Skip to content
CHANGES 440 KiB
Newer Older
7001 7002 7003 7004 7005 7006 7007 7008 7009 7010 7011 7012 7013 7014 7015 7016 7017 7018 7019 7020 7021 7022 7023 7024 7025 7026 7027 7028 7029 7030 7031 7032 7033 7034 7035 7036 7037 7038 7039 7040 7041 7042 7043 7044 7045 7046 7047 7048 7049 7050 7051 7052 7053 7054 7055 7056 7057 7058 7059 7060 7061 7062 7063 7064 7065 7066 7067 7068 7069 7070 7071 7072 7073 7074 7075 7076 7077 7078 7079 7080 7081 7082 7083 7084 7085 7086 7087 7088 7089 7090 7091 7092 7093 7094 7095 7096 7097 7098 7099 7100 7101 7102 7103 7104 7105 7106 7107 7108 7109 7110 7111 7112 7113 7114 7115 7116 7117 7118 7119 7120 7121 7122 7123 7124 7125 7126 7127 7128 7129 7130 7131 7132 7133 7134 7135 7136 7137 7138 7139 7140 7141 7142 7143 7144 7145 7146 7147 7148 7149 7150 7151 7152 7153 7154 7155 7156 7157 7158 7159 7160 7161 7162 7163 7164 7165 7166 7167 7168 7169 7170 7171 7172 7173 7174 7175 7176 7177 7178 7179 7180 7181 7182 7183 7184 7185 7186 7187 7188 7189 7190 7191 7192 7193 7194 7195 7196 7197 7198 7199 7200 7201 7202 7203 7204 7205 7206 7207 7208 7209 7210 7211 7212 7213 7214 7215 7216 7217 7218 7219 7220 7221 7222 7223 7224 7225 7226 7227 7228 7229 7230 7231 7232 7233 7234 7235 7236 7237 7238 7239 7240 7241 7242 7243 7244 7245 7246 7247 7248 7249 7250 7251 7252 7253 7254 7255 7256 7257 7258 7259 7260 7261 7262 7263 7264 7265 7266 7267 7268 7269 7270 7271 7272 7273 7274 7275 7276 7277 7278 7279 7280 7281 7282 7283 7284 7285 7286 7287 7288 7289 7290 7291 7292 7293 7294 7295 7296 7297 7298 7299 7300 7301 7302 7303 7304 7305 7306 7307 7308 7309 7310 7311 7312 7313 7314 7315 7316 7317 7318 7319 7320 7321 7322 7323 7324 7325 7326 7327 7328 7329 7330 7331 7332 7333 7334 7335 7336 7337 7338 7339 7340 7341 7342 7343 7344 7345 7346 7347 7348 7349 7350 7351 7352 7353 7354 7355 7356 7357 7358 7359 7360 7361 7362 7363 7364 7365 7366 7367 7368 7369 7370 7371 7372 7373 7374 7375 7376 7377 7378 7379 7380 7381 7382 7383 7384 7385 7386 7387 7388 7389 7390 7391 7392 7393 7394 7395 7396 7397 7398 7399 7400 7401 7402 7403 7404 7405 7406 7407 7408 7409 7410 7411 7412 7413 7414 7415 7416 7417 7418 7419 7420 7421 7422 7423 7424 7425 7426 7427 7428 7429 7430 7431 7432 7433 7434 7435 7436 7437 7438 7439 7440 7441 7442 7443 7444 7445 7446 7447 7448 7449 7450 7451 7452 7453 7454 7455 7456 7457 7458 7459 7460 7461 7462 7463 7464 7465 7466 7467 7468 7469 7470 7471 7472 7473 7474 7475 7476 7477 7478 7479 7480 7481 7482 7483 7484 7485 7486 7487 7488 7489 7490 7491 7492 7493 7494 7495 7496 7497 7498 7499 7500 7501 7502 7503 7504 7505 7506 7507 7508 7509 7510 7511 7512 7513 7514 7515 7516 7517 7518 7519 7520 7521 7522 7523 7524 7525 7526 7527 7528 7529 7530 7531 7532 7533 7534 7535 7536 7537 7538 7539 7540 7541 7542 7543 7544 7545 7546 7547 7548 7549 7550 7551 7552 7553 7554 7555 7556 7557 7558 7559 7560 7561 7562 7563 7564 7565 7566 7567 7568 7569 7570 7571 7572 7573 7574 7575 7576 7577 7578 7579 7580 7581 7582 7583 7584 7585 7586 7587 7588 7589 7590 7591 7592 7593 7594 7595 7596 7597 7598 7599 7600 7601 7602 7603 7604 7605 7606 7607 7608 7609 7610 7611 7612 7613 7614 7615 7616 7617 7618 7619 7620 7621 7622 7623 7624 7625 7626 7627 7628 7629 7630 7631 7632 7633 7634 7635 7636 7637 7638 7639 7640 7641 7642 7643 7644 7645 7646 7647 7648 7649 7650 7651 7652 7653 7654 7655 7656 7657 7658 7659 7660 7661 7662 7663 7664 7665 7666 7667 7668 7669 7670 7671 7672 7673 7674 7675 7676 7677 7678 7679 7680 7681 7682 7683 7684 7685 7686 7687 7688 7689 7690 7691 7692 7693 7694 7695 7696 7697 7698 7699 7700 7701 7702 7703 7704 7705 7706 7707 7708 7709 7710 7711 7712 7713 7714 7715 7716 7717 7718 7719 7720 7721 7722 7723 7724 7725 7726 7727 7728 7729 7730 7731 7732 7733 7734 7735 7736 7737 7738 7739 7740 7741 7742 7743 7744 7745 7746 7747 7748 7749 7750 7751 7752 7753 7754 7755 7756 7757 7758 7759 7760 7761 7762 7763 7764 7765 7766 7767 7768 7769 7770 7771 7772 7773 7774 7775 7776 7777 7778 7779 7780 7781 7782 7783 7784 7785 7786 7787 7788 7789 7790 7791 7792 7793 7794 7795 7796 7797 7798 7799 7800 7801 7802 7803 7804 7805 7806 7807 7808 7809 7810 7811 7812 7813 7814 7815 7816 7817 7818 7819 7820 7821 7822 7823 7824 7825 7826 7827 7828 7829 7830 7831 7832 7833 7834 7835 7836 7837 7838 7839 7840 7841 7842 7843 7844 7845 7846 7847 7848 7849 7850 7851 7852 7853 7854 7855 7856 7857 7858 7859 7860 7861 7862 7863 7864 7865 7866 7867 7868 7869 7870 7871 7872 7873 7874 7875 7876 7877 7878 7879 7880 7881 7882 7883 7884 7885 7886 7887 7888 7889 7890 7891 7892 7893 7894 7895 7896 7897 7898 7899 7900 7901 7902 7903 7904 7905 7906 7907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 7921 7922 7923 7924 7925 7926 7927 7928 7929 7930 7931 7932 7933 7934 7935 7936 7937 7938 7939 7940 7941 7942 7943 7944 7945 7946 7947 7948 7949 7950 7951 7952 7953 7954 7955 7956 7957 7958 7959 7960 7961 7962 7963 7964 7965 7966 7967 7968 7969 7970 7971 7972 7973 7974 7975 7976 7977 7978 7979 7980 7981 7982 7983 7984 7985 7986 7987 7988 7989 7990 7991 7992 7993 7994 7995 7996 7997 7998 7999 8000
     [Sven Uszpelkat <su@celocom.de>]

  *) Major change in util/mkdef.pl to include extra information
     about each symbol, as well as presentig variables as well
     as functions.  This change means that there's n more need
     to rebuild the .num files when some algorithms are excluded.
     [Richard Levitte]

  *) Allow the verify time to be set by an application,
     rather than always using the current time.
     [Steve Henson]
  
  *) Phase 2 verify code reorganisation. The certificate
     verify code now looks up an issuer certificate by a
     number of criteria: subject name, authority key id
     and key usage. It also verifies self signed certificates
     by the same criteria. The main comparison function is
     X509_check_issued() which performs these checks.
 
     Lot of changes were necessary in order to support this
     without completely rewriting the lookup code.
 
     Authority and subject key identifier are now cached.
 
     The LHASH 'certs' is X509_STORE has now been replaced
     by a STACK_OF(X509_OBJECT). This is mainly because an
     LHASH can't store or retrieve multiple objects with
     the same hash value.

     As a result various functions (which were all internal
     use only) have changed to handle the new X509_STORE
     structure. This will break anything that messed round
     with X509_STORE internally.
 
     The functions X509_STORE_add_cert() now checks for an
     exact match, rather than just subject name.
 
     The X509_STORE API doesn't directly support the retrieval
     of multiple certificates matching a given criteria, however
     this can be worked round by performing a lookup first
     (which will fill the cache with candidate certificates)
     and then examining the cache for matches. This is probably
     the best we can do without throwing out X509_LOOKUP
     entirely (maybe later...).
 
     The X509_VERIFY_CTX structure has been enhanced considerably.
 
     All certificate lookup operations now go via a get_issuer()
     callback. Although this currently uses an X509_STORE it
     can be replaced by custom lookups. This is a simple way
     to bypass the X509_STORE hackery necessary to make this
     work and makes it possible to use more efficient techniques
     in future. A very simple version which uses a simple
     STACK for its trusted certificate store is also provided
     using X509_STORE_CTX_trusted_stack().
 
     The verify_cb() and verify() callbacks now have equivalents
     in the X509_STORE_CTX structure.
 
     X509_STORE_CTX also has a 'flags' field which can be used
     to customise the verify behaviour.
     [Steve Henson]
 
  *) Add new PKCS#7 signing option PKCS7_NOSMIMECAP which 
     excludes S/MIME capabilities.
     [Steve Henson]

  *) When a certificate request is read in keep a copy of the
     original encoding of the signed data and use it when outputing
     again. Signatures then use the original encoding rather than
     a decoded, encoded version which may cause problems if the
     request is improperly encoded.
     [Steve Henson]

  *) For consistency with other BIO_puts implementations, call
     buffer_write(b, ...) directly in buffer_puts instead of calling
     BIO_write(b, ...).

     In BIO_puts, increment b->num_write as in BIO_write.
     [Peter.Sylvester@EdelWeb.fr]

  *) Fix BN_mul_word for the case where the word is 0. (We have to use
     BN_zero, we may not return a BIGNUM with an array consisting of
     words set to zero.)
     [Bodo Moeller]

  *) Avoid calling abort() from within the library when problems are
     detected, except if preprocessor symbols have been defined
     (such as REF_CHECK, BN_DEBUG etc.).
     [Bodo Moeller]

  *) New openssl application 'rsautl'. This utility can be
     used for low level RSA operations. DER public key
     BIO/fp routines also added.
     [Steve Henson]

  *) New Configure entry and patches for compiling on QNX 4.
     [Andreas Schneider <andreas@ds3.etech.fh-hamburg.de>]

  *) A demo state-machine implementation was sponsored by
     Nuron (http://www.nuron.com/) and is now available in
     demos/state_machine.
     [Ben Laurie]

  *) New options added to the 'dgst' utility for signature
     generation and verification.
     [Steve Henson]

  *) Unrecognized PKCS#7 content types are now handled via a
     catch all ASN1_TYPE structure. This allows unsupported
     types to be stored as a "blob" and an application can
     encode and decode it manually.
     [Steve Henson]

  *) Fix various signed/unsigned issues to make a_strex.c
     compile under VC++.
     [Oscar Jacobsson <oscar.jacobsson@celocom.com>]

  *) ASN1 fixes. i2d_ASN1_OBJECT was not returning the correct
     length if passed a buffer. ASN1_INTEGER_to_BN failed
     if passed a NULL BN and its argument was negative.
     [Steve Henson, pointed out by Sven Heiberg <sven@tartu.cyber.ee>]

  *) Modification to PKCS#7 encoding routines to output definite
     length encoding. Since currently the whole structures are in
     memory there's not real point in using indefinite length 
     constructed encoding. However if OpenSSL is compiled with
     the flag PKCS7_INDEFINITE_ENCODING the old form is used.
     [Steve Henson]

  *) Added BIO_vprintf() and BIO_vsnprintf().
     [Richard Levitte]

  *) Added more prefixes to parse for in the the strings written
     through a logging bio, to cover all the levels that are available
     through syslog.  The prefixes are now:

	PANIC, EMERG, EMR	=>	LOG_EMERG
	ALERT, ALR		=>	LOG_ALERT
	CRIT, CRI		=>	LOG_CRIT
	ERROR, ERR		=>	LOG_ERR
	WARNING, WARN, WAR	=>	LOG_WARNING
	NOTICE, NOTE, NOT	=>	LOG_NOTICE
	INFO, INF		=>	LOG_INFO
	DEBUG, DBG		=>	LOG_DEBUG

     and as before, if none of those prefixes are present at the
     beginning of the string, LOG_ERR is chosen.

     On Win32, the LOG_* levels are mapped according to this:

	LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR	=> EVENTLOG_ERROR_TYPE
	LOG_WARNING				=> EVENTLOG_WARNING_TYPE
	LOG_NOTICE, LOG_INFO, LOG_DEBUG		=> EVENTLOG_INFORMATION_TYPE

     [Richard Levitte]

  *) Made it possible to reconfigure with just the configuration
     argument "reconf" or "reconfigure".  The command line arguments
     are stored in Makefile.ssl in the variable CONFIGURE_ARGS,
     and are retrieved from there when reconfiguring.
     [Richard Levitte]

  *) MD4 implemented.
     [Assar Westerlund <assar@sics.se>, Richard Levitte]

  *) Add the arguments -CAfile and -CApath to the pkcs12 utility.
     [Richard Levitte]

  *) The obj_dat.pl script was messing up the sorting of object
     names. The reason was that it compared the quoted version
     of strings as a result "OCSP" > "OCSP Signing" because
     " > SPACE. Changed script to store unquoted versions of
     names and add quotes on output. It was also omitting some
     names from the lookup table if they were given a default
     value (that is if SN is missing it is given the same
     value as LN and vice versa), these are now added on the
     grounds that if an object has a name we should be able to
     look it up. Finally added warning output when duplicate
     short or long names are found.
     [Steve Henson]

  *) Changes needed for Tandem NSK.
     [Scott Uroff <scott@xypro.com>]

  *) Fix SSL 2.0 rollback checking: Due to an off-by-one error in
     RSA_padding_check_SSLv23(), special padding was never detected
     and thus the SSL 3.0/TLS 1.0 countermeasure against protocol
     version rollback attacks was not effective.

     In s23_clnt.c, don't use special rollback-attack detection padding
     (RSA_SSLV23_PADDING) if SSL 2.0 is the only protocol enabled in the
     client; similarly, in s23_srvr.c, don't do the rollback check if
     SSL 2.0 is the only protocol enabled in the server.
     [Bodo Moeller]

  *) Make it possible to get hexdumps of unprintable data with 'openssl
     asn1parse'.  By implication, the functions ASN1_parse_dump() and
     BIO_dump_indent() are added.
     [Richard Levitte]

  *) New functions ASN1_STRING_print_ex() and X509_NAME_print_ex()
     these print out strings and name structures based on various
     flags including RFC2253 support and proper handling of
     multibyte characters. Added options to the 'x509' utility 
     to allow the various flags to be set.
     [Steve Henson]

  *) Various fixes to use ASN1_TIME instead of ASN1_UTCTIME.
     Also change the functions X509_cmp_current_time() and
     X509_gmtime_adj() work with an ASN1_TIME structure,
     this will enable certificates using GeneralizedTime in validity
     dates to be checked.
     [Steve Henson]

  *) Make the NEG_PUBKEY_BUG code (which tolerates invalid
     negative public key encodings) on by default,
     NO_NEG_PUBKEY_BUG can be set to disable it.
     [Steve Henson]

  *) New function c2i_ASN1_OBJECT() which acts on ASN1_OBJECT
     content octets. An i2c_ASN1_OBJECT is unnecessary because
     the encoding can be trivially obtained from the structure.
     [Steve Henson]

  *) crypto/err.c locking bugfix: Use write locks (CRYPTO_w_[un]lock),
     not read locks (CRYPTO_r_[un]lock).
     [Bodo Moeller]

  *) A first attempt at creating official support for shared
     libraries through configuration.  I've kept it so the
     default is static libraries only, and the OpenSSL programs
     are always statically linked for now, but there are
     preparations for dynamic linking in place.
     This has been tested on Linux and Tru64.
     [Richard Levitte]

  *) Randomness polling function for Win9x, as described in:
     Peter Gutmann, Software Generation of Practically Strong
     Random Numbers.
     [Ulf Möller]

  *) Fix so PRNG is seeded in req if using an already existing
     DSA key.
     [Steve Henson]

  *) New options to smime application. -inform and -outform
     allow alternative formats for the S/MIME message including
     PEM and DER. The -content option allows the content to be
     specified separately. This should allow things like Netscape
     form signing output easier to verify.
     [Steve Henson]

  *) Fix the ASN1 encoding of tags using the 'long form'.
     [Steve Henson]

  *) New ASN1 functions, i2c_* and c2i_* for INTEGER and BIT
     STRING types. These convert content octets to and from the
     underlying type. The actual tag and length octets are
     already assumed to have been read in and checked. These
     are needed because all other string types have virtually
     identical handling apart from the tag. By having versions
     of the ASN1 functions that just operate on content octets
     IMPLICIT tagging can be handled properly. It also allows
     the ASN1_ENUMERATED code to be cut down because ASN1_ENUMERATED
     and ASN1_INTEGER are identical apart from the tag.
     [Steve Henson]

  *) Change the handling of OID objects as follows:

     - New object identifiers are inserted in objects.txt, following
       the syntax given in objects.README.
     - objects.pl is used to process obj_mac.num and create a new
       obj_mac.h.
     - obj_dat.pl is used to create a new obj_dat.h, using the data in
       obj_mac.h.

     This is currently kind of a hack, and the perl code in objects.pl
     isn't very elegant, but it works as I intended.  The simplest way
     to check that it worked correctly is to look in obj_dat.h and
     check the array nid_objs and make sure the objects haven't moved
     around (this is important!).  Additions are OK, as well as
     consistent name changes. 
     [Richard Levitte]

  *) Add BSD-style MD5-based passwords to 'openssl passwd' (option '-1').
     [Bodo Moeller]

  *) Addition of the command line parameter '-rand file' to 'openssl req'.
     The given file adds to whatever has already been seeded into the
     random pool through the RANDFILE configuration file option or
     environment variable, or the default random state file.
     [Richard Levitte]

  *) mkstack.pl now sorts each macro group into lexical order.
     Previously the output order depended on the order the files
     appeared in the directory, resulting in needless rewriting
     of safestack.h .
     [Steve Henson]

  *) Patches to make OpenSSL compile under Win32 again. Mostly
     work arounds for the VC++ problem that it treats func() as
     func(void). Also stripped out the parts of mkdef.pl that
     added extra typesafe functions: these no longer exist.
     [Steve Henson]

  *) Reorganisation of the stack code. The macros are now all 
     collected in safestack.h . Each macro is defined in terms of
     a "stack macro" of the form SKM_<name>(type, a, b). The 
     DEBUG_SAFESTACK is now handled in terms of function casts,
     this has the advantage of retaining type safety without the
     use of additional functions. If DEBUG_SAFESTACK is not defined
     then the non typesafe macros are used instead. Also modified the
     mkstack.pl script to handle the new form. Needs testing to see
     if which (if any) compilers it chokes and maybe make DEBUG_SAFESTACK
     the default if no major problems. Similar behaviour for ASN1_SET_OF
     and PKCS12_STACK_OF.
     [Steve Henson]

  *) When some versions of IIS use the 'NET' form of private key the
     key derivation algorithm is different. Normally MD5(password) is
     used as a 128 bit RC4 key. In the modified case
     MD5(MD5(password) + "SGCKEYSALT")  is used insted. Added some
     new functions i2d_RSA_NET(), d2i_RSA_NET() etc which are the same
     as the old Netscape_RSA functions except they have an additional
     'sgckey' parameter which uses the modified algorithm. Also added
     an -sgckey command line option to the rsa utility. Thanks to 
     Adrian Peck <bertie@ncipher.com> for posting details of the modified
     algorithm to openssl-dev.
     [Steve Henson]

  *) The evp_local.h macros were using 'c.##kname' which resulted in
     invalid expansion on some systems (SCO 5.0.5 for example).
     Corrected to 'c.kname'.
     [Phillip Porch <root@theporch.com>]

  *) New X509_get1_email() and X509_REQ_get1_email() functions that return
     a STACK of email addresses from a certificate or request, these look
     in the subject name and the subject alternative name extensions and 
     omit any duplicate addresses.
     [Steve Henson]

  *) Re-implement BN_mod_exp2_mont using independent (and larger) windows.
     This makes DSA verification about 2 % faster.
     [Bodo Moeller]

  *) Increase maximum window size in BN_mod_exp_... to 6 bits instead of 5
     (meaning that now 2^5 values will be precomputed, which is only 4 KB
     plus overhead for 1024 bit moduli).
     This makes exponentiations about 0.5 % faster for 1024 bit
     exponents (as measured by "openssl speed rsa2048").
     [Bodo Moeller]

  *) Rename memory handling macros to avoid conflicts with other
     software:
          Malloc         =>  OPENSSL_malloc
          Malloc_locked  =>  OPENSSL_malloc_locked
          Realloc        =>  OPENSSL_realloc
          Free           =>  OPENSSL_free
     [Richard Levitte]

  *) New function BN_mod_exp_mont_word for small bases (roughly 15%
     faster than BN_mod_exp_mont, i.e. 7% for a full DH exchange).
     [Bodo Moeller]

  *) CygWin32 support.
     [John Jarvie <jjarvie@newsguy.com>]

  *) The type-safe stack code has been rejigged. It is now only compiled
     in when OpenSSL is configured with the DEBUG_SAFESTACK option and
     by default all type-specific stack functions are "#define"d back to
     standard stack functions. This results in more streamlined output
     but retains the type-safety checking possibilities of the original
     approach.
     [Geoff Thorpe]

  *) The STACK code has been cleaned up, and certain type declarations
     that didn't make a lot of sense have been brought in line. This has
     also involved a cleanup of sorts in safestack.h to more correctly
     map type-safe stack functions onto their plain stack counterparts.
     This work has also resulted in a variety of "const"ifications of
     lots of the code, especially "_cmp" operations which should normally
     be prototyped with "const" parameters anyway.
     [Geoff Thorpe]

  *) When generating bytes for the first time in md_rand.c, 'stir the pool'
     by seeding with STATE_SIZE dummy bytes (with zero entropy count).
     (The PRNG state consists of two parts, the large pool 'state' and 'md',
     where all of 'md' is used each time the PRNG is used, but 'state'
     is used only indexed by a cyclic counter. As entropy may not be
     well distributed from the beginning, 'md' is important as a
     chaining variable. However, the output function chains only half
     of 'md', i.e. 80 bits.  ssleay_rand_add, on the other hand, chains
     all of 'md', and seeding with STATE_SIZE dummy bytes will result
     in all of 'state' being rewritten, with the new values depending
     on virtually all of 'md'.  This overcomes the 80 bit limitation.)
     [Bodo Moeller]

  *) In ssl/s2_clnt.c and ssl/s3_clnt.c, call ERR_clear_error() when
     the handshake is continued after ssl_verify_cert_chain();
     otherwise, if SSL_VERIFY_NONE is set, remaining error codes
     can lead to 'unexplainable' connection aborts later.
     [Bodo Moeller; problem tracked down by Lutz Jaenicke]

  *) Major EVP API cipher revision.
     Add hooks for extra EVP features. This allows various cipher
     parameters to be set in the EVP interface. Support added for variable
     key length ciphers via the EVP_CIPHER_CTX_set_key_length() function and
     setting of RC2 and RC5 parameters.

     Modify EVP_OpenInit() and EVP_SealInit() to cope with variable key length
     ciphers.

     Remove lots of duplicated code from the EVP library. For example *every*
     cipher init() function handles the 'iv' in the same way according to the
     cipher mode. They also all do nothing if the 'key' parameter is NULL and
     for CFB and OFB modes they zero ctx->num.

     New functionality allows removal of S/MIME code RC2 hack.

     Most of the routines have the same form and so can be declared in terms
     of macros.

     By shifting this to the top level EVP_CipherInit() it can be removed from
     all individual ciphers. If the cipher wants to handle IVs or keys
     differently it can set the EVP_CIPH_CUSTOM_IV or EVP_CIPH_ALWAYS_CALL_INIT
     flags.

     Change lots of functions like EVP_EncryptUpdate() to now return a
     value: although software versions of the algorithms cannot fail
     any installed hardware versions can.
     [Steve Henson]

  *) Implement SSL_OP_TLS_ROLLBACK_BUG: In ssl3_get_client_key_exchange, if
     this option is set, tolerate broken clients that send the negotiated
     protocol version number instead of the requested protocol version
     number.
     [Bodo Moeller]

  *) Call dh_tmp_cb (set by ..._TMP_DH_CB) with correct 'is_export' flag;
     i.e. non-zero for export ciphersuites, zero otherwise.
     Previous versions had this flag inverted, inconsistent with
     rsa_tmp_cb (..._TMP_RSA_CB).
     [Bodo Moeller; problem reported by Amit Chopra]

  *) Add missing DSA library text string. Work around for some IIS
     key files with invalid SEQUENCE encoding.
     [Steve Henson]

  *) Add a document (doc/standards.txt) that list all kinds of standards
     and so on that are implemented in OpenSSL.
     [Richard Levitte]

  *) Enhance c_rehash script. Old version would mishandle certificates
     with the same subject name hash and wouldn't handle CRLs at all.
     Added -fingerprint option to crl utility, to support new c_rehash
     features.
     [Steve Henson]

  *) Eliminate non-ANSI declarations in crypto.h and stack.h.
     [Ulf Möller]

  *) Fix for SSL server purpose checking. Server checking was
     rejecting certificates which had extended key usage present
     but no ssl client purpose.
     [Steve Henson, reported by Rene Grosser <grosser@hisolutions.com>]

  *) Make PKCS#12 code work with no password. The PKCS#12 spec
     is a little unclear about how a blank password is handled.
     Since the password in encoded as a BMPString with terminating
     double NULL a zero length password would end up as just the
     double NULL. However no password at all is different and is
     handled differently in the PKCS#12 key generation code. NS
     treats a blank password as zero length. MSIE treats it as no
     password on export: but it will try both on import. We now do
     the same: PKCS12_parse() tries zero length and no password if
     the password is set to "" or NULL (NULL is now a valid password:
     it wasn't before) as does the pkcs12 application.
     [Steve Henson]

  *) Bugfixes in apps/x509.c: Avoid a memory leak; and don't use
     perror when PEM_read_bio_X509_REQ fails, the error message must
     be obtained from the error queue.
     [Bodo Moeller]

  *) Avoid 'thread_hash' memory leak in crypto/err/err.c by freeing
     it in ERR_remove_state if appropriate, and change ERR_get_state
     accordingly to avoid race conditions (this is necessary because
     thread_hash is no longer constant once set).
     [Bodo Moeller]

  *) Bugfix for linux-elf makefile.one.
     [Ulf Möller]

  *) RSA_get_default_method() will now cause a default
     RSA_METHOD to be chosen if one doesn't exist already.
     Previously this was only set during a call to RSA_new()
     or RSA_new_method(NULL) meaning it was possible for
     RSA_get_default_method() to return NULL.
     [Geoff Thorpe]

  *) Added native name translation to the existing DSO code
     that will convert (if the flag to do so is set) filenames
     that are sufficiently small and have no path information
     into a canonical native form. Eg. "blah" converted to
     "libblah.so" or "blah.dll" etc.
     [Geoff Thorpe]

  *) New function ERR_error_string_n(e, buf, len) which is like
     ERR_error_string(e, buf), but writes at most 'len' bytes
     including the 0 terminator.  For ERR_error_string_n, 'buf'
     may not be NULL.
     [Damien Miller <djm@mindrot.org>, Bodo Moeller]

  *) CONF library reworked to become more general.  A new CONF
     configuration file reader "class" is implemented as well as a
     new functions (NCONF_*, for "New CONF") to handle it.  The now
     old CONF_* functions are still there, but are reimplemented to
     work in terms of the new functions.  Also, a set of functions
     to handle the internal storage of the configuration data is
     provided to make it easier to write new configuration file
     reader "classes" (I can definitely see something reading a
     configuration file in XML format, for example), called _CONF_*,
     or "the configuration storage API"...

     The new configuration file reading functions are:

        NCONF_new, NCONF_free, NCONF_load, NCONF_load_fp, NCONF_load_bio,
        NCONF_get_section, NCONF_get_string, NCONF_get_numbre

        NCONF_default, NCONF_WIN32

        NCONF_dump_fp, NCONF_dump_bio

     NCONF_default and NCONF_WIN32 are method (or "class") choosers,
     NCONF_new creates a new CONF object.  This works in the same way
     as other interfaces in OpenSSL, like the BIO interface.
     NCONF_dump_* dump the internal storage of the configuration file,
     which is useful for debugging.  All other functions take the same
     arguments as the old CONF_* functions wth the exception of the
     first that must be a `CONF *' instead of a `LHASH *'.

     To make it easer to use the new classes with the old CONF_* functions,
     the function CONF_set_default_method is provided.
     [Richard Levitte]

  *) Add '-tls1' option to 'openssl ciphers', which was already
     mentioned in the documentation but had not been implemented.
     (This option is not yet really useful because even the additional
     experimental TLS 1.0 ciphers are currently treated as SSL 3.0 ciphers.)
     [Bodo Moeller]

  *) Initial DSO code added into libcrypto for letting OpenSSL (and
     OpenSSL-based applications) load shared libraries and bind to
     them in a portable way.
     [Geoff Thorpe, with contributions from Richard Levitte]

 Changes between 0.9.5 and 0.9.5a  [1 Apr 2000]

  *) Make sure _lrotl and _lrotr are only used with MSVC.

  *) Use lock CRYPTO_LOCK_RAND correctly in ssleay_rand_status
     (the default implementation of RAND_status).

  *) Rename openssl x509 option '-crlext', which was added in 0.9.5,
     to '-clrext' (= clear extensions), as intended and documented.
     [Bodo Moeller; inconsistency pointed out by Michael Attili
     <attili@amaxo.com>]

  *) Fix for HMAC. It wasn't zeroing the rest of the block if the key length
     was larger than the MD block size.      
     [Steve Henson, pointed out by Yost William <YostW@tce.com>]

  *) Modernise PKCS12_parse() so it uses STACK_OF(X509) for its ca argument
     fix a leak when the ca argument was passed as NULL. Stop X509_PUBKEY_set()
     using the passed key: if the passed key was a private key the result
     of X509_print(), for example, would be to print out all the private key
     components.
     [Steve Henson]

  *) des_quad_cksum() byte order bug fix.
     [Ulf Möller, using the problem description in krb4-0.9.7, where
      the solution is attributed to Derrick J Brashear <shadow@DEMENTIA.ORG>]

  *) Fix so V_ASN1_APP_CHOOSE works again: however its use is strongly
     discouraged.
     [Steve Henson, pointed out by Brian Korver <briank@cs.stanford.edu>]

  *) For easily testing in shell scripts whether some command
     'openssl XXX' exists, the new pseudo-command 'openssl no-XXX'
     returns with exit code 0 iff no command of the given name is available.
     'no-XXX' is printed in this case, 'XXX' otherwise.  In both cases,
     the output goes to stdout and nothing is printed to stderr.
     Additional arguments are always ignored.

     Since for each cipher there is a command of the same name,
     the 'no-cipher' compilation switches can be tested this way.

     ('openssl no-XXX' is not able to detect pseudo-commands such
     as 'quit', 'list-XXX-commands', or 'no-XXX' itself.)
     [Bodo Moeller]

  *) Update test suite so that 'make test' succeeds in 'no-rsa' configuration.
     [Bodo Moeller]

  *) For SSL_[CTX_]set_tmp_dh, don't create a DH key if SSL_OP_SINGLE_DH_USE
     is set; it will be thrown away anyway because each handshake creates
     its own key.
     ssl_cert_dup, which is used by SSL_new, now copies DH keys in addition
     to parameters -- in previous versions (since OpenSSL 0.9.3) the
     'default key' from SSL_CTX_set_tmp_dh would always be lost, meanining
     you effectivly got SSL_OP_SINGLE_DH_USE when using this macro.
     [Bodo Moeller]

  *) New s_client option -ign_eof: EOF at stdin is ignored, and
     'Q' and 'R' lose their special meanings (quit/renegotiate).
     This is part of what -quiet does; unlike -quiet, -ign_eof
     does not suppress any output.
     [Richard Levitte]

  *) Add compatibility options to the purpose and trust code. The
     purpose X509_PURPOSE_ANY is "any purpose" which automatically
     accepts a certificate or CA, this was the previous behaviour,
     with all the associated security issues.

     X509_TRUST_COMPAT is the old trust behaviour: only and
     automatically trust self signed roots in certificate store. A
     new trust setting X509_TRUST_DEFAULT is used to specify that
     a purpose has no associated trust setting and it should instead
     use the value in the default purpose.
     [Steve Henson]

  *) Fix the PKCS#8 DSA private key code so it decodes keys again
     and fix a memory leak.
     [Steve Henson]

  *) In util/mkerr.pl (which implements 'make errors'), preserve
     reason strings from the previous version of the .c file, as
     the default to have only downcase letters (and digits) in
     automatically generated reasons codes is not always appropriate.
     [Bodo Moeller]

  *) In ERR_load_ERR_strings(), build an ERR_LIB_SYS error reason table
     using strerror.  Previously, ERR_reason_error_string() returned
     library names as reason strings for SYSerr; but SYSerr is a special
     case where small numbers are errno values, not library numbers.
     [Bodo Moeller]

  *) Add '-dsaparam' option to 'openssl dhparam' application.  This
     converts DSA parameters into DH parameters. (When creating parameters,
     DSA_generate_parameters is used.)
     [Bodo Moeller]

  *) Include 'length' (recommended exponent length) in C code generated
     by 'openssl dhparam -C'.
     [Bodo Moeller]

  *) The second argument to set_label in perlasm was already being used
     so couldn't be used as a "file scope" flag. Moved to third argument
     which was free.
     [Steve Henson]

  *) In PEM_ASN1_write_bio and some other functions, use RAND_pseudo_bytes
     instead of RAND_bytes for encryption IVs and salts.
     [Bodo Moeller]

  *) Include RAND_status() into RAND_METHOD instead of implementing
     it only for md_rand.c  Otherwise replacing the PRNG by calling
     RAND_set_rand_method would be impossible.
     [Bodo Moeller]

  *) Don't let DSA_generate_key() enter an infinite loop if the random
     number generation fails.
     [Bodo Moeller]

  *) New 'rand' application for creating pseudo-random output.
     [Bodo Moeller]

  *) Added configuration support for Linux/IA64
     [Rolf Haberrecker <rolf@suse.de>]

  *) Assembler module support for Mingw32.
     [Ulf Möller]

  *) Shared library support for HPUX (in shlib/).
     [Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> and Anonymous]

  *) Shared library support for Solaris gcc.
     [Lutz Behnke <behnke@trustcenter.de>]

 Changes between 0.9.4 and 0.9.5  [28 Feb 2000]

  *) PKCS7_encrypt() was adding text MIME headers twice because they
     were added manually and by SMIME_crlf_copy().
     [Steve Henson]

  *) In bntest.c don't call BN_rand with zero bits argument.
     [Steve Henson, pointed out by Andrew W. Gray <agray@iconsinc.com>]

  *) BN_mul bugfix: In bn_mul_part_recursion() only the a>a[n] && b>b[n]
     case was implemented. This caused BN_div_recp() to fail occasionally.
     [Ulf Möller]

  *) Add an optional second argument to the set_label() in the perl
     assembly language builder. If this argument exists and is set
     to 1 it signals that the assembler should use a symbol whose 
     scope is the entire file, not just the current function. This
     is needed with MASM which uses the format label:: for this scope.
     [Steve Henson, pointed out by Peter Runestig <peter@runestig.com>]

  *) Change the ASN1 types so they are typedefs by default. Before
     almost all types were #define'd to ASN1_STRING which was causing
     STACK_OF() problems: you couldn't declare STACK_OF(ASN1_UTF8STRING)
     for example.
     [Steve Henson]

  *) Change names of new functions to the new get1/get0 naming
     convention: After 'get1', the caller owns a reference count
     and has to call ..._free; 'get0' returns a pointer to some
     data structure without incrementing reference counters.
     (Some of the existing 'get' functions increment a reference
     counter, some don't.)
     Similarly, 'set1' and 'add1' functions increase reference
     counters or duplicate objects.
     [Steve Henson]

  *) Allow for the possibility of temp RSA key generation failure:
     the code used to assume it always worked and crashed on failure.
     [Steve Henson]

  *) Fix potential buffer overrun problem in BIO_printf().
     [Ulf Möller, using public domain code by Patrick Powell; problem
      pointed out by David Sacerdote <das33@cornell.edu>]

  *) Support EGD <http://www.lothar.com/tech/crypto/>.  New functions
     RAND_egd() and RAND_status().  In the command line application,
     the EGD socket can be specified like a seed file using RANDFILE
     or -rand.
     [Ulf Möller]

  *) Allow the string CERTIFICATE to be tolerated in PKCS#7 structures.
     Some CAs (e.g. Verisign) distribute certificates in this form.
     [Steve Henson]

  *) Remove the SSL_ALLOW_ADH compile option and set the default cipher
     list to exclude them. This means that no special compilation option
     is needed to use anonymous DH: it just needs to be included in the
     cipher list.
     [Steve Henson]

  *) Change the EVP_MD_CTX_type macro so its meaning consistent with
     EVP_MD_type. The old functionality is available in a new macro called
     EVP_MD_md(). Change code that uses it and update docs.
     [Steve Henson]

  *) ..._ctrl functions now have corresponding ..._callback_ctrl functions
     where the 'void *' argument is replaced by a function pointer argument.
     Previously 'void *' was abused to point to functions, which works on
     many platforms, but is not correct.  As these functions are usually
     called by macros defined in OpenSSL header files, most source code
     should work without changes.
     [Richard Levitte]

  *) <openssl/opensslconf.h> (which is created by Configure) now contains
     sections with information on -D... compiler switches used for
     compiling the library so that applications can see them.  To enable
     one of these sections, a pre-processor symbol OPENSSL_..._DEFINES
     must be defined.  E.g.,
        #define OPENSSL_ALGORITHM_DEFINES
        #include <openssl/opensslconf.h>
     defines all pertinent NO_<algo> symbols, such as NO_IDEA, NO_RSA, etc.
     [Richard Levitte, Ulf and Bodo Möller]

  *) Bugfix: Tolerate fragmentation and interleaving in the SSL 3/TLS
     record layer.
     [Bodo Moeller]

  *) Change the 'other' type in certificate aux info to a STACK_OF
     X509_ALGOR. Although not an AlgorithmIdentifier as such it has
     the required ASN1 format: arbitrary types determined by an OID.
     [Steve Henson]

  *) Add some PEM_write_X509_REQ_NEW() functions and a command line
     argument to 'req'. This is not because the function is newer or
     better than others it just uses the work 'NEW' in the certificate
     request header lines. Some software needs this.
     [Steve Henson]

  *) Reorganise password command line arguments: now passwords can be
     obtained from various sources. Delete the PEM_cb function and make
     it the default behaviour: i.e. if the callback is NULL and the
     usrdata argument is not NULL interpret it as a null terminated pass
     phrase. If usrdata and the callback are NULL then the pass phrase
     is prompted for as usual.
     [Steve Henson]

  *) Add support for the Compaq Atalla crypto accelerator. If it is installed,
     the support is automatically enabled. The resulting binaries will
     autodetect the card and use it if present.
     [Ben Laurie and Compaq Inc.]

  *) Work around for Netscape hang bug. This sends certificate request
     and server done in one record. Since this is perfectly legal in the
     SSL/TLS protocol it isn't a "bug" option and is on by default. See
     the bugs/SSLv3 entry for more info.
     [Steve Henson]

  *) HP-UX tune-up: new unified configs, HP C compiler bug workaround.
     [Andy Polyakov]

  *) Add -rand argument to smime and pkcs12 applications and read/write
     of seed file.
     [Steve Henson]

  *) New 'passwd' tool for crypt(3) and apr1 password hashes.
     [Bodo Moeller]

  *) Add command line password options to the remaining applications.
     [Steve Henson]

  *) Bug fix for BN_div_recp() for numerators with an even number of
     bits.
     [Ulf Möller]

  *) More tests in bntest.c, and changed test_bn output.
     [Ulf Möller]

  *) ./config recognizes MacOS X now.
     [Andy Polyakov]

  *) Bug fix for BN_div() when the first words of num and divsor are
     equal (it gave wrong results if (rem=(n1-q*d0)&BN_MASK2) < d0).
     [Ulf Möller]

  *) Add support for various broken PKCS#8 formats, and command line
     options to produce them.
     [Steve Henson]

  *) New functions BN_CTX_start(), BN_CTX_get() and BT_CTX_end() to
     get temporary BIGNUMs from a BN_CTX.
     [Ulf Möller]

  *) Correct return values in BN_mod_exp_mont() and BN_mod_exp2_mont()
     for p == 0.
     [Ulf Möller]

  *) Change the SSLeay_add_all_*() functions to OpenSSL_add_all_*() and
     include a #define from the old name to the new. The original intent
     was that statically linked binaries could for example just call
     SSLeay_add_all_ciphers() to just add ciphers to the table and not
     link with digests. This never worked becayse SSLeay_add_all_digests()
     and SSLeay_add_all_ciphers() were in the same source file so calling
     one would link with the other. They are now in separate source files.
     [Steve Henson]

  *) Add a new -notext option to 'ca' and a -pubkey option to 'spkac'.
     [Steve Henson]

  *) Use a less unusual form of the Miller-Rabin primality test (it used
     a binary algorithm for exponentiation integrated into the Miller-Rabin
     loop, our standard modexp algorithms are faster).
     [Bodo Moeller]

  *) Support for the EBCDIC character set completed.
     [Martin Kraemer <Martin.Kraemer@Mch.SNI.De>]

  *) Source code cleanups: use const where appropriate, eliminate casts,
     use void * instead of char * in lhash.
     [Ulf Möller] 

  *) Bugfix: ssl3_send_server_key_exchange was not restartable
     (the state was not changed to SSL3_ST_SW_KEY_EXCH_B, and because of
     this the server could overwrite ephemeral keys that the client
     has already seen).
     [Bodo Moeller]

  *) Turn DSA_is_prime into a macro that calls BN_is_prime,
     using 50 iterations of the Rabin-Miller test.

     DSA_generate_parameters now uses BN_is_prime_fasttest (with 50
     iterations of the Rabin-Miller test as required by the appendix
     to FIPS PUB 186[-1]) instead of DSA_is_prime.
     As BN_is_prime_fasttest includes trial division, DSA parameter
     generation becomes much faster.

     This implies a change for the callback functions in DSA_is_prime
     and DSA_generate_parameters: The callback function is called once
     for each positive witness in the Rabin-Miller test, not just
     occasionally in the inner loop; and the parameters to the
     callback function now provide an iteration count for the outer
     loop rather than for the current invocation of the inner loop.
     DSA_generate_parameters additionally can call the callback
     function with an 'iteration count' of -1, meaning that a
     candidate has passed the trial division test (when q is generated 
     from an application-provided seed, trial division is skipped).
     [Bodo Moeller]

  *) New function BN_is_prime_fasttest that optionally does trial
     division before starting the Rabin-Miller test and has
     an additional BN_CTX * argument (whereas BN_is_prime always
     has to allocate at least one BN_CTX).
     'callback(1, -1, cb_arg)' is called when a number has passed the
     trial division stage.
     [Bodo Moeller]

  *) Fix for bug in CRL encoding. The validity dates weren't being handled
     as ASN1_TIME.
     [Steve Henson]

  *) New -pkcs12 option to CA.pl script to write out a PKCS#12 file.
     [Steve Henson]

  *) New function BN_pseudo_rand().
     [Ulf Möller]

  *) Clean up BN_mod_mul_montgomery(): replace the broken (and unreadable)
     bignum version of BN_from_montgomery() with the working code from
     SSLeay 0.9.0 (the word based version is faster anyway), and clean up
     the comments.
     [Ulf Möller]

  *) Avoid a race condition in s2_clnt.c (function get_server_hello) that
     made it impossible to use the same SSL_SESSION data structure in
     SSL2 clients in multiple threads.
     [Bodo Moeller]

  *) The return value of RAND_load_file() no longer counts bytes obtained
     by stat().  RAND_load_file(..., -1) is new and uses the complete file
     to seed the PRNG (previously an explicit byte count was required).
     [Ulf Möller, Bodo Möller]

  *) Clean up CRYPTO_EX_DATA functions, some of these didn't have prototypes
     used (char *) instead of (void *) and had casts all over the place.
     [Steve Henson]

  *) Make BN_generate_prime() return NULL on error if ret!=NULL.
     [Ulf Möller]

  *) Retain source code compatibility for BN_prime_checks macro:
     BN_is_prime(..., BN_prime_checks, ...) now uses
     BN_prime_checks_for_size to determine the appropriate number of
     Rabin-Miller iterations.
     [Ulf Möller]

  *) Diffie-Hellman uses "safe" primes: DH_check() return code renamed to
     DH_CHECK_P_NOT_SAFE_PRIME.
     (Check if this is true? OpenPGP calls them "strong".)
     [Ulf Möller]

  *) Merge the functionality of "dh" and "gendh" programs into a new program
     "dhparam". The old programs are retained for now but will handle DH keys
     (instead of parameters) in future.
     [Steve Henson]

  *) Make the ciphers, s_server and s_client programs check the return values
     when a new cipher list is set.
     [Steve Henson]

  *) Enhance the SSL/TLS cipher mechanism to correctly handle the TLS 56bit
     ciphers. Before when the 56bit ciphers were enabled the sorting was
     wrong.

     The syntax for the cipher sorting has been extended to support sorting by
     cipher-strength (using the strength_bits hard coded in the tables).
     The new command is "@STRENGTH" (see also doc/apps/ciphers.pod).

     Fix a bug in the cipher-command parser: when supplying a cipher command
     string with an "undefined" symbol (neither command nor alphanumeric
     [A-Za-z0-9], ssl_set_cipher_list used to hang in an endless loop. Now
     an error is flagged.

     Due to the strength-sorting extension, the code of the
     ssl_create_cipher_list() function was completely rearranged. I hope that
     the readability was also increased :-)
     [Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>]

  *) Minor change to 'x509' utility. The -CAcreateserial option now uses 1
     for the first serial number and places 2 in the serial number file. This
     avoids problems when the root CA is created with serial number zero and
     the first user certificate has the same issuer name and serial number
     as the root CA.
     [Steve Henson]

  *) Fixes to X509_ATTRIBUTE utilities, change the 'req' program so it uses
     the new code. Add documentation for this stuff.
     [Steve Henson]

  *) Changes to X509_ATTRIBUTE utilities. These have been renamed from
     X509_*() to X509at_*() on the grounds that they don't handle X509
     structures and behave in an analagous way to the X509v3 functions:
     they shouldn't be called directly but wrapper functions should be used
     instead.

     So we also now have some wrapper functions that call the X509at functions
     when passed certificate requests. (TO DO: similar things can be done with
     PKCS#7 signed and unsigned attributes, PKCS#12 attributes and a few other
     things. Some of these need some d2i or i2d and print functionality
     because they handle more complex structures.)
     [Steve Henson]