[thirdparty/openssl.git] / CHANGES


 OpenSSL CHANGES
 _______________

 Changes between 0.9.6 and 0.9.7  [xx XXX 2001]

     OpenSSL 0.9.6a/0.9.6b (bugfix releases, 5 Apr 2001 and 9 July 2001)
     and OpenSSL 0.9.7 were developed in parallel, based on OpenSSL 0.9.6.  

     Change log entries are tagged as follows:
         -) applies to 0.9.6a/0.9.6b/0.9.6c only
         *) applies to 0.9.6a/0.9.6b/0.9.6c and 0.9.7
         +) applies to 0.9.7 only

  +) Prelminary ENGINE config module.
     [Steve Henson]

  *) The earlier bugfix for the SSL3_ST_SW_HELLO_REQ_C case of
     ssl3_accept (ssl/s3_srvr.c) incorrectly used a local flag
     variable as an indication that a ClientHello message has been
     received.  As the flag value will be lost between multiple
     invocations of ssl3_accept when using non-blocking I/O, the
     function may not be aware that a handshake has actually taken
     place, thus preventing a new session from being added to the
     session cache.

     To avoid this problem, we now set s->new_session to 2 instead of
     using a local variable.
     [Lutz Jaenicke, Bodo Moeller]

  *) Bugfix: Return -1 from ssl3_get_server_done (ssl3/s3_clnt.c)
     if the SSL_R_LENGTH_MISMATCH error is detected.
     [Geoff Thorpe, Bodo Moeller]

  +) New experimental application configuration code.
     [Steve Henson]

  *) New 'shared_ldflag' column in Configure platform table.
     [Richard Levitte]

  *) Fix EVP_CIPHER_mode macro.
     ["Dan S. Camper" <dan@bti.net>]

  +) Change the AES code to follow the same name structure as all other
     symmetric ciphers, and behave the same way.  Move everything to
     the directory crypto/aes, thereby obsoleting crypto/rijndael.
     [Stephen Sprunk <stephen@sprunk.org> and Richard Levitte]

  *) Fix ssl3_read_bytes (ssl/s3_pkt.c): To ignore messages of unknown
     type, we must throw them away by setting rr->length to 0.
     [D P Chang <dpc@qualys.com>]

  -) OpenSSL 0.9.6c released [21 dec 2001]

  +) SECURITY: remove unsafe setjmp/signal interaction from ui_openssl.c.
     [Ben Laurie and Theo de Raadt]

  *) Fix BN_rand_range bug pointed out by Dominikus Scherkl
     <Dominikus.Scherkl@biodata.com>.  (The previous implementation
     worked incorrectly for those cases where  range = 10..._2  and
     3*range  is two bits longer than  range.)
     [Bodo Moeller]

  *) Only add signing time to PKCS7 structures if it is not already
     present.
     [Steve Henson]

  *) Fix crypto/objects/objects.h: "ld-ce" should be "id-ce",
     OBJ_ld_ce should be OBJ_id_ce.
     Also some ip-pda OIDs in crypto/objects/objects.txt were
     incorrect (cf. RFC 3039).
     [Matt Cooper, Frederic Giudicelli, Bodo Moeller]

  +) Add option to output public keys in req command.
     [Massimiliano Pala madwolf@openca.org]

  *) Release CRYPTO_LOCK_DYNLOCK when CRYPTO_destroy_dynlockid()
     returns early because it has nothing to do.
     [Andy Schneider <andy.schneider@bjss.co.uk>]

  *) [In 0.9.6c-engine and 0.9.7 release:]
     Fix mutex callback return values in crypto/engine/hw_ncipher.c.
     [Andy Schneider <andy.schneider@bjss.co.uk>]

  -) [In 0.9.6c-engine release:]
     Add support for Cryptographic Appliance's keyserver technology.
     (Use engine 'keyclient')
     [Cryptographic Appliances and Geoff Thorpe]

  *) Add a configuration entry for OS/390 Unix.  The C compiler 'c89'
     is called via tools/c89.sh because arguments have to be
     rearranged (all '-L' options must appear before the first object
     modules).
     [Richard Shapiro <rshapiro@abinitio.com>]

  +) Use wNAFs in EC_POINTs_mul() for improved efficiency
     (up to about 10% better than before for P-192 and P-224).
     [Bodo Moeller]

  -) [In 0.9.6c-engine release:]
     Add support for Broadcom crypto accelerator cards, backported
     from 0.9.7.
     [Broadcom, Nalin Dahyabhai <nalin@redhat.com>, Mark Cox]

  -) [In 0.9.6c-engine release:]
     Add support for SureWare crypto accelerator cards from 
     Baltimore Technologies.  (Use engine 'sureware')
     [Baltimore Technologies and Mark Cox]

  -) [In 0.9.6c-engine release:]
     Add support for crypto accelerator cards from Accelerated
     Encryption Processing, www.aep.ie.  (Use engine 'aep')
     [AEP Inc. and Mark Cox]

  *) Add a configuration entry for gcc on UnixWare.
     [Gary Benson <gbenson@redhat.com>]

  +) New functions/macros

          SSL_CTX_set_msg_callback(ctx, cb)
          SSL_CTX_set_msg_callback_arg(ctx, arg)
          SSL_set_msg_callback(ssl, cb)
          SSL_set_msg_callback_arg(ssl, arg)

     to request calling a callback function

          void cb(int write_p, int version, int content_type,
                  const void *buf, size_t len, SSL *ssl, void *arg)

     whenever a protocol message has been completely received
     (write_p == 0) or sent (write_p == 1).  Here 'version' is the
     protocol version  according to which the SSL library interprets
     the current protocol message (SSL2_VERSION, SSL3_VERSION, or
     TLS1_VERSION).  'content_type' is 0 in the case of SSL 2.0, or
     the content type as defined in the SSL 3.0/TLS 1.0 protocol
     specification (change_cipher_spec(20), alert(21), handshake(22)).
     'buf' and 'len' point to the actual message, 'ssl' to the
     SSL object, and 'arg' is the application-defined value set by
     SSL[_CTX]_set_msg_callback_arg().

     'openssl s_client' and 'openssl s_server' have new '-msg' options
     to enable a callback that displays all protocol messages.
     [Bodo Moeller]

  *) Change ssl/s2_clnt.c and ssl/s2_srvr.c so that received handshake
     messages are stored in a single piece (fixed-length part and
     variable-length part combined) and fix various bugs found on the way.
     [Bodo Moeller]

  +) Change the shared library support so shared libraries are built as
     soon as the corresponding static library is finished, and thereby get
     openssl and the test programs linked against the shared library.
     This still only happens when the keyword "shard" has been given to
     the configuration scripts.

     NOTE: shared library support is still an experimental thing, and
     backward binary compatibility is still not guaranteed.
     ["Maciej W. Rozycki" <macro@ds2.pg.gda.pl> and Richard Levitte]

  +) Add support for Subject Information Access extension.
     [Peter Sylvester <Peter.Sylvester@EdelWeb.fr>]

  +) Make BUF_MEM_grow() behaviour more consistent: Initialise to zero
     additional bytes when new memory had to be allocated, not just
     when reusing an existing buffer.
     [Bodo Moeller]

  *) Disable caching in BIO_gethostbyname(), directly use gethostbyname()
     instead.  BIO_gethostbyname() does not know what timeouts are
     appropriate, so entries would stay in cache even when they have
     become invalid.
     [Bodo Moeller; problem pointed out by Rich Salz <rsalz@zolera.com>

  +) New command line and configuration option 'utf8' for the req command.
     This allows field values to be specified as UTF8 strings.
     [Steve Henson]

  +) Add -multi and -mr options to "openssl speed" - giving multiple parallel
     runs for the former and machine-readable output for the latter.
     [Ben Laurie]

  +) Add '-noemailDN' option to 'openssl ca'.  This prevents inclusion
     of the e-mail address in the DN (i.e., it will go into a certificate
     extension only).  The new configuration file option 'email_in_dn = no'
     has the same effect.
     [Massimiliano Pala madwolf@openca.org]

  *) Change ssl23_get_client_hello (ssl/s23_srvr.c) behaviour when
     faced with a pathologically small ClientHello fragment that does
     not contain client_version: Instead of aborting with an error,
     simply choose the highest available protocol version (i.e.,
     TLS 1.0 unless it is disabled).  In practice, ClientHello
     messages are never sent like this, but this change gives us
     strictly correct behaviour at least for TLS.
     [Bodo Moeller]

  +) Change all functions with names starting with des_ to be starting
     with DES_ instead.  This because there are increasing clashes with
     libdes and other des libraries that are currently used by other
     projects.  The old libdes interface is provided, as well as crypt(),
     if openssl/des_old.h is included.  Note that crypt() is no longer
     declared in openssl/des.h.

     NOTE: This is a major break of an old API into a new one.  Software
     authors are encouraged to switch to the DES_ style functions.  Some
     time in the future, des_old.h and the libdes compatibility functions
     will be completely removed.
     [Richard Levitte]

  *) Fix SSL handshake functions and SSL_clear() such that SSL_clear()
     never resets s->method to s->ctx->method when called from within
     one of the SSL handshake functions.
     [Bodo Moeller; problem pointed out by Niko Baric]

  +) Test for certificates which contain unsupported critical extensions.
     If such a certificate is found during a verify operation it is 
     rejected by default: this behaviour can be overridden by either
     handling the new error X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION or
     by setting the verify flag X509_V_FLAG_IGNORE_CRITICAL. A new function
     X509_supported_extension() has also been added which returns 1 if a
     particular extension is supported.
     [Steve Henson]

  *) In ssl3_get_client_hello (ssl/s3_srvr.c), generate a fatal alert
     (sent using the client's version number) if client_version is
     smaller than the protocol version in use.  Also change
     ssl23_get_client_hello (ssl/s23_srvr.c) to select TLS 1.0 if
     the client demanded SSL 3.0 but only TLS 1.0 is enabled; then
     the client will at least see that alert.
     [Bodo Moeller]

  +) Modify the behaviour of EVP cipher functions in similar way to digests
     to retain compatibility with existing code.
     [Steve Henson]

  +) Modify the behaviour of EVP_DigestInit() and EVP_DigestFinal() to retain
     compatibility with existing code. In particular the 'ctx' parameter does
     not have to be to be initialized before the call to EVP_DigestInit() and
     it is tidied up after a call to EVP_DigestFinal(). New function
     EVP_DigestFinal_ex() which does not tidy up the ctx. Similarly function
     EVP_MD_CTX_copy() changed to not require the destination to be
     initialized valid and new function EVP_MD_CTX_copy_ex() added which
     requires the destination to be valid.

     Modify all the OpenSSL digest calls to use EVP_DigestInit_ex(),
     EVP_DigestFinal_ex() and EVP_MD_CTX_copy_ex().
     [Steve Henson]

  +) Change ssl3_get_message (ssl/s3_both.c) and the functions using it
     so that complete 'Handshake' protocol structures are kept in memory
     instead of overwriting 'msg_type' and 'length' with 'body' data.
     [Bodo Moeller]

  *) Fix ssl3_get_message (ssl/s3_both.c) to handle message fragmentation
     correctly.
     [Bodo Moeller]

  +) Add an implementation of SSL_add_dir_cert_subjects_to_stack for Win32.
     [Massimo Santin via Richard Levitte]

  +) Major restructuring to the underlying ENGINE code. This includes
     reduction of linker bloat, separation of pure "ENGINE" manipulation
     (initialisation, etc) from functionality dealing with implementations
     of specific crypto iterfaces. This change also introduces integrated
     support for symmetric ciphers and digest implementations - so ENGINEs
     can now accelerate these by providing EVP_CIPHER and EVP_MD
     implementations of their own. This is detailed in crypto/engine/README
     as it couldn't be adequately described here. However, there are a few
     API changes worth noting - some RSA, DSA, DH, and RAND functions that
     were changed in the original introduction of ENGINE code have now
     reverted back - the hooking from this code to ENGINE is now a good
     deal more passive and at run-time, operations deal directly with
     RSA_METHODs, DSA_METHODs (etc) as they did before, rather than
     dereferencing through an ENGINE pointer any more. Also, the ENGINE
     functions dealing with BN_MOD_EXP[_CRT] handlers have been removed -
     they were not being used by the framework as there is no concept of a
     BIGNUM_METHOD and they could not be generalised to the new
     'ENGINE_TABLE' mechanism that underlies the new code. Similarly,
     ENGINE_cpy() has been removed as it cannot be consistently defined in
     the new code.
     [Geoff Thorpe]

  +) Change ASN1_GENERALIZEDTIME_check() to allow fractional seconds.
     [Steve Henson]

  +) Change mkdef.pl to sort symbols that get the same entry number,
     and make sure the automatically generated functions ERR_load_*
     become part of libeay.num as well.
     [Richard Levitte]

  *) Avoid infinite loop in ssl3_get_message (ssl/s3_both.c) if a
     client receives HelloRequest while in a handshake.
     [Bodo Moeller; bug noticed by Andy Schneider <andy.schneider@bjss.co.uk>]

  +) New function SSL_renegotiate_pending().  This returns true once
     renegotiation has been requested (either SSL_renegotiate() call
     or HelloRequest/ClientHello receveived from the peer) and becomes
     false once a handshake has been completed.
     (For servers, SSL_renegotiate() followed by SSL_do_handshake()
     sends a HelloRequest, but does not ensure that a handshake takes
     place.  SSL_renegotiate_pending() is useful for checking if the
     client has followed the request.)
     [Bodo Moeller]

  +) New SSL option SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION.
     By default, clients may request session resumption even during
     renegotiation (if session ID contexts permit); with this option,
     session resumption is possible only in the first handshake.
     [Bodo Moeller]

  *) Bugfix in ssl3_accept (ssl/s3_srvr.c): Case SSL3_ST_SW_HELLO_REQ_C
     should end in 'break', not 'goto end' which circuments various
     cleanups done in state SSL_ST_OK.   But session related stuff
     must be disabled for SSL_ST_OK in the case that we just sent a
     HelloRequest.

     Also avoid some overhead by not calling ssl_init_wbio_buffer()
     before just sending a HelloRequest.
     [Bodo Moeller, Eric Rescorla <ekr@rtfm.com>]

  *) Fix ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c so that we don't
     reveal whether illegal block cipher padding was found or a MAC
     verification error occured.  (Neither SSLerr() codes nor alerts
     are directly visible to potential attackers, but the information
     may leak via logfiles.)

     Similar changes are not required for the SSL 2.0 implementation
     because the number of padding bytes is sent in clear for SSL 2.0,
     and the extra bytes are just ignored.  However ssl/s2_pkt.c
     failed to verify that the purported number of padding bytes is in
     the legal range.
     [Bodo Moeller]

  +) Add some demos for certificate and certificate request creation.
     [Steve Henson]

  +) Make maximum certificate chain size accepted from the peer application
     settable (SSL*_get/set_max_cert_list()), as proposed by
     "Douglas E. Engert" <deengert@anl.gov>.
     [Lutz Jaenicke]

  +) Add support for shared libraries for Unixware-7
     (Boyd Lynn Gerber <gerberb@zenez.com>).
     [Lutz Jaenicke]

  *) Add OpenUNIX-8 support including shared libraries
     (Boyd Lynn Gerber <gerberb@zenez.com>).
     [Lutz Jaenicke]

  *) Improve RSA_padding_check_PKCS1_OAEP() check again to avoid
     'wristwatch attack' using huge encoding parameters (cf.
     James H. Manger's CRYPTO 2001 paper).  Note that the
     RSA_PKCS1_OAEP_PADDING case of RSA_private_decrypt() does not use
     encoding parameters and hence was not vulnerable.
     [Bodo Moeller]

  +) Add a "destroy" handler to ENGINEs that allows structural cleanup to
     be done prior to destruction. Use this to unload error strings from
     ENGINEs that load their own error strings. NB: This adds two new API
     functions to "get" and "set" this destroy handler in an ENGINE.
     [Geoff Thorpe]

  +) Alter all existing ENGINE implementations (except "openssl" and
     "openbsd") to dynamically instantiate their own error strings. This
     makes them more flexible to be built both as statically-linked ENGINEs
     and self-contained shared-libraries loadable via the "dynamic" ENGINE.
     Also, add stub code to each that makes building them as self-contained
     shared-libraries easier (see README.ENGINE).
     [Geoff Thorpe]

  +) Add a "dynamic" ENGINE that provides a mechanism for binding ENGINE
     implementations into applications that are completely implemented in
     self-contained shared-libraries. The "dynamic" ENGINE exposes control
     commands that can be used to configure what shared-library to load and
     to control aspects of the way it is handled. Also, made an update to
     the README.ENGINE file that brings its information up-to-date and
     provides some information and instructions on the "dynamic" ENGINE
     (ie. how to use it, how to build "dynamic"-loadable ENGINEs, etc).
     [Geoff Thorpe]

  *) BN_sqr() bug fix.
Commit	Line	Data
81a6c781	1
f1c236f8	2	OpenSSL CHANGES
651d0aff RE	3	_______________
651d0aff RE	4
a9d2bc49	5	Changes between 0.9.6 and 0.9.7 [xx XXX 2001]
a43cf9fa	6
e9ad0d2c	7	OpenSSL 0.9.6a/0.9.6b (bugfix releases, 5 Apr 2001 and 9 July 2001)
e3fefbfd	8	and OpenSSL 0.9.7 were developed in parallel, based on OpenSSL 0.9.6.
e9ad0d2c	9
a9d2bc49	10	Change log entries are tagged as follows:
daba492c BM	11	-) applies to 0.9.6a/0.9.6b/0.9.6c only
daba492c BM	12	*) applies to 0.9.6a/0.9.6b/0.9.6c and 0.9.7
a9d2bc49 BM	13	+) applies to 0.9.7 only
a9d2bc49 BM	14
c9501c22 DSH	15	+) Prelminary ENGINE config module.
	16	[Steve Henson]
	17
8c74b5e5 BM	18	*) The earlier bugfix for the SSL3_ST_SW_HELLO_REQ_C case of
	19	ssl3_accept (ssl/s3_srvr.c) incorrectly used a local flag
	20	variable as an indication that a ClientHello message has been
	21	received. As the flag value will be lost between multiple
	22	invocations of ssl3_accept when using non-blocking I/O, the
	23	function may not be aware that a handshake has actually taken
	24	place, thus preventing a new session from being added to the
	25	session cache.
	26
	27	To avoid this problem, we now set s->new_session to 2 instead of
	28	using a local variable.
	29	[Lutz Jaenicke, Bodo Moeller]
	30
c59ba5b5 BM	31	*) Bugfix: Return -1 from ssl3_get_server_done (ssl3/s3_clnt.c)
	32	if the SSL_R_LENGTH_MISMATCH error is detected.
	33	[Geoff Thorpe, Bodo Moeller]
	34
bc37d996 DSH	35	+) New experimental application configuration code.
	36	[Steve Henson]
	37
d59fb0dd BM	38	*) New 'shared_ldflag' column in Configure platform table.
	39	[Richard Levitte]
	40
e5d6528a BM	41	*) Fix EVP_CIPHER_mode macro.
	42	["Dan S. Camper" <dan@bti.net>]
	43
6f9079fd RL	44	+) Change the AES code to follow the same name structure as all other
	45	symmetric ciphers, and behave the same way. Move everything to
	46	the directory crypto/aes, thereby obsoleting crypto/rijndael.
	47	[Stephen Sprunk <stephen@sprunk.org> and Richard Levitte]
	48
dcbbf83d UM	49	*) Fix ssl3_read_bytes (ssl/s3_pkt.c): To ignore messages of unknown
	50	type, we must throw them away by setting rr->length to 0.
	51	[D P Chang <dpc@qualys.com>]
	52
3c89d78d BM	53	-) OpenSSL 0.9.6c released [21 dec 2001]
3c89d78d BM	54
7c517a04 BL	55	+) SECURITY: remove unsafe setjmp/signal interaction from ui_openssl.c.
	56	[Ben Laurie and Theo de Raadt]
	57
66df02fd BM	58	*) Fix BN_rand_range bug pointed out by Dominikus Scherkl
	59	<Dominikus.Scherkl@biodata.com>. (The previous implementation
	60	worked incorrectly for those cases where range = 10..._2 and
	61	3*range is two bits longer than range.)
	62	[Bodo Moeller]
	63
b5348a09 BM	64	*) Only add signing time to PKCS7 structures if it is not already
b5348a09 BM	65	present.
f3e24bad DSH	66	[Steve Henson]
f3e24bad DSH	67
35e25255 BM	68	*) Fix crypto/objects/objects.h: "ld-ce" should be "id-ce",
	69	OBJ_ld_ce should be OBJ_id_ce.
	70	Also some ip-pda OIDs in crypto/objects/objects.txt were
	71	incorrect (cf. RFC 3039).
	72	[Matt Cooper, Frederic Giudicelli, Bodo Moeller]
	73
21a85f19 DSH	74	+) Add option to output public keys in req command.
	75	[Massimiliano Pala madwolf@openca.org]
	76
883b0c22 BM	77	*) Release CRYPTO_LOCK_DYNLOCK when CRYPTO_destroy_dynlockid()
	78	returns early because it has nothing to do.
	79	[Andy Schneider <andy.schneider@bjss.co.uk>]
	80
	81	*) [In 0.9.6c-engine and 0.9.7 release:]
	82	Fix mutex callback return values in crypto/engine/hw_ncipher.c.
	83	[Andy Schneider <andy.schneider@bjss.co.uk>]
	84
898f856c BM	85	-) [In 0.9.6c-engine release:]
	86	Add support for Cryptographic Appliance's keyserver technology.
	87	(Use engine 'keyclient')
	88	[Cryptographic Appliances and Geoff Thorpe]
	89
1d4581c2 BM	90	*) Add a configuration entry for OS/390 Unix. The C compiler 'c89'
	91	is called via tools/c89.sh because arguments have to be
	92	rearranged (all '-L' options must appear before the first object
	93	modules).
	94	[Richard Shapiro <rshapiro@abinitio.com>]
	95
76c4336c BM	96	+) Use wNAFs in EC_POINTs_mul() for improved efficiency
76c4336c BM	97	(up to about 10% better than before for P-192 and P-224).
3ba1f111 BM	98	[Bodo Moeller]
3ba1f111 BM	99
83978bd3 BM	100	-) [In 0.9.6c-engine release:]
	101	Add support for Broadcom crypto accelerator cards, backported
	102	from 0.9.7.
	103	[Broadcom, Nalin Dahyabhai <nalin@redhat.com>, Mark Cox]
	104
	105	-) [In 0.9.6c-engine release:]
	106	Add support for SureWare crypto accelerator cards from
	107	Baltimore Technologies. (Use engine 'sureware')
	108	[Baltimore Technologies and Mark Cox]
	109
	110	-) [In 0.9.6c-engine release:]
	111	Add support for crypto accelerator cards from Accelerated
	112	Encryption Processing, www.aep.ie. (Use engine 'aep')
	113	[AEP Inc. and Mark Cox]
	114
c5571db0 BM	115	*) Add a configuration entry for gcc on UnixWare.
	116	[Gary Benson <gbenson@redhat.com>]
	117
7aa983c6 BM	118	+) New functions/macros
	119
	120	SSL_CTX_set_msg_callback(ctx, cb)
	121	SSL_CTX_set_msg_callback_arg(ctx, arg)
	122	SSL_set_msg_callback(ssl, cb)
	123	SSL_set_msg_callback_arg(ssl, arg)
	124
	125	to request calling a callback function
	126
	127	void cb(int write_p, int version, int content_type,
	128	const void buf, size_t len, SSL ssl, void *arg)
	129
	130	whenever a protocol message has been completely received
	131	(write_p == 0) or sent (write_p == 1). Here 'version' is the
	132	protocol version according to which the SSL library interprets
	133	the current protocol message (SSL2_VERSION, SSL3_VERSION, or
	134	TLS1_VERSION). 'content_type' is 0 in the case of SSL 2.0, or
	135	the content type as defined in the SSL 3.0/TLS 1.0 protocol
	136	specification (change_cipher_spec(20), alert(21), handshake(22)).
	137	'buf' and 'len' point to the actual message, 'ssl' to the
	138	SSL object, and 'arg' is the application-defined value set by
	139	SSL[_CTX]_set_msg_callback_arg().
	140
	141	'openssl s_client' and 'openssl s_server' have new '-msg' options
	142	to enable a callback that displays all protocol messages.
	143	[Bodo Moeller]
	144
	145	*) Change ssl/s2_clnt.c and ssl/s2_srvr.c so that received handshake
	146	messages are stored in a single piece (fixed-length part and
	147	variable-length part combined) and fix various bugs found on the way.
	148	[Bodo Moeller]
	149
a7b42009 RL	150	+) Change the shared library support so shared libraries are built as
	151	soon as the corresponding static library is finished, and thereby get
	152	openssl and the test programs linked against the shared library.
	153	This still only happens when the keyword "shard" has been given to
	154	the configuration scripts.
	155
	156	NOTE: shared library support is still an experimental thing, and
	157	backward binary compatibility is still not guaranteed.
	158	["Maciej W. Rozycki" <macro@ds2.pg.gda.pl> and Richard Levitte]
	159
7d5b04db DSH	160	+) Add support for Subject Information Access extension.
	161	[Peter Sylvester <Peter.Sylvester@EdelWeb.fr>]
	162
48b0cf8b BM	163	+) Make BUF_MEM_grow() behaviour more consistent: Initialise to zero
	164	additional bytes when new memory had to be allocated, not just
	165	when reusing an existing buffer.
	166	[Bodo Moeller]
	167
c602e7f4 BM	168	*) Disable caching in BIO_gethostbyname(), directly use gethostbyname()
c602e7f4 BM	169	instead. BIO_gethostbyname() does not know what timeouts are
48b0cf8b	170	appropriate, so entries would stay in cache even when they have
c602e7f4 BM	171	become invalid.
	172	[Bodo Moeller; problem pointed out by Rich Salz <rsalz@zolera.com>
	173
1fc6d41b DSH	174	+) New command line and configuration option 'utf8' for the req command.
	175	This allows field values to be specified as UTF8 strings.
	176	[Steve Henson]
	177
0e211563 BL	178	+) Add -multi and -mr options to "openssl speed" - giving multiple parallel
	179	runs for the former and machine-readable output for the latter.
	180	[Ben Laurie]
	181
89da653f BM	182	+) Add '-noemailDN' option to 'openssl ca'. This prevents inclusion
	183	of the e-mail address in the DN (i.e., it will go into a certificate
	184	extension only). The new configuration file option 'email_in_dn = no'
	185	has the same effect.
	186	[Massimiliano Pala madwolf@openca.org]
	187
ba1c6022 BM	188	*) Change ssl23_get_client_hello (ssl/s23_srvr.c) behaviour when
	189	faced with a pathologically small ClientHello fragment that does
	190	not contain client_version: Instead of aborting with an error,
	191	simply choose the highest available protocol version (i.e.,
	192	TLS 1.0 unless it is disabled). In practice, ClientHello
	193	messages are never sent like this, but this change gives us
	194	strictly correct behaviour at least for TLS.
	195	[Bodo Moeller]
	196
c2e4f17c RL	197	+) Change all functions with names starting with des_ to be starting
	198	with DES_ instead. This because there are increasing clashes with
	199	libdes and other des libraries that are currently used by other
	200	projects. The old libdes interface is provided, as well as crypt(),
	201	if openssl/des_old.h is included. Note that crypt() is no longer
	202	declared in openssl/des.h.
	203
	204	NOTE: This is a major break of an old API into a new one. Software
	205	authors are encouraged to switch to the DES_ style functions. Some
	206	time in the future, des_old.h and the libdes compatibility functions
	207	will be completely removed.
	208	[Richard Levitte]
	209
979689aa BM	210	*) Fix SSL handshake functions and SSL_clear() such that SSL_clear()
	211	never resets s->method to s->ctx->method when called from within
	212	one of the SSL handshake functions.
	213	[Bodo Moeller; problem pointed out by Niko Baric]
	214
f1558bb4 DSH	215	+) Test for certificates which contain unsupported critical extensions.
	216	If such a certificate is found during a verify operation it is
	217	rejected by default: this behaviour can be overridden by either
	218	handling the new error X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION or
	219	by setting the verify flag X509_V_FLAG_IGNORE_CRITICAL. A new function
	220	X509_supported_extension() has also been added which returns 1 if a
	221	particular extension is supported.
	222	[Steve Henson]
	223
a661b653 BM	224	*) In ssl3_get_client_hello (ssl/s3_srvr.c), generate a fatal alert
	225	(sent using the client's version number) if client_version is
	226	smaller than the protocol version in use. Also change
	227	ssl23_get_client_hello (ssl/s23_srvr.c) to select TLS 1.0 if
	228	the client demanded SSL 3.0 but only TLS 1.0 is enabled; then
	229	the client will at least see that alert.
	230	[Bodo Moeller]
	231
581f1c84 DSH	232	+) Modify the behaviour of EVP cipher functions in similar way to digests
	233	to retain compatibility with existing code.
	234	[Steve Henson]
	235
20d2186c	236	+) Modify the behaviour of EVP_DigestInit() and EVP_DigestFinal() to retain
50d194af DSH	237	compatibility with existing code. In particular the 'ctx' parameter does
	238	not have to be to be initialized before the call to EVP_DigestInit() and
	239	it is tidied up after a call to EVP_DigestFinal(). New function
	240	EVP_DigestFinal_ex() which does not tidy up the ctx. Similarly function
	241	EVP_MD_CTX_copy() changed to not require the destination to be
	242	initialized valid and new function EVP_MD_CTX_copy_ex() added which
	243	requires the destination to be valid.
	244
	245	Modify all the OpenSSL digest calls to use EVP_DigestInit_ex(),
	246	EVP_DigestFinal_ex() and EVP_MD_CTX_copy_ex().
20d2186c DSH	247	[Steve Henson]
20d2186c DSH	248
48948d53 BM	249	+) Change ssl3_get_message (ssl/s3_both.c) and the functions using it
	250	so that complete 'Handshake' protocol structures are kept in memory
	251	instead of overwriting 'msg_type' and 'length' with 'body' data.
	252	[Bodo Moeller]
	253
	254	*) Fix ssl3_get_message (ssl/s3_both.c) to handle message fragmentation
	255	correctly.
	256	[Bodo Moeller]
	257
285046ec RL	258	+) Add an implementation of SSL_add_dir_cert_subjects_to_stack for Win32.
	259	[Massimo Santin via Richard Levitte]
	260
07cee702 GT	261	+) Major restructuring to the underlying ENGINE code. This includes
	262	reduction of linker bloat, separation of pure "ENGINE" manipulation
	263	(initialisation, etc) from functionality dealing with implementations
	264	of specific crypto iterfaces. This change also introduces integrated
	265	support for symmetric ciphers and digest implementations - so ENGINEs
	266	can now accelerate these by providing EVP_CIPHER and EVP_MD
	267	implementations of their own. This is detailed in crypto/engine/README
	268	as it couldn't be adequately described here. However, there are a few
	269	API changes worth noting - some RSA, DSA, DH, and RAND functions that
	270	were changed in the original introduction of ENGINE code have now
	271	reverted back - the hooking from this code to ENGINE is now a good
	272	deal more passive and at run-time, operations deal directly with
	273	RSA_METHODs, DSA_METHODs (etc) as they did before, rather than
	274	dereferencing through an ENGINE pointer any more. Also, the ENGINE
	275	functions dealing with BN_MOD_EXP[_CRT] handlers have been removed -
	276	they were not being used by the framework as there is no concept of a
	277	BIGNUM_METHOD and they could not be generalised to the new
	278	'ENGINE_TABLE' mechanism that underlies the new code. Similarly,
	279	ENGINE_cpy() has been removed as it cannot be consistently defined in
	280	the new code.
	281	[Geoff Thorpe]
	282
d46c1a81 DSH	283	+) Change ASN1_GENERALIZEDTIME_check() to allow fractional seconds.
	284	[Steve Henson]
	285
89eeccac RL	286	+) Change mkdef.pl to sort symbols that get the same entry number,
	287	and make sure the automatically generated functions ERR_load_*
	288	become part of libeay.num as well.
	289	[Richard Levitte]
	290
3b0b5aba BM	291	*) Avoid infinite loop in ssl3_get_message (ssl/s3_both.c) if a
	292	client receives HelloRequest while in a handshake.
	293	[Bodo Moeller; bug noticed by Andy Schneider <andy.schneider@bjss.co.uk>]
	294
6b0e9fac BM	295	+) New function SSL_renegotiate_pending(). This returns true once
	296	renegotiation has been requested (either SSL_renegotiate() call
	297	or HelloRequest/ClientHello receveived from the peer) and becomes
	298	false once a handshake has been completed.
	299	(For servers, SSL_renegotiate() followed by SSL_do_handshake()
	300	sends a HelloRequest, but does not ensure that a handshake takes
	301	place. SSL_renegotiate_pending() is useful for checking if the
	302	client has followed the request.)
	303	[Bodo Moeller]
	304
	305	+) New SSL option SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION.
	306	By default, clients may request session resumption even during
	307	renegotiation (if session ID contexts permit); with this option,
	308	session resumption is possible only in the first handshake.
	309	[Bodo Moeller]
	310
2260ad21 BM	311	*) Bugfix in ssl3_accept (ssl/s3_srvr.c): Case SSL3_ST_SW_HELLO_REQ_C
2260ad21 BM	312	should end in 'break', not 'goto end' which circuments various
b49124f6 BM	313	cleanups done in state SSL_ST_OK. But session related stuff
	314	must be disabled for SSL_ST_OK in the case that we just sent a
	315	HelloRequest.
2260ad21 BM	316
	317	Also avoid some overhead by not calling ssl_init_wbio_buffer()
	318	before just sending a HelloRequest.
b49124f6	319	[Bodo Moeller, Eric Rescorla <ekr@rtfm.com>]
8e2f6b79	320
ee60d9fb BM	321	*) Fix ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c so that we don't
	322	reveal whether illegal block cipher padding was found or a MAC
	323	verification error occured. (Neither SSLerr() codes nor alerts
	324	are directly visible to potential attackers, but the information
	325	may leak via logfiles.)
	326
	327	Similar changes are not required for the SSL 2.0 implementation
	328	because the number of padding bytes is sent in clear for SSL 2.0,
	329	and the extra bytes are just ignored. However ssl/s2_pkt.c
	330	failed to verify that the purported number of padding bytes is in
	331	the legal range.
	332	[Bodo Moeller]
	333
96bd6f73 DSH	334	+) Add some demos for certificate and certificate request creation.
	335	[Steve Henson]
	336
c0f5dd07 LJ	337	+) Make maximum certificate chain size accepted from the peer application
	338	settable (SSL*_get/set_max_cert_list()), as proposed by
	339	"Douglas E. Engert" <deengert@anl.gov>.
	340	[Lutz Jaenicke]
	341
b26ca340 BM	342	+) Add support for shared libraries for Unixware-7
b26ca340 BM	343	(Boyd Lynn Gerber <gerberb@zenez.com>).
6c36f7a9 LJ	344	[Lutz Jaenicke]
6c36f7a9 LJ	345
b26ca340 BM	346	*) Add OpenUNIX-8 support including shared libraries
b26ca340 BM	347	(Boyd Lynn Gerber <gerberb@zenez.com>).
c5571db0 BM	348	[Lutz Jaenicke]
c5571db0 BM	349
a9ed4da8 BM	350	*) Improve RSA_padding_check_PKCS1_OAEP() check again to avoid
	351	'wristwatch attack' using huge encoding parameters (cf.
	352	James H. Manger's CRYPTO 2001 paper). Note that the
	353	RSA_PKCS1_OAEP_PADDING case of RSA_private_decrypt() does not use
e3fefbfd	354	encoding parameters and hence was not vulnerable.
a9ed4da8 BM	355	[Bodo Moeller]
a9ed4da8 BM	356
4450107a	357	+) Add a "destroy" handler to ENGINEs that allows structural cleanup to
908efd3b GT	358	be done prior to destruction. Use this to unload error strings from
	359	ENGINEs that load their own error strings. NB: This adds two new API
	360	functions to "get" and "set" this destroy handler in an ENGINE.
a9ed4da8	361	[Geoff Thorpe]
908efd3b	362
4450107a	363	+) Alter all existing ENGINE implementations (except "openssl" and
541814c4 GT	364	"openbsd") to dynamically instantiate their own error strings. This
	365	makes them more flexible to be built both as statically-linked ENGINEs
	366	and self-contained shared-libraries loadable via the "dynamic" ENGINE.
	367	Also, add stub code to each that makes building them as self-contained
	368	shared-libraries easier (see README.ENGINE).
	369	[Geoff Thorpe]
	370
4450107a	371	+) Add a "dynamic" ENGINE that provides a mechanism for binding ENGINE
541814c4 GT	372	implementations into applications that are completely implemented in
	373	self-contained shared-libraries. The "dynamic" ENGINE exposes control
	374	commands that can be used to configure what shared-library to load and
	375	to control aspects of the way it is handled. Also, made an update to
	376	the README.ENGINE file that brings its information up-to-date and
	377	provides some information and instructions on the "dynamic" ENGINE
	378	(ie. how to use it, how to build "dynamic"-loadable ENGINEs, etc).
	379	[Geoff Thorpe]
	380
d98a4b73 UM	381	*) BN_sqr() bug fix.
	382