+ *) Reimplemented the BN_CTX implementation. There is now no more static
+ limitation on the number of variables it can handle nor the depth of the
+ "stack" handling for BN_CTX_start()/BN_CTX_end() pairs. The stack
+ information can now expand as required, and rather than having a single
+ static array of bignums, BN_CTX now uses a linked-list of such arrays
+ allowing it to expand on demand whilst maintaining the usefulness of
+ BN_CTX's "bundling".
+ [Geoff Thorpe]
+
+ *) Add a missing BN_CTX parameter to the 'rsa_mod_exp' callback in RSA_METHOD
+ to allow all RSA operations to function using a single BN_CTX.
+ [Geoff Thorpe]
+
+ *) Preliminary support for certificate policy evaluation and checking. This
+ is initially intended to pass the tests outlined in "Conformance Testing
+ of Relying Party Client Certificate Path Processing Logic" v1.07.
+ [Steve Henson]
+
+ *) bn_dup_expand() has been deprecated, it was introduced in 0.9.7 and
+ remained unused and not that useful. A variety of other little bignum
+ tweaks and fixes have also been made continuing on from the audit (see
+ below).
+ [Geoff Thorpe]
+
+ *) Constify all or almost all d2i, c2i, s2i and r2i functions, along with
+ associated ASN1, EVP and SSL functions and old ASN1 macros.
+ [Richard Levitte]
+
+ *) BN_zero() only needs to set 'top' and 'neg' to zero for correct results,
+ and this should never fail. So the return value from the use of
+ BN_set_word() (which can fail due to needless expansion) is now deprecated;
+ if OPENSSL_NO_DEPRECATED is defined, BN_zero() is a void macro.
+ [Geoff Thorpe]
+
+ *) BN_CTX_get() should return zero-valued bignums, providing the same
+ initialised value as BN_new().
+ [Geoff Thorpe, suggested by Ulf Möller]
+
+ *) Support for inhibitAnyPolicy certificate extension.
+ [Steve Henson]
+
+ *) An audit of the BIGNUM code is underway, for which debugging code is
+ enabled when BN_DEBUG is defined. This makes stricter enforcements on what
+ is considered valid when processing BIGNUMs, and causes execution to
+ assert() when a problem is discovered. If BN_DEBUG_RAND is defined,
+ further steps are taken to deliberately pollute unused data in BIGNUM
+ structures to try and expose faulty code further on. For now, openssl will
+ (in its default mode of operation) continue to tolerate the inconsistent
+ forms that it has tolerated in the past, but authors and packagers should
+ consider trying openssl and their own applications when compiled with
+ these debugging symbols defined. It will help highlight potential bugs in
+ their own code, and will improve the test coverage for OpenSSL itself. At
+ some point, these tighter rules will become openssl's default to improve
+ maintainability, though the assert()s and other overheads will remain only
+ in debugging configurations. See bn.h for more details.
+ [Geoff Thorpe, Nils Larsch, Ulf Möller]
+
+ *) BN_CTX_init() has been deprecated, as BN_CTX is an opaque structure
+ that can only be obtained through BN_CTX_new() (which implicitly
+ initialises it). The presence of this function only made it possible
+ to overwrite an existing structure (and cause memory leaks).
+ [Geoff Thorpe]
+
+ *) Because of the callback-based approach for implementing LHASH as a
+ template type, lh_insert() adds opaque objects to hash-tables and
+ lh_doall() or lh_doall_arg() are typically used with a destructor callback
+ to clean up those corresponding objects before destroying the hash table
+ (and losing the object pointers). So some over-zealous constifications in
+ LHASH have been relaxed so that lh_insert() does not take (nor store) the
+ objects as "const" and the lh_doall[_arg] callback wrappers are not
+ prototyped to have "const" restrictions on the object pointers they are
+ given (and so aren't required to cast them away any more).
+ [Geoff Thorpe]
+
+ *) The tmdiff.h API was so ugly and minimal that our own timing utility
+ (speed) prefers to use its own implementation. The two implementations
+ haven't been consolidated as yet (volunteers?) but the tmdiff API has had
+ its object type properly exposed (MS_TM) instead of casting to/from "char
+ *". This may still change yet if someone realises MS_TM and "ms_time_***"
+ aren't necessarily the greatest nomenclatures - but this is what was used
+ internally to the implementation so I've used that for now.
+ [Geoff Thorpe]
+