+ +) Changes to Kerberos SSL for RFC 2712 compliance:
+ 1. Implemented real KerberosWrapper, instead of just using
+ KRB5 AP_REQ message. [Thanks to Simon Wilkinson <sxw@sxw.org.uk>]
+ 2. Implemented optional authenticator field of KerberosWrapper.
+
+ Added openssl-style ASN.1 macros for Kerberos ticket, ap_req,
+ and authenticator structs; see crypto/krb5/.
+
+ Generalized Kerberos calls to support multiple Kerberos libraries.
+ [Vern Staats <staatsvr@asc.hpc.mil>,
+ Jeffrey Altman <jaltman@columbia.edu>
+ via Richard Levitte]
+
+ +) Cause 'openssl speed' to use fully hard-coded DSA keys as it
+ already does with RSA. testdsa.h now has 'priv_key/pub_key'
+ values for each of the key sizes rather than having just
+ parameters (and 'speed' generating keys each time).
+ [Geoff Thorpe]
+
+ -) OpenSSL 0.9.6b released [9 July 2001]
+
+ *) Change ssleay_rand_bytes (crypto/rand/md_rand.c)
+ to avoid a SSLeay/OpenSSL PRNG weakness pointed out by
+ Markku-Juhani O. Saarinen <markku-juhani.saarinen@nokia.com>:
+ PRNG state recovery was possible based on the output of
+ one PRNG request appropriately sized to gain knowledge on
+ 'md' followed by enough consecutive 1-byte PRNG requests
+ to traverse all of 'state'.
+
+ 1. When updating 'md_local' (the current thread's copy of 'md')
+ during PRNG output generation, hash all of the previous
+ 'md_local' value, not just the half used for PRNG output.
+
+ 2. Make the number of bytes from 'state' included into the hash
+ independent from the number of PRNG bytes requested.
+
+ The first measure alone would be sufficient to avoid
+ Markku-Juhani's attack. (Actually it had never occurred
+ to me that the half of 'md_local' used for chaining was the
+ half from which PRNG output bytes were taken -- I had always
+ assumed that the secret half would be used.) The second
+ measure makes sure that additional data from 'state' is never
+ mixed into 'md_local' in small portions; this heuristically
+ further strengthens the PRNG.
+ [Bodo Moeller]
+
+ +) Speed up EVP routines.
+ Before:
+encrypt
+type 8 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
+des-cbc 4408.85k 5560.51k 5778.46k 5862.20k 5825.16k
+des-cbc 4389.55k 5571.17k 5792.23k 5846.91k 5832.11k
+des-cbc 4394.32k 5575.92k 5807.44k 5848.37k 5841.30k
+decrypt
+des-cbc 3482.66k 5069.49k 5496.39k 5614.16k 5639.28k
+des-cbc 3480.74k 5068.76k 5510.34k 5609.87k 5635.52k
+des-cbc 3483.72k 5067.62k 5504.60k 5708.01k 5724.80k
+ After:
+encrypt
+des-cbc 4660.16k 5650.19k 5807.19k 5827.13k 5783.32k
+decrypt
+des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
+ [Ben Laurie]
+
+ *) Fix crypto/bn/asm/mips3.s.
+ [Andy Polyakov]
+
+ *) When only the key is given to "enc", the IV is undefined. Print out
+ an error message in this case.
+ [Lutz Jaenicke]
+
+ +) Added the OS2-EMX target.
+ ["Brian Havard" <brianh@kheldar.apana.org.au> and Richard Levitte]
+
+ +) Rewrite apps to use NCONF routines instead of the old CONF. New functions
+ to support NCONF routines in extension code. New function CONF_set_nconf()
+ to allow functions which take an NCONF to also handle the old LHASH
+ structure: this means that the old CONF compatible routines can be
+ retained (in particular wrt extensions) without having to duplicate the
+ code. New function X509V3_add_ext_nconf_sk to add extensions to a stack.
+ [Steve Henson]
+
+ *) Handle special case when X509_NAME is empty in X509 printing routines.
+ [Steve Henson]
+
+ *) In dsa_do_verify (crypto/dsa/dsa_ossl.c), verify that r and s are
+ positive and less than q.
+ [Bodo Moeller]
+
+ +) Enhance the general user interface with mechanisms for inner control
+ and with pssibilities to have yes/no kind of prompts.
+ [Richard Levitte]
+
+ +) Change all calls to low level digest routines in the library and
+ applications to use EVP. Add missing calls to HMAC_cleanup() and
+ don't assume HMAC_CTX can be copied using memcpy().
+ [Verdon Walker <VWalker@novell.com>, Steve Henson]
+
+ +) Add the possibility to control engines through control names but with
+ arbitrary arguments instead of just a string.
+ Change the key loaders to take a UI_METHOD instead of a callback
+ function pointer. NOTE: this breaks binary compatibility with earlier
+ versions of OpenSSL [engine].
+ Addapt the nCipher code for these new conditions and add a card insertion
+ callback.
+ [Richard Levitte]
+
+ +) Enhance the general user interface with mechanisms to better support
+ dialog box interfaces, application-defined prompts, the possibility
+ to use defaults (for example default passwords from somewhere else)
+ and interrupts/cancelations.
+ [Richard Levitte]
+
+ *) Don't change *pointer in CRYPTO_add_lock() is add_lock_callback is
+ used: it isn't thread safe and the add_lock_callback should handle
+ that itself.
+ [Paul Rose <Paul.Rose@bridge.com>]
+
+ *) Verify that incoming data obeys the block size in
+ ssl3_enc (ssl/s3_enc.c) and tls1_enc (ssl/t1_enc.c).
+ [Bodo Moeller]
+
+ +) Tidy up PKCS#12 attribute handling. Add support for the CSP name
+ attribute in PKCS#12 files, add new -CSP option to pkcs12 utility.
+ [Steve Henson]
+
+ *) Fix OAEP check.
+ [Ulf Möller, Bodo Möller]
+
+ *) The countermeasure against Bleichbacher's attack on PKCS #1 v1.5
+ RSA encryption was accidentily removed in s3_srvr.c in OpenSSL 0.9.5
+ when fixing the server behaviour for backwards-compatible 'client
+ hello' messages. (Note that the attack is impractical against
+ SSL 3.0 and TLS 1.0 anyway because length and version checking
+ means that the probability of guessing a valid ciphertext is
+ around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98
+ paper.)
+
+ Before 0.9.5, the countermeasure (hide the error by generating a
+ random 'decryption result') did not work properly because
+ ERR_clear_error() was missing, meaning that SSL_get_error() would
+ detect the supposedly ignored error.
+
+ Both problems are now fixed.
+ [Bodo Moeller]
+
+ *) In crypto/bio/bf_buff.c, increase DEFAULT_BUFFER_SIZE to 4096
+ (previously it was 1024).
+ [Bodo Moeller]
+
+ +) Fix a memory leak in 'sk_dup()' in the case reallocation fails. (Also
+ tidy up some unecessarily weird code in 'sk_new()').
+ [Geoff, reported by Diego Tartara <dtartara@novamens.com>]
+
+ +) Change the key loading routines for ENGINEs to use the same kind
+ callback (pem_password_cb) as all other routines that need this
+ kind of callback.
+ [Richard Levitte]
+
+ *) Fix for compatibility mode trust settings: ignore trust settings
+ unless some valid trust or reject settings are present.
+ [Steve Henson]
+
+ *) Fix for blowfish EVP: its a variable length cipher.
+ [Steve Henson]
+
+ +) Increase ENTROPY_NEEDED to 32 bytes, as Rijndael can operate with
+ 256 bit (=32 byte) keys. Of course seeding with more entropy bytes
+ than this minimum value is recommended.
+ [Lutz Jaenicke]
+
+ +) New random seeder for OpenVMS, using the system process statistics
+ that are easily reachable.
+ [Richard Levitte]
+
+ +) Windows apparently can't transparently handle global
+ variables defined in DLLs. Initialisations such as:
+
+ const ASN1_ITEM *it = &ASN1_INTEGER_it;
+
+ wont compile. This is used by the any applications that need to
+ delcare their own ASN1 modules. This was fixed by adding the option
+ EXPORT_VAR_AS_FN to all Win32 platforms, although this isn't strictly
+ needed for static libraries under Win32.
+ [Steve Henson]
+
+ +) New functions X509_PURPOSE_set() and X509_TRUST_set() to handle
+ setting of purpose and trust fields. New X509_STORE trust and
+ purpose functions and tidy up setting in other SSL functions.
+ [Steve Henson]
+
+ +) Add copies of X509_STORE_CTX fields and callbacks to X509_STORE
+ structure. These are inherited by X509_STORE_CTX when it is
+ initialised. This allows various defaults to be set in the
+ X509_STORE structure (such as flags for CRL checking and custom
+ purpose or trust settings) for functions which only use X509_STORE_CTX
+ internally such as S/MIME.
+
+ Modify X509_STORE_CTX_purpose_inherit() so it only sets purposes and
+ trust settings if they are not set in X509_STORE. This allows X509_STORE
+ purposes and trust (in S/MIME for example) to override any set by default.
+
+ Add command line options for CRL checking to smime, s_client and s_server
+ applications.
+ [Steve Henson]
+
+ +) Initial CRL based revocation checking. If the CRL checking flag(s)
+ are set then the CRL is looked up in the X509_STORE structure and
+ its validity and signature checked, then if the certificate is found
+ in the CRL the verify fails with a revoked error.
+
+ Various new CRL related callbacks added to X509_STORE_CTX structure.
+
+ Command line options added to 'verify' application to support this.
+
+ This needs some additional work, such as being able to handle multiple
+ CRLs with different times, extension based lookup (rather than just
+ by subject name) and ultimately more complete V2 CRL extension
+ handling.
+ [Steve Henson]
+
+ +) Add a general user interface API (crypto/ui/). This is designed
+ to replace things like des_read_password and friends (backward
+ compatibility functions using this new API are provided).
+ The purpose is to remove prompting functions from the DES code
+ section as well as provide for prompting through dialog boxes in
+ a window system and the like.
+ [Richard Levitte]
+
+ *) Fix various bugs related to DSA S/MIME verification. Handle missing
+ parameters in DSA public key structures and return an error in the
+ DSA routines if parameters are absent.
+ [Steve Henson]
+