine release:]
16123   Add support for SureWare crypto accelerator cards from
16124   Baltimore Technologies.  (Use engine 'sureware')
16125
16126   *Baltimore Technologies and Mark Cox*
16127
16128 * [In 0.9.6c-engine release:]
16129   Add support for crypto accelerator cards from Accelerated
16130   Encryption Processing, www.aep.ie.  (Use engine 'aep')
16131
16132   *AEP Inc. and Mark Cox*
16133
16134 * Add a configuration entry for gcc on UnixWare.
16135
16136   *Gary Benson <gbenson@redhat.com>*
16137
16138 * Change ssl/s2_clnt.c and ssl/s2_srvr.c so that received handshake
16139   messages are stored in a single piece (fixed-length part and
16140   variable-length part combined) and fix various bugs found on the way.
16141
16142   *Bodo Moeller*
16143
16144 * Disable caching in BIO_gethostbyname(), directly use gethostbyname()
16145   instead.  BIO_gethostbyname() does not know what timeouts are
16146   appropriate, so entries would stay in cache even when they have
16147   become invalid.
16148   *Bodo Moeller; problem pointed out by Rich Salz <rsalz@zolera.com>*
16149
16150 * Change ssl23_get_client_hello (ssl/s23_srvr.c) behaviour when
16151   faced with a pathologically small ClientHello fragment that does
16152   not contain client_version: Instead of aborting with an error,
16153   simply choose the highest available protocol version (i.e.,
16154   TLS 1.0 unless it is disabled).  In practice, ClientHello
16155   messages are never sent like this, but this change gives us
16156   strictly correct behaviour at least for TLS.
16157
16158   *Bodo Moeller*
16159
16160 * Fix SSL handshake functions and SSL_clear() such that SSL_clear()
16161   never resets s->method to s->ctx->method when called from within
16162   one of the SSL handshake functions.
16163
16164   *Bodo Moeller; problem pointed out by Niko Baric*
16165
16166 * In ssl3_get_client_hello (ssl/s3_srvr.c), generate a fatal alert
16167   (sent using the client's version number) if client_version is
16168   smaller than the protocol version in use.  Also change
16169   ssl23_get_client_hello (ssl/s23_srvr.c) to select TLS 1.0 if
16170   the client demanded SSL 3.0 but only TLS 1.0 is enabled; then
16171   the client will at least see that alert.
16172
16173   *Bodo Moeller*
16174
16175 * Fix ssl3_get_message (ssl/s3_both.c) to handle message fragmentation
16176   correctly.
16177
16178   *Bodo Moeller*
16179
16180 * Avoid infinite loop in ssl3_get_message (ssl/s3_both.c) if a
16181   client receives HelloRequest while in a handshake.
16182
16183   *Bodo Moeller; bug noticed by Andy Schneider <andy.schneider@bjss.co.uk>*
16184
16185 * Bugfix in ssl3_accept (ssl/s3_srvr.c): Case SSL3_ST_SW_HELLO_REQ_C
16186   should end in 'break', not 'goto end' which circumvents various
16187   cleanups done in state SSL_ST_OK.   But session related stuff
16188   must be disabled for SSL_ST_OK in the case that we just sent a
16189   HelloRequest.
16190
16191   Also avoid some overhead by not calling ssl_init_wbio_buffer()
16192   before just sending a HelloRequest.
16193
16194   *Bodo Moeller, Eric Rescorla <ekr@rtfm.com>*
16195
16196 * Fix ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c so that we don't
16197   reveal whether illegal block cipher padding was found or a MAC
16198   verification error occurred.  (Neither SSLerr() codes nor alerts
16199   are directly visible to potential attackers, but the information
16200   may leak via logfiles.)
16201
16202   Similar changes are not required for the SSL 2.0 implementation
16203   because the number of padding bytes is sent in clear for SSL 2.0,
16204   and the extra bytes are just ignored.  However ssl/s2_pkt.c
16205   failed to verify that the purported number of padding bytes is in
16206   the legal range.
16207
16208   *Bodo Moeller*
16209
16210 * Add OpenUNIX-8 support including shared libraries
16211   (Boyd Lynn Gerber <gerberb@zenez.com>).
16212
16213   *Lutz Jaenicke*
16214
16215 * Improve RSA_padding_check_PKCS1_OAEP() check again to avoid
16216   'wristwatch attack' using huge encoding parameters (cf.
16217   James H. Manger's CRYPTO 2001 paper).  Note that the
16218   RSA_PKCS1_OAEP_PADDING case of RSA_private_decrypt() does not use
16219   encoding parameters and hence was not vulnerable.
16220
16221   *Bodo Moeller*
16222
16223 * BN_sqr() bug fix.
16224
16225   *Ulf Möller, reported by Jim Ellis <jim.ellis@cavium.com>*
16226
16227 * Rabin-Miller test analyses assume uniformly distributed witnesses,
16228   so use BN_pseudo_rand_range() instead of using BN_pseudo_rand()
16229   followed by modular reduction.
16230
16231   *Bodo Moeller; pointed out by Adam Young <AYoung1@NCSUS.JNJ.COM>*
16232
16233 * Add BN_pseudo_rand_range() with obvious functionality: BN_rand_range()
16234   equivalent based on BN_pseudo_rand() instead of BN_rand().
16235
16236   *Bodo Moeller*
16237
16238 * s3_srvr.c: allow sending of large client certificate lists (> 16 kB).
16239   This function was broken, as the check for a new client hello message
16240   to handle SGC did not allow these large messages.
16241   (Tracked down by "Douglas E. Engert" <deengert@anl.gov>.)
16242
16243   *Lutz Jaenicke*
16244
16245 * Add alert descriptions for TLSv1 to `SSL_alert_desc_string[_long]()`.
16246
16247   *Lutz Jaenicke*
16248
16249 * Fix buggy behaviour of BIO_get_num_renegotiates() and BIO_ctrl()
16250   for BIO_C_GET_WRITE_BUF_SIZE ("Stephen Hinton" <shinton@netopia.com>).
16251
16252   *Lutz Jaenicke*
16253
16254 * Rework the configuration and shared library support for Tru64 Unix.
16255   The configuration part makes use of modern compiler features and
16256   still retains old compiler behavior for those that run older versions
16257   of the OS.  The shared library support part includes a variant that
16258   uses the RPATH feature, and is available through the special
16259   configuration target "alpha-cc-rpath", which will never be selected
16260   automatically.
16261
16262   *Tim Mooney <mooney@dogbert.cc.ndsu.NoDak.edu> via Richard Levitte*
16263
16264 * In ssl3_get_key_exchange (ssl/s3_clnt.c), call ssl3_get_message()
16265   with the same message size as in ssl3_get_certificate_request().
16266   Otherwise, if no ServerKeyExchange message occurs, CertificateRequest
16267   messages might inadvertently be reject as too long.
16268
16269   *Petr Lampa <lampa@fee.vutbr.cz>*
16270
16271 * Enhanced support for IA-64 Unix platforms (well, Linux and HP-UX).
16272
16273   *Andy Polyakov*
16274
16275 * Modified SSL library such that the verify_callback that has been set
16276   specifically for an SSL object with SSL_set_verify() is actually being
16277   used. Before the change, a verify_callback set with this function was
16278   ignored and the verify_callback() set in the SSL_CTX at the time of
16279   the call was used. New function X509_STORE_CTX_set_verify_cb() introduced
16280   to allow the necessary settings.
16281
16282   *Lutz Jaenicke*
16283
16284 * Initialize static variable in crypto/dsa/dsa_lib.c and crypto/dh/dh_lib.c
16285   explicitly to NULL, as at least on Solaris 8 this seems not always to be
16286   done automatically (in contradiction to the requirements of the C
16287   standard). This made problems when used from OpenSSH.
16288
16289   *Lutz Jaenicke*
16290
16291 * In OpenSSL 0.9.6a and 0.9.6b, crypto/dh/dh_key.c ignored
16292   dh->length and always used
16293
16294           BN_rand_range(priv_key, dh->p).
16295
16296   BN_rand_range() is not necessary for Diffie-Hellman, and this
16297   specific range makes Diffie-Hellman unnecessarily inefficient if
16298   dh->length (recommended exponent length) is much smaller than the
16299   length of dh->p.  We could use BN_rand_range() if the order of
16300   the subgroup was stored in the DH structure, but we only have
16301   dh->length.
16302
16303   So switch back to
16304
16305           BN_rand(priv_key, l, ...)
16306
16307   where 'l' is dh->length if this is defined, or BN_num_bits(dh->p)-1
16308   otherwise.
16309
16310   *Bodo Moeller*
16311
16312 * In
16313
16314           RSA_eay_public_encrypt
16315           RSA_eay_private_decrypt
16316           RSA_eay_private_encrypt (signing)
16317           RSA_eay_public_decrypt (signature verification)
16318
16319   (default implementations for RSA_public_encrypt,
16320   RSA_private_decrypt, RSA_private_encrypt, RSA_public_decrypt),
16321   always reject numbers >= n.
16322
16323   *Bodo Moeller*
16324
16325 * In crypto/rand/md_rand.c, use a new short-time lock CRYPTO_LOCK_RAND2
16326   to synchronize access to 'locking_thread'.  This is necessary on
16327   systems where access to 'locking_thread' (an 'unsigned long'
16328   variable) is not atomic.
16329
16330   *Bodo Moeller*
16331
16332 * In crypto/rand/md_rand.c, set 'locking_thread' to current thread's ID
16333   *before* setting the 'crypto_lock_rand' flag.  The previous code had
16334   a race condition if 0 is a valid thread ID.
16335
16336   *Travis Vitek <vitek@roguewave.com>*
16337
16338 * Add support for shared libraries under Irix.
16339
16340   *Albert Chin-A-Young <china@thewrittenword.com>*
16341
16342 * Add configuration option to build on Linux on both big-endian and
16343   little-endian MIPS.
16344
16345   *Ralf Baechle <ralf@uni-koblenz.de>*
16346
16347 * Add the possibility to create shared libraries on HP-UX.
16348
16349   *Richard Levitte*
16350
16351### Changes between 0.9.6a and 0.9.6b  [9 Jul 2001]
16352
16353 * Change ssleay_rand_bytes (crypto/rand/md_rand.c)
16354   to avoid an SSLeay/OpenSSL PRNG weakness pointed out by
16355   Markku-Juhani O. Saarinen <markku-juhani.saarinen@nokia.com>:
16356   PRNG state recovery was possible based on the output of
16357   one PRNG request appropriately sized to gain knowledge on
16358   'md' followed by enough consecutive 1-byte PRNG requests
16359   to traverse all of 'state'.
16360
16361   1. When updating 'md_local' (the current thread's copy of 'md')
16362      during PRNG output generation, hash all of the previous
16363      'md_local' value, not just the half used for PRNG output.
16364
16365   2. Make the number of bytes from 'state' included into the hash
16366      independent from the number of PRNG bytes requested.
16367
16368   The first measure alone would be sufficient to avoid
16369   Markku-Juhani's attack.  (Actually it had never occurred
16370   to me that the half of 'md_local' used for chaining was the
16371   half from which PRNG output bytes were taken -- I had always
16372   assumed that the secret half would be used.)  The second
16373   measure makes sure that additional data from 'state' is never
16374   mixed into 'md_local' in small portions; this heuristically
16375   further strengthens the PRNG.
16376
16377   *Bodo Moeller*
16378
16379 * Fix crypto/bn/asm/mips3.s.
16380
16381   *Andy Polyakov*
16382
16383 * When only the key is given to "enc", the IV is undefined. Print out
16384   an error message in this case.
16385
16386   *Lutz Jaenicke*
16387
16388 * Handle special case when X509_NAME is empty in X509 printing routines.
16389
16390   *Steve Henson*
16391
16392 * In dsa_do_verify (crypto/dsa/dsa_ossl.c), verify that r and s are
16393   positive and less than q.
16394
16395   *Bodo Moeller*
16396
16397 * Don't change `*pointer` in CRYPTO_add_lock() is add_lock_callback is
16398   used: it isn't thread safe and the add_lock_callback should handle
16399   that itself.
16400
16401   *Paul Rose <Paul.Rose@bridge.com>*
16402
16403 * Verify that incoming data obeys the block size in
16404   ssl3_enc (ssl/s3_enc.c) and tls1_enc (ssl/t1_enc.c).
16405
16406   *Bodo Moeller*
16407
16408 * Fix OAEP check.
16409
16410   *Ulf Möller, Bodo Möller*
16411
16412 * The countermeasure against Bleichbacher's attack on PKCS #1 v1.5
16413   RSA encryption was accidentally removed in s3_srvr.c in OpenSSL 0.9.5
16414   when fixing the server behaviour for backwards-compatible 'client
16415   hello' messages.  (Note that the attack is impractical against
16416   SSL 3.0 and TLS 1.0 anyway because length and version checking
16417   means that the probability of guessing a valid ciphertext is
16418   around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98
16419   paper.)
16420
16421   Before 0.9.5, the countermeasure (hide the error by generating a
16422   random 'decryption result') did not work properly because
16423   ERR_clear_error() was missing, meaning that SSL_get_error() would
16424   detect the supposedly ignored error.
16425
16426   Both problems are now fixed.
16427
16428   *Bodo Moeller*
16429
16430 * In crypto/bio/bf_buff.c, increase DEFAULT_BUFFER_SIZE to 4096
16431   (previously it was 1024).
16432
16433   *Bodo Moeller*
16434
16435 * Fix for compatibility mode trust settings: ignore trust settings
16436   unless some valid trust or reject settings are present.
16437
16438   *Steve Henson*
16439
16440 * Fix for blowfish EVP: its a variable length cipher.
16441
16442   *Steve Henson*
16443
16444 * Fix various bugs related to DSA S/MIME verification. Handle missing
16445   parameters in DSA public key structures and return an error in the
16446   DSA routines if parameters are absent.
16447
16448   *Steve Henson*
16449
16450 * In versions up to 0.9.6, RAND_file_name() resorted to file ".rnd"
16451   in the current directory if neither $RANDFILE nor $HOME was set.
16452   RAND_file_name() in 0.9.6a returned NULL in this case.  This has
16453   caused some confusion to Windows users who haven't defined $HOME.
16454   Thus RAND_file_name() is changed again: e_os.h can define a
16455   DEFAULT_HOME, which will be used if $HOME is not set.
16456   For Windows, we use "C:"; on other platforms, we still require
16457   environment variables.
16458
16459 * Move 'if (!initialized) RAND_poll()' into regions protected by
16460   CRYPTO_LOCK_RAND.  This is not strictly necessary, but avoids
16461   having multiple threads call RAND_poll() concurrently.
16462
16463   *Bodo Moeller*
16464
16465 * In crypto/rand/md_rand.c, replace 'add_do_not_lock' flag by a
16466   combination of a flag and a thread ID variable.
16467   Otherwise while one thread is in ssleay_rand_bytes (which sets the
16468   flag), *other* threads can enter ssleay_add_bytes without obeying
16469   the CRYPTO_LOCK_RAND lock (and may even illegally release the lock
16470   that they do not hold after the first thread unsets add_do_not_lock).
16471
16472   *Bodo Moeller*
16473
16474 * Change bctest again: '-x' expressions are not available in all
16475   versions of 'test'.
16476
16477   *Bodo Moeller*
16478
16479### Changes between 0.9.6 and 0.9.6a  [5 Apr 2001]
16480
16481 * Fix a couple of memory leaks in PKCS7_dataDecode()
16482
16483   *Steve Henson, reported by Heyun Zheng <hzheng@atdsprint.com>*
16484
16485 * Change Configure and Makefiles to provide EXE_EXT, which will contain
16486   the default extension for executables, if any.  Also, make the perl
16487   scripts that use symlink() to test if it really exists and use "cp"
16488   if it doesn't.  All this made OpenSSL compilable and installable in
16489   CygWin.
16490
16491   *Richard Levitte*
16492
16493 * Fix for asn1_GetSequence() for indefinite length constructed data.
16494   If SEQUENCE is length is indefinite just set c->slen to the total
16495   amount of data available.
16496
16497   *Steve Henson, reported by shige@FreeBSD.org*
16498
16499   *This change does not apply to 0.9.7.*
16500
16501 * Change bctest to avoid here-documents inside command substitution
16502   (workaround for FreeBSD /bin/sh bug).
16503   For compatibility with Ultrix, avoid shell functions (introduced
16504   in the bctest version that searches along $PATH).
16505
16506   *Bodo Moeller*
16507
16508 * Rename 'des_encrypt' to 'des_encrypt1'.  This avoids the clashes
16509   with des_encrypt() defined on some operating systems, like Solaris
16510   and UnixWare.
16511
16512   *Richard Levitte*
16513
16514 * Check the result of RSA-CRT (see D. Boneh, R. DeMillo, R. Lipton:
16515   On the Importance of Eliminating Errors in Cryptographic
16516   Computations, J. Cryptology 14 (2001) 2, 101-119,
16517   <http://theory.stanford.edu/~dabo/papers/faults.ps.gz>).
16518
16519   *Ulf Moeller*
16520
16521 * MIPS assembler BIGNUM division bug fix.
16522
16523   *Andy Polyakov*
16524
16525 * Disabled incorrect Alpha assembler code.
16526
16527   *Richard Levitte*
16528
16529 * Fix PKCS#7 decode routines so they correctly update the length
16530   after reading an EOC for the EXPLICIT tag.
16531
16532   *Steve Henson*
16533
16534   *This change does not apply to 0.9.7.*
16535
16536 * Fix bug in PKCS#12 key generation routines. This was triggered
16537   if a 3DES key was generated with a 0 initial byte. Include
16538   PKCS12_BROKEN_KEYGEN compilation option to retain the old
16539   (but broken) behaviour.
16540
16541   *Steve Henson*
16542
16543 * Enhance bctest to search for a working bc along $PATH and print
16544   it when found.
16545
16546   *Tim Rice <tim@multitalents.net> via Richard Levitte*
16547
16548 * Fix memory leaks in err.c: free err_data string if necessary;
16549   don't write to the wrong index in ERR_set_error_data.
16550
16551   *Bodo Moeller*
16552
16553 * Implement ssl23_peek (analogous to ssl23_read), which previously
16554   did not exist.
16555
16556   *Bodo Moeller*
16557
16558 * Replace rdtsc with `_emit` statements for VC++ version 5.
16559
16560   *Jeremy Cooper <jeremy@baymoo.org>*
16561
16562 * Make it possible to reuse SSLv2 sessions.
16563
16564   *Richard Levitte*
16565
16566 * In copy_email() check for >= 0 as a return value for
16567   X509_NAME_get_index_by_NID() since 0 is a valid index.
16568
16569   *Steve Henson reported by Massimiliano Pala <madwolf@opensca.org>*
16570
16571 * Avoid coredump with unsupported or invalid public keys by checking if
16572   X509_get_pubkey() fails in PKCS7_verify(). Fix memory leak when
16573   PKCS7_verify() fails with non detached data.
16574
16575   *Steve Henson*
16576
16577 * Don't use getenv in library functions when run as setuid/setgid.
16578   New function OPENSSL_issetugid().
16579
16580   *Ulf Moeller*
16581
16582 * Avoid false positives in memory leak detection code (crypto/mem_dbg.c)
16583   due to incorrect handling of multi-threading:
16584
16585   1. Fix timing glitch in the MemCheck_off() portion of CRYPTO_mem_ctrl().
16586
16587   2. Fix logical glitch in is_MemCheck_on() aka CRYPTO_is_mem_check_on().
16588
16589   3. Count how many times MemCheck_off() has been called so that
16590      nested use can be treated correctly.  This also avoids
16591      inband-signalling in the previous code (which relied on the
16592      assumption that thread ID 0 is impossible).
16593
16594   *Bodo Moeller*
16595
16596 * Add "-rand" option also to s_client and s_server.
16597
16598   *Lutz Jaenicke*
16599
16600 * Fix CPU detection on Irix 6.x.
16601   *Kurt Hockenbury <khockenb@stevens-tech.edu> and
16602   "Bruce W. Forsberg" <bruce.forsberg@baesystems.com>*
16603
16604 * Fix X509_NAME bug which produced incorrect encoding if X509_NAME
16605   was empty.
16606
16607   *Steve Henson*
16608
16609   *This change does not apply to 0.9.7.*
16610
16611 * Use the cached encoding of an X509_NAME structure rather than
16612   copying it. This is apparently the reason for the libsafe "errors"
16613   but the code is actually correct.
16614
16615   *Steve Henson*
16616
16617 * Add new function BN_rand_range(), and fix DSA_sign_setup() to prevent
16618   Bleichenbacher's DSA attack.
16619   Extend BN_[pseudo_]rand: As before, top=1 forces the highest two bits
16620   to be set and top=0 forces the highest bit to be set; top=-1 is new
16621   and leaves the highest bit random.
16622
16623   *Ulf Moeller, Bodo Moeller*
16624
16625 * In the `NCONF_...`-based implementations for `CONF_...` queries
16626   (crypto/conf/conf_lib.c), if the input LHASH is NULL, avoid using
16627   a temporary CONF structure with the data component set to NULL
16628   (which gives segmentation faults in lh_retrieve).
16629   Instead, use NULL for the CONF pointer in CONF_get_string and
16630   CONF_get_number (which may use environment variables) and directly
16631   return NULL from CONF_get_section.
16632
16633   *Bodo Moeller*
16634
16635 * Fix potential buffer overrun for EBCDIC.
16636
16637   *Ulf Moeller*
16638
16639 * Tolerate nonRepudiation as being valid for S/MIME signing and certSign
16640   keyUsage if basicConstraints absent for a CA.
16641
16642   *Steve Henson*
16643
16644 * Make SMIME_write_PKCS7() write mail header values with a format that
16645   is more generally accepted (no spaces before the semicolon), since
16646   some programs can't parse those values properly otherwise.  Also make
16647   sure BIO's that break lines after each write do not create invalid
16648   headers.
16649
16650   *Richard Levitte*
16651
16652 * Make the CRL encoding routines work with empty SEQUENCE OF. The
16653   macros previously used would not encode an empty SEQUENCE OF
16654   and break the signature.
16655
16656   *Steve Henson*
16657
16658   *This change does not apply to 0.9.7.*
16659
16660 * Zero the premaster secret after deriving the master secret in
16661   DH ciphersuites.
16662
16663   *Steve Henson*
16664
16665 * Add some EVP_add_digest_alias registrations (as found in
16666   OpenSSL_add_all_digests()) to SSL_library_init()
16667   aka OpenSSL_add_ssl_algorithms().  This provides improved
16668   compatibility with peers using X.509 certificates
16669   with unconventional AlgorithmIdentifier OIDs.
16670
16671   *Bodo Moeller*
16672
16673 * Fix for Irix with NO_ASM.
16674
16675   *"Bruce W. Forsberg" <bruce.forsberg@baesystems.com>*
16676
16677 * ./config script fixes.
16678
16679   *Ulf Moeller, Richard Levitte*
16680
16681 * Fix 'openssl passwd -1'.
16682
16683   *Bodo Moeller*
16684
16685 * Change PKCS12_key_gen_asc() so it can cope with non null
16686   terminated strings whose length is passed in the passlen
16687   parameter, for example from PEM callbacks. This was done
16688   by adding an extra length parameter to asc2uni().
16689
16690   *Steve Henson, reported by <oddissey@samsung.co.kr>*
16691
16692 * Fix C code generated by 'openssl dsaparam -C': If a BN_bin2bn
16693   call failed, free the DSA structure.
16694
16695   *Bodo Moeller*
16696
16697 * Fix to uni2asc() to cope with zero length Unicode strings.
16698   These are present in some PKCS#12 files.
16699
16700   *Steve Henson*
16701
16702 * Increase s2->wbuf allocation by one byte in ssl2_new (ssl/s2_lib.c).
16703   Otherwise do_ssl_write (ssl/s2_pkt.c) will write beyond buffer limits
16704   when writing a 32767 byte record.
16705
16706   *Bodo Moeller; problem reported by Eric Day <eday@concentric.net>*
16707
16708 * In `RSA_eay_public_{en,ed}crypt` and RSA_eay_mod_exp (rsa_eay.c),
16709   obtain lock CRYPTO_LOCK_RSA before setting `rsa->_method_mod_{n,p,q}`.
16710
16711   (RSA objects have a reference count access to which is protected
16712   by CRYPTO_LOCK_RSA [see rsa_lib.c, s3_srvr.c, ssl_cert.c, ssl_rsa.c],
16713   so they are meant to be shared between threads.)
16714   *Bodo Moeller, Geoff Thorpe; original patch submitted by
16715   "Reddie, Steven" <Steven.Reddie@ca.com>*
16716
16717 * Fix a deadlock in CRYPTO_mem_leaks().
16718
16719   *Bodo Moeller*
16720
16721 * Use better test patterns in bntest.
16722
16723   *Ulf Möller*
16724
16725 * rand_win.c fix for Borland C.
16726
16727   *Ulf Möller*
16728
16729 * BN_rshift bugfix for n == 0.
16730
16731   *Bodo Moeller*
16732
16733 * Add a 'bctest' script that checks for some known 'bc' bugs
16734   so that 'make test' does not abort just because 'bc' is broken.
16735
16736   *Bodo Moeller*
16737
16738 * Store verify_result within SSL_SESSION also for client side to
16739   avoid potential security hole. (Reused sessions on the client side
16740   always resulted in verify_result==X509_V_OK, not using the original
16741   result of the server certificate verification.)
16742
16743   *Lutz Jaenicke*
16744
16745 * Fix ssl3_pending: If the record in s->s3->rrec is not of type
16746   SSL3_RT_APPLICATION_DATA, return 0.
16747   Similarly, change ssl2_pending to return 0 if SSL_in_init(s) is true.
16748
16749   *Bodo Moeller*
16750
16751 * Fix SSL_peek:
16752   Both ssl2_peek and ssl3_peek, which were totally broken in earlier
16753   releases, have been re-implemented by renaming the previous
16754   implementations of ssl2_read and ssl3_read to ssl2_read_internal
16755   and ssl3_read_internal, respectively, and adding 'peek' parameters
16756   to them.  The new ssl[23]_{read,peek} functions are calls to
16757   ssl[23]_read_internal with the 'peek' flag set appropriately.
16758   A 'peek' parameter has also been added to ssl3_read_bytes, which
16759   does the actual work for ssl3_read_internal.
16760
16761   *Bodo Moeller*
16762
16763 * Initialise "ex_data" member of RSA/DSA/DH structures prior to calling
16764   the method-specific "init()" handler. Also clean up ex_data after
16765   calling the method-specific "finish()" handler. Previously, this was
16766   happening the other way round.
16767
16768   *Geoff Thorpe*
16769
16770 * Increase BN_CTX_NUM (the number of BIGNUMs in a BN_CTX) to 16.
16771   The previous value, 12, was not always sufficient for BN_mod_exp().
16772
16773   *Bodo Moeller*
16774
16775 * Make sure that shared libraries get the internal name engine with
16776   the full version number and not just 0.  This should mark the
16777   shared libraries as not backward compatible.  Of course, this should
16778   be changed again when we can guarantee backward binary compatibility.
16779
16780   *Richard Levitte*
16781
16782 * Fix typo in get_cert_by_subject() in by_dir.c
16783
16784   *Jean-Marc Desperrier <jean-marc.desperrier@certplus.com>*
16785
16786 * Rework the system to generate shared libraries:
16787
16788   - Make note of the expected extension for the shared libraries and
16789     if there is a need for symbolic links from for example libcrypto.so.0
16790     to libcrypto.so.0.9.7.  There is extended info in Configure for
16791     that.
16792
16793   - Make as few rebuilds of the shared libraries as possible.
16794
16795   - Still avoid linking the OpenSSL programs with the shared libraries.
16796
16797   - When installing, install the shared libraries separately from the
16798     static ones.
16799
16800   *Richard Levitte*
16801
16802 * Fix SSL_CTX_set_read_ahead macro to actually use its argument.
16803
16804   Copy SSL_CTX's read_ahead flag to SSL object directly in SSL_new
16805   and not in SSL_clear because the latter is also used by the
16806   accept/connect functions; previously, the settings made by
16807   SSL_set_read_ahead would be lost during the handshake.
16808
16809   *Bodo Moeller; problems reported by Anders Gertz <gertz@epact.se>*
16810
16811 * Correct util/mkdef.pl to be selective about disabled algorithms.
16812   Previously, it would create entries for disabled algorithms no
16813   matter what.
16814
16815   *Richard Levitte*
16816
16817 * Added several new manual pages for SSL_* function.
16818
16819   *Lutz Jaenicke*
16820
16821### Changes between 0.9.5a and 0.9.6  [24 Sep 2000]
16822
16823 * In ssl23_get_client_hello, generate an error message when faced
16824   with an initial SSL 3.0/TLS record that is too small to contain the
16825   first two bytes of the ClientHello message, i.e. client_version.
16826   (Note that this is a pathologic case that probably has never happened
16827   in real life.)  The previous approach was to use the version number
16828   from the record header as a substitute; but our protocol choice
16829   should not depend on that one because it is not authenticated
16830   by the Finished messages.
16831
16832   *Bodo Moeller*
16833
16834 * More robust randomness gathering functions for Windows.
16835
16836   *Jeffrey Altman <jaltman@columbia.edu>*
16837
16838 * For compatibility reasons if the flag X509_V_FLAG_ISSUER_CHECK is
16839   not set then we don't setup the error code for issuer check errors
16840   to avoid possibly overwriting other errors which the callback does
16841   handle. If an application does set the flag then we assume it knows
16842   what it is doing and can handle the new informational codes
16843   appropriately.
16844
16845   *Steve Henson*
16846
16847 * Fix for a nasty bug in ASN1_TYPE handling. ASN1_TYPE is used for
16848   a general "ANY" type, as such it should be able to decode anything
16849   including tagged types. However it didn't check the class so it would
16850   wrongly interpret tagged types in the same way as their universal
16851   counterpart and unknown types were just rejected. Changed so that the
16852   tagged and unknown types are handled in the same way as a SEQUENCE:
16853   that is the encoding is stored intact. There is also a new type
16854   "V_ASN1_OTHER" which is used when the class is not universal, in this
16855   case we have no idea what the actual type is so we just lump them all
16856   together.
16857
16858   *Steve Henson*
16859
16860 * On VMS, stdout may very well lead to a file that is written to
16861   in a record-oriented fashion.  That means that every write() will
16862   write a separate record, which will be read separately by the
16863   programs trying to read from it.  This can be very confusing.
16864
16865   The solution is to put a BIO filter in the way that will buffer
16866   text until a linefeed is reached, and then write everything a
16867   line at a time, so every record written will be an actual line,
16868   not chunks of lines and not (usually doesn't happen, but I've
16869   seen it once) several lines in one record.  BIO_f_linebuffer() is
16870   the answer.
16871
16872   Currently, it's a VMS-only method, because that's where it has
16873   been tested well enough.
16874
16875   *Richard Levitte*
16876
16877 * Remove 'optimized' squaring variant in BN_mod_mul_montgomery,
16878   it can return incorrect results.
16879   (Note: The buggy variant was not enabled in OpenSSL 0.9.5a,
16880   but it was in 0.9.6-beta[12].)
16881
16882   *Bodo Moeller*
16883
16884 * Disable the check for content being present when verifying detached
16885   signatures in pk7_smime.c. Some versions of Netscape (wrongly)
16886   include zero length content when signing messages.
16887
16888   *Steve Henson*
16889
16890 * New BIO_shutdown_wr macro, which invokes the BIO_C_SHUTDOWN_WR
16891   BIO_ctrl (for BIO pairs).
16892
16893   *Bodo Möller*
16894
16895 * Add DSO method for VMS.
16896
16897   *Richard Levitte*
16898
16899 * Bug fix: Montgomery multiplication could produce results with the
16900   wrong sign.
16901
16902   *Ulf Möller*
16903
16904 * Add RPM specification openssl.spec and modify it to build three
16905   packages.  The default package contains applications, application
16906   documentation and run-time libraries.  The devel package contains
16907   include files, static libraries and function documentation.  The
16908   doc package contains the contents of the doc directory.  The original
16909   openssl.spec was provided by Damien Miller <djm@mindrot.org>.
16910
16911   *Richard Levitte*
16912
16913 * Add a large number of documentation files for many SSL routines.
16914
16915   *Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>*
16916
16917 * Add a configuration entry for Sony News 4.
16918
16919   *NAKAJI Hiroyuki <nakaji@tutrp.tut.ac.jp>*
16920
16921 * Don't set the two most significant bits to one when generating a
16922   random number < q in the DSA library.
16923
16924   *Ulf Möller*
16925
16926 * New SSL API mode 'SSL_MODE_AUTO_RETRY'.  This disables the default
16927   behaviour that SSL_read may result in SSL_ERROR_WANT_READ (even if
16928   the underlying transport is blocking) if a handshake took place.
16929   (The default behaviour is needed by applications such as s_client
16930   and s_server that use select() to determine when to use SSL_read;
16931   but for applications that know in advance when to expect data, it
16932   just makes things more complicated.)
16933
16934   *Bodo Moeller*
16935
16936 * Add RAND_egd_bytes(), which gives control over the number of bytes read
16937   from EGD.
16938
16939   *Ben Laurie*
16940
16941 * Add a few more EBCDIC conditionals that make `req` and `x509`
16942   work better on such systems.
16943
16944   *Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>*
16945
16946 * Add two demo programs for PKCS12_parse() and PKCS12_create().
16947   Update PKCS12_parse() so it copies the friendlyName and the
16948   keyid to the certificates aux info.
16949
16950   *Steve Henson*
16951
16952 * Fix bug in PKCS7_verify() which caused an infinite loop
16953   if there was more than one signature.
16954
16955   *Sven Uszpelkat <su@celocom.de>*
16956
16957 * Major change in util/mkdef.pl to include extra information
16958   about each symbol, as well as presenting variables as well
16959   as functions.  This change means that there's n more need
16960   to rebuild the .num files when some algorithms are excluded.
16961
16962   *Richard Levitte*
16963
16964 * Allow the verify time to be set by an application,
16965   rather than always using the current time.
16966
16967   *Steve Henson*
16968
16969 * Phase 2 verify code reorganisation. The certificate
16970   verify code now looks up an issuer certificate by a
16971   number of criteria: subject name, authority key id
16972   and key usage. It also verifies self signed certificates
16973   by the same criteria. The main comparison function is
16974   X509_check_issued() which performs these checks.
16975
16976   Lot of changes were necessary in order to support this
16977   without completely rewriting the lookup code.
16978
16979   Authority and subject key identifier are now cached.
16980
16981   The LHASH 'certs' is X509_STORE has now been replaced
16982   by a STACK_OF(X509_OBJECT). This is mainly because an
16983   LHASH can't store or retrieve multiple objects with
16984   the same hash value.
16985
16986   As a result various functions (which were all internal
16987   use only) have changed to handle the new X509_STORE
16988   structure. This will break anything that messed round
16989   with X509_STORE internally.
16990
16991   The functions X509_STORE_add_cert() now checks for an
16992   exact match, rather than just subject name.
16993
16994   The X509_STORE API doesn't directly support the retrieval
16995   of multiple certificates matching a given criteria, however
16996   this can be worked round by performing a lookup first
16997   (which will fill the cache with candidate certificates)
16998   and then examining the cache for matches. This is probably
16999   the best we can do without throwing out X509_LOOKUP
17000   entirely (maybe later...).
17001
17002   The X509_VERIFY_CTX structure has been enhanced considerably.
17003
17004   All certificate lookup operations now go via a get_issuer()
17005   callback. Although this currently uses an X509_STORE it
17006   can be replaced by custom lookups. This is a simple way
17007   to bypass the X509_STORE hackery necessary to make this
17008   work and makes it possible to use more efficient techniques
17009   in future. A very simple version which uses a simple
17010   STACK for its trusted certificate store is also provided
17011   using X509_STORE_CTX_trusted_stack().
17012
17013   The verify_cb() and verify() callbacks now have equivalents
17014   in the X509_STORE_CTX structure.
17015
17016   X509_STORE_CTX also has a 'flags' field which can be used
17017   to customise the verify behaviour.
17018
17019   *Steve Henson*
17020
17021 * Add new PKCS#7 signing option PKCS7_NOSMIMECAP which
17022   excludes S/MIME capabilities.
17023
17024   *Steve Henson*
17025
17026 * When a certificate request is read in keep a copy of the
17027   original encoding of the signed data and use it when outputting
17028   again. Signatures then use the original encoding rather than
17029   a decoded, encoded version which may cause problems if the
17030   request is improperly encoded.
17031
17032   *Steve Henson*
17033
17034 * For consistency with other BIO_puts implementations, call
17035   buffer_write(b, ...) directly in buffer_puts instead of calling
17036   BIO_write(b, ...).
17037
17038   In BIO_puts, increment b->num_write as in BIO_write.
17039
17040   *Peter.Sylvester@EdelWeb.fr*
17041
17042 * Fix BN_mul_word for the case where the word is 0. (We have to use
17043   BN_zero, we may not return a BIGNUM with an array consisting of
17044   words set to zero.)
17045
17046   *Bodo Moeller*
17047
17048 * Avoid calling abort() from within the library when problems are
17049   detected, except if preprocessor symbols have been defined
17050   (such as REF_CHECK, BN_DEBUG etc.).
17051
17052   *Bodo Moeller*
17053
17054 * New openssl application 'rsautl'. This utility can be
17055   used for low-level RSA operations. DER public key
17056   BIO/fp routines also added.
17057
17058   *Steve Henson*
17059
17060 * New Configure entry and patches for compiling on QNX 4.
17061
17062   *Andreas Schneider <andreas@ds3.etech.fh-hamburg.de>*
17063
17064 * A demo state-machine implementation was sponsored by
17065   Nuron (<http://www.nuron.com/>) and is now available in
17066   demos/state_machine.
17067
17068   *Ben Laurie*
17069
17070 * New options added to the 'dgst' utility for signature
17071   generation and verification.
17072
17073   *Steve Henson*
17074
17075 * Unrecognized PKCS#7 content types are now handled via a
17076   catch all ASN1_TYPE structure. This allows unsupported
17077   types to be stored as a "blob" and an application can
17078   encode and decode it manually.
17079
17080   *Steve Henson*
17081
17082 * Fix various signed/unsigned issues to make a_strex.c
17083   compile under VC++.
17084
17085   *Oscar Jacobsson <oscar.jacobsson@celocom.com>*
17086
17087 * ASN1 fixes. i2d_ASN1_OBJECT was not returning the correct
17088   length if passed a buffer. ASN1_INTEGER_to_BN failed
17089   if passed a NULL BN and its argument was negative.
17090
17091   *Steve Henson, pointed out by Sven Heiberg <sven@tartu.cyber.ee>*
17092
17093 * Modification to PKCS#7 encoding routines to output definite
17094   length encoding. Since currently the whole structures are in
17095   memory there's not real point in using indefinite length
17096   constructed encoding. However if OpenSSL is compiled with
17097   the flag PKCS7_INDEFINITE_ENCODING the old form is used.
17098
17099   *Steve Henson*
17100
17101 * Added BIO_vprintf() and BIO_vsnprintf().
17102
17103   *Richard Levitte*
17104
17105 * Added more prefixes to parse for in the strings written
17106   through a logging bio, to cover all the levels that are available
17107   through syslog.  The prefixes are now:
17108
17109           PANIC, EMERG, EMR       =>      LOG_EMERG
17110           ALERT, ALR              =>      LOG_ALERT
17111           CRIT, CRI               =>      LOG_CRIT
17112           ERROR, ERR              =>      LOG_ERR
17113           WARNING, WARN, WAR      =>      LOG_WARNING
17114           NOTICE, NOTE, NOT       =>      LOG_NOTICE
17115           INFO, INF               =>      LOG_INFO
17116           DEBUG, DBG              =>      LOG_DEBUG
17117
17118   and as before, if none of those prefixes are present at the
17119   beginning of the string, LOG_ERR is chosen.
17120
17121   On Win32, the `LOG_*` levels are mapped according to this:
17122
17123           LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR => EVENTLOG_ERROR_TYPE
17124           LOG_WARNING                             => EVENTLOG_WARNING_TYPE
17125           LOG_NOTICE, LOG_INFO, LOG_DEBUG         => EVENTLOG_INFORMATION_TYPE
17126
17127   *Richard Levitte*
17128
17129 * Made it possible to reconfigure with just the configuration
17130   argument "reconf" or "reconfigure".  The command line arguments
17131   are stored in Makefile.ssl in the variable CONFIGURE_ARGS,
17132   and are retrieved from there when reconfiguring.
17133
17134   *Richard Levitte*
17135
17136 * MD4 implemented.
17137
17138   *Assar Westerlund <assar@sics.se>, Richard Levitte*
17139
17140 * Add the arguments -CAfile and -CApath to the pkcs12 utility.
17141
17142   *Richard Levitte*
17143
17144 * The obj_dat.pl script was messing up the sorting of object
17145   names. The reason was that it compared the quoted version
17146   of strings as a result "OCSP" > "OCSP Signing" because
17147   " > SPACE. Changed script to store unquoted versions of
17148   names and add quotes on output. It was also omitting some
17149   names from the lookup table if they were given a default
17150   value (that is if SN is missing it is given the same
17151   value as LN and vice versa), these are now added on the
17152   grounds that if an object has a name we should be able to
17153   look it up. Finally added warning output when duplicate
17154   short or long names are found.
17155
17156   *Steve Henson*
17157
17158 * Changes needed for Tandem NSK.
17159
17160   *Scott Uroff <scott@xypro.com>*
17161
17162 * Fix SSL 2.0 rollback checking: Due to an off-by-one error in
17163   RSA_padding_check_SSLv23(), special padding was never detected
17164   and thus the SSL 3.0/TLS 1.0 countermeasure against protocol
17165   version rollback attacks was not effective.
17166
17167   In s23_clnt.c, don't use special rollback-attack detection padding
17168   (RSA_SSLV23_PADDING) if SSL 2.0 is the only protocol enabled in the
17169   client; similarly, in s23_srvr.c, don't do the rollback check if
17170   SSL 2.0 is the only protocol enabled in the server.
17171
17172   *Bodo Moeller*
17173
17174 * Make it possible to get hexdumps of unprintable data with 'openssl
17175   asn1parse'.  By implication, the functions ASN1_parse_dump() and
17176   BIO_dump_indent() are added.
17177
17178   *Richard Levitte*
17179
17180 * New functions ASN1_STRING_print_ex() and X509_NAME_print_ex()
17181   these print out strings and name structures based on various
17182   flags including RFC2253 support and proper handling of
17183   multibyte characters. Added options to the 'x509' utility
17184   to allow the various flags to be set.
17185
17186   *Steve Henson*
17187
17188 * Various fixes to use ASN1_TIME instead of ASN1_UTCTIME.
17189   Also change the functions X509_cmp_current_time() and
17190   X509_gmtime_adj() work with an ASN1_TIME structure,
17191   this will enable certificates using GeneralizedTime in validity
17192   dates to be checked.
17193
17194   *Steve Henson*
17195
17196 * Make the NEG_PUBKEY_BUG code (which tolerates invalid
17197   negative public key encodings) on by default,
17198   NO_NEG_PUBKEY_BUG can be set to disable it.
17199
17200   *Steve Henson*
17201
17202 * New function c2i_ASN1_OBJECT() which acts on ASN1_OBJECT
17203   content octets. An i2c_ASN1_OBJECT is unnecessary because
17204   the encoding can be trivially obtained from the structure.
17205
17206   *Steve Henson*
17207
17208 * crypto/err.c locking bugfix: Use write locks (`CRYPTO_w_[un]lock`),
17209   not read locks (`CRYPTO_r_[un]lock`).
17210
17211   *Bodo Moeller*
17212
17213 * A first attempt at creating official support for shared
17214   libraries through configuration.  I've kept it so the
17215   default is static libraries only, and the OpenSSL programs
17216   are always statically linked for now, but there are
17217   preparations for dynamic linking in place.
17218   This has been tested on Linux and Tru64.
17219
17220   *Richard Levitte*
17221
17222 * Randomness polling function for Win9x, as described in:
17223   Peter Gutmann, Software Generation of Practically Strong
17224   Random Numbers.
17225
17226   *Ulf Möller*
17227
17228 * Fix so PRNG is seeded in req if using an already existing
17229   DSA key.
17230
17231   *Steve Henson*
17232
17233 * New options to smime application. -inform and -outform
17234   allow alternative formats for the S/MIME message including
17235   PEM and DER. The -content option allows the content to be
17236   specified separately. This should allow things like Netscape
17237   form signing output easier to verify.
17238
17239   *Steve Henson*
17240
17241 * Fix the ASN1 encoding of tags using the 'long form'.
17242
17243   *Steve Henson*
17244
17245 * New ASN1 functions, `i2c_*` and `c2i_*` for INTEGER and BIT
17246   STRING types. These convert content octets to and from the
17247   underlying type. The actual tag and length octets are
17248   already assumed to have been read in and checked. These
17249   are needed because all other string types have virtually
17250   identical handling apart from the tag. By having versions
17251   of the ASN1 functions that just operate on content octets
17252   IMPLICIT tagging can be handled properly. It also allows
17253   the ASN1_ENUMERATED code to be cut down because ASN1_ENUMERATED
17254   and ASN1_INTEGER are identical apart from the tag.
17255
17256   *Steve Henson*
17257
17258 * Change the handling of OID objects as follows:
17259
17260   - New object identifiers are inserted in objects.txt, following
17261     the syntax given in [crypto/objects/README.md](crypto/objects/README.md).
17262   - objects.pl is used to process obj_mac.num and create a new
17263     obj_mac.h.
17264   - obj_dat.pl is used to create a new obj_dat.h, using the data in
17265     obj_mac.h.
17266
17267   This is currently kind of a hack, and the perl code in objects.pl
17268   isn't very elegant, but it works as I intended.  The simplest way
17269   to check that it worked correctly is to look in obj_dat.h and
17270   check the array nid_objs and make sure the objects haven't moved
17271   around (this is important!).  Additions are OK, as well as
17272   consistent name changes.
17273
17274   *Richard Levitte*
17275
17276 * Add BSD-style MD5-based passwords to 'openssl passwd' (option '-1').
17277
17278   *Bodo Moeller*
17279
17280 * Addition of the command line parameter '-rand file' to 'openssl req'.
17281   The given file adds to whatever has already been seeded into the
17282   random pool through the RANDFILE configuration file option or
17283   environment variable, or the default random state file.
17284
17285   *Richard Levitte*
17286
17287 * mkstack.pl now sorts each macro group into lexical order.
17288   Previously the output order depended on the order the files
17289   appeared in the directory, resulting in needless rewriting
17290   of safestack.h .
17291
17292   *Steve Henson*
17293
17294 * Patches to make OpenSSL compile under Win32 again. Mostly
17295   work arounds for the VC++ problem that it treats func() as
17296   func(void). Also stripped out the parts of mkdef.pl that
17297   added extra typesafe functions: these no longer exist.
17298
17299   *Steve Henson*
17300
17301 * Reorganisation of the stack code. The macros are now all
17302   collected in safestack.h . Each macro is defined in terms of
17303   a "stack macro" of the form `SKM_<name>(type, a, b)`. The
17304   DEBUG_SAFESTACK is now handled in terms of function casts,
17305   this has the advantage of retaining type safety without the
17306   use of additional functions. If DEBUG_SAFESTACK is not defined
17307   then the non typesafe macros are used instead. Also modified the
17308   mkstack.pl script to handle the new form. Needs testing to see
17309   if which (if any) compilers it chokes and maybe make DEBUG_SAFESTACK
17310   the default if no major problems. Similar behaviour for ASN1_SET_OF
17311   and PKCS12_STACK_OF.
17312
17313   *Steve Henson*
17314
17315 * When some versions of IIS use the 'NET' form of private key the
17316   key derivation algorithm is different. Normally MD5(password) is
17317   used as a 128 bit RC4 key. In the modified case
17318   MD5(MD5(password) + "SGCKEYSALT")  is used instead. Added some
17319   new functions i2d_RSA_NET(), d2i_RSA_NET() etc which are the same
17320   as the old Netscape_RSA functions except they have an additional
17321   'sgckey' parameter which uses the modified algorithm. Also added
17322   an -sgckey command line option to the rsa utility. Thanks to
17323   Adrian Peck <bertie@ncipher.com> for posting details of the modified
17324   algorithm to openssl-dev.
17325
17326   *Steve Henson*
17327
17328 * The evp_local.h macros were using 'c.##kname' which resulted in
17329   invalid expansion on some systems (SCO 5.0.5 for example).
17330   Corrected to 'c.kname'.
17331
17332   *Phillip Porch <root@theporch.com>*
17333
17334 * New X509_get1_email() and X509_REQ_get1_email() functions that return
17335   a STACK of email addresses from a certificate or request, these look
17336   in the subject name and the subject alternative name extensions and
17337   omit any duplicate addresses.
17338
17339   *Steve Henson*
17340
17341 * Re-implement BN_mod_exp2_mont using independent (and larger) windows.
17342   This makes DSA verification about 2 % faster.
17343
17344   *Bodo Moeller*
17345
17346 * Increase maximum window size in `BN_mod_exp_...` to 6 bits instead of 5
17347   (meaning that now 2^5 values will be precomputed, which is only 4 KB
17348   plus overhead for 1024 bit moduli).
17349   This makes exponentiations about 0.5 % faster for 1024 bit
17350   exponents (as measured by "openssl speed rsa2048").
17351
17352   *Bodo Moeller*
17353
17354 * Rename memory handling macros to avoid conflicts with other
17355   software:
17356           Malloc         =>  OPENSSL_malloc
17357           Malloc_locked  =>  OPENSSL_malloc_locked
17358           Realloc        =>  OPENSSL_realloc
17359           Free           =>  OPENSSL_free
17360
17361   *Richard Levitte*
17362
17363 * New function BN_mod_exp_mont_word for small bases (roughly 15%
17364   faster than BN_mod_exp_mont, i.e. 7% for a full DH exchange).
17365
17366   *Bodo Moeller*
17367
17368 * CygWin32 support.
17369
17370   *John Jarvie <jjarvie@newsguy.com>*
17371
17372 * The type-safe stack code has been rejigged. It is now only compiled
17373   in when OpenSSL is configured with the DEBUG_SAFESTACK option and
17374   by default all type-specific stack functions are "#define"d back to
17375   standard stack functions. This results in more streamlined output
17376   but retains the type-safety checking possibilities of the original
17377   approach.
17378
17379   *Geoff Thorpe*
17380
17381 * The STACK code has been cleaned up, and certain type declarations
17382   that didn't make a lot of sense have been brought in line. This has
17383   also involved a cleanup of sorts in safestack.h to more correctly
17384   map type-safe stack functions onto their plain stack counterparts.
17385   This work has also resulted in a variety of "const"ifications of
17386   lots of the code, especially `_cmp` operations which should normally
17387   be prototyped with "const" parameters anyway.
17388
17389   *Geoff Thorpe*
17390
17391 * When generating bytes for the first time in md_rand.c, 'stir the pool'
17392   by seeding with STATE_SIZE dummy bytes (with zero entropy count).
17393   (The PRNG state consists of two parts, the large pool 'state' and 'md',
17394   where all of 'md' is used each time the PRNG is used, but 'state'
17395   is used only indexed by a cyclic counter. As entropy may not be
17396   well distributed from the beginning, 'md' is important as a
17397   chaining variable. However, the output function chains only half
17398   of 'md', i.e. 80 bits.  ssleay_rand_add, on the other hand, chains
17399   all of 'md', and seeding with STATE_SIZE dummy bytes will result
17400   in all of 'state' being rewritten, with the new values depending
17401   on virtually all of 'md'.  This overcomes the 80 bit limitation.)
17402
17403   *Bodo Moeller*
17404
17405 * In ssl/s2_clnt.c and ssl/s3_clnt.c, call ERR_clear_error() when
17406   the handshake is continued after ssl_verify_cert_chain();
17407   otherwise, if SSL_VERIFY_NONE is set, remaining error codes
17408   can lead to 'unexplainable' connection aborts later.
17409
17410   *Bodo Moeller; problem tracked down by Lutz Jaenicke*
17411
17412 * Major EVP API cipher revision.
17413   Add hooks for extra EVP features. This allows various cipher
17414   parameters to be set in the EVP interface. Support added for variable
17415   key length ciphers via the EVP_CIPHER_CTX_set_key_length() function and
17416   setting of RC2 and RC5 parameters.
17417
17418   Modify EVP_OpenInit() and EVP_SealInit() to cope with variable key length
17419   ciphers.
17420
17421   Remove lots of duplicated code from the EVP library. For example *every*
17422   cipher init() function handles the 'iv' in the same way according to the
17423   cipher mode. They also all do nothing if the 'key' parameter is NULL and
17424   for CFB and OFB modes they zero ctx->num.
17425
17426   New functionality allows removal of S/MIME code RC2 hack.
17427
17428   Most of the routines have the same form and so can be declared in terms
17429   of macros.
17430
17431   By shifting this to the top level EVP_CipherInit() it can be removed from
17432   all individual ciphers. If the cipher wants to handle IVs or keys
17433   differently it can set the EVP_CIPH_CUSTOM_IV or EVP_CIPH_ALWAYS_CALL_INIT
17434   flags.
17435
17436   Change lots of functions like EVP_EncryptUpdate() to now return a
17437   value: although software versions of the algorithms cannot fail
17438   any installed hardware versions can.
17439
17440   *Steve Henson*
17441
17442 * Implement SSL_OP_TLS_ROLLBACK_BUG: In ssl3_get_client_key_exchange, if
17443   this option is set, tolerate broken clients that send the negotiated
17444   protocol version number instead of the requested protocol version
17445   number.
17446
17447   *Bodo Moeller*
17448
17449 * Call dh_tmp_cb (set by `..._TMP_DH_CB`) with correct 'is_export' flag;
17450   i.e. non-zero for export ciphersuites, zero otherwise.
17451   Previous versions had this flag inverted, inconsistent with
17452   rsa_tmp_cb (..._TMP_RSA_CB).
17453
17454   *Bodo Moeller; problem reported by Amit Chopra*
17455
17456 * Add missing DSA library text string. Work around for some IIS
17457   key files with invalid SEQUENCE encoding.
17458
17459   *Steve Henson*
17460
17461 * Add a document (doc/standards.txt) that list all kinds of standards
17462   and so on that are implemented in OpenSSL.
17463
17464   *Richard Levitte*
17465
17466 * Enhance c_rehash script. Old version would mishandle certificates
17467   with the same subject name hash and wouldn't handle CRLs at all.
17468   Added -fingerprint option to crl utility, to support new c_rehash
17469   features.
17470
17471   *Steve Henson*
17472
17473 * Eliminate non-ANSI declarations in crypto.h and stack.h.
17474
17475   *Ulf Möller*
17476
17477 * Fix for SSL server purpose checking. Server checking was
17478   rejecting certificates which had extended key usage present
17479   but no ssl client purpose.
17480
17481   *Steve Henson, reported by Rene Grosser <grosser@hisolutions.com>*
17482
17483 * Make PKCS#12 code work with no password. The PKCS#12 spec
17484   is a little unclear about how a blank password is handled.
17485   Since the password in encoded as a BMPString with terminating
17486   double NULL a zero length password would end up as just the
17487   double NULL. However no password at all is different and is
17488   handled differently in the PKCS#12 key generation code. NS
17489   treats a blank password as zero length. MSIE treats it as no
17490   password on export: but it will try both on import. We now do
17491   the same: PKCS12_parse() tries zero length and no password if
17492   the password is set to "" or NULL (NULL is now a valid password:
17493   it wasn't before) as does the pkcs12 application.
17494
17495   *Steve Henson*
17496
17497 * Bugfixes in `apps/x509.c`: Avoid a memory leak; and don't use
17498   perror when PEM_read_bio_X509_REQ fails, the error message must
17499   be obtained from the error queue.
17500
17501   *Bodo Moeller*
17502
17503 * Avoid 'thread_hash' memory leak in crypto/err/err.c by freeing
17504   it in ERR_remove_state if appropriate, and change ERR_get_state
17505   accordingly to avoid race conditions (this is necessary because
17506   thread_hash is no longer constant once set).
17507
17508   *Bodo Moeller*
17509
17510 * Bugfix for linux-elf makefile.one.
17511
17512   *Ulf Möller*
17513
17514 * RSA_get_default_method() will now cause a default
17515   RSA_METHOD to be chosen if one doesn't exist already.
17516   Previously this was only set during a call to RSA_new()
17517   or RSA_new_method(NULL) meaning it was possible for
17518   RSA_get_default_method() to return NULL.
17519
17520   *Geoff Thorpe*
17521
17522 * Added native name translation to the existing DSO code
17523   that will convert (if the flag to do so is set) filenames
17524   that are sufficiently small and have no path information
17525   into a canonical native form. Eg. "blah" converted to
17526   "libblah.so" or "blah.dll" etc.
17527
17528   *Geoff Thorpe*
17529
17530 * New function ERR_error_string_n(e, buf, len) which is like
17531   ERR_error_string(e, buf), but writes at most 'len' bytes
17532   including the 0 terminator.  For ERR_error_string_n, 'buf'
17533   may not be NULL.
17534
17535   *Damien Miller <djm@mindrot.org>, Bodo Moeller*
17536
17537 * CONF library reworked to become more general.  A new CONF
17538   configuration file reader "class" is implemented as well as a
17539   new functions (`NCONF_*`, for "New CONF") to handle it.  The now
17540   old `CONF_*` functions are still there, but are reimplemented to
17541   work in terms of the new functions.  Also, a set of functions
17542   to handle the internal storage of the configuration data is
17543   provided to make it easier to write new configuration file
17544   reader "classes" (I can definitely see something reading a
17545   configuration file in XML format, for example), called `_CONF_*`,
17546   or "the configuration storage API"...
17547
17548   The new configuration file reading functions are:
17549
17550           NCONF_new, NCONF_free, NCONF_load, NCONF_load_fp, NCONF_load_bio,
17551           NCONF_get_section, NCONF_get_string, NCONF_get_numbre
17552
17553           NCONF_default, NCONF_WIN32
17554
17555           NCONF_dump_fp, NCONF_dump_bio
17556
17557   NCONF_default and NCONF_WIN32 are method (or "class") choosers,
17558   NCONF_new creates a new CONF object.  This works in the same way
17559   as other interfaces in OpenSSL, like the BIO interface.
17560   `NCONF_dump_*` dump the internal storage of the configuration file,
17561   which is useful for debugging.  All other functions take the same
17562   arguments as the old `CONF_*` functions with the exception of the
17563   first that must be a `CONF *` instead of a `LHASH *`.
17564
17565   To make it easier to use the new classes with the old `CONF_*` functions,
17566   the function CONF_set_default_method is provided.
17567
17568   *Richard Levitte*
17569
17570 * Add '-tls1' option to 'openssl ciphers', which was already
17571   mentioned in the documentation but had not been implemented.
17572   (This option is not yet really useful because even the additional
17573   experimental TLS 1.0 ciphers are currently treated as SSL 3.0 ciphers.)
17574
17575   *Bodo Moeller*
17576
17577 * Initial DSO code added into libcrypto for letting OpenSSL (and
17578   OpenSSL-based applications) load shared libraries and bind to
17579   them in a portable way.
17580
17581   *Geoff Thorpe, with contributions from Richard Levitte*
17582
17583### Changes between 0.9.5 and 0.9.5a  [1 Apr 2000]
17584
17585 * Make sure _lrotl and _lrotr are only used with MSVC.
17586
17587 * Use lock CRYPTO_LOCK_RAND correctly in ssleay_rand_status
17588   (the default implementation of RAND_status).
17589
17590 * Rename openssl x509 option '-crlext', which was added in 0.9.5,
17591   to '-clrext' (= clear extensions), as intended and documented.
17592   *Bodo Moeller; inconsistency pointed out by Michael Attili
17593   <attili@amaxo.com>*
17594
17595 * Fix for HMAC. It wasn't zeroing the rest of the block if the key length
17596   was larger than the MD block size.
17597
17598   *Steve Henson, pointed out by Yost William <YostW@tce.com>*
17599
17600 * Modernise PKCS12_parse() so it uses STACK_OF(X509) for its ca argument
17601   fix a leak when the ca argument was passed as NULL. Stop X509_PUBKEY_set()
17602   using the passed key: if the passed key was a private key the result
17603   of X509_print(), for example, would be to print out all the private key
17604   components.
17605
17606   *Steve Henson*
17607
17608 * des_quad_cksum() byte order bug fix.
17609   *Ulf Möller, using the problem description in krb4-0.9.7, where
17610   the solution is attributed to Derrick J Brashear <shadow@DEMENTIA.ORG>*
17611
17612 * Fix so V_ASN1_APP_CHOOSE works again: however its use is strongly
17613   discouraged.
17614
17615   *Steve Henson, pointed out by Brian Korver <briank@cs.stanford.edu>*
17616
17617 * For easily testing in shell scripts whether some command
17618   'openssl XXX' exists, the new pseudo-command 'openssl no-XXX'
17619   returns with exit code 0 iff no command of the given name is available.
17620   'no-XXX' is printed in this case, 'XXX' otherwise.  In both cases,
17621   the output goes to stdout and nothing is printed to stderr.
17622   Additional arguments are always ignored.
17623
17624   Since for each cipher there is a command of the same name,
17625   the 'no-cipher' compilation switches can be tested this way.
17626
17627   ('openssl no-XXX' is not able to detect pseudo-commands such
17628   as 'quit', 'list-XXX-commands', or 'no-XXX' itself.)
17629
17630   *Bodo Moeller*
17631
17632 * Update test suite so that 'make test' succeeds in 'no-rsa' configuration.
17633
17634   *Bodo Moeller*
17635
17636 * For SSL_[CTX_]set_tmp_dh, don't create a DH key if SSL_OP_SINGLE_DH_USE
17637   is set; it will be thrown away anyway because each handshake creates
17638   its own key.
17639   ssl_cert_dup, which is used by SSL_new, now copies DH keys in addition
17640   to parameters -- in previous versions (since OpenSSL 0.9.3) the
17641   'default key' from SSL_CTX_set_tmp_dh would always be lost, meaning
17642   you effectively got SSL_OP_SINGLE_DH_USE when using this macro.
17643
17644   *Bodo Moeller*
17645
17646 * New s_client option -ign_eof: EOF at stdin is ignored, and
17647   'Q' and 'R' lose their special meanings (quit/renegotiate).
17648   This is part of what -quiet does; unlike -quiet, -ign_eof
17649   does not suppress any output.
17650
17651   *Richard Levitte*
17652
17653 * Add compatibility options to the purpose and trust code. The
17654   purpose X509_PURPOSE_ANY is "any purpose" which automatically
17655   accepts a certificate or CA, this was the previous behaviour,
17656   with all the associated security issues.
17657
17658   X509_TRUST_COMPAT is the old trust behaviour: only and
17659   automatically trust self signed roots in certificate store. A
17660   new trust setting X509_TRUST_DEFAULT is used to specify that
17661   a purpose has no associated trust setting and it should instead
17662   use the value in the default purpose.
17663
17664   *Steve Henson*
17665
17666 * Fix the PKCS#8 DSA private key code so it decodes keys again
17667   and fix a memory leak.
17668
17669   *Steve Henson*
17670
17671 * In util/mkerr.pl (which implements 'make errors'), preserve
17672   reason strings from the previous version of the .c file, as
17673   the default to have only downcase letters (and digits) in
17674   automatically generated reasons codes is not always appropriate.
17675
17676   *Bodo Moeller*
17677
17678 * In ERR_load_ERR_strings(), build an ERR_LIB_SYS error reason table
17679   using strerror.  Previously, ERR_reason_error_string() returned
17680   library names as reason strings for SYSerr; but SYSerr is a special
17681   case where small numbers are errno values, not library numbers.
17682
17683   *Bodo Moeller*
17684
17685 * Add '-dsaparam' option to 'openssl dhparam' application.  This
17686   converts DSA parameters into DH parameters. (When creating parameters,
17687   DSA_generate_parameters is used.)
17688
17689   *Bodo Moeller*
17690
17691 * Include 'length' (recommended exponent length) in C code generated
17692   by 'openssl dhparam -C'.
17693
17694   *Bodo Moeller*
17695
17696 * The second argument to set_label in perlasm was already being used
17697   so couldn't be used as a "file scope" flag. Moved to third argument
17698   which was free.
17699
17700   *Steve Henson*
17701
17702 * In PEM_ASN1_write_bio and some other functions, use RAND_pseudo_bytes
17703   instead of RAND_bytes for encryption IVs and salts.
17704
17705   *Bodo Moeller*
17706
17707 * Include RAND_status() into RAND_METHOD instead of implementing
17708   it only for md_rand.c  Otherwise replacing the PRNG by calling
17709   RAND_set_rand_method would be impossible.
17710
17711   *Bodo Moeller*
17712
17713 * Don't let DSA_generate_key() enter an infinite loop if the random
17714   number generation fails.
17715
17716   *Bodo Moeller*
17717
17718 * New 'rand' application for creating pseudo-random output.
17719
17720   *Bodo Moeller*
17721
17722 * Added configuration support for Linux/IA64
17723
17724   *Rolf Haberrecker <rolf@suse.de>*
17725
17726 * Assembler module support for Mingw32.
17727
17728   *Ulf Möller*
17729
17730 * Shared library support for HPUX (in shlib/).
17731
17732   *Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> and Anonymous*
17733
17734 * Shared library support for Solaris gcc.
17735
17736   *Lutz Behnke <behnke@trustcenter.de>*
17737
17738### Changes between 0.9.4 and 0.9.5  [28 Feb 2000]
17739
17740 * PKCS7_encrypt() was adding text MIME headers twice because they
17741   were added manually and by SMIME_crlf_copy().
17742
17743   *Steve Henson*
17744
17745 * In bntest.c don't call BN_rand with zero bits argument.
17746
17747   *Steve Henson, pointed out by Andrew W. Gray <agray@iconsinc.com>*
17748
17749 * BN_mul bugfix: In bn_mul_part_recursion() only the a>a[n] && b>b[n]
17750   case was implemented. This caused BN_div_recp() to fail occasionally.
17751
17752   *Ulf Möller*
17753
17754 * Add an optional second argument to the set_label() in the perl
17755   assembly language builder. If this argument exists and is set
17756   to 1 it signals that the assembler should use a symbol whose
17757   scope is the entire file, not just the current function. This
17758   is needed with MASM which uses the format label:: for this scope.
17759
17760   *Steve Henson, pointed out by Peter Runestig <peter@runestig.com>*
17761
17762 * Change the ASN1 types so they are typedefs by default. Before
17763   almost all types were #define'd to ASN1_STRING which was causing
17764   STACK_OF() problems: you couldn't declare STACK_OF(ASN1_UTF8STRING)
17765   for example.
17766
17767   *Steve Henson*
17768
17769 * Change names of new functions to the new get1/get0 naming
17770   convention: After 'get1', the caller owns a reference count
17771   and has to call `..._free`; 'get0' returns a pointer to some
17772   data structure without incrementing reference counters.
17773   (Some of the existing 'get' functions increment a reference
17774   counter, some don't.)
17775   Similarly, 'set1' and 'add1' functions increase reference
17776   counters or duplicate objects.
17777
17778   *Steve Henson*
17779
17780 * Allow for the possibility of temp RSA key generation failure:
17781   the code used to assume it always worked and crashed on failure.
17782
17783   *Steve Henson*
17784
17785 * Fix potential buffer overrun problem in BIO_printf().
17786   *Ulf Möller, using public domain code by Patrick Powell; problem
17787   pointed out by David Sacerdote <das33@cornell.edu>*
17788
17789 * Support EGD <http://www.lothar.com/tech/crypto/>.  New functions
17790   RAND_egd() and RAND_status().  In the command line application,
17791   the EGD socket can be specified like a seed file using RANDFILE
17792   or -rand.
17793
17794   *Ulf Möller*
17795
17796 * Allow the string CERTIFICATE to be tolerated in PKCS#7 structures.
17797   Some CAs (e.g. Verisign) distribute certificates in this form.
17798
17799   *Steve Henson*
17800
17801 * Remove the SSL_ALLOW_ADH compile option and set the default cipher
17802   list to exclude them. This means that no special compilation option
17803   is needed to use anonymous DH: it just needs to be included in the
17804   cipher list.
17805
17806   *Steve Henson*
17807
17808 * Change the EVP_MD_CTX_type macro so its meaning consistent with
17809   EVP_MD_type. The old functionality is available in a new macro called
17810   EVP_MD_md(). Change code that uses it and update docs.
17811
17812   *Steve Henson*
17813
17814 * `..._ctrl` functions now have corresponding `..._callback_ctrl` functions
17815   where the `void *` argument is replaced by a function pointer argument.
17816   Previously `void *` was abused to point to functions, which works on
17817   many platforms, but is not correct.  As these functions are usually
17818   called by macros defined in OpenSSL header files, most source code
17819   should work without changes.
17820
17821   *Richard Levitte*
17822
17823 * `<openssl/opensslconf.h>` (which is created by Configure) now contains
17824   sections with information on -D... compiler switches used for
17825   compiling the library so that applications can see them.  To enable
17826   one of these sections, a pre-processor symbol `OPENSSL_..._DEFINES`
17827   must be defined.  E.g.,
17828           #define OPENSSL_ALGORITHM_DEFINES
17829           #include <openssl/opensslconf.h>
17830   defines all pertinent `NO_<algo>` symbols, such as NO_IDEA, NO_RSA, etc.
17831
17832   *Richard Levitte, Ulf and Bodo Möller*
17833
17834 * Bugfix: Tolerate fragmentation and interleaving in the SSL 3/TLS
17835   record layer.
17836
17837   *Bodo Moeller*
17838
17839 * Change the 'other' type in certificate aux info to a STACK_OF
17840   X509_ALGOR. Although not an AlgorithmIdentifier as such it has
17841   the required ASN1 format: arbitrary types determined by an OID.
17842
17843   *Steve Henson*
17844
17845 * Add some PEM_write_X509_REQ_NEW() functions and a command line
17846   argument to 'req'. This is not because the function is newer or
17847   better than others it just uses the work 'NEW' in the certificate
17848   request header lines. Some software needs this.
17849
17850   *Steve Henson*
17851
17852 * Reorganise password command line arguments: now passwords can be
17853   obtained from various sources. Delete the PEM_cb function and make
17854   it the default behaviour: i.e. if the callback is NULL and the
17855   usrdata argument is not NULL interpret it as a null terminated pass
17856   phrase. If usrdata and the callback are NULL then the pass phrase
17857   is prompted for as usual.
17858
17859   *Steve Henson*
17860
17861 * Add support for the Compaq Atalla crypto accelerator. If it is installed,
17862   the support is automatically enabled. The resulting binaries will
17863   autodetect the card and use it if present.
17864
17865   *Ben Laurie and Compaq Inc.*
17866
17867 * Work around for Netscape hang bug. This sends certificate request
17868   and server done in one record. Since this is perfectly legal in the
17869   SSL/TLS protocol it isn't a "bug" option and is on by default. See
17870   the bugs/SSLv3 entry for more info.
17871
17872   *Steve Henson*
17873
17874 * HP-UX tune-up: new unified configs, HP C compiler bug workaround.
17875
17876   *Andy Polyakov*
17877
17878 * Add -rand argument to smime and pkcs12 applications and read/write
17879   of seed file.
17880
17881   *Steve Henson*
17882
17883 * New 'passwd' tool for crypt(3) and apr1 password hashes.
17884
17885   *Bodo Moeller*
17886
17887 * Add command line password options to the remaining applications.
17888
17889   *Steve Henson*
17890
17891 * Bug fix for BN_div_recp() for numerators with an even number of
17892   bits.
17893
17894   *Ulf Möller*
17895
17896 * More tests in bntest.c, and changed test_bn output.
17897
17898   *Ulf Möller*
17899
17900 * ./config recognizes MacOS X now.
17901
17902   *Andy Polyakov*
17903
17904 * Bug fix for BN_div() when the first words of num and divisor are
17905   equal (it gave wrong results if `(rem=(n1-q*d0)&BN_MASK2) < d0)`.
17906
17907   *Ulf Möller*
17908
17909 * Add support for various broken PKCS#8 formats, and command line
17910   options to produce them.
17911
17912   *Steve Henson*
17913
17914 * New functions BN_CTX_start(), BN_CTX_get() and BT_CTX_end() to
17915   get temporary BIGNUMs from a BN_CTX.
17916
17917   *Ulf Möller*
17918
17919 * Correct return values in BN_mod_exp_mont() and BN_mod_exp2_mont()
17920   for p == 0.
17921
17922   *Ulf Möller*
17923
17924 * Change the `SSLeay_add_all_*()` functions to `OpenSSL_add_all_*()` and
17925   include a #define from the old name to the new. The original intent
17926   was that statically linked binaries could for example just call
17927   SSLeay_add_all_ciphers() to just add ciphers to the table and not
17928   link with digests. This never worked because SSLeay_add_all_digests()
17929   and SSLeay_add_all_ciphers() were in the same source file so calling
17930   one would link with the other. They are now in separate source files.
17931
17932   *Steve Henson*
17933
17934 * Add a new -notext option to 'ca' and a -pubkey option to 'spkac'.
17935
17936   *Steve Henson*
17937
17938 * Use a less unusual form of the Miller-Rabin primality test (it used
17939   a binary algorithm for exponentiation integrated into the Miller-Rabin
17940   loop, our standard modexp algorithms are faster).
17941
17942   *Bodo Moeller*
17943
17944 * Support for the EBCDIC character set completed.
17945
17946   *Martin Kraemer <Martin.Kraemer@Mch.SNI.De>*
17947
17948 * Source code cleanups: use const where appropriate, eliminate casts,
17949   use `void *` instead of `char *` in lhash.
17950
17951   *Ulf Möller*
17952
17953 * Bugfix: ssl3_send_server_key_exchange was not restartable
17954   (the state was not changed to SSL3_ST_SW_KEY_EXCH_B, and because of
17955   this the server could overwrite ephemeral keys that the client
17956   has already seen).
17957
17958   *Bodo Moeller*
17959
17960 * Turn DSA_is_prime into a macro that calls BN_is_prime,
17961   using 50 iterations of the Rabin-Miller test.
17962
17963   DSA_generate_parameters now uses BN_is_prime_fasttest (with 50
17964   iterations of the Rabin-Miller test as required by the appendix
17965   to FIPS PUB 186[-1]) instead of DSA_is_prime.
17966   As BN_is_prime_fasttest includes trial division, DSA parameter
17967   generation becomes much faster.
17968
17969   This implies a change for the callback functions in DSA_is_prime
17970   and DSA_generate_parameters: The callback function is called once
17971   for each positive witness in the Rabin-Miller test, not just
17972   occasionally in the inner loop; and the parameters to the
17973   callback function now provide an iteration count for the outer
17974   loop rather than for the current invocation of the inner loop.
17975   DSA_generate_parameters additionally can call the callback
17976   function with an 'iteration count' of -1, meaning that a
17977   candidate has passed the trial division test (when q is generated
17978   from an application-provided seed, trial division is skipped).
17979
17980   *Bodo Moeller*
17981
17982 * New function BN_is_prime_fasttest that optionally does trial
17983   division before starting the Rabin-Miller test and has
17984   an additional BN_CTX * argument (whereas BN_is_prime always
17985   has to allocate at least one BN_CTX).
17986   'callback(1, -1, cb_arg)' is called when a number has passed the
17987   trial division stage.
17988
17989   *Bodo Moeller*
17990
17991 * Fix for bug in CRL encoding. The validity dates weren't being handled
17992   as ASN1_TIME.
17993
17994   *Steve Henson*
17995
17996 * New -pkcs12 option to CA.pl script to write out a PKCS#12 file.
17997
17998   *Steve Henson*
17999
18000 * New function BN_pseudo_rand().
18001
18002   *Ulf Möller*
18003
18004 * Clean up BN_mod_mul_montgomery(): replace the broken (and unreadable)
18005   bignum version of BN_from_montgomery() with the working code from
18006   SSLeay 0.9.0 (the word based version is faster anyway), and clean up
18007   the comments.
18008
18009   *Ulf Möller*
18010
18011 * Avoid a race condition in s2_clnt.c (function get_server_hello) that
18012   made it impossible to use the same SSL_SESSION data structure in
18013   SSL2 clients in multiple threads.
18014
18015   *Bodo Moeller*
18016
18017 * The return value of RAND_load_file() no longer counts bytes obtained
18018   by stat().  RAND_load_file(..., -1) is new and uses the complete file
18019   to seed the PRNG (previously an explicit byte count was required).
18020
18021   *Ulf Möller, Bodo Möller*
18022
18023 * Clean up CRYPTO_EX_DATA functions, some of these didn't have prototypes
18024   used `char *` instead of `void *` and had casts all over the place.
18025
18026   *Steve Henson*
18027
18028 * Make BN_generate_prime() return NULL on error if ret!=NULL.
18029
18030   *Ulf Möller*
18031
18032 * Retain source code compatibility for BN_prime_checks macro:
18033   BN_is_prime(..., BN_prime_checks, ...) now uses
18034   BN_prime_checks_for_size to determine the appropriate number of
18035   Rabin-Miller iterations.
18036
18037   *Ulf Möller*
18038
18039 * Diffie-Hellman uses "safe" primes: DH_check() return code renamed to
18040   DH_CHECK_P_NOT_SAFE_PRIME.
18041   (Check if this is true? OpenPGP calls them "strong".)
18042
18043   *Ulf Möller*
18044
18045 * Merge the functionality of "dh" and "gendh" programs into a new program
18046   "dhparam". The old programs are retained for now but will handle DH keys
18047   (instead of parameters) in future.
18048
18049   *Steve Henson*
18050
18051 * Make the ciphers, s_server and s_client programs check the return values
18052   when a new cipher list is set.
18053
18054   *Steve Henson*
18055
18056 * Enhance the SSL/TLS cipher mechanism to correctly handle the TLS 56bit
18057   ciphers. Before when the 56bit ciphers were enabled the sorting was
18058   wrong.
18059
18060   The syntax for the cipher sorting has been extended to support sorting by
18061   cipher-strength (using the strength_bits hard coded in the tables).
18062   The new command is `@STRENGTH` (see also `doc/apps/ciphers.pod`).
18063
18064   Fix a bug in the cipher-command parser: when supplying a cipher command
18065   string with an "undefined" symbol (neither command nor alphanumeric
18066   *A-Za-z0-9*, ssl_set_cipher_list used to hang in an endless loop. Now
18067   an error is flagged.
18068
18069   Due to the strength-sorting extension, the code of the
18070   ssl_create_cipher_list() function was completely rearranged. I hope that
18071   the readability was also increased :-)
18072
18073   *Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>*
18074
18075 * Minor change to 'x509' utility. The -CAcreateserial option now uses 1
18076   for the first serial number and places 2 in the serial number file. This
18077   avoids problems when the root CA is created with serial number zero and
18078   the first user certificate has the same issuer name and serial number
18079   as the root CA.
18080
18081   *Steve Henson*
18082
18083 * Fixes to X509_ATTRIBUTE utilities, change the 'req' program so it uses
18084   the new code. Add documentation for this stuff.
18085
18086   *Steve Henson*
18087
18088 * Changes to X509_ATTRIBUTE utilities. These have been renamed from
18089   `X509_*()` to `X509at_*()` on the grounds that they don't handle X509
18090   structures and behave in an analogous way to the X509v3 functions:
18091   they shouldn't be called directly but wrapper functions should be used
18092   instead.
18093
18094   So we also now have some wrapper functions that call the X509at functions
18095   when passed certificate requests. (TO DO: similar things can be done with
18096   PKCS#7 signed and unsigned attributes, PKCS#12 attributes and a few other
18097   things. Some of these need some d2i or i2d and print functionality
18098   because they handle more complex structures.)
18099
18100   *Steve Henson*
18101
18102 * Add missing #ifndefs that caused missing symbols when building libssl
18103   as a shared library without RSA.  Use #ifndef NO_SSL2 instead of
18104   NO_RSA in `ssl/s2*.c`.
18105
18106   *Kris Kennaway <kris@hub.freebsd.org>, modified by Ulf Möller*
18107
18108 * Precautions against using the PRNG uninitialized: RAND_bytes() now
18109   has a return value which indicates the quality of the random data
18110   (1 = ok, 0 = not seeded).  Also an error is recorded on the thread's
18111   error queue. New function RAND_pseudo_bytes() generates output that is
18112   guaranteed to be unique but not unpredictable. RAND_add is like
18113   RAND_seed, but takes an extra argument for an entropy estimate
18114   (RAND_seed always assumes full entropy).
18115
18116   *Ulf Möller*
18117
18118 * Do more iterations of Rabin-Miller probable prime test (specifically,
18119   3 for 1024-bit primes, 6 for 512-bit primes, 12 for 256-bit primes
18120   instead of only 2 for all lengths; see BN_prime_checks_for_size definition
18121   in crypto/bn/bn_prime.c for the complete table).  This guarantees a
18122   false-positive rate of at most 2^-80 for random input.
18123
18124   *Bodo Moeller*
18125
18126 * Rewrite ssl3_read_n (ssl/s3_pkt.c) avoiding a couple of bugs.
18127
18128   *Bodo Moeller*
18129
18130 * New function X509_CTX_rget_chain() (renamed to X509_CTX_get1_chain
18131   in the 0.9.5 release), this returns the chain
18132   from an X509_CTX structure with a dup of the stack and all
18133   the X509 reference counts upped: so the stack will exist
18134   after X509_CTX_cleanup() has been called. Modify pkcs12.c
18135   to use this.
18136
18137   Also make SSL_SESSION_print() print out the verify return
18138   code.
18139
18140   *Steve Henson*
18141
18142 * Add manpage for the pkcs12 command. Also change the default
18143   behaviour so MAC iteration counts are used unless the new
18144   -nomaciter option is used. This improves file security and
18145   only older versions of MSIE (4.0 for example) need it.
18146
18147   *Steve Henson*
18148
18149 * Honor the no-xxx Configure options when creating .DEF files.
18150
18151   *Ulf Möller*
18152
18153 * Add PKCS#10 attributes to field table: challengePassword,
18154   unstructuredName and unstructuredAddress. These are taken from
18155   draft PKCS#9 v2.0 but are compatible with v1.2 provided no
18156   international characters are used.
18157
18158   More changes to X509_ATTRIBUTE code: allow the setting of types
18159   based on strings. Remove the 'loc' parameter when adding
18160   attributes because these will be a SET OF encoding which is sorted
18161   in ASN1 order.
18162
18163   *Steve Henson*
18164
18165 * Initial changes to the 'req' utility to allow request generation
18166   automation. This will allow an application to just generate a template
18167   file containing all the field values and have req construct the
18168   request.
18169
18170   Initial support for X509_ATTRIBUTE handling. Stacks of these are
18171   used all over the place including certificate requests and PKCS#7
18172   structures. They are currently handled manually where necessary with
18173   some primitive wrappers for PKCS#7. The new functions behave in a
18174   manner analogous to the X509 extension functions: they allow
18175   attributes to be looked up by NID and added.
18176
18177   Later something similar to the X509V3 code would be desirable to
18178   automatically handle the encoding, decoding and printing of the
18179   more complex types. The string types like challengePassword can
18180   be handled by the string table functions.
18181
18182   Also modified the multi byte string table handling. Now there is
18183   a 'global mask' which masks out certain types. The table itself
18184   can use the flag STABLE_NO_MASK to ignore the mask setting: this
18185   is useful when for example there is only one permissible type
18186   (as in countryName) and using the mask might result in no valid
18187   types at all.
18188
18189   *Steve Henson*
18190
18191 * Clean up 'Finished' handling, and add functions SSL_get_finished and
18192   SSL_get_peer_finished to allow applications to obtain the latest
18193   Finished messages sent to the peer or expected from the peer,
18194   respectively.  (SSL_get_peer_finished is usually the Finished message
18195   actually received from the peer, otherwise the protocol will be aborted.)
18196
18197   As the Finished message are message digests of the complete handshake
18198   (with a total of 192 bits for TLS 1.0 and more for SSL 3.0), they can
18199   be used for external authentication procedures when the authentication
18200   provided by SSL/TLS is not desired or is not enough.
18201
18202   *Bodo Moeller*
18203
18204 * Enhanced support for Alpha Linux is added. Now ./config checks if
18205   the host supports BWX extension and if Compaq C is present on the
18206   $PATH. Just exploiting of the BWX extension results in 20-30%
18207   performance kick for some algorithms, e.g. DES and RC4 to mention
18208   a couple. Compaq C in turn generates ~20% faster code for MD5 and
18209   SHA1.
18210
18211   *Andy Polyakov*
18212
18213 * Add support for MS "fast SGC". This is arguably a violation of the
18214   SSL3/TLS protocol. Netscape SGC does two handshakes: the first with
18215   weak crypto and after checking the certificate is SGC a second one
18216   with strong crypto. MS SGC stops the first handshake after receiving
18217   the server certificate message and sends a second client hello. Since
18218   a server will typically do all the time consuming operations before
18219   expecting any further messages from the client (server key exchange
18220   is the most expensive) there is little difference between the two.
18221
18222   To get OpenSSL to support MS SGC we have to permit a second client
18223   hello message after we have sent server done. In addition we have to
18224   reset the MAC if we do get this second client hello.
18225
18226   *Steve Henson*
18227
18228 * Add a function 'd2i_AutoPrivateKey()' this will automatically decide
18229   if a DER encoded private key is RSA or DSA traditional format. Changed
18230   d2i_PrivateKey_bio() to use it. This is only needed for the "traditional"
18231   format DER encoded private key. Newer code should use PKCS#8 format which
18232   has the key type encoded in the ASN1 structure. Added DER private key
18233   support to pkcs8 application.
18234
18235   *Steve Henson*
18236
18237 * SSL 3/TLS 1 servers now don't request certificates when an anonymous
18238   ciphersuites has been selected (as required by the SSL 3/TLS 1
18239   specifications).  Exception: When SSL_VERIFY_FAIL_IF_NO_PEER_CERT
18240   is set, we interpret this as a request to violate the specification
18241   (the worst that can happen is a handshake failure, and 'correct'
18242   behaviour would result in a handshake failure anyway).
18243
18244   *Bodo Moeller*
18245
18246 * In SSL_CTX_add_session, take into account that there might be multiple
18247   SSL_SESSION structures with the same session ID (e.g. when two threads
18248   concurrently obtain them from an external cache).
18249   The internal cache can handle only one SSL_SESSION with a given ID,
18250   so if there's a conflict, we now throw out the old one to achieve
18251   consistency.
18252
18253   *Bodo Moeller*
18254
18255 * Add OIDs for idea and blowfish in CBC mode. This will allow both
18256   to be used in PKCS#5 v2.0 and S/MIME.  Also add checking to
18257   some routines that use cipher OIDs: some ciphers do not have OIDs
18258   defined and so they cannot be used for S/MIME and PKCS#5 v2.0 for
18259   example.
18260
18261   *Steve Henson*
18262
18263 * Simplify the trust setting structure and code. Now we just have
18264   two sequences of OIDs for trusted and rejected settings. These will
18265   typically have values the same as the extended key usage extension
18266   and any application specific purposes.
18267
18268   The trust checking code now has a default behaviour: it will just
18269   check for an object with the same NID as the passed id. Functions can
18270   be provided to override either the default behaviour or the behaviour
18271   for a given id. SSL client, server and email already have functions
18272   in place for compatibility: they check the NID and also return "trusted"
18273   if the certificate is self signed.
18274
18275   *Steve Henson*
18276
18277 * Add d2i,i2d bio/fp functions for PrivateKey: these convert the
18278   traditional format into an EVP_PKEY structure.
18279
18280   *Steve Henson*
18281
18282 * Add a password callback function PEM_cb() which either prompts for
18283   a password if usr_data is NULL or otherwise assumes it is a null
18284   terminated password. Allow passwords to be passed on command line
18285   environment or config files in a few more utilities.
18286
18287   *Steve Henson*
18288
18289 * Add a bunch of DER and PEM functions to handle PKCS#8 format private
18290   keys. Add some short names for PKCS#8 PBE algorithms and allow them
18291   to be specified on the command line for the pkcs8 and pkcs12 utilities.
18292   Update documentation.
18293
18294   *Steve Henson*
18295
18296 * Support for ASN1 "NULL" type. This could be handled before by using
18297   ASN1_TYPE but there wasn't any function that would try to read a NULL
18298   and produce an error if it couldn't. For compatibility we also have
18299   ASN1_NULL_new() and ASN1_NULL_free() functions but these are faked and
18300   don't allocate anything because they don't need to.
18301
18302   *Steve Henson*
18303
18304 * Initial support for MacOS is now provided. Examine INSTALL.MacOS
18305   for details.
18306
18307   *Andy Polyakov, Roy Woods <roy@centicsystems.ca>*
18308
18309 * Rebuild of the memory allocation routines used by OpenSSL code and
18310   possibly others as well.  The purpose is to make an interface that
18311   provide hooks so anyone can build a separate set of allocation and
18312   deallocation routines to be used by OpenSSL, for example memory
18313   pool implementations, or something else, which was previously hard
18314   since Malloc(), Realloc() and Free() were defined as macros having
18315   the values malloc, realloc and free, respectively (except for Win32
18316   compilations).  The same is provided for memory debugging code.
18317   OpenSSL already comes with functionality to find memory leaks, but
18318   this gives people a chance to debug other memory problems.
18319
18320   With these changes, a new set of functions and macros have appeared:
18321
18322     CRYPTO_set_mem_debug_functions()         [F]
18323     CRYPTO_get_mem_debug_functions()         [F]
18324     CRYPTO_dbg_set_options()                 [F]
18325     CRYPTO_dbg_get_options()                 [F]
18326     CRYPTO_malloc_debug_init()               [M]
18327
18328   The memory debug functions are NULL by default, unless the library
18329   is compiled with CRYPTO_MDEBUG or friends is defined.  If someone
18330   wants to debug memory anyway, CRYPTO_malloc_debug_init() (which
18331   gives the standard debugging functions that come with OpenSSL) or
18332   CRYPTO_set_mem_debug_functions() (tells OpenSSL to use functions
18333   provided by the library user) must be used.  When the standard
18334   debugging functions are used, CRYPTO_dbg_set_options can be used to
18335   request additional information:
18336   CRYPTO_dbg_set_options(V_CYRPTO_MDEBUG_xxx) corresponds to setting
18337   the CRYPTO_MDEBUG_xxx macro when compiling the library.
18338
18339   Also, things like CRYPTO_set_mem_functions will always give the
18340   expected result (the new set of functions is used for allocation
18341   and deallocation) at all times, regardless of platform and compiler
18342   options.
18343
18344   To finish it up, some functions that were never use in any other
18345   way than through macros have a new API and new semantic:
18346
18347     CRYPTO_dbg_malloc()
18348     CRYPTO_dbg_realloc()
18349     CRYPTO_dbg_free()
18350
18351   All macros of value have retained their old syntax.
18352
18353   *Richard Levitte and Bodo Moeller*
18354
18355 * Some S/MIME fixes. The OID for SMIMECapabilities was wrong, the
18356   ordering of SMIMECapabilities wasn't in "strength order" and there
18357   was a missing NULL in the AlgorithmIdentifier for the SHA1 signature
18358   algorithm.
18359
18360   *Steve Henson*
18361
18362 * Some ASN1 types with illegal zero length encoding (INTEGER,
18363   ENUMERATED and OBJECT IDENTIFIER) choked the ASN1 routines.
18364
18365   *Frans Heymans <fheymans@isaserver.be>, modified by Steve Henson*
18366
18367 * Merge in my S/MIME library for OpenSSL. This provides a simple
18368   S/MIME API on top of the PKCS#7 code, a MIME parser (with enough
18369   functionality to handle multipart/signed properly) and a utility
18370   called 'smime' to call all this stuff. This is based on code I
18371   originally wrote for Celo who have kindly allowed it to be
18372   included in OpenSSL.
18373
18374   *Steve Henson*
18375
18376 * Add variants des_set_key_checked and des_set_key_unchecked of
18377   des_set_key (aka des_key_sched).  Global variable des_check_key
18378   decides which of these is called by des_set_key; this way
18379   des_check_key behaves as it always did, but applications and
18380   the library itself, which was buggy for des_check_key == 1,
18381   have a cleaner way to pick the version they need.
18382
18383   *Bodo Moeller*
18384
18385 * New function PKCS12_newpass() which changes the password of a
18386   PKCS12 structure.
18387
18388   *Steve Henson*
18389
18390 * Modify X509_TRUST and X509_PURPOSE so it also uses a static and
18391   dynamic mix. In both cases the ids can be used as an index into the
18392   table. Also modified the X509_TRUST_add() and X509_PURPOSE_add()
18393   functions so they accept a list of the field values and the
18394   application doesn't need to directly manipulate the X509_TRUST
18395   structure.
18396
18397   *Steve Henson*
18398
18399 * Modify the ASN1_STRING_TABLE stuff so it also uses bsearch and doesn't
18400   need initialising.
18401
18402   *Steve Henson*
18403
18404 * Modify the way the V3 extension code looks up extensions. This now
18405   works in a similar way to the object code: we have some "standard"
18406   extensions in a static table which is searched with OBJ_bsearch()
18407   and the application can add dynamic ones if needed. The file
18408   crypto/x509v3/ext_dat.h now has the info: this file needs to be
18409   updated whenever a new extension is added to the core code and kept
18410   in ext_nid order. There is a simple program 'tabtest.c' which checks
18411   this. New extensions are not added too often so this file can readily
18412   be maintained manually.
18413
18414   There are two big advantages in doing things this way. The extensions
18415   can be looked up immediately and no longer need to be "added" using
18416   X509V3_add_standard_extensions(): this function now does nothing.
18417   Side note: I get *lots* of email saying the extension code doesn't
18418   work because people forget to call this function.
18419   Also no dynamic allocation is done unless new extensions are added:
18420   so if we don't add custom extensions there is no need to call
18421   X509V3_EXT_cleanup().
18422
18423   *Steve Henson*
18424
18425 * Modify enc utility's salting as follows: make salting the default. Add a
18426   magic header, so unsalted files fail gracefully instead of just decrypting
18427   to garbage. This is because not salting is a big security hole, so people
18428   should be discouraged from doing it.
18429
18430   *Ben Laurie*
18431
18432 * Fixes and enhancements to the 'x509' utility. It allowed a message
18433   digest to be passed on the command line but it only used this
18434   parameter when signing a certificate. Modified so all relevant
18435   operations are affected by the digest parameter including the
18436   -fingerprint and -x509toreq options. Also -x509toreq choked if a
18437   DSA key was used because it didn't fix the digest.
18438
18439   *Steve Henson*
18440
18441 * Initial certificate chain verify code. Currently tests the untrusted
18442   certificates for consistency with the verify purpose (which is set
18443   when the X509_STORE_CTX structure is set up) and checks the pathlength.
18444
18445   There is a NO_CHAIN_VERIFY compilation option to keep the old behaviour:
18446   this is because it will reject chains with invalid extensions whereas
18447   every previous version of OpenSSL and SSLeay made no checks at all.
18448
18449   Trust code: checks the root CA for the relevant trust settings. Trust
18450   settings have an initial value consistent with the verify purpose: e.g.
18451   if the verify purpose is for SSL client use it expects the CA to be
18452   trusted for SSL client use. However the default value can be changed to
18453   permit custom trust settings: one example of this would be to only trust
18454   certificates from a specific "secure" set of CAs.
18455
18456   Also added X509_STORE_CTX_new() and X509_STORE_CTX_free() functions
18457   which should be used for version portability: especially since the
18458   verify structure is likely to change more often now.
18459
18460   SSL integration. Add purpose and trust to SSL_CTX and SSL and functions
18461   to set them. If not set then assume SSL clients will verify SSL servers
18462   and vice versa.
18463
18464   Two new options to the verify program: -untrusted allows a set of
18465   untrusted certificates to be passed in and -purpose which sets the
18466   intended purpose of the certificate. If a purpose is set then the
18467   new chain verify code is used to check extension consistency.
18468
18469   *Steve Henson*
18470
18471 * Support for the authority information access extension.
18472
18473   *Steve Henson*
18474
18475 * Modify RSA and DSA PEM read routines to transparently handle
18476   PKCS#8 format private keys. New *_PUBKEY_* functions that handle
18477   public keys in a format compatible with certificate
18478   SubjectPublicKeyInfo structures. Unfortunately there were already
18479   functions called *_PublicKey_* which used various odd formats so
18480   these are retained for compatibility: however the DSA variants were
18481   never in a public release so they have been deleted. Changed dsa/rsa
18482   utilities to handle the new format: note no releases ever handled public
18483   keys so we should be OK.
18484
18485   The primary motivation for this change is to avoid the same fiasco
18486   that dogs private keys: there are several incompatible private key
18487   formats some of which are standard and some OpenSSL specific and
18488   require various evil hacks to allow partial transparent handling and
18489   even then it doesn't work with DER formats. Given the option anything
18490   other than PKCS#8 should be dumped: but the other formats have to
18491   stay in the name of compatibility.
18492
18493   With public keys and the benefit of hindsight one standard format
18494   is used which works with EVP_PKEY, RSA or DSA structures: though
18495   it clearly returns an error if you try to read the wrong kind of key.
18496
18497   Added a -pubkey option to the 'x509' utility to output the public key.
18498   Also rename the `EVP_PKEY_get_*()` to `EVP_PKEY_rget_*()`
18499   (renamed to `EVP_PKEY_get1_*()` in the OpenSSL 0.9.5 release) and add
18500   `EVP_PKEY_rset_*()` functions (renamed to `EVP_PKEY_set1_*()`)
18501   that do the same as the `EVP_PKEY_assign_*()` except they up the
18502   reference count of the added key (they don't "swallow" the
18503   supplied key).
18504
18505   *Steve Henson*
18506
18507 * Fixes to crypto/x509/by_file.c the code to read in certificates and
18508   CRLs would fail if the file contained no certificates or no CRLs:
18509   added a new function to read in both types and return the number
18510   read: this means that if none are read it will be an error. The
18511   DER versions of the certificate and CRL reader would always fail
18512   because it isn't possible to mix certificates and CRLs in DER format
18513   without choking one or the other routine. Changed this to just read
18514   a certificate: this is the best we can do. Also modified the code
18515   in `apps/verify.c` to take notice of return codes: it was previously
18516   attempting to read in certificates from NULL pointers and ignoring
18517   any errors: this is one reason why the cert and CRL reader seemed
18518   to work. It doesn't check return codes from the default certificate
18519   routines: these may well fail if the certificates aren't installed.
18520
18521   *Steve Henson*
18522
18523 * Code to support otherName option in GeneralName.
18524
18525   *Steve Henson*
18526
18527 * First update to verify code. Change the verify utility
18528   so it warns if it is passed a self signed certificate:
18529   for consistency with the normal behaviour. X509_verify
18530   has been modified to it will now verify a self signed
18531   certificate if *exactly* the same certificate appears
18532   in the store: it was previously impossible to trust a
18533   single self signed certificate. This means that:
18534   openssl verify ss.pem
18535   now gives a warning about a self signed certificate but
18536   openssl verify -CAfile ss.pem ss.pem
18537   is OK.
18538
18539   *Steve Henson*
18540
18541 * For servers, store verify_result in SSL_SESSION data structure
18542   (and add it to external session representation).
18543   This is needed when client certificate verifications fails,
18544   but an application-provided verification callback (set by
18545   SSL_CTX_set_cert_verify_callback) allows accepting the session
18546   anyway (i.e. leaves x509_store_ctx->error != X509_V_OK
18547   but returns 1): When the session is reused, we have to set
18548   ssl->verify_result to the appropriate error code to avoid
18549   security holes.
18550
18551   *Bodo Moeller, problem pointed out by Lutz Jaenicke*
18552
18553 * Fix a bug in the new PKCS#7 code: it didn't consider the
18554   case in PKCS7_dataInit() where the signed PKCS7 structure
18555   didn't contain any existing data because it was being created.
18556
18557   *Po-Cheng Chen <pocheng@nst.com.tw>, slightly modified by Steve Henson*
18558
18559 * Add a salt to the key derivation routines in enc.c. This
18560   forms the first 8 bytes of the encrypted file. Also add a
18561   -S option to allow a salt to be input on the command line.
18562
18563   *Steve Henson*
18564
18565 * New function X509_cmp(). Oddly enough there wasn't a function
18566   to compare two certificates. We do this by working out the SHA1
18567   hash and comparing that. X509_cmp() will be needed by the trust
18568   code.
18569
18570   *Steve Henson*
18571
18572 * SSL_get1_session() is like SSL_get_session(), but increments
18573   the reference count in the SSL_SESSION returned.
18574
18575   *Geoff Thorpe <geoff@eu.c2.net>*
18576
18577 * Fix for 'req': it was adding a null to request attributes.
18578   Also change the X509_LOOKUP and X509_INFO code to handle
18579   certificate auxiliary information.
18580
18581   *Steve Henson*
18582
18583 * Add support for 40 and 64 bit RC2 and RC4 algorithms: document
18584   the 'enc' command.
18585
18586   *Steve Henson*
18587
18588 * Add the possibility to add extra information to the memory leak
18589   detecting output, to form tracebacks, showing from where each
18590   allocation was originated: CRYPTO_push_info("constant string") adds
18591   the string plus current file name and line number to a per-thread
18592   stack, CRYPTO_pop_info() does the obvious, CRYPTO_remove_all_info()
18593   is like calling CYRPTO_pop_info() until the stack is empty.
18594   Also updated memory leak detection code to be multi-thread-safe.
18595
18596   *Richard Levitte*
18597
18598 * Add options -text and -noout to pkcs7 utility and delete the
18599   encryption options which never did anything. Update docs.
18600
18601   *Steve Henson*
18602
18603 * Add options to some of the utilities to allow the pass phrase
18604   to be included on either the command line (not recommended on
18605   OSes like Unix) or read from the environment. Update the
18606   manpages and fix a few bugs.
18607
18608   *Steve Henson*
18609
18610 * Add a few manpages for some of the openssl commands.
18611
18612   *Steve Henson*
18613
18614 * Fix the -revoke option in ca. It was freeing up memory twice,
18615   leaking and not finding already revoked certificates.
18616
18617   *Steve Henson*
18618
18619 * Extensive changes to support certificate auxiliary information.
18620   This involves the use of X509_CERT_AUX structure and X509_AUX
18621   functions. An X509_AUX function such as PEM_read_X509_AUX()
18622   can still read in a certificate file in the usual way but it
18623   will also read in any additional "auxiliary information". By
18624   doing things this way a fair degree of compatibility can be
18625   retained: existing certificates can have this information added
18626   using the new 'x509' options.
18627
18628   Current auxiliary information includes an "alias" and some trust
18629   settings. The trust settings will ultimately be used in enhanced
18630   certificate chain verification routines: currently a certificate
18631   can only be trusted if it is self signed and then it is trusted
18632   for all purposes.
18633
18634   *Steve Henson*
18635
18636 * Fix assembler for Alpha (tested only on DEC OSF not Linux or `*BSD`).
18637   The problem was that one of the replacement routines had not been working
18638   since SSLeay releases.  For now the offending routine has been replaced
18639   with non-optimised assembler.  Even so, this now gives around 95%
18640   performance improvement for 1024 bit RSA signs.
18641
18642   *Mark Cox*
18643
18644 * Hack to fix PKCS#7 decryption when used with some unorthodox RC2
18645   handling. Most clients have the effective key size in bits equal to
18646   the key length in bits: so a 40 bit RC2 key uses a 40 bit (5 byte) key.
18647   A few however don't do this and instead use the size of the decrypted key
18648   to determine the RC2 key length and the AlgorithmIdentifier to determine
18649   the effective key length. In this case the effective key length can still
18650   be 40 bits but the key length can be 168 bits for example. This is fixed
18651   by manually forcing an RC2 key into the EVP_PKEY structure because the
18652   EVP code can't currently handle unusual RC2 key sizes: it always assumes
18653   the key length and effective key length are equal.
18654
18655   *Steve Henson*
18656
18657 * Add a bunch of functions that should simplify the creation of
18658   X509_NAME structures. Now you should be able to do:
18659   X509_NAME_add_entry_by_txt(nm, "CN", MBSTRING_ASC, "Steve", -1, -1, 0);
18660   and have it automatically work out the correct field type and fill in
18661   the structures. The more adventurous can try:
18662   X509_NAME_add_entry_by_txt(nm, field, MBSTRING_UTF8, str, -1, -1, 0);
18663   and it will (hopefully) work out the correct multibyte encoding.
18664
18665   *Steve Henson*
18666
18667 * Change the 'req' utility to use the new field handling and multibyte
18668   copy routines. Before the DN field creation was handled in an ad hoc
18669   way in req, ca, and x509 which was rather broken and didn't support
18670   BMPStrings or UTF8Strings. Since some software doesn't implement
18671   BMPStrings or UTF8Strings yet, they can be enabled using the config file
18672   using the dirstring_type option. See the new comment in the default
18673   openssl.cnf for more info.
18674
18675   *Steve Henson*
18676
18677 * Make crypto/rand/md_rand.c more robust:
18678   - Assure unique random numbers after fork().
18679   - Make sure that concurrent threads access the global counter and
18680     md serializably so that we never lose entropy in them
18681     or use exactly the same state in multiple threads.
18682     Access to the large state is not always serializable because
18683     the additional locking could be a performance killer, and
18684     md should be large enough anyway.
18685
18686   *Bodo Moeller*
18687
18688 * New file `apps/app_rand.c` with commonly needed functionality
18689   for handling the random seed file.
18690
18691   Use the random seed file in some applications that previously did not:
18692           ca,
18693           dsaparam -genkey (which also ignored its '-rand' option),
18694           s_client,
18695           s_server,
18696           x509 (when signing).
18697   Except on systems with /dev/urandom, it is crucial to have a random
18698   seed file at least for key creation, DSA signing, and for DH exchanges;
18699   for RSA signatures we could do without one.
18700
18701   gendh and gendsa (unlike genrsa) used to read only the first byte
18702   of each file listed in the '-rand' option.  The function as previously
18703   found in genrsa is now in app_rand.c and is used by all programs
18704   that support '-rand'.
18705
18706   *Bodo Moeller*
18707
18708 * In RAND_write_file, use mode 0600 for creating files;
18709   don't just chmod when it may be too late.
18710
18711   *Bodo Moeller*
18712
18713 * Report an error from X509_STORE_load_locations
18714   when X509_LOOKUP_load_file or X509_LOOKUP_add_dir failed.
18715
18716   *Bill Perry*
18717
18718 * New function ASN1_mbstring_copy() this copies a string in either
18719   ASCII, Unicode, Universal (4 bytes per character) or UTF8 format
18720   into an ASN1_STRING type. A mask of permissible types is passed
18721   and it chooses the "minimal" type to use or an error if not type
18722   is suitable.
18723
18724   *Steve Henson*
18725
18726 * Add function equivalents to the various macros in asn1.h. The old
18727   macros are retained with an `M_` prefix. Code inside the library can
18728   use the `M_` macros. External code (including the openssl utility)
18729   should *NOT* in order to be "shared library friendly".
18730
18731   *Steve Henson*
18732
18733 * Add various functions that can check a certificate's extensions
18734   to see if it usable for various purposes such as SSL client,
18735   server or S/MIME and CAs of these types. This is currently
18736   VERY EXPERIMENTAL but will ultimately be used for certificate chain
18737   verification. Also added a -purpose flag to x509 utility to
18738   print out all the purposes.
18739
18740   *Steve Henson*
18741
18742 * Add a CRYPTO_EX_DATA to X509 certificate structure and associated
18743   functions.
18744
18745   *Steve Henson*
18746
18747 * New `X509V3_{X509,CRL,REVOKED}_get_d2i()` functions. These will search
18748   for, obtain and decode and extension and obtain its critical flag.
18749   This allows all the necessary extension code to be handled in a
18750   single function call.
18751
18752   *Steve Henson*
18753
18754 * RC4 tune-up featuring 30-40% performance improvement on most RISC
18755   platforms. See crypto/rc4/rc4_enc.c for further details.
18756
18757   *Andy Polyakov*
18758
18759 * New -noout option to asn1parse. This causes no output to be produced
18760   its main use is when combined with -strparse and -out to extract data
18761   from a file (which may not be in ASN.1 format).
18762
18763   *Steve Henson*
18764
18765 * Fix for pkcs12 program. It was hashing an invalid certificate pointer
18766   when producing the local key id.
18767
18768   *Richard Levitte <levitte@stacken.kth.se>*
18769
18770 * New option -dhparam in s_server. This allows a DH parameter file to be
18771   stated explicitly. If it is not stated then it tries the first server
18772   certificate file. The previous behaviour hard coded the filename
18773   "server.pem".
18774
18775   *Steve Henson*
18776
18777 * Add -pubin and -pubout options to the rsa and dsa commands. These allow
18778   a public key to be input or output. For example:
18779   openssl rsa -in key.pem -pubout -out pubkey.pem
18780   Also added necessary DSA public key functions to handle this.
18781
18782   *Steve Henson*
18783
18784 * Fix so PKCS7_dataVerify() doesn't crash if no certificates are contained
18785   in the message. This was handled by allowing
18786   X509_find_by_issuer_and_serial() to tolerate a NULL passed to it.
18787
18788   *Steve Henson, reported by Sampo Kellomaki <sampo@mail.neuronio.pt>*
18789
18790 * Fix for bug in d2i_ASN1_bytes(): other ASN1 functions add an extra null
18791   to the end of the strings whereas this didn't. This would cause problems
18792   if strings read with d2i_ASN1_bytes() were later modified.
18793
18794   *Steve Henson, reported by Arne Ansper <arne@ats.cyber.ee>*
18795
18796 * Fix for base64 decode bug. When a base64 bio reads only one line of
18797   data and it contains EOF it will end up returning an error. This is
18798   caused by input 46 bytes long. The cause is due to the way base64
18799   BIOs find the start of base64 encoded data. They do this by trying a
18800   trial decode on each line until they find one that works. When they
18801   do a flag is set and it starts again knowing it can pass all the
18802   data directly through the decoder. Unfortunately it doesn't reset
18803   the context it uses. This means that if EOF is reached an attempt
18804   is made to pass two EOFs through the context and this causes the
18805   resulting error. This can also cause other problems as well. As is
18806   usual with these problems it takes *ages* to find and the fix is
18807   trivial: move one line.
18808
18809   *Steve Henson, reported by ian@uns.ns.ac.yu (Ivan Nejgebauer)*
18810
18811 * Ugly workaround to get s_client and s_server working under Windows. The
18812   old code wouldn't work because it needed to select() on sockets and the
18813   tty (for keypresses and to see if data could be written). Win32 only
18814   supports select() on sockets so we select() with a 1s timeout on the
18815   sockets and then see if any characters are waiting to be read, if none
18816   are present then we retry, we also assume we can always write data to
18817   the tty. This isn't nice because the code then blocks until we've
18818   received a complete line of data and it is effectively polling the
18819   keyboard at 1s intervals: however it's quite a bit better than not
18820   working at all :-) A dedicated Windows application might handle this
18821   with an event loop for example.
18822
18823   *Steve Henson*
18824
18825 * Enhance RSA_METHOD structure. Now there are two extra methods, rsa_sign
18826   and rsa_verify. When the RSA_FLAGS_SIGN_VER option is set these functions
18827   will be called when RSA_sign() and RSA_verify() are used. This is useful
18828   if rsa_pub_dec() and rsa_priv_enc() equivalents are not available.
18829   For this to work properly RSA_public_decrypt() and RSA_private_encrypt()
18830   should *not* be used: RSA_sign() and RSA_verify() must be used instead.
18831   This necessitated the support of an extra signature type NID_md5_sha1
18832   for SSL signatures and modifications to the SSL library to use it instead
18833   of calling RSA_public_decrypt() and RSA_private_encrypt().
18834
18835   *Steve Henson*
18836
18837 * Add new -verify -CAfile and -CApath options to the crl program, these
18838   will lookup a CRL issuers certificate and verify the signature in a
18839   similar way to the verify program. Tidy up the crl program so it
18840   no longer accesses structures directly. Make the ASN1 CRL parsing a bit
18841   less strict. It will now permit CRL extensions even if it is not
18842   a V2 CRL: this will allow it to tolerate some broken CRLs.
18843
18844   *Steve Henson*
18845
18846 * Initialize all non-automatic variables each time one of the openssl
18847   sub-programs is started (this is necessary as they may be started
18848   multiple times from the "OpenSSL>" prompt).
18849
18850   *Lennart Bang, Bodo Moeller*
18851
18852 * Preliminary compilation option RSA_NULL which disables RSA crypto without
18853   removing all other RSA functionality (this is what NO_RSA does). This
18854   is so (for example) those in the US can disable those operations covered
18855   by the RSA patent while allowing storage and parsing of RSA keys and RSA
18856   key generation.
18857
18858   *Steve Henson*
18859
18860 * Non-copying interface to BIO pairs.
18861   (still largely untested)
18862
18863   *Bodo Moeller*
18864
18865 * New function ASN1_tag2str() to convert an ASN1 tag to a descriptive
18866   ASCII string. This was handled independently in various places before.
18867
18868   *Steve Henson*
18869
18870 * New functions UTF8_getc() and UTF8_putc() that parse and generate
18871   UTF8 strings a character at a time.
18872
18873   *Steve Henson*
18874
18875 * Use client_version from client hello to select the protocol
18876   (s23_srvr.c) and for RSA client key exchange verification
18877   (s3_srvr.c), as required by the SSL 3.0/TLS 1.0 specifications.
18878
18879   *Bodo Moeller*
18880
18881 * Add various utility functions to handle SPKACs, these were previously
18882   handled by poking round in the structure internals. Added new function
18883   NETSCAPE_SPKI_print() to print out SPKAC and a new utility 'spkac' to
18884   print, verify and generate SPKACs. Based on an original idea from
18885   Massimiliano Pala <madwolf@comune.modena.it> but extensively modified.
18886
18887   *Steve Henson*
18888
18889 * RIPEMD160 is operational on all platforms and is back in 'make test'.
18890
18891   *Andy Polyakov*
18892
18893 * Allow the config file extension section to be overwritten on the
18894   command line. Based on an original idea from Massimiliano Pala
18895   <madwolf@comune.modena.it>. The new option is called -extensions
18896   and can be applied to ca, req and x509. Also -reqexts to override
18897   the request extensions in req and -crlexts to override the crl extensions
18898   in ca.
18899
18900   *Steve Henson*
18901
18902 * Add new feature to the SPKAC handling in ca.  Now you can include
18903   the same field multiple times by preceding it by "XXXX." for example:
18904   1.OU="Unit name 1"
18905   2.OU="Unit name 2"
18906   this is the same syntax as used in the req config file.
18907
18908   *Steve Henson*
18909
18910 * Allow certificate extensions to be added to certificate requests. These
18911   are specified in a 'req_extensions' option of the req section of the
18912   config file. They can be printed out with the -text option to req but
18913   are otherwise ignored at present.
18914
18915   *Steve Henson*
18916
18917 * Fix a horrible bug in enc_read() in crypto/evp/bio_enc.c: if the first
18918   data read consists of only the final block it would not decrypted because
18919   EVP_CipherUpdate() would correctly report zero bytes had been decrypted.
18920   A misplaced 'break' also meant the decrypted final block might not be
18921   copied until the next read.
18922
18923   *Steve Henson*
18924
18925 * Initial support for DH_METHOD. Again based on RSA_METHOD. Also added
18926   a few extra parameters to the DH structure: these will be useful if
18927   for example we want the value of 'q' or implement X9.42 DH.
18928
18929   *Steve Henson*
18930
18931 * Initial support for DSA_METHOD. This is based on the RSA_METHOD and
18932   provides hooks that allow the default DSA functions or functions on a
18933   "per key" basis to be replaced. This allows hardware acceleration and
18934   hardware key storage to be handled without major modification to the
18935   library. Also added low-level modexp hooks and CRYPTO_EX structure and
18936   associated functions.
18937
18938   *Steve Henson*
18939
18940 * Add a new flag to memory BIOs, BIO_FLAG_MEM_RDONLY. This marks the BIO
18941   as "read only": it can't be written to and the buffer it points to will
18942   not be freed. Reading from a read only BIO is much more efficient than
18943   a normal memory BIO. This was added because there are several times when
18944   an area of memory needs to be read from a BIO. The previous method was
18945   to create a memory BIO and write the data to it, this results in two
18946   copies of the data and an O(n^2) reading algorithm. There is a new
18947   function BIO_new_mem_buf() which creates a read only memory BIO from
18948   an area of memory. Also modified the PKCS#7 routines to use read only
18949   memory BIOs.
18950
18951   *Steve Henson*
18952
18953 * Bugfix: ssl23_get_client_hello did not work properly when called in
18954   state SSL23_ST_SR_CLNT_HELLO_B, i.e. when the first 7 bytes of
18955   an SSLv2-compatible client hello for SSLv3 or TLSv1 could be read,
18956   but a retry condition occurred while trying to read the rest.
18957
18958   *Bodo Moeller*
18959
18960 * The PKCS7_ENC_CONTENT_new() function was setting the content type as
18961   NID_pkcs7_encrypted by default: this was wrong since this should almost
18962   always be NID_pkcs7_data. Also modified the PKCS7_set_type() to handle
18963   the encrypted data type: this is a more sensible place to put it and it
18964   allows the PKCS#12 code to be tidied up that duplicated this
18965   functionality.
18966
18967   *Steve Henson*
18968
18969 * Changed obj_dat.pl script so it takes its input and output files on
18970   the command line. This should avoid shell escape redirection problems
18971   under Win32.
18972
18973   *Steve Henson*
18974
18975 * Initial support for certificate extension requests, these are included
18976   in things like Xenroll certificate requests. Included functions to allow
18977   extensions to be obtained and added.
18978
18979   *Steve Henson*
18980
18981 * -crlf option to s_client and s_server for sending newlines as
18982   CRLF (as required by many protocols).
18983
18984   *Bodo Moeller*
18985
18986### Changes between 0.9.3a and 0.9.4  [09 Aug 1999]
18987
18988 * Install libRSAglue.a when OpenSSL is built with RSAref.
18989
18990   *Ralf S. Engelschall*
18991
18992 * A few more `#ifndef NO_FP_API / #endif` pairs for consistency.
18993
18994   *Andrija Antonijevic <TheAntony2@bigfoot.com>*
18995
18996 * Fix -startdate and -enddate (which was missing) arguments to 'ca'
18997   program.
18998
18999   *Steve Henson*
19000
19001 * New function DSA_dup_DH, which duplicates DSA parameters/keys as
19002   DH parameters/keys (q is lost during that conversion, but the resulting
19003   DH parameters contain its length).
19004
19005   For 1024-bit p, DSA_generate_parameters followed by DSA_dup_DH is
19006   much faster than DH_generate_parameters (which creates parameters
19007   where `p = 2*q + 1`), and also the smaller q makes DH computations
19008   much more efficient (160-bit exponentiation instead of 1024-bit
19009   exponentiation); so this provides a convenient way to support DHE
19010   ciphersuites in SSL/TLS servers (see ssl/ssltest.c).  It is of
19011   utter importance to use
19012           SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
19013   or
19014           SSL_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
19015   when such DH parameters are used, because otherwise small subgroup
19016   attacks may become possible!
19017
19018   *Bodo Moeller*
19019
19020 * Avoid memory leak in i2d_DHparams.
19021
19022   *Bodo Moeller*
19023
19024 * Allow the -k option to be used more than once in the enc program:
19025   this allows the same encrypted message to be read by multiple recipients.
19026
19027   *Steve Henson*
19028
19029 * New function OBJ_obj2txt(buf, buf_len, a, no_name), this converts
19030   an ASN1_OBJECT to a text string. If the "no_name" parameter is set then
19031   it will always use the numerical form of the OID, even if it has a short
19032   or long name.
19033
19034   *Steve Henson*
19035
19036 * Added an extra RSA flag: RSA_FLAG_EXT_PKEY. Previously the rsa_mod_exp
19037   method only got called if p,q,dmp1,dmq1,iqmp components were present,
19038   otherwise bn_mod_exp was called. In the case of hardware keys for example
19039   no private key components need be present and it might store extra data
19040   in the RSA structure, which cannot be accessed from bn_mod_exp.
19041   By setting RSA_FLAG_EXT_PKEY rsa_mod_exp will always be called for
19042   private key operations.
19043
19044   *Steve Henson*
19045
19046 * Added support for SPARC Linux.
19047
19048   *Andy Polyakov*
19049
19050 * pem_password_cb function type incompatibly changed from
19051           typedef int pem_password_cb(char *buf, int size, int rwflag);
19052   to
19053           ....(char *buf, int size, int rwflag, void *userdata);
19054   so that applications can pass data to their callbacks:
19055   The `PEM[_ASN1]_{read,write}...` functions and macros now take an
19056   additional void * argument, which is just handed through whenever
19057   the password callback is called.
19058
19059   *Damien Miller <dmiller@ilogic.com.au>; tiny changes by Bodo Moeller*
19060
19061   New function SSL_CTX_set_default_passwd_cb_userdata.
19062
19063   Compatibility note: As many C implementations push function arguments
19064   onto the stack in reverse order, the new library version is likely to
19065   interoperate with programs that have been compiled with the old
19066   pem_password_cb definition (PEM_whatever takes some data that
19067   happens to be on the stack as its last argument, and the callback
19068   just ignores this garbage); but there is no guarantee whatsoever that
19069   this will work.
19070
19071 * The -DPLATFORM="\"$(PLATFORM)\"" definition and the similar -DCFLAGS=...
19072   (both in crypto/Makefile.ssl for use by crypto/cversion.c) caused
19073   problems not only on Windows, but also on some Unix platforms.
19074   To avoid problematic command lines, these definitions are now in an
19075   auto-generated file crypto/buildinf.h (created by crypto/Makefile.ssl
19076   for standard "make" builds, by util/mk1mf.pl for "mk1mf" builds).
19077
19078   *Bodo Moeller*
19079
19080 * MIPS III/IV assembler module is reimplemented.
19081
19082   *Andy Polyakov*
19083
19084 * More DES library cleanups: remove references to srand/rand and
19085   delete an unused file.
19086
19087   *Ulf Möller*
19088
19089 * Add support for the free Netwide assembler (NASM) under Win32,
19090   since not many people have MASM (ml) and it can be hard to obtain.
19091   This is currently experimental but it seems to work OK and pass all
19092   the tests. Check out INSTALL.W32 for info.
19093
19094   *Steve Henson*
19095
19096 * Fix memory leaks in s3_clnt.c: All non-anonymous SSL3/TLS1 connections
19097   without temporary keys kept an extra copy of the server key,
19098   and connections with temporary keys did not free everything in case
19099   of an error.
19100
19101   *Bodo Moeller*
19102
19103 * New function RSA_check_key and new openssl rsa option -check
19104   for verifying the consistency of RSA keys.
19105
19106   *Ulf Moeller, Bodo Moeller*
19107
19108 * Various changes to make Win32 compile work:
19109   1. Casts to avoid "loss of data" warnings in p5_crpt2.c
19110   2. Change unsigned int to int in b_dump.c to avoid "signed/unsigned
19111      comparison" warnings.
19112   3. Add `sk_<TYPE>_sort` to DEF file generator and do make update.
19113
19114   *Steve Henson*
19115
19116 * Add a debugging option to PKCS#5 v2 key generation function: when
19117   you #define DEBUG_PKCS5V2 passwords, salts, iteration counts and
19118   derived keys are printed to stderr.
19119
19120   *Steve Henson*
19121
19122 * Copy the flags in ASN1_STRING_dup().
19123
19124   *Roman E. Pavlov <pre@mo.msk.ru>*
19125
19126 * The x509 application mishandled signing requests containing DSA
19127   keys when the signing key was also DSA and the parameters didn't match.
19128
19129   It was supposed to omit the parameters when they matched the signing key:
19130   the verifying software was then supposed to automatically use the CA's
19131   parameters if they were absent from the end user certificate.
19132
19133   Omitting parameters is no longer recommended. The test was also
19134   the wrong way round! This was probably due to unusual behaviour in
19135   EVP_cmp_parameters() which returns 1 if the parameters match.
19136   This meant that parameters were omitted when they *didn't* match and
19137   the certificate was useless. Certificates signed with 'ca' didn't have
19138   this bug.
19139
19140   *Steve Henson, reported by Doug Erickson <Doug.Erickson@Part.NET>*
19141
19142 * Memory leak checking (-DCRYPTO_MDEBUG) had some problems.
19143   The interface is as follows:
19144   Applications can use
19145           CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON) aka MemCheck_start(),
19146           CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_OFF) aka MemCheck_stop();
19147   "off" is now the default.
19148   The library internally uses
19149           CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE) aka MemCheck_off(),
19150           CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE) aka MemCheck_on()
19151   to disable memory-checking temporarily.
19152
19153   Some inconsistent states that previously were possible (and were
19154   even the default) are now avoided.
19155
19156   -DCRYPTO_MDEBUG_TIME is new and additionally stores the current time
19157   with each memory chunk allocated; this is occasionally more helpful
19158   than just having a counter.
19159
19160   -DCRYPTO_MDEBUG_THREAD is also new and adds the thread ID.
19161
19162   -DCRYPTO_MDEBUG_ALL enables all of the above, plus any future
19163   extensions.
19164
19165   *Bodo Moeller*
19166
19167 * Introduce "mode" for SSL structures (with defaults in SSL_CTX),
19168   which largely parallels "options", but is for changing API behaviour,
19169   whereas "options" are about protocol behaviour.
19170   Initial "mode" flags are:
19171
19172   SSL_MODE_ENABLE_PARTIAL_WRITE   Allow SSL_write to report success when
19173                                   a single record has been written.
19174   SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER  Don't insist that SSL_write
19175                                   retries use the same buffer location.
19176                                   (But all of the contents must be
19177                                   copied!)
19178
19179   *Bodo Moeller*
19180
19181 * Bugfix: SSL_set_options ignored its parameter, only SSL_CTX_set_options
19182   worked.
19183
19184 * Fix problems with no-hmac etc.
19185
19186   *Ulf Möller, pointed out by Brian Wellington <bwelling@tislabs.com>*
19187
19188 * New functions RSA_get_default_method(), RSA_set_method() and
19189   RSA_get_method(). These allows replacement of RSA_METHODs without having
19190   to mess around with the internals of an RSA structure.
19191
19192   *Steve Henson*
19193
19194 * Fix memory leaks in DSA_do_sign and DSA_is_prime.
19195   Also really enable memory leak checks in openssl.c and in some
19196   test programs.
19197
19198   *Chad C. Mulligan, Bodo Moeller*
19199
19200 * Fix a bug in d2i_ASN1_INTEGER() and i2d_ASN1_INTEGER() which can mess
19201   up the length of negative integers. This has now been simplified to just
19202   store the length when it is first determined and use it later, rather
19203   than trying to keep track of where data is copied and updating it to
19204   point to the end.
19205   *Steve Henson, reported by Brien Wheeler <bwheeler@authentica-security.com>*
19206
19207 * Add a new function PKCS7_signatureVerify. This allows the verification
19208   of a PKCS#7 signature but with the signing certificate passed to the
19209   function itself. This contrasts with PKCS7_dataVerify which assumes the
19210   certificate is present in the PKCS#7 structure. This isn't always the
19211   case: certificates can be omitted from a PKCS#7 structure and be
19212   distributed by "out of band" means (such as a certificate database).
19213
19214   *Steve Henson*
19215
19216 * Complete the `PEM_*` macros with DECLARE_PEM versions to replace the
19217   function prototypes in pem.h, also change util/mkdef.pl to add the
19218   necessary function names.
19219
19220   *Steve Henson*
19221
19222 * mk1mf.pl (used by Windows builds) did not properly read the
19223   options set by Configure in the top level Makefile, and Configure
19224   was not even able to write more than one option correctly.
19225   Fixed, now "no-idea no-rc5 -DCRYPTO_MDEBUG" etc. works as intended.
19226
19227   *Bodo Moeller*
19228
19229 * New functions CONF_load_bio() and CONF_load_fp() to allow a config
19230   file to be loaded from a BIO or FILE pointer. The BIO version will
19231   for example allow memory BIOs to contain config info.
19232
19233   *Steve Henson*
19234
19235 * New function "CRYPTO_num_locks" that returns CRYPTO_NUM_LOCKS.
19236   Whoever hopes to achieve shared-library compatibility across versions
19237   must use this, not the compile-time macro.
19238   (Exercise 0.9.4: Which is the minimum library version required by
19239   such programs?)
19240   Note: All this applies only to multi-threaded programs, others don't
19241   need locks.
19242
19243   *Bodo Moeller*
19244
19245 * Add missing case to s3_clnt.c state machine -- one of the new SSL tests
19246   through a BIO pair triggered the default case, i.e.
19247   SSLerr(...,SSL_R_UNKNOWN_STATE).
19248
19249   *Bodo Moeller*
19250
19251 * New "BIO pair" concept (crypto/bio/bss_bio.c) so that applications
19252   can use the SSL library even if none of the specific BIOs is
19253   appropriate.
19254
19255   *Bodo Moeller*
19256
19257 * Fix a bug in i2d_DSAPublicKey() which meant it returned the wrong value
19258   for the encoded length.
19259
19260   *Jeon KyoungHo <khjeon@sds.samsung.co.kr>*
19261
19262 * Add initial documentation of the X509V3 functions.
19263
19264   *Steve Henson*
19265
19266 * Add a new pair of functions PEM_write_PKCS8PrivateKey() and
19267   PEM_write_bio_PKCS8PrivateKey() that are equivalent to
19268   PEM_write_PrivateKey() and PEM_write_bio_PrivateKey() but use the more
19269   secure PKCS#8 private key format with a high iteration count.
19270
19271   *Steve Henson*
19272
19273 * Fix determination of Perl interpreter: A perl or perl5
19274   *directory* in $PATH was also accepted as the interpreter.
19275
19276   *Ralf S. Engelschall*
19277
19278 * Fix demos/sign/sign.c: well there wasn't anything strictly speaking
19279   wrong with it but it was very old and did things like calling
19280   PEM_ASN1_read() directly and used MD5 for the hash not to mention some
19281   unusual formatting.
19282
19283   *Steve Henson*
19284
19285 * Fix demos/selfsign.c: it used obsolete and deleted functions, changed
19286   to use the new extension code.
19287
19288   *Steve Henson*
19289
19290 * Implement the PEM_read/PEM_write functions in crypto/pem/pem_all.c
19291   with macros. This should make it easier to change their form, add extra
19292   arguments etc. Fix a few PEM prototypes which didn't have cipher as a
19293   constant.
19294
19295   *Steve Henson*
19296
19297 * Add to configuration table a new entry that can specify an alternative
19298   name for unistd.h (for pre-POSIX systems); we need this for NeXTstep,
19299   according to Mark Crispin <MRC@Panda.COM>.
19300
19301   *Bodo Moeller*
19302
19303 * DES CBC did not update the IV. Weird.
19304
19305   *Ben Laurie*
19306lse
19307   des_cbc_encrypt does not update the IV, but des_ncbc_encrypt does.
19308   Changing the behaviour of the former might break existing programs --
19309   where IV updating is needed, des_ncbc_encrypt can be used.
19310ndif
19311
19312 * When bntest is run from "make test" it drives bc to check its
19313   calculations, as well as internally checking them. If an internal check
19314   fails, it needs to cause bc to give a non-zero result or make test carries
19315   on without noticing the failure. Fixed.
19316
19317   *Ben Laurie*
19318
19319 * DES library cleanups.
19320
19321   *Ulf Möller*
19322
19323 * Add support for PKCS#5 v2.0 PBE algorithms. This will permit PKCS#8 to be
19324   used with any cipher unlike PKCS#5 v1.5 which can at most handle 64 bit
19325   ciphers. NOTE: although the key derivation function has been verified
19326   against some published test vectors it has not been extensively tested
19327   yet. Added a -v2 "cipher" option to pkcs8 application to allow the use
19328   of v2.0.
19329
19330   *Steve Henson*
19331
19332 * Instead of "mkdir -p", which is not fully portable, use new
19333   Perl script "util/mkdir-p.pl".
19334
19335   *Bodo Moeller*
19336
19337 * Rewrite the way password based encryption (PBE) is handled. It used to
19338   assume that the ASN1 AlgorithmIdentifier parameter was a PBEParameter
19339   structure. This was true for the PKCS#5 v1.5 and PKCS#12 PBE algorithms
19340   but doesn't apply to PKCS#5 v2.0 where it can be something else. Now
19341   the 'parameter' field of the AlgorithmIdentifier is passed to the
19342   underlying key generation function so it must do its own ASN1 parsing.
19343   This has also changed the EVP_PBE_CipherInit() function which now has a
19344   'parameter' argument instead of literal salt and iteration count values
19345   and the function EVP_PBE_ALGOR_CipherInit() has been deleted.
19346
19347   *Steve Henson*
19348
19349 * Support for PKCS#5 v1.5 compatible password based encryption algorithms
19350   and PKCS#8 functionality. New 'pkcs8' application linked to openssl.
19351   Needed to change the PEM_STRING_EVP_PKEY value which was just "PRIVATE
19352   KEY" because this clashed with PKCS#8 unencrypted string. Since this
19353   value was just used as a "magic string" and not used directly its
19354   value doesn't matter.
19355
19356   *Steve Henson*
19357
19358 * Introduce some semblance of const correctness to BN. Shame C doesn't
19359   support mutable.
19360
19361   *Ben Laurie*
19362
19363 * "linux-sparc64" configuration (ultrapenguin).
19364
19365   *Ray Miller <ray.miller@oucs.ox.ac.uk>*
19366   "linux-sparc" configuration.
19367
19368   *Christian Forster <fo@hawo.stw.uni-erlangen.de>*
19369
19370 * config now generates no-xxx options for missing ciphers.
19371
19372   *Ulf Möller*
19373
19374 * Support the EBCDIC character set (work in progress).
19375   File ebcdic.c not yet included because it has a different license.
19376
19377   *Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>*
19378
19379 * Support BS2000/OSD-POSIX.
19380
19381   *Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>*
19382
19383 * Make callbacks for key generation use `void *` instead of `char *`.
19384
19385   *Ben Laurie*
19386
19387 * Make S/MIME samples compile (not yet tested).
19388
19389   *Ben Laurie*
19390
19391 * Additional typesafe stacks.
19392
19393   *Ben Laurie*
19394
19395 * New configuration variants "bsdi-elf-gcc" (BSD/OS 4.x).
19396
19397   *Bodo Moeller*
19398
19399### Changes between 0.9.3 and 0.9.3a  [29 May 1999]
19400
19401 * New configuration variant "sco5-gcc".
19402
19403 * Updated some demos.
19404
19405   *Sean O Riordain, Wade Scholine*
19406
19407 * Add missing BIO_free at exit of pkcs12 application.
19408
19409   *Wu Zhigang*
19410
19411 * Fix memory leak in conf.c.
19412
19413   *Steve Henson*
19414
19415 * Updates for Win32 to assembler version of MD5.
19416
19417   *Steve Henson*
19418
19419 * Set #! path to perl in `apps/der_chop` to where we found it
19420   instead of using a fixed path.
19421
19422   *Bodo Moeller*
19423
19424 * SHA library changes for irix64-mips4-cc.
19425
19426   *Andy Polyakov*
19427
19428 * Improvements for VMS support.
19429
19430   *Richard Levitte*
19431
19432### Changes between 0.9.2b and 0.9.3  [24 May 1999]
19433
19434 * Bignum library bug fix. IRIX 6 passes "make test" now!
19435   This also avoids the problems with SC4.2 and unpatched SC5.
19436
19437   *Andy Polyakov <appro@fy.chalmers.se>*
19438
19439 * New functions sk_num, sk_value and sk_set to replace the previous macros.
19440   These are required because of the typesafe stack would otherwise break
19441   existing code. If old code used a structure member which used to be STACK
19442   and is now STACK_OF (for example cert in a PKCS7_SIGNED structure) with
19443   sk_num or sk_value it would produce an error because the num, data members
19444   are not present in STACK_OF. Now it just produces a warning. sk_set
19445   replaces the old method of assigning a value to sk_value
19446   (e.g. sk_value(x, i) = y) which the library used in a few cases. Any code
19447   that does this will no longer work (and should use sk_set instead) but
19448   this could be regarded as a "questionable" behaviour anyway.
19449
19450   *Steve Henson*
19451
19452 * Fix most of the other PKCS#7 bugs. The "experimental" code can now
19453   correctly handle encrypted S/MIME data.
19454
19455   *Steve Henson*
19456
19457 * Change type of various DES function arguments from des_cblock
19458   (which means, in function argument declarations, pointer to char)
19459   to des_cblock * (meaning pointer to array with 8 char elements),
19460   which allows the compiler to do more typechecking; it was like
19461   that back in SSLeay, but with lots of ugly casts.
19462
19463   Introduce new type const_des_cblock.
19464
19465   *Bodo Moeller*
19466
19467 * Reorganise the PKCS#7 library and get rid of some of the more obvious
19468   problems: find RecipientInfo structure that matches recipient certificate
19469   and initialise the ASN1 structures properly based on passed cipher.
19470
19471   *Steve Henson*
19472
19473 * Belatedly make the BN tests actually check the results.
19474
19475   *Ben Laurie*
19476
19477 * Fix the encoding and decoding of negative ASN1 INTEGERS and conversion
19478   to and from BNs: it was completely broken. New compilation option
19479   NEG_PUBKEY_BUG to allow for some broken certificates that encode public
19480   key elements as negative integers.
19481
19482   *Steve Henson*
19483
19484 * Reorganize and speed up MD5.
19485
19486   *Andy Polyakov <appro@fy.chalmers.se>*
19487
19488 * VMS support.
19489
19490   *Richard Levitte <richard@levitte.org>*
19491
19492 * New option -out to asn1parse to allow the parsed structure to be
19493   output to a file. This is most useful when combined with the -strparse
19494   option to examine the output of things like OCTET STRINGS.
19495
19496   *Steve Henson*
19497
19498 * Make SSL library a little more fool-proof by not requiring any longer
19499   that `SSL_set_{accept,connect}_state` be called before
19500   `SSL_{accept,connect}` may be used (`SSL_set_..._state` is omitted
19501   in many applications because usually everything *appeared* to work as
19502   intended anyway -- now it really works as intended).
19503
19504   *Bodo Moeller*
19505
19506 * Move openssl.cnf out of lib/.
19507
19508   *Ulf Möller*
19509
19510 * Fix various things to let OpenSSL even pass "egcc -pipe -O2 -Wall
19511   -Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes
19512   -Wmissing-declarations -Wnested-externs -Winline" with EGCS 1.1.2+
19513
19514   *Ralf S. Engelschall*
19515
19516 * Various fixes to the EVP and PKCS#7 code. It may now be able to
19517   handle PKCS#7 enveloped data properly.
19518
19519   *Sebastian Akerman <sak@parallelconsulting.com>, modified by Steve*
19520
19521 * Create a duplicate of the SSL_CTX's CERT in SSL_new instead of
19522   copying pointers.  The cert_st handling is changed by this in
19523   various ways (and thus what used to be known as ctx->default_cert
19524   is now called ctx->cert, since we don't resort to `s->ctx->[default_]cert`
19525   any longer when s->cert does not give us what we need).
19526   ssl_cert_instantiate becomes obsolete by this change.
19527   As soon as we've got the new code right (possibly it already is?),
19528   we have solved a couple of bugs of the earlier code where s->cert
19529   was used as if it could not have been shared with other SSL structures.
19530
19531   Note that using the SSL API in certain dirty ways now will result
19532   in different behaviour than observed with earlier library versions:
19533   Changing settings for an `SSL_CTX *ctx` after having done s = SSL_new(ctx)
19534   does not influence s as it used to.
19535
19536   In order to clean up things more thoroughly, inside SSL_SESSION
19537   we don't use CERT any longer, but a new structure SESS_CERT
19538   that holds per-session data (if available); currently, this is
19539   the peer's certificate chain and, for clients, the server's certificate
19540   and temporary key.  CERT holds only those values that can have
19541   meaningful defaults in an SSL_CTX.
19542
19543   *Bodo Moeller*
19544
19545 * New function X509V3_EXT_i2d() to create an X509_EXTENSION structure
19546   from the internal representation. Various PKCS#7 fixes: remove some
19547   evil casts and set the enc_dig_alg field properly based on the signing
19548   key type.
19549
19550   *Steve Henson*
19551
19552 * Allow PKCS#12 password to be set from the command line or the
19553   environment. Let 'ca' get its config file name from the environment
19554   variables "OPENSSL_CONF" or "SSLEAY_CONF" (for consistency with 'req'
19555   and 'x509').
19556
19557   *Steve Henson*
19558
19559 * Allow certificate policies extension to use an IA5STRING for the
19560   organization field. This is contrary to the PKIX definition but
19561   VeriSign uses it and IE5 only recognises this form. Document 'x509'
19562   extension option.
19563
19564   *Steve Henson*
19565
19566 * Add PEDANTIC compiler flag to allow compilation with gcc -pedantic,
19567   without disallowing inline assembler and the like for non-pedantic builds.
19568
19569   *Ben Laurie*
19570
19571 * Support Borland C++ builder.
19572
19573   *Janez Jere <jj@void.si>, modified by Ulf Möller*
19574
19575 * Support Mingw32.
19576
19577   *Ulf Möller*
19578
19579 * SHA-1 cleanups and performance enhancements.
19580
19581   *Andy Polyakov <appro@fy.chalmers.se>*
19582
19583 * Sparc v8plus assembler for the bignum library.
19584
19585   *Andy Polyakov <appro@fy.chalmers.se>*
19586
19587 * Accept any -xxx and +xxx compiler options in Configure.
19588
19589   *Ulf Möller*
19590
19591 * Update HPUX configuration.
19592
19593   *Anonymous*
19594
19595 * Add missing `sk_<type>_unshift()` function to safestack.h
19596
19597   *Ralf S. Engelschall*
19598
19599 * New function SSL_CTX_use_certificate_chain_file that sets the
19600   "extra_cert"s in addition to the certificate.  (This makes sense
19601   only for "PEM" format files, as chains as a whole are not
19602   DER-encoded.)
19603
19604   *Bodo Moeller*
19605
19606 * Support verify_depth from the SSL API.
19607   x509_vfy.c had what can be considered an off-by-one-error:
19608   Its depth (which was not part of the external interface)
19609   was actually counting the number of certificates in a chain;
19610   now it really counts the depth.
19611
19612   *Bodo Moeller*
19613
19614 * Bugfix in crypto/x509/x509_cmp.c: The SSLerr macro was used
19615   instead of X509err, which often resulted in confusing error
19616   messages since the error codes are not globally unique
19617   (e.g. an alleged error in ssl3_accept when a certificate
19618   didn't match the private key).
19619
19620 * New function SSL_CTX_set_session_id_context that allows to set a default
19621   value (so that you don't need SSL_set_session_id_context for each
19622   connection using the SSL_CTX).
19623
19624   *Bodo Moeller*
19625
19626 * OAEP decoding bug fix.
19627
19628   *Ulf Möller*
19629
19630 * Support INSTALL_PREFIX for package builders, as proposed by
19631   David Harris.
19632
19633   *Bodo Moeller*
19634
19635 * New Configure options "threads" and "no-threads".  For systems
19636   where the proper compiler options are known (currently Solaris
19637   and Linux), "threads" is the default.
19638
19639   *Bodo Moeller*
19640
19641 * New script util/mklink.pl as a faster substitute for util/mklink.sh.
19642
19643   *Bodo Moeller*
19644
19645 * Install various scripts to $(OPENSSLDIR)/misc, not to
19646   $(INSTALLTOP)/bin -- they shouldn't clutter directories
19647   such as /usr/local/bin.
19648
19649   *Bodo Moeller*
19650
19651 * "make linux-shared" to build shared libraries.
19652
19653   *Niels Poppe <niels@netbox.org>*
19654
19655 * New Configure option `no-<cipher>` (rsa, idea, rc5, ...).
19656
19657   *Ulf Möller*
19658
19659 * Add the PKCS#12 API documentation to openssl.txt. Preliminary support for
19660   extension adding in x509 utility.
19661
19662   *Steve Henson*
19663
19664 * Remove NOPROTO sections and error code comments.
19665
19666   *Ulf Möller*
19667
19668 * Partial rewrite of the DEF file generator to now parse the ANSI
19669   prototypes.
19670
19671   *Steve Henson*
19672
19673 * New Configure options --prefix=DIR and --openssldir=DIR.
19674
19675   *Ulf Möller*
19676
19677 * Complete rewrite of the error code script(s). It is all now handled
19678   by one script at the top level which handles error code gathering,
19679   header rewriting and C source file generation. It should be much better
19680   than the old method: it now uses a modified version of Ulf's parser to
19681   read the ANSI prototypes in all header files (thus the old K&R definitions
19682   aren't needed for error creation any more) and do a better job of
19683   translating function codes into names. The old 'ASN1 error code embedded
19684   in a comment' is no longer necessary and it doesn't use .err files which
19685   have now been deleted. Also the error code call doesn't have to appear all
19686   on one line (which resulted in some large lines...).
19687
19688   *Steve Henson*
19689
19690 * Change #include filenames from `<foo.h>` to `<openssl/foo.h>`.
19691
19692   *Bodo Moeller*
19693
19694 * Change behaviour of ssl2_read when facing length-0 packets: Don't return
19695   0 (which usually indicates a closed connection), but continue reading.
19696
19697   *Bodo Moeller*
19698
19699 * Fix some race conditions.
19700
19701   *Bodo Moeller*
19702
19703 * Add support for CRL distribution points extension. Add Certificate
19704   Policies and CRL distribution points documentation.
19705
19706   *Steve Henson*
19707
19708 * Move the autogenerated header file parts to crypto/opensslconf.h.
19709
19710   *Ulf Möller*
19711
19712 * Fix new 56-bit DES export ciphersuites: they were using 7 bytes instead of
19713   8 of keying material. Merlin has also confirmed interop with this fix
19714   between OpenSSL and Baltimore C/SSL 2.0 and J/SSL 2.0.
19715
19716   *Merlin Hughes <merlin@baltimore.ie>*
19717
19718 * Fix lots of warnings.
19719
19720   *Richard Levitte <levitte@stacken.kth.se>*
19721
19722 * In add_cert_dir() in crypto/x509/by_dir.c, break out of the loop if
19723   the directory spec didn't end with a LIST_SEPARATOR_CHAR.
19724
19725   *Richard Levitte <levitte@stacken.kth.se>*
19726
19727 * Fix problems with sizeof(long) == 8.
19728
19729   *Andy Polyakov <appro@fy.chalmers.se>*
19730
19731 * Change functions to ANSI C.
19732
19733   *Ulf Möller*
19734
19735 * Fix typos in error codes.
19736
19737   *Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>, Ulf Möller*
19738
19739 * Remove defunct assembler files from Configure.
19740
19741   *Ulf Möller*
19742
19743 * SPARC v8 assembler BIGNUM implementation.
19744
19745   *Andy Polyakov <appro@fy.chalmers.se>*
19746
19747 * Support for Certificate Policies extension: both print and set.
19748   Various additions to support the r2i method this uses.
19749
19750   *Steve Henson*
19751
19752 * A lot of constification, and fix a bug in X509_NAME_oneline() that could
19753   return a const string when you are expecting an allocated buffer.
19754
19755   *Ben Laurie*
19756
19757 * Add support for ASN1 types UTF8String and VISIBLESTRING, also the CHOICE
19758   types DirectoryString and DisplayText.
19759
19760   *Steve Henson*
19761
19762 * Add code to allow r2i extensions to access the configuration database,
19763   add an LHASH database driver and add several ctx helper functions.
19764
19765   *Steve Henson*
19766
19767 * Fix an evil bug in bn_expand2() which caused various BN functions to
19768   fail when they extended the size of a BIGNUM.
19769
19770   *Steve Henson*
19771
19772 * Various utility functions to handle SXNet extension. Modify mkdef.pl to
19773   support typesafe stack.
19774
19775   *Steve Henson*
19776
19777 * Fix typo in SSL_[gs]et_options().
19778
19779   *Nils Frostberg <nils@medcom.se>*
19780
19781 * Delete various functions and files that belonged to the (now obsolete)
19782   old X509V3 handling code.
19783
19784   *Steve Henson*
19785
19786 * New Configure option "rsaref".
19787
19788   *Ulf Möller*
19789
19790 * Don't auto-generate pem.h.
19791
19792   *Bodo Moeller*
19793
19794 * Introduce type-safe ASN.1 SETs.
19795
19796   *Ben Laurie*
19797
19798 * Convert various additional casted stacks to type-safe STACK_OF() variants.
19799
19800   *Ben Laurie, Ralf S. Engelschall, Steve Henson*
19801
19802 * Introduce type-safe STACKs. This will almost certainly break lots of code
19803   that links with OpenSSL (well at least cause lots of warnings), but fear
19804   not: the conversion is trivial, and it eliminates loads of evil casts. A
19805   few STACKed things have been converted already. Feel free to convert more.
19806   In the fullness of time, I'll do away with the STACK type altogether.
19807
19808   *Ben Laurie*
19809
19810 * Add `openssl ca -revoke <certfile>` facility which revokes a certificate
19811   specified in `<certfile>` by updating the entry in the index.txt file.
19812   This way one no longer has to edit the index.txt file manually for
19813   revoking a certificate. The -revoke option does the gory details now.
19814
19815   *Massimiliano Pala <madwolf@openca.org>, Ralf S. Engelschall*
19816
19817 * Fix `openssl crl -noout -text` combination where `-noout` killed the
19818   `-text` option at all and this way the `-noout -text` combination was
19819   inconsistent in `openssl crl` with the friends in `openssl x509|rsa|dsa`.
19820
19821   *Ralf S. Engelschall*
19822
19823 * Make sure a corresponding plain text error message exists for the
19824   X509_V_ERR_CERT_REVOKED/23 error number which can occur when a
19825   verify callback function determined that a certificate was revoked.
19826
19827   *Ralf S. Engelschall*
19828
19829 * Bugfix: In test/testenc, don't test `openssl <cipher>` for
19830   ciphers that were excluded, e.g. by -DNO_IDEA.  Also, test
19831   all available ciphers including rc5, which was forgotten until now.
19832   In order to let the testing shell script know which algorithms
19833   are available, a new (up to now undocumented) command
19834   `openssl list-cipher-commands` is used.
19835
19836   *Bodo Moeller*
19837
19838 * Bugfix: s_client occasionally would sleep in select() when
19839   it should have checked SSL_pending() first.
19840
19841   *Bodo Moeller*
19842
19843 * New functions DSA_do_sign and DSA_do_verify to provide access to
19844   the raw DSA values prior to ASN.1 encoding.
19845
19846   *Ulf Möller*
19847
19848 * Tweaks to Configure
19849
19850   *Niels Poppe <niels@netbox.org>*
19851
19852 * Add support for PKCS#5 v2.0 ASN1 PBES2 structures. No other support,
19853   yet...
19854
19855   *Steve Henson*
19856
19857 * New variables $(RANLIB) and $(PERL) in the Makefiles.
19858
19859   *Ulf Möller*
19860
19861 * New config option to avoid instructions that are illegal on the 80386.
19862   The default code is faster, but requires at least a 486.
19863
19864   *Ulf Möller*
19865
19866 * Got rid of old SSL2_CLIENT_VERSION (inconsistently used) and
19867   SSL2_SERVER_VERSION (not used at all) macros, which are now the
19868   same as SSL2_VERSION anyway.
19869
19870   *Bodo Moeller*
19871
19872 * New "-showcerts" option for s_client.
19873
19874   *Bodo Moeller*
19875
19876 * Still more PKCS#12 integration. Add pkcs12 application to openssl
19877   application. Various cleanups and fixes.
19878
19879   *Steve Henson*
19880
19881 * More PKCS#12 integration. Add new pkcs12 directory with Makefile.ssl and
19882   modify error routines to work internally. Add error codes and PBE init
19883   to library startup routines.
19884
19885   *Steve Henson*
19886
19887 * Further PKCS#12 integration. Added password based encryption, PKCS#8 and
19888   packing functions to asn1 and evp. Changed function names and error
19889   codes along the way.
19890
19891   *Steve Henson*
19892
19893 * PKCS12 integration: and so it begins... First of several patches to
19894   slowly integrate PKCS#12 functionality into OpenSSL. Add PKCS#12
19895   objects to objects.h
19896
19897   *Steve Henson*
19898
19899 * Add a new 'indent' option to some X509V3 extension code. Initial ASN1
19900   and display support for Thawte strong extranet extension.
19901
19902   *Steve Henson*
19903
19904 * Add LinuxPPC support.
19905
19906   *Jeff Dubrule <igor@pobox.org>*
19907
19908 * Get rid of redundant BN file bn_mulw.c, and rename bn_div64 to
19909   bn_div_words in alpha.s.
19910
19911   *Hannes Reinecke <H.Reinecke@hw.ac.uk> and Ben Laurie*
19912
19913 * Make sure the RSA OAEP test is skipped under -DRSAref because
19914   OAEP isn't supported when OpenSSL is built with RSAref.
19915
19916   *Ulf Moeller <ulf@fitug.de>*
19917
19918 * Move definitions of IS_SET/IS_SEQUENCE inside crypto/asn1/asn1.h
19919   so they no longer are missing under -DNOPROTO.
19920
19921   *Soren S. Jorvang <soren@t.dk>*
19922
19923### Changes between 0.9.1c and 0.9.2b  [22 Mar 1999]
19924
19925 * Make SSL_get_peer_cert_chain() work in servers. Unfortunately, it still
19926   doesn't work when the session is reused. Coming soon!
19927
19928   *Ben Laurie*
19929
19930 * Fix a security hole, that allows sessions to be reused in the wrong
19931   context thus bypassing client cert protection! All software that uses
19932   client certs and session caches in multiple contexts NEEDS PATCHING to
19933   allow session reuse! A fuller solution is in the works.
19934
19935   *Ben Laurie, problem pointed out by Holger Reif, Bodo Moeller (and ???)*
19936
19937 * Some more source tree cleanups (removed obsolete files
19938   crypto/bf/asm/bf586.pl, test/test.txt and crypto/sha/asm/f.s; changed
19939   permission on "config" script to be executable) and a fix for the INSTALL
19940   document.
19941
19942   *Ulf Moeller <ulf@fitug.de>*
19943
19944 * Remove some legacy and erroneous uses of malloc, free instead of
19945   Malloc, Free.
19946
19947   *Lennart Bang <lob@netstream.se>, with minor changes by Steve*
19948
19949 * Make rsa_oaep_test return non-zero on error.
19950
19951   *Ulf Moeller <ulf@fitug.de>*
19952
19953 * Add support for native Solaris shared libraries. Configure
19954   solaris-sparc-sc4-pic, make, then run shlib/solaris-sc4.sh. It'd be nice
19955   if someone would make that last step automatic.
19956
19957   *Matthias Loepfe <Matthias.Loepfe@AdNovum.CH>*
19958
19959 * ctx_size was not built with the right compiler during "make links". Fixed.
19960
19961   *Ben Laurie*
19962
19963 * Change the meaning of 'ALL' in the cipher list. It now means "everything
19964   except NULL ciphers". This means the default cipher list will no longer
19965   enable NULL ciphers. They need to be specifically enabled e.g. with
19966   the string "DEFAULT:eNULL".
19967
19968   *Steve Henson*
19969
19970 * Fix to RSA private encryption routines: if p < q then it would
19971   occasionally produce an invalid result. This will only happen with
19972   externally generated keys because OpenSSL (and SSLeay) ensure p > q.
19973
19974   *Steve Henson*
19975
19976 * Be less restrictive and allow also `perl util/perlpath.pl
19977   /path/to/bin/perl` in addition to `perl util/perlpath.pl /path/to/bin`,
19978   because this way one can also use an interpreter named `perl5` (which is
19979   usually the name of Perl 5.xxx on platforms where an Perl 4.x is still
19980   installed as `perl`).
19981
19982   *Matthias Loepfe <Matthias.Loepfe@adnovum.ch>*
19983
19984 * Let util/clean-depend.pl work also with older Perl 5.00x versions.
19985
19986   *Matthias Loepfe <Matthias.Loepfe@adnovum.ch>*
19987
19988 * Fix Makefile.org so CC,CFLAG etc are passed to 'make links' add
19989   advapi32.lib to Win32 build and change the pem test comparison
19990   to fc.exe (thanks to Ulrich Kroener <kroneru@yahoo.com> for the
19991   suggestion). Fix misplaced ASNI prototypes and declarations in evp.h
19992   and crypto/des/ede_cbcm_enc.c.
19993
19994   *Steve Henson*
19995
19996 * DES quad checksum was broken on big-endian architectures. Fixed.
19997
19998   *Ben Laurie*
19999
20000 * Comment out two functions in bio.h that aren't implemented. Fix up the
20001   Win32 test batch file so it (might) work again. The Win32 test batch file
20002   is horrible: I feel ill....
20003
20004   *Steve Henson*
20005
20006 * Move various #ifdefs around so NO_SYSLOG, NO_DIRENT etc are now selected
20007   in e_os.h. Audit of header files to check ANSI and non ANSI
20008   sections: 10 functions were absent from non ANSI section and not exported
20009   from Windows DLLs. Fixed up libeay.num for new functions.
20010
20011   *Steve Henson*
20012
20013 * Make `openssl version` output lines consistent.
20014
20015   *Ralf S. Engelschall*
20016
20017 * Fix Win32 symbol export lists for BIO functions: Added
20018   BIO_get_ex_new_index, BIO_get_ex_num, BIO_get_ex_data and BIO_set_ex_data
20019   to ms/libeay{16,32}.def.
20020
20021   *Ralf S. Engelschall*
20022
20023 * Second round of fixing the OpenSSL perl/ stuff. It now at least compiled
20024   fine under Unix and passes some trivial tests I've now added. But the
20025   whole stuff is horribly incomplete, so a README.1ST with a disclaimer was
20026   added to make sure no one expects that this stuff really works in the
20027   OpenSSL 0.9.2 release.  Additionally I've started to clean the XS sources
20028   up and fixed a few little bugs and inconsistencies in OpenSSL.{pm,xs} and
20029   openssl_bio.xs.
20030
20031   *Ralf S. Engelschall*
20032
20033 * Fix the generation of two part addresses in perl.
20034
20035   *Kenji Miyake <kenji@miyake.org>, integrated by Ben Laurie*
20036
20037 * Add config entry for Linux on MIPS.
20038
20039   *John Tobey <jtobey@channel1.com>*
20040
20041 * Make links whenever Configure is run, unless we are on Windoze.
20042
20043   *Ben Laurie*
20044
20045 * Permit extensions to be added to CRLs using crl_section in openssl.cnf.
20046   Currently only issuerAltName and AuthorityKeyIdentifier make any sense
20047   in CRLs.
20048
20049   *Steve Henson*
20050
20051 * Add a useful kludge to allow package maintainers to specify compiler and
20052   other platforms details on the command line without having to patch the
20053   Configure script every time: One now can use
20054   `perl Configure <id>:<details>`,
20055   i.e. platform ids are allowed to have details appended
20056   to them (separated by colons). This is treated as there would be a static
20057   pre-configured entry in Configure's %table under key `<id>` with value
20058   `<details>` and `perl Configure <id>` is called.  So, when you want to
20059   perform a quick test-compile under FreeBSD 3.1 with pgcc and without
20060   assembler stuff you can use `perl Configure "FreeBSD-elf:pgcc:-O6:::"`
20061   now, which overrides the FreeBSD-elf entry on-the-fly.
20062
20063   *Ralf S. Engelschall*
20064
20065 * Disable new TLS1 ciphersuites by default: they aren't official yet.
20066
20067   *Ben Laurie*
20068
20069 * Allow DSO flags like -fpic, -fPIC, -KPIC etc. to be specified
20070   on the `perl Configure ...` command line. This way one can compile
20071   OpenSSL libraries with Position Independent Code (PIC) which is needed
20072   for linking it into DSOs.
20073
20074   *Ralf S. Engelschall*
20075
20076 * Remarkably, export ciphers were totally broken and no-one had noticed!
20077   Fixed.
20078
20079   *Ben Laurie*
20080
20081 * Cleaned up the LICENSE document: The official contact for any license
20082   questions now is the OpenSSL core team under openssl-core@openssl.org.
20083   And add a paragraph about the dual-license situation to make sure people
20084   recognize that _BOTH_ the OpenSSL license _AND_ the SSLeay license apply
20085   to the OpenSSL toolkit.
20086
20087   *Ralf S. Engelschall*
20088
20089 * General source tree makefile cleanups: Made `making xxx in yyy...`
20090   display consistent in the source tree and replaced `/bin/rm` by `rm`.
20091   Additionally cleaned up the `make links` target: Remove unnecessary
20092   semicolons, subsequent redundant removes, inline point.sh into mklink.sh
20093   to speed processing and no longer clutter the display with confusing
20094   stuff. Instead only the actually done links are displayed.
20095
20096   *Ralf S. Engelschall*
20097
20098 * Permit null encryption ciphersuites, used for authentication only. It used
20099   to be necessary to set the preprocessor define SSL_ALLOW_ENULL to do this.
20100   It is now necessary to set SSL_FORBID_ENULL to prevent the use of null
20101   encryption.
20102
20103   *Ben Laurie*
20104
20105 * Add a bunch of fixes to the PKCS#7 stuff. It used to sometimes reorder
20106   signed attributes when verifying signatures (this would break them),
20107   the detached data encoding was wrong and public keys obtained using
20108   X509_get_pubkey() weren't freed.
20109
20110   *Steve Henson*
20111
20112 * Add text documentation for the BUFFER functions. Also added a work around
20113   to a Win95 console bug. This was triggered by the password read stuff: the
20114   last character typed gets carried over to the next fread(). If you were
20115   generating a new cert request using 'req' for example then the last
20116   character of the passphrase would be CR which would then enter the first
20117   field as blank.
20118
20119   *Steve Henson*
20120
20121 * Added the new 'Includes OpenSSL Cryptography Software' button as
20122   doc/openssl_button.{gif,html} which is similar in style to the old SSLeay
20123   button and can be used by applications based on OpenSSL to show the
20124   relationship to the OpenSSL project.
20125
20126   *Ralf S. Engelschall*
20127
20128 * Remove confusing variables in function signatures in files
20129   ssl/ssl_lib.c and ssl/ssl.h.
20130
20131   *Lennart Bong <lob@kulthea.stacken.kth.se>*
20132
20133 * Don't install bss_file.c under PREFIX/include/
20134
20135   *Lennart Bong <lob@kulthea.stacken.kth.se>*
20136
20137 * Get the Win32 compile working again. Modify mkdef.pl so it can handle
20138   functions that return function pointers and has support for NT specific
20139   stuff. Fix mk1mf.pl and VC-32.pl to support NT differences also. Various
20140   #ifdef WIN32 and WINNTs sprinkled about the place and some changes from
20141   unsigned to signed types: this was killing the Win32 compile.
20142
20143   *Steve Henson*
20144
20145 * Add new certificate file to stack functions,
20146   SSL_add_dir_cert_subjects_to_stack() and
20147   SSL_add_file_cert_subjects_to_stack().  These largely supplant
20148   SSL_load_client_CA_file(), and can be used to add multiple certs easily
20149   to a stack (usually this is then handed to SSL_CTX_set_client_CA_list()).
20150   This means that Apache-SSL and similar packages don't have to mess around
20151   to add as many CAs as they want to the preferred list.
20152
20153   *Ben Laurie*
20154
20155 * Experiment with doxygen documentation. Currently only partially applied to
20156   ssl/ssl_lib.c.
20157   See <http://www.stack.nl/~dimitri/doxygen/index.html>, and run doxygen with
20158   openssl.doxy as the configuration file.
20159
20160   *Ben Laurie*
20161
20162 * Get rid of remaining C++-style comments which strict C compilers hate.
20163
20164   *Ralf S. Engelschall, pointed out by Carlos Amengual*
20165
20166 * Changed BN_RECURSION in bn_mont.c to BN_RECURSION_MONT so it is not
20167   compiled in by default: it has problems with large keys.
20168
20169   *Steve Henson*
20170
20171 * Add a bunch of SSL_xxx() functions for configuring the temporary RSA and
20172   DH private keys and/or callback functions which directly correspond to
20173   their SSL_CTX_xxx() counterparts but work on a per-connection basis. This
20174   is needed for applications which have to configure certificates on a
20175   per-connection basis (e.g. Apache+mod_ssl) instead of a per-context basis
20176   (e.g. s_server).
20177      For the RSA certificate situation is makes no difference, but
20178   for the DSA certificate situation this fixes the "no shared cipher"
20179   problem where the OpenSSL cipher selection procedure failed because the
20180   temporary keys were not overtaken from the context and the API provided
20181   no way to reconfigure them.
20182      The new functions now let applications reconfigure the stuff and they
20183   are in detail: SSL_need_tmp_RSA, SSL_set_tmp_rsa, SSL_set_tmp_dh,
20184   SSL_set_tmp_rsa_callback and SSL_set_tmp_dh_callback.  Additionally a new
20185   non-public-API function ssl_cert_instantiate() is used as a helper
20186   function and also to reduce code redundancy inside ssl_rsa.c.
20187
20188   *Ralf S. Engelschall*
20189
20190 * Move s_server -dcert and -dkey options out of the undocumented feature
20191   area because they are useful for the DSA situation and should be
20192   recognized by the users.
20193
20194   *Ralf S. Engelschall*
20195
20196 * Fix the cipher decision scheme for export ciphers: the export bits are
20197   *not* within SSL_MKEY_MASK or SSL_AUTH_MASK, they are within
20198   SSL_EXP_MASK.  So, the original variable has to be used instead of the
20199   already masked variable.
20200
20201   *Richard Levitte <levitte@stacken.kth.se>*
20202
20203 * Fix `port` variable from `int` to `unsigned int` in crypto/bio/b_sock.c
20204
20205   *Richard Levitte <levitte@stacken.kth.se>*
20206
20207 * Change type of another md_len variable in pk7_doit.c:PKCS7_dataFinal()
20208   from `int` to `unsigned int` because it is a length and initialized by
20209   EVP_DigestFinal() which expects an `unsigned int *`.
20210
20211   *Richard Levitte <levitte@stacken.kth.se>*
20212
20213 * Don't hard-code path to Perl interpreter on shebang line of Configure
20214   script. Instead use the usual Shell->Perl transition trick.
20215
20216   *Ralf S. Engelschall*
20217
20218 * Make `openssl x509 -noout -modulus`' functional also for DSA certificates
20219   (in addition to RSA certificates) to match the behaviour of `openssl dsa
20220   -noout -modulus` as it's already the case for `openssl rsa -noout
20221   -modulus`.  For RSA the -modulus is the real "modulus" while for DSA
20222   currently the public key is printed (a decision which was already done by
20223   `openssl dsa -modulus` in the past) which serves a similar purpose.
20224   Additionally the NO_RSA no longer completely removes the whole -modulus
20225   option; it now only avoids using the RSA stuff. Same applies to NO_DSA
20226   now, too.
20227
20228   *Ralf S.  Engelschall*
20229
20230 * Add Arne Ansper's reliable BIO - this is an encrypted, block-digested
20231   BIO. See the source (crypto/evp/bio_ok.c) for more info.
20232
20233   *Arne Ansper <arne@ats.cyber.ee>*
20234
20235 * Dump the old yucky req code that tried (and failed) to allow raw OIDs
20236   to be added. Now both 'req' and 'ca' can use new objects defined in the
20237   config file.
20238
20239   *Steve Henson*
20240
20241 * Add cool BIO that does syslog (or event log on NT).
20242
20243   *Arne Ansper <arne@ats.cyber.ee>, integrated by Ben Laurie*
20244
20245 * Add support for new TLS ciphersuites, TLS_RSA_EXPORT56_WITH_RC4_56_MD5,
20246   TLS_RSA_EXPORT56_WITH_RC2_CBC_56_MD5 and
20247   TLS_RSA_EXPORT56_WITH_DES_CBC_SHA, as specified in "56-bit Export Cipher
20248   Suites For TLS", draft-ietf-tls-56-bit-ciphersuites-00.txt.
20249
20250   *Ben Laurie*
20251
20252 * Add preliminary config info for new extension code.
20253
20254   *Steve Henson*
20255
20256 * Make RSA_NO_PADDING really use no padding.
20257
20258   *Ulf Moeller <ulf@fitug.de>*
20259
20260 * Generate errors when private/public key check is done.
20261
20262   *Ben Laurie*
20263
20264 * Overhaul for 'crl' utility. New function X509_CRL_print. Partial support
20265   for some CRL extensions and new objects added.
20266
20267   *Steve Henson*
20268
20269 * Really fix the ASN1 IMPLICIT bug this time... Partial support for private
20270   key usage extension and fuller support for authority key id.
20271
20272   *Steve Henson*
20273
20274 * Add OAEP encryption for the OpenSSL crypto library. OAEP is the improved
20275   padding method for RSA, which is recommended for new applications in PKCS
20276   #1 v2.0 (RFC 2437, October 1998).
20277   OAEP (Optimal Asymmetric Encryption Padding) has better theoretical
20278   foundations than the ad-hoc padding used in PKCS #1 v1.5. It is secure
20279   against Bleichbacher's attack on RSA.
20280   *Ulf Moeller <ulf@fitug.de>, reformatted, corrected and integrated by
20281   Ben Laurie*
20282
20283 * Updates to the new SSL compression code
20284
20285   *Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)*
20286
20287 * Fix so that the version number in the master secret, when passed
20288   via RSA, checks that if TLS was proposed, but we roll back to SSLv3
20289   (because the server will not accept higher), that the version number
20290   is 0x03,0x01, not 0x03,0x00
20291
20292   *Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)*
20293
20294 * Run extensive memory leak checks on SSL commands. Fixed *lots* of memory
20295   leaks in `ssl/` relating to new `X509_get_pubkey()` behaviour. Also fixes
20296   in `apps/` and an unrelated leak in `crypto/dsa/dsa_vrf.c`.
20297
20298   *Steve Henson*
20299
20300 * Support for RAW extensions where an arbitrary extension can be
20301   created by including its DER encoding. See `apps/openssl.cnf` for
20302   an example.
20303
20304   *Steve Henson*
20305
20306 * Make sure latest Perl versions don't interpret some generated C array
20307   code as Perl array code in the crypto/err/err_genc.pl script.
20308
20309   *Lars Weber <3weber@informatik.uni-hamburg.de>*
20310
20311 * Modify ms/do_ms.bat to not generate assembly language makefiles since
20312   not many people have the assembler. Various Win32 compilation fixes and
20313   update to the INSTALL.W32 file with (hopefully) more accurate Win32
20314   build instructions.
20315
20316   *Steve Henson*
20317
20318 * Modify configure script 'Configure' to automatically create crypto/date.h
20319   file under Win32 and also build pem.h from pem.org. New script
20320   util/mkfiles.pl to create the MINFO file on environments that can't do a
20321   'make files': perl util/mkfiles.pl >MINFO should work.
20322
20323   *Steve Henson*
20324
20325 * Major rework of DES function declarations, in the pursuit of correctness
20326   and purity. As a result, many evil casts evaporated, and some weirdness,
20327   too. You may find this causes warnings in your code. Zapping your evil
20328   casts will probably fix them. Mostly.
20329
20330   *Ben Laurie*
20331
20332 * Fix for a typo in asn1.h. Bug fix to object creation script
20333   obj_dat.pl. It considered a zero in an object definition to mean
20334   "end of object": none of the objects in objects.h have any zeros
20335   so it wasn't spotted.
20336
20337   *Steve Henson, reported by Erwann ABALEA <eabalea@certplus.com>*
20338
20339 * Add support for Triple DES Cipher Block Chaining with Output Feedback
20340   Masking (CBCM). In the absence of test vectors, the best I have been able
20341   to do is check that the decrypt undoes the encrypt, so far. Send me test
20342   vectors if you have them.
20343
20344   *Ben Laurie*
20345
20346 * Correct calculation of key length for export ciphers (too much space was
20347   allocated for null ciphers). This has not been tested!
20348
20349   *Ben Laurie*
20350
20351 * Modifications to the mkdef.pl for Win32 DEF file creation. The usage
20352   message is now correct (it understands "crypto" and "ssl" on its
20353   command line). There is also now an "update" option. This will update
20354   the util/ssleay.num and util/libeay.num files with any new functions.
20355   If you do a:
20356   perl util/mkdef.pl crypto ssl update
20357   it will update them.
20358
20359   *Steve Henson*
20360
20361 * Overhauled the Perl interface:
20362   - ported BN stuff to OpenSSL's different BN library
20363   - made the perl/ source tree CVS-aware
20364   - renamed the package from SSLeay to OpenSSL (the files still contain
20365     their history because I've copied them in the repository)
20366   - removed obsolete files (the test scripts will be replaced
20367     by better Test::Harness variants in the future)
20368
20369   *Ralf S. Engelschall*
20370
20371 * First cut for a very conservative source tree cleanup:
20372   1. merge various obsolete readme texts into doc/ssleay.txt
20373   where we collect the old documents and readme texts.
20374   2. remove the first part of files where I'm already sure that we no
20375   longer need them because of three reasons: either they are just temporary
20376   files which were left by Eric or they are preserved original files where
20377   I've verified that the diff is also available in the CVS via "cvs diff
20378   -rSSLeay_0_8_1b" or they were renamed (as it was definitely the case for
20379   the crypto/md/ stuff).
20380
20381   *Ralf S. Engelschall*
20382
20383 * More extension code. Incomplete support for subject and issuer alt
20384   name, issuer and authority key id. Change the i2v function parameters
20385   and add an extra 'crl' parameter in the X509V3_CTX structure: guess
20386   what that's for :-) Fix to ASN1 macro which messed up
20387   IMPLICIT tag and add f_enum.c which adds a2i, i2a for ENUMERATED.
20388
20389   *Steve Henson*
20390
20391 * Preliminary support for ENUMERATED type. This is largely copied from the
20392   INTEGER code.
20393
20394   *Steve Henson*
20395
20396 * Add new function, EVP_MD_CTX_copy() to replace frequent use of memcpy.
20397
20398   *Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)*
20399
20400 * Make sure `make rehash` target really finds the `openssl` program.
20401
20402   *Ralf S. Engelschall, Matthias Loepfe <Matthias.Loepfe@adnovum.ch>*
20403
20404 * Squeeze another 7% of speed out of MD5 assembler, at least on a P2. I'd
20405   like to hear about it if this slows down other processors.
20406
20407   *Ben Laurie*
20408
20409 * Add CygWin32 platform information to Configure script.
20410
20411   *Alan Batie <batie@aahz.jf.intel.com>*
20412
20413 * Fixed ms/32all.bat script: `no_asm` -> `no-asm`
20414
20415   *Rainer W. Gerling <gerling@mpg-gv.mpg.de>*
20416
20417 * New program nseq to manipulate netscape certificate sequences
20418
20419   *Steve Henson*
20420
20421 * Modify crl2pkcs7 so it supports multiple -certfile arguments. Fix a
20422   few typos.
20423
20424   *Steve Henson*
20425
20426 * Fixes to BN code.  Previously the default was to define BN_RECURSION
20427   but the BN code had some problems that would cause failures when
20428   doing certificate verification and some other functions.
20429
20430   *Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)*
20431
20432 * Add ASN1 and PEM code to support netscape certificate sequences.
20433
20434   *Steve Henson*
20435
20436 * Add ASN1 and PEM code to support netscape certificate sequences.
20437
20438   *Steve Henson*
20439
20440 * Add several PKIX and private extended key usage OIDs.
20441
20442   *Steve Henson*
20443
20444 * Modify the 'ca' program to handle the new extension code. Modify
20445   openssl.cnf for new extension format, add comments.
20446
20447   *Steve Henson*
20448
20449 * More X509 V3 changes. Fix typo in v3_bitstr.c. Add support to 'req'
20450   and add a sample to openssl.cnf so req -x509 now adds appropriate
20451   CA extensions.
20452
20453   *Steve Henson*
20454
20455 * Continued X509 V3 changes. Add to other makefiles, integrate with the
20456   error code, add initial support to X509_print() and x509 application.
20457
20458   *Steve Henson*
20459
20460 * Takes a deep breath and start adding X509 V3 extension support code. Add
20461   files in crypto/x509v3. Move original stuff to crypto/x509v3/old. All this
20462   stuff is currently isolated and isn't even compiled yet.
20463
20464   *Steve Henson*
20465
20466 * Continuing patches for GeneralizedTime. Fix up certificate and CRL
20467   ASN1 to use ASN1_TIME and modify print routines to use ASN1_TIME_print.
20468   Removed the versions check from X509 routines when loading extensions:
20469   this allows certain broken certificates that don't set the version
20470   properly to be processed.
20471
20472   *Steve Henson*
20473
20474 * Deal with irritating shit to do with dependencies, in YAAHW (Yet Another
20475   Ad Hoc Way) - Makefile.ssls now all contain local dependencies, which
20476   can still be regenerated with "make depend".
20477
20478   *Ben Laurie*
20479
20480 * Spelling mistake in C version of CAST-128.
20481
20482   *Ben Laurie, reported by Jeremy Hylton <jeremy@cnri.reston.va.us>*
20483
20484 * Changes to the error generation code. The perl script err-code.pl
20485   now reads in the old error codes and retains the old numbers, only
20486   adding new ones if necessary. It also only changes the .err files if new
20487   codes are added. The makefiles have been modified to only insert errors
20488   when needed (to avoid needlessly modifying header files). This is done
20489   by only inserting errors if the .err file is newer than the auto generated
20490   C file. To rebuild all the error codes from scratch (the old behaviour)
20491   either modify crypto/Makefile.ssl to pass the -regen flag to err_code.pl
20492   or delete all the .err files.
20493
20494   *Steve Henson*
20495
20496 * CAST-128 was incorrectly implemented for short keys. The C version has
20497   been fixed, but is untested. The assembler versions are also fixed, but
20498   new assembler HAS NOT BEEN GENERATED FOR WIN32 - the Makefile needs fixing
20499   to regenerate it if needed.
20500   *Ben Laurie, reported (with fix for C version) by Jun-ichiro itojun
20501    Hagino <itojun@kame.net>*
20502
20503 * File was opened incorrectly in randfile.c.
20504
20505   *Ulf Möller <ulf@fitug.de>*
20506
20507 * Beginning of support for GeneralizedTime. d2i, i2d, check and print
20508   functions. Also ASN1_TIME suite which is a CHOICE of UTCTime or
20509   GeneralizedTime. ASN1_TIME is the proper type used in certificates et
20510   al: it's just almost always a UTCTime. Note this patch adds new error
20511   codes so do a "make errors" if there are problems.
20512
20513   *Steve Henson*
20514
20515 * Correct Linux 1 recognition in config.
20516
20517   *Ulf Möller <ulf@fitug.de>*
20518
20519 * Remove pointless MD5 hash when using DSA keys in ca.
20520
20521   *Anonymous <nobody@replay.com>*
20522
20523 * Generate an error if given an empty string as a cert directory. Also
20524   generate an error if handed NULL (previously returned 0 to indicate an
20525   error, but didn't set one).
20526
20527   *Ben Laurie, reported by Anonymous <nobody@replay.com>*
20528
20529 * Add prototypes to SSL methods. Make SSL_write's buffer const, at last.
20530
20531   *Ben Laurie*
20532
20533 * Fix the dummy function BN_ref_mod_exp() in rsaref.c to have the correct
20534   parameters. This was causing a warning which killed off the Win32 compile.
20535
20536   *Steve Henson*
20537
20538 * Remove C++ style comments from crypto/bn/bn_local.h.
20539
20540   *Neil Costigan <neil.costigan@celocom.com>*
20541
20542 * The function OBJ_txt2nid was broken. It was supposed to return a nid
20543   based on a text string, looking up short and long names and finally
20544   "dot" format. The "dot" format stuff didn't work. Added new function
20545   OBJ_txt2obj to do the same but return an ASN1_OBJECT and rewrote
20546   OBJ_txt2nid to use it. OBJ_txt2obj can also return objects even if the
20547   OID is not part of the table.
20548
20549   *Steve Henson*
20550
20551 * Add prototypes to X509 lookup/verify methods, fixing a bug in
20552   X509_LOOKUP_by_alias().
20553
20554   *Ben Laurie*
20555
20556 * Sort openssl functions by name.
20557
20558   *Ben Laurie*
20559
20560 * Get the `gendsa` command working and add it to the `list` command. Remove
20561   encryption from sample DSA keys (in case anyone is interested the password
20562   was "1234").
20563
20564   *Steve Henson*
20565
20566 * Make *all* `*_free` functions accept a NULL pointer.
20567
20568   *Frans Heymans <fheymans@isaserver.be>*
20569
20570 * If a DH key is generated in s3_srvr.c, don't blow it by trying to use
20571   NULL pointers.
20572
20573   *Anonymous <nobody@replay.com>*
20574
20575 * s_server should send the CAfile as acceptable CAs, not its own cert.
20576
20577   *Bodo Moeller <3moeller@informatik.uni-hamburg.de>*
20578
20579 * Don't blow it for numeric `-newkey` arguments to `apps/req`.
20580
20581   *Bodo Moeller <3moeller@informatik.uni-hamburg.de>*
20582
20583 * Temp key "for export" tests were wrong in s3_srvr.c.
20584
20585   *Anonymous <nobody@replay.com>*
20586
20587 * Add prototype for temp key callback functions
20588   SSL_CTX_set_tmp_{rsa,dh}_callback().
20589
20590   *Ben Laurie*
20591
20592 * Make DH_free() tolerate being passed a NULL pointer (like RSA_free() and
20593   DSA_free()). Make X509_PUBKEY_set() check for errors in d2i_PublicKey().
20594
20595   *Steve Henson*
20596
20597 * X509_name_add_entry() freed the wrong thing after an error.
20598
20599   *Arne Ansper <arne@ats.cyber.ee>*
20600
20601 * rsa_eay.c would attempt to free a NULL context.
20602
20603   *Arne Ansper <arne@ats.cyber.ee>*
20604
20605 * BIO_s_socket() had a broken should_retry() on Windoze.
20606
20607   *Arne Ansper <arne@ats.cyber.ee>*
20608
20609 * BIO_f_buffer() didn't pass on BIO_CTRL_FLUSH.
20610
20611   *Arne Ansper <arne@ats.cyber.ee>*
20612
20613 * Make sure the already existing X509_STORE->depth variable is initialized
20614   in X509_STORE_new(), but document the fact that this variable is still
20615   unused in the certificate verification process.
20616
20617   *Ralf S. Engelschall*
20618
20619 * Fix the various library and `apps/` files to free up pkeys obtained from
20620   X509_PUBKEY_get() et al. Also allow x509.c to handle netscape extensions.
20621
20622   *Steve Henson*
20623
20624 * Fix reference counting in X509_PUBKEY_get(). This makes
20625   demos/maurice/example2.c work, amongst others, probably.
20626
20627   *Steve Henson and Ben Laurie*
20628
20629 * First cut of a cleanup for `apps/`. First the `ssleay` program is now named
20630   `openssl` and second, the shortcut symlinks for the `openssl <command>`
20631   are no longer created. This way we have a single and consistent command
20632   line interface `openssl <command>`, similar to `cvs <command>`.
20633
20634   *Ralf S. Engelschall, Paul Sutton and Ben Laurie*
20635
20636 * ca.c: move test for DSA keys inside #ifndef NO_DSA. Make pubkey
20637   BIT STRING wrapper always have zero unused bits.
20638
20639   *Steve Henson*
20640
20641 * Add CA.pl, perl version of CA.sh, add extended key usage OID.
20642
20643   *Steve Henson*
20644
20645 * Make the top-level INSTALL documentation easier to understand.
20646
20647   *Paul Sutton*
20648
20649 * Makefiles updated to exit if an error occurs in a sub-directory
20650   make (including if user presses ^C) [Paul Sutton]
20651
20652 * Make Montgomery context stuff explicit in RSA data structure.
20653
20654   *Ben Laurie*
20655
20656 * Fix build order of pem and err to allow for generated pem.h.
20657
20658   *Ben Laurie*
20659
20660 * Fix renumbering bug in X509_NAME_delete_entry().
20661
20662   *Ben Laurie*
20663
20664 * Enhanced the err-ins.pl script so it makes the error library number
20665   global and can add a library name. This is needed for external ASN1 and
20666   other error libraries.
20667
20668   *Steve Henson*
20669
20670 * Fixed sk_insert which never worked properly.
20671
20672   *Steve Henson*
20673
20674 * Fix ASN1 macros so they can handle indefinite length constructed
20675   EXPLICIT tags. Some non standard certificates use these: they can now
20676   be read in.
20677
20678   *Steve Henson*
20679
20680 * Merged the various old/obsolete SSLeay documentation files (doc/xxx.doc)
20681   into a single doc/ssleay.txt bundle. This way the information is still
20682   preserved but no longer messes up this directory. Now it's new room for
20683   the new set of documentation files.
20684
20685   *Ralf S. Engelschall*
20686
20687 * SETs were incorrectly DER encoded. This was a major pain, because they
20688   shared code with SEQUENCEs, which aren't coded the same. This means that
20689   almost everything to do with SETs or SEQUENCEs has either changed name or
20690   number of arguments.
20691
20692   *Ben Laurie, based on a partial fix by GP Jayan <gp@nsj.co.jp>*
20693
20694 * Fix test data to work with the above.
20695
20696   *Ben Laurie*
20697
20698 * Fix the RSA header declarations that hid a bug I fixed in 0.9.0b but
20699   was already fixed by Eric for 0.9.1 it seems.
20700
20701   *Ben Laurie - pointed out by Ulf Möller <ulf@fitug.de>*
20702
20703 * Autodetect FreeBSD3.
20704
20705   *Ben Laurie*
20706
20707 * Fix various bugs in Configure. This affects the following platforms:
20708   nextstep
20709   ncr-scde
20710   unixware-2.0
20711   unixware-2.0-pentium
20712   sco5-cc.
20713
20714   *Ben Laurie*
20715
20716 * Eliminate generated files from CVS. Reorder tests to regenerate files
20717   before they are needed.
20718
20719   *Ben Laurie*
20720
20721 * Generate Makefile.ssl from Makefile.org (to keep CVS happy).
20722
20723   *Ben Laurie*
20724
20725### Changes between 0.9.1b and 0.9.1c  [23-Dec-1998]
20726
20727 * Added OPENSSL_VERSION_NUMBER to crypto/crypto.h and
20728   changed SSLeay to OpenSSL in version strings.
20729
20730   *Ralf S. Engelschall*
20731
20732 * Some fixups to the top-level documents.
20733
20734   *Paul Sutton*
20735
20736 * Fixed the nasty bug where rsaref.h was not found under compile-time
20737   because the symlink to include/ was missing.
20738
20739   *Ralf S. Engelschall*
20740
20741 * Incorporated the popular no-RSA/DSA-only patches
20742   which allow to compile an RSA-free SSLeay.
20743
20744   *Andrew Cooke / Interrader Ldt., Ralf S. Engelschall*
20745
20746 * Fixed nasty rehash problem under `make -f Makefile.ssl links`
20747   when "ssleay" is still not found.
20748
20749   *Ralf S. Engelschall*
20750
20751 * Added more platforms to Configure: Cray T3E, HPUX 11,
20752
20753   *Ralf S. Engelschall, Beckmann <beckman@acl.lanl.gov>*
20754
20755 * Updated the README file.
20756
20757   *Ralf S. Engelschall*
20758
20759 * Added various .cvsignore files in the CVS repository subdirs
20760   to make a "cvs update" really silent.
20761
20762   *Ralf S. Engelschall*
20763
20764 * Recompiled the error-definition header files and added
20765   missing symbols to the Win32 linker tables.
20766
20767   *Ralf S. Engelschall*
20768
20769 * Cleaned up the top-level documents;
20770   o new files: CHANGES and LICENSE
20771   o merged VERSION, HISTORY* and README* files a CHANGES.SSLeay
20772   o merged COPYRIGHT into LICENSE
20773   o removed obsolete TODO file
20774   o renamed MICROSOFT to INSTALL.W32
20775
20776   *Ralf S. Engelschall*
20777
20778 * Removed dummy files from the 0.9.1b source tree:
20779   crypto/asn1/x crypto/bio/cd crypto/bio/fg crypto/bio/grep crypto/bio/vi
20780   crypto/bn/asm/......add.c crypto/bn/asm/a.out crypto/dsa/f crypto/md5/f
20781   crypto/pem/gmon.out crypto/perlasm/f crypto/pkcs7/build crypto/rsa/f
20782   crypto/sha/asm/f crypto/threads/f ms/zzz ssl/f ssl/f.mak test/f
20783   util/f.mak util/pl/f util/pl/f.mak crypto/bf/bf_locl.old apps/f
20784
20785   *Ralf S. Engelschall*
20786
20787 * Added various platform portability fixes.
20788
20789   *Mark J. Cox*
20790
20791 * The Genesis of the OpenSSL rpject:
20792   We start with the latest (unreleased) SSLeay version 0.9.1b which Eric A.
20793   Young and Tim J. Hudson created while they were working for C2Net until
20794   summer 1998.
20795
20796   *The OpenSSL Project*
20797
20798### Changes between 0.9.0b and 0.9.1b  [not released]
20799
20800 * Updated a few CA certificates under certs/
20801
20802   *Eric A. Young*
20803
20804 * Changed some BIGNUM api stuff.
20805
20806   *Eric A. Young*
20807
20808 * Various platform ports: OpenBSD, Ultrix, IRIX 64bit, NetBSD,
20809   DGUX x86, Linux Alpha, etc.
20810
20811   *Eric A. Young*
20812
20813 * New COMP library [crypto/comp/] for SSL Record Layer Compression:
20814   RLE (dummy implemented) and ZLIB (really implemented when ZLIB is
20815   available).
20816
20817   *Eric A. Young*
20818
20819 * Add -strparse option to asn1pars program which parses nested
20820   binary structures
20821
20822   *Dr Stephen Henson <shenson@bigfoot.com>*
20823
20824 * Added "oid_file" to ssleay.cnf for "ca" and "req" programs.
20825
20826   *Eric A. Young*
20827
20828 * DSA fix for "ca" program.
20829
20830   *Eric A. Young*
20831
20832 * Added "-genkey" option to "dsaparam" program.
20833
20834   *Eric A. Young*
20835
20836 * Added RIPE MD160 (rmd160) message digest.
20837
20838   *Eric A. Young*
20839
20840 * Added -a (all) option to "ssleay version" command.
20841
20842   *Eric A. Young*
20843
20844 * Added PLATFORM define which is the id given to Configure.
20845
20846   *Eric A. Young*
20847
20848 * Added MemCheck_XXXX functions to crypto/mem.c for memory checking.
20849
20850   *Eric A. Young*
20851
20852 * Extended the ASN.1 parser routines.
20853
20854   *Eric A. Young*
20855
20856 * Extended BIO routines to support REUSEADDR, seek, tell, etc.
20857
20858   *Eric A. Young*
20859
20860 * Added a BN_CTX to the BN library.
20861
20862   *Eric A. Young*
20863
20864 * Fixed the weak key values in DES library
20865
20866   *Eric A. Young*
20867
20868 * Changed API in EVP library for cipher aliases.
20869
20870   *Eric A. Young*
20871
20872 * Added support for RC2/64bit cipher.
20873
20874   *Eric A. Young*
20875
20876 * Converted the lhash library to the crypto/mem.c functions.
20877
20878   *Eric A. Young*
20879
20880 * Added more recognized ASN.1 object ids.
20881
20882   *Eric A. Young*
20883
20884 * Added more RSA padding checks for SSL/TLS.
20885
20886   *Eric A. Young*
20887
20888 * Added BIO proxy/filter functionality.
20889
20890   *Eric A. Young*
20891
20892 * Added extra_certs to SSL_CTX which can be used
20893   send extra CA certificates to the client in the CA cert chain sending
20894   process. It can be configured with SSL_CTX_add_extra_chain_cert().
20895
20896   *Eric A. Young*
20897
20898 * Now Fortezza is denied in the authentication phase because
20899   this is key exchange mechanism is not supported by SSLeay at all.
20900
20901   *Eric A. Young*
20902
20903 * Additional PKCS1 checks.
20904
20905   *Eric A. Young*
20906
20907 * Support the string "TLSv1" for all TLS v1 ciphers.
20908
20909   *Eric A. Young*
20910
20911 * Added function SSL_get_ex_data_X509_STORE_CTX_idx() which gives the
20912   ex_data index of the SSL context in the X509_STORE_CTX ex_data.
20913
20914   *Eric A. Young*
20915
20916 * Fixed a few memory leaks.
20917
20918   *Eric A. Young*
20919
20920 * Fixed various code and comment typos.
20921
20922   *Eric A. Young*
20923
20924 * A minor bug in ssl/s3_clnt.c where there would always be 4 0
20925   bytes sent in the client random.
20926
20927   *Edward Bishop <ebishop@spyglass.com>*
20928
20929<!-- Links -->
20930
20931[CVE-2024-9143]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143
20932[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
20933[CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
20934[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
20935[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
20936[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
20937[CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
20938[CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237
20939[CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129
20940[CVE-2023-5678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5678
20941[CVE-2023-5363]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5363
20942[CVE-2023-4807]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-4807
20943[CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817
20944[CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446
20945[CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975
20946[RFC 2578 (STD 58), section 3.5]: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
20947[CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650
20948[CVE-2023-1255]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-1255
20949[CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466
20950[CVE-2023-0465]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465
20951[CVE-2023-0464]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0464
20952[CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401
20953[CVE-2023-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0286
20954[CVE-2023-0217]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0217
20955[CVE-2023-0216]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0216
20956[CVE-2023-0215]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0215
20957[CVE-2022-4450]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4450
20958[CVE-2022-4304]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4304
20959[CVE-2022-4203]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-4203
20960[CVE-2022-3996]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-3996
20961[CVE-2022-2274]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274
20962[CVE-2022-2097]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2097
20963[CVE-2020-1971]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1971
20964[CVE-2020-1967]: https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1967
20965[CVE-2019-1563]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1563
20966[CVE-2019-1559]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1559
20967[CVE-2019-1552]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1552
20968[CVE-2019-1551]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1551
20969[CVE-2019-1549]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1549
20970[CVE-2019-1547]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1547
20971[CVE-2019-1543]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1543
20972[CVE-2018-5407]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-5407
20973[CVE-2018-0739]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0739
20974[CVE-2018-0737]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0737
20975[CVE-2018-0735]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0735
20976[CVE-2018-0734]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0734
20977[CVE-2018-0733]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0733
20978[CVE-2018-0732]: https://www.openssl.org/news/vulnerabilities.html#CVE-2018-0732
20979[CVE-2017-3738]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3738
20980[CVE-2017-3737]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3737
20981[CVE-2017-3736]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3736
20982[CVE-2017-3735]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3735
20983[CVE-2017-3733]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3733
20984[CVE-2017-3732]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3732
20985[CVE-2017-3731]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3731
20986[CVE-2017-3730]: https://www.openssl.org/news/vulnerabilities.html#CVE-2017-3730
20987[CVE-2016-7055]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7055
20988[CVE-2016-7054]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7054
20989[CVE-2016-7053]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7053
20990[CVE-2016-7052]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-7052
20991[CVE-2016-6309]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6309
20992[CVE-2016-6308]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6308
20993[CVE-2016-6307]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6307
20994[CVE-2016-6306]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6306
20995[CVE-2016-6305]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6305
20996[CVE-2016-6304]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6304
20997[CVE-2016-6303]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6303
20998[CVE-2016-6302]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-6302
20999[CVE-2016-2183]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2183
21000[CVE-2016-2182]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2182
21001[CVE-2016-2181]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2181
21002[CVE-2016-2180]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2180
21003[CVE-2016-2179]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2179
21004[CVE-2016-2178]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2178
21005[CVE-2016-2177]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2177
21006[CVE-2016-2176]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2176
21007[CVE-2016-2109]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2109
21008[CVE-2016-2107]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2107
21009[CVE-2016-2106]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2106
21010[CVE-2016-2105]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-2105
21011[CVE-2016-0800]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0800
21012[CVE-2016-0799]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0799
21013[CVE-2016-0798]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0798
21014[CVE-2016-0797]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0797
21015[CVE-2016-0705]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0705
21016[CVE-2016-0702]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0702
21017[CVE-2016-0701]: https://www.openssl.org/news/vulnerabilities.html#CVE-2016-0701
21018[CVE-2015-3197]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3197
21019[CVE-2015-3196]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3196
21020[CVE-2015-3195]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3195
21021[CVE-2015-3194]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3194
21022[CVE-2015-3193]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-3193
21023[CVE-2015-1793]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1793
21024[CVE-2015-1792]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1792
21025[CVE-2015-1791]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1791
21026[CVE-2015-1790]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1790
21027[CVE-2015-1789]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1789
21028[CVE-2015-1788]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1788
21029[CVE-2015-1787]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-1787
21030[CVE-2015-0293]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0293
21031[CVE-2015-0291]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0291
21032[CVE-2015-0290]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0290
21033[CVE-2015-0289]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0289
21034[CVE-2015-0288]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0288
21035[CVE-2015-0287]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0287
21036[CVE-2015-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0286
21037[CVE-2015-0285]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0285
21038[CVE-2015-0209]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0209
21039[CVE-2015-0208]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0208
21040[CVE-2015-0207]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0207
21041[CVE-2015-0206]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0206
21042[CVE-2015-0205]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0205
21043[CVE-2015-0204]: https://www.openssl.org/news/vulnerabilities.html#CVE-2015-0204
21044[CVE-2014-8275]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-8275
21045[CVE-2014-5139]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-5139
21046[CVE-2014-3572]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3572
21047[CVE-2014-3571]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3571
21048[CVE-2014-3570]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3570
21049[CVE-2014-3569]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3569
21050[CVE-2014-3568]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3568
21051[CVE-2014-3567]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3567
21052[CVE-2014-3566]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3566
21053[CVE-2014-3513]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3513
21054[CVE-2014-3512]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3512
21055[CVE-2014-3511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3511
21056[CVE-2014-3510]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3510
21057[CVE-2014-3509]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3509
21058[CVE-2014-3508]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3508
21059[CVE-2014-3507]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3507
21060[CVE-2014-3506]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3506
21061[CVE-2014-3505]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3505
21062[CVE-2014-3470]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-3470
21063[CVE-2014-0224]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0224
21064[CVE-2014-0221]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0221
21065[CVE-2014-0195]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0195
21066[CVE-2014-0160]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0160
21067[CVE-2014-0076]: https://www.openssl.org/news/vulnerabilities.html#CVE-2014-0076
21068[CVE-2013-6450]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-6450
21069[CVE-2013-4353]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-4353
21070[CVE-2013-0169]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-0169
21071[CVE-2013-0166]: https://www.openssl.org/news/vulnerabilities.html#CVE-2013-0166
21072[CVE-2012-2686]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2686
21073[CVE-2012-2333]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2333
21074[CVE-2012-2110]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-2110
21075[CVE-2012-0884]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0884
21076[CVE-2012-0050]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0050
21077[CVE-2012-0027]: https://www.openssl.org/news/vulnerabilities.html#CVE-2012-0027
21078[CVE-2011-4619]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4619
21079[CVE-2011-4577]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4577
21080[CVE-2011-4576]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4576
21081[CVE-2011-4109]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4109
21082[CVE-2011-4108]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-4108
21083[CVE-2011-3210]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-3210
21084[CVE-2011-3207]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-3207
21085[CVE-2011-0014]: https://www.openssl.org/news/vulnerabilities.html#CVE-2011-0014
21086[CVE-2010-4252]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-4252
21087[CVE-2010-4180]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-4180
21088[CVE-2010-3864]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-3864
21089[CVE-2010-1633]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-1633
21090[CVE-2010-0740]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-0740
21091[CVE-2010-0433]: https://www.openssl.org/news/vulnerabilities.html#CVE-2010-0433
21092[CVE-2009-4355]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-4355
21093[CVE-2009-3555]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-3555
21094[CVE-2009-3245]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-3245
21095[CVE-2009-1386]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1386
21096[CVE-2009-1379]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1379
21097[CVE-2009-1378]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1378
21098[CVE-2009-1377]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-1377
21099[CVE-2009-0789]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0789
21100[CVE-2009-0591]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0591
21101[CVE-2009-0590]: https://www.openssl.org/news/vulnerabilities.html#CVE-2009-0590
21102[CVE-2008-5077]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-5077
21103[CVE-2008-1678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-1678
21104[CVE-2008-1672]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-1672
21105[CVE-2008-0891]: https://www.openssl.org/news/vulnerabilities.html#CVE-2008-0891
21106[CVE-2007-5135]: https://www.openssl.org/news/vulnerabilities.html#CVE-2007-5135
21107[CVE-2007-4995]: https://www.openssl.org/news/vulnerabilities.html#CVE-2007-4995
21108[CVE-2006-4343]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-4343
21109[CVE-2006-4339]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-4339
21110[CVE-2006-3738]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-3738
21111[CVE-2006-2940]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-2940
21112[CVE-2006-2937]: https://www.openssl.org/news/vulnerabilities.html#CVE-2006-2937
21113[CVE-2005-2969]: https://www.openssl.org/news/vulnerabilities.html#CVE-2005-2969
21114[CVE-2004-0112]: https://www.openssl.org/news/vulnerabilities.html#CVE-2004-0112
21115[CVE-2004-0079]: https://www.openssl.org/news/vulnerabilities.html#CVE-2004-0079
21116[CVE-2003-0851]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0851
21117[CVE-2003-0545]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0545
21118[CVE-2003-0544]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0544
21119[CVE-2003-0543]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0543
21120[CVE-2003-0078]: https://www.openssl.org/news/vulnerabilities.html#CVE-2003-0078
21121[CVE-2002-0659]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0659
21122[CVE-2002-0657]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0657
21123[CVE-2002-0656]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0656
21124[CVE-2002-0655]: https://www.openssl.org/news/vulnerabilities.html#CVE-2002-0655
21125[CMVP]: https://csrc.nist.gov/projects/cryptographic-module-validation-program
21126[ESV]: https://csrc.nist.gov/Projects/cryptographic-module-validation-program/entropy-validations
21127