+ This is a high-level summary of the most important changes.
+ For a full list of changes, see the git commit log; for example,
+ https://github.com/openssl/openssl/commits/ and pick the appropriate
+ release branch.
+
+ Changes between 1.1.1 and 3.0.0 [xx XXX xxxx]
+
+ *) Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().
+ [Richard Levitte]
+
+ *) Change the license to the Apache License v2.0.
+ [Richard Levitte]
+
+ *) Change the possible version information given with OPENSSL_API_COMPAT.
+ It may be a pre-3.0.0 style numerical version number as it was defined
+ in 1.1.0, and it may also simply take the major version number.
+
+ Because of the version numbering of pre-3.0.0 releases, the values 0,
+ 1 and 2 are equivalent to 0x00908000L (0.9.8), 0x10000000L (1.0.0) and
+ 0x10100000L (1.1.0), respectively.
+ [Richard Levitte]
+
+ *) Switch to a new version scheme using three numbers MAJOR.MINOR.PATCH.
+
+ o Major releases (indicated by incrementing the MAJOR release number)
+ may introduce incompatible API/ABI changes.
+ o Minor releases (indicated by incrementing the MINOR release number)
+ may introduce new features but retain API/ABI compatibility.
+ o Patch releases (indicated by incrementing the PATCH number)
+ are intended for bug fixes and other improvements of existing
+ features only (like improving performance or adding documentation)
+ and retain API/ABI compatibility.
+ [Richard Levitte]
+
+ *) Add support for RFC5297 SIV mode (siv128), including AES-SIV.
+ [Todd Short]
+
+ *) Remove the 'dist' target and add a tarball building script. The
+ 'dist' target has fallen out of use, and it shouldn't be
+ necessary to configure just to create a source distribution.
+ [Richard Levitte]
+
+ *) Recreate the OS390-Unix config target. It no longer relies on a
+ special script like it did for OpenSSL pre-1.1.0.
+ [Richard Levitte]
+
+ *) Instead of having the source directories listed in Configure, add
+ a 'build.info' keyword SUBDIRS to indicate what sub-directories to
+ look into.
+ [Richard Levitte]
+
+ *) Add GMAC to EVP_MAC.
+ [Paul Dale]
+
+ *) Ported the HMAC, CMAC and SipHash EVP_PKEY_METHODs to EVP_MAC.
+ [Richard Levitte]
+
+ *) Added EVP_MAC, an EVP layer MAC API, to simplify adding MAC
+ implementations. This includes a generic EVP_PKEY to EVP_MAC bridge,
+ to facilitate the continued use of MACs through raw private keys in
+ functionality such as EVP_DigestSign* and EVP_DigestVerify*.
+ [Richard Levitte]
+
+ *) Deprecate ECDH_KDF_X9_62() and mark its replacement as internal. Users
+ should use the EVP interface instead (EVP_PKEY_CTX_set_ecdh_kdf_type).
+ [Antoine Salon]
+
+ *) Added EVP_PKEY_ECDH_KDF_X9_63 and ecdh_KDF_X9_63() as replacements for
+ the EVP_PKEY_ECDH_KDF_X9_62 KDF type and ECDH_KDF_X9_62(). The old names
+ are retained for backwards compatibility.
+ [Antoine Salon]
+
+ *) AES-XTS mode now enforces that its two keys are different to mitigate
+ the attacked described in "Efficient Instantiations of Tweakable
+ Blockciphers and Refinements to Modes OCB and PMAC" by Phillip Rogaway.
+ Details of this attack can be obtained from:
+ http://web.cs.ucdavis.edu/%7Erogaway/papers/offsets.pdf
+ [Paul Dale]
+
+ *) Rename the object files, i.e. give them other names than in previous
+ versions. Their names now include the name of the final product, as
+ well as its type mnemonic (bin, lib, shlib).
+ [Richard Levitte]
+
+ *) Added new option for 'openssl list', '-objects', which will display the
+ list of built in objects, i.e. OIDs with names.
+ [Richard Levitte]
+
+ *) Added support for Linux Kernel TLS data-path. The Linux Kernel data-path
+ improves application performance by removing data copies and providing
+ applications with zero-copy system calls such as sendfile and splice.
+ [Boris Pismenny]
+
+ Changes between 1.1.1 and 1.1.1a [20 Nov 2018]
+
+ *) Timing vulnerability in DSA signature generation
+
+ The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
+ timing side channel attack. An attacker could use variations in the signing
+ algorithm to recover the private key.
+
+ This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
+ (CVE-2018-0734)
+ [Paul Dale]
+
+ *) Timing vulnerability in ECDSA signature generation
+
+ The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a
+ timing side channel attack. An attacker could use variations in the signing
+ algorithm to recover the private key.
+
+ This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser.
+ (CVE-2018-0735)
+ [Paul Dale]
+
+ *) Fixed the issue that RAND_add()/RAND_seed() silently discards random input
+ if its length exceeds 4096 bytes. The limit has been raised to a buffer size
+ of two gigabytes and the error handling improved.
+
+ This issue was reported to OpenSSL by Dr. Falko Strenzke. It has been
+ categorized as a normal bug, not a security issue, because the DRBG reseeds
+ automatically and is fully functional even without additional randomness
+ provided by the application.
+
+ Changes between 1.1.0i and 1.1.1 [11 Sep 2018]
+
+ *) Add a new ClientHello callback. Provides a callback interface that gives
+ the application the ability to adjust the nascent SSL object at the
+ earliest stage of ClientHello processing, immediately after extensions have
+ been collected but before they have been processed. In particular, this
+ callback can adjust the supported TLS versions in response to the contents
+ of the ClientHello
+ [Benjamin Kaduk]
+
+ *) Add SM2 base algorithm support.
+ [Jack Lloyd]
+
+ *) s390x assembly pack: add (improved) hardware-support for the following
+ cryptographic primitives: sha3, shake, aes-gcm, aes-ccm, aes-ctr, aes-ofb,
+ aes-cfb/cfb8, aes-ecb.
+ [Patrick Steuer]
+
+ *) Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str
+ parameter is no longer accepted, as it leads to a corrupt table. NULL
+ pem_str is reserved for alias entries only.
+ [Richard Levitte]
+
+ *) Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder
+ step for prime curves. The new implementation is based on formulae from
+ differential addition-and-doubling in homogeneous projective coordinates
+ from Izu-Takagi "A fast parallel elliptic curve multiplication resistant
+ against side channel attacks" and Brier-Joye "Weierstrass Elliptic Curves
+ and Side-Channel Attacks" Eq. (8) for y-coordinate recovery, modified
+ to work in projective coordinates.
+ [Billy Bob Brumley, Nicola Tuveri]
+
+ *) Change generating and checking of primes so that the error rate of not
+ being prime depends on the intended use based on the size of the input.
+ For larger primes this will result in more rounds of Miller-Rabin.
+ The maximal error rate for primes with more than 1080 bits is lowered
+ to 2^-128.
+ [Kurt Roeckx, Annie Yousar]
+
+ *) Increase the number of Miller-Rabin rounds for DSA key generating to 64.
+ [Kurt Roeckx]
+
+ *) The 'tsget' script is renamed to 'tsget.pl', to avoid confusion when
+ moving between systems, and to avoid confusion when a Windows build is
+ done with mingw vs with MSVC. For POSIX installs, there's still a
+ symlink or copy named 'tsget' to avoid that confusion as well.
+ [Richard Levitte]
+
+ *) Revert blinding in ECDSA sign and instead make problematic addition
+ length-invariant. Switch even to fixed-length Montgomery multiplication.
+ [Andy Polyakov]
+
+ *) Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder
+ step for binary curves. The new implementation is based on formulae from
+ differential addition-and-doubling in mixed Lopez-Dahab projective
+ coordinates, modified to independently blind the operands.
+ [Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri]
+
+ *) Add a scaffold to optionally enhance the Montgomery ladder implementation
+ for `ec_scalar_mul_ladder` (formerly `ec_mul_consttime`) allowing
+ EC_METHODs to implement their own specialized "ladder step", to take
+ advantage of more favorable coordinate systems or more efficient
+ differential addition-and-doubling algorithms.
+ [Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri]
+
+ *) Modified the random device based seed sources to keep the relevant
+ file descriptors open rather than reopening them on each access.
+ This allows such sources to operate in a chroot() jail without
+ the associated device nodes being available. This behaviour can be
+ controlled using RAND_keep_random_devices_open().
+ [Paul Dale]
+
+ *) Numerous side-channel attack mitigations have been applied. This may have
+ performance impacts for some algorithms for the benefit of improved
+ security. Specific changes are noted in this change log by their respective
+ authors.
+ [Matt Caswell]
+
+ *) AIX shared library support overhaul. Switch to AIX "natural" way of
+ handling shared libraries, which means collecting shared objects of
+ different versions and bitnesses in one common archive. This allows to
+ mitigate conflict between 1.0 and 1.1 side-by-side installations. It
+ doesn't affect the way 3rd party applications are linked, only how
+ multi-version installation is managed.
+ [Andy Polyakov]
+
+ *) Make ec_group_do_inverse_ord() more robust and available to other
+ EC cryptosystems, so that irrespective of BN_FLG_CONSTTIME, SCA
+ mitigations are applied to the fallback BN_mod_inverse().
+ When using this function rather than BN_mod_inverse() directly, new
+ EC cryptosystem implementations are then safer-by-default.
+ [Billy Bob Brumley]
+
+ *) Add coordinate blinding for EC_POINT and implement projective
+ coordinate blinding for generic prime curves as a countermeasure to
+ chosen point SCA attacks.
+ [Sohaib ul Hassan, Nicola Tuveri, Billy Bob Brumley]
+
+ *) Add blinding to ECDSA and DSA signatures to protect against side channel
+ attacks discovered by Keegan Ryan (NCC Group).
+ [Matt Caswell]
+
+ *) Enforce checking in the pkeyutl command line app to ensure that the input
+ length does not exceed the maximum supported digest length when performing
+ a sign, verify or verifyrecover operation.
+ [Matt Caswell]
+
+ *) SSL_MODE_AUTO_RETRY is enabled by default. Applications that use blocking
+ I/O in combination with something like select() or poll() will hang. This
+ can be turned off again using SSL_CTX_clear_mode().
+ Many applications do not properly handle non-application data records, and
+ TLS 1.3 sends more of such records. Setting SSL_MODE_AUTO_RETRY works
+ around the problems in those applications, but can also break some.
+ It's recommended to read the manpages about SSL_read(), SSL_write(),
+ SSL_get_error(), SSL_shutdown(), SSL_CTX_set_mode() and
+ SSL_CTX_set_read_ahead() again.
+ [Kurt Roeckx]
+
+ *) When unlocking a pass phrase protected PEM file or PKCS#8 container, we
+ now allow empty (zero character) pass phrases.
+ [Richard Levitte]
+
+ *) Apply blinding to binary field modular inversion and remove patent
+ pending (OPENSSL_SUN_GF2M_DIV) BN_GF2m_mod_div implementation.
+ [Billy Bob Brumley]
+
+ *) Deprecate ec2_mult.c and unify scalar multiplication code paths for
+ binary and prime elliptic curves.
+ [Billy Bob Brumley]
+
+ *) Remove ECDSA nonce padding: EC_POINT_mul is now responsible for
+ constant time fixed point multiplication.
+ [Billy Bob Brumley]
+
+ *) Revise elliptic curve scalar multiplication with timing attack
+ defenses: ec_wNAF_mul redirects to a constant time implementation
+ when computing fixed point and variable point multiplication (which
+ in OpenSSL are mostly used with secret scalars in keygen, sign,
+ ECDH derive operations).
+ [Billy Bob Brumley, Nicola Tuveri, Cesar Pereida García,
+ Sohaib ul Hassan]
+
+ *) Updated CONTRIBUTING
+ [Rich Salz]
+
+ *) Updated DRBG / RAND to request nonce and additional low entropy
+ randomness from the system.
+ [Matthias St. Pierre]
+
+ *) Updated 'openssl rehash' to use OpenSSL consistent default.
+ [Richard Levitte]
+
+ *) Moved the load of the ssl_conf module to libcrypto, which helps
+ loading engines that libssl uses before libssl is initialised.
+ [Matt Caswell]
+
+ *) Added EVP_PKEY_sign() and EVP_PKEY_verify() for EdDSA
+ [Matt Caswell]
+
+ *) Fixed X509_NAME_ENTRY_set to get multi-valued RDNs right in all cases.
+ [Ingo Schwarze, Rich Salz]
+
+ *) Added output of accepting IP address and port for 'openssl s_server'
+ [Richard Levitte]
+
+ *) Added a new API for TLSv1.3 ciphersuites:
+ SSL_CTX_set_ciphersuites()
+ SSL_set_ciphersuites()
+ [Matt Caswell]
+
+ *) Memory allocation failures consistenly add an error to the error
+ stack.
+ [Rich Salz]
+
+ *) Don't use OPENSSL_ENGINES and OPENSSL_CONF environment values
+ in libcrypto when run as setuid/setgid.
+ [Bernd Edlinger]
+
+ *) Load any config file by default when libssl is used.
+ [Matt Caswell]
+
+ *) Added new public header file <openssl/rand_drbg.h> and documentation
+ for the RAND_DRBG API. See manual page RAND_DRBG(7) for an overview.
+ [Matthias St. Pierre]
+
+ *) QNX support removed (cannot find contributors to get their approval
+ for the license change).
+ [Rich Salz]
+
+ *) TLSv1.3 replay protection for early data has been implemented. See the
+ SSL_read_early_data() man page for further details.
+ [Matt Caswell]
+
+ *) Separated TLSv1.3 ciphersuite configuration out from TLSv1.2 ciphersuite
+ configuration. TLSv1.3 ciphersuites are not compatible with TLSv1.2 and
+ below. Similarly TLSv1.2 ciphersuites are not compatible with TLSv1.3.
+ In order to avoid issues where legacy TLSv1.2 ciphersuite configuration
+ would otherwise inadvertently disable all TLSv1.3 ciphersuites the
+ configuration has been separated out. See the ciphers man page or the
+ SSL_CTX_set_ciphersuites() man page for more information.
+ [Matt Caswell]
+
+ *) On POSIX (BSD, Linux, ...) systems the ocsp(1) command running
+ in responder mode now supports the new "-multi" option, which
+ spawns the specified number of child processes to handle OCSP
+ requests. The "-timeout" option now also limits the OCSP
+ responder's patience to wait to receive the full client request
+ on a newly accepted connection. Child processes are respawned
+ as needed, and the CA index file is automatically reloaded
+ when changed. This makes it possible to run the "ocsp" responder
+ as a long-running service, making the OpenSSL CA somewhat more
+ feature-complete. In this mode, most diagnostic messages logged
+ after entering the event loop are logged via syslog(3) rather than
+ written to stderr.
+ [Viktor Dukhovni]
+
+ *) Added support for X448 and Ed448. Heavily based on original work by
+ Mike Hamburg.
+ [Matt Caswell]
+
+ *) Extend OSSL_STORE with capabilities to search and to narrow the set of
+ objects loaded. This adds the functions OSSL_STORE_expect() and
+ OSSL_STORE_find() as well as needed tools to construct searches and
+ get the search data out of them.
+ [Richard Levitte]
+
+ *) Support for TLSv1.3 added. Note that users upgrading from an earlier
+ version of OpenSSL should review their configuration settings to ensure
+ that they are still appropriate for TLSv1.3. For further information see:
+ https://wiki.openssl.org/index.php/TLS1.3
+ [Matt Caswell]
+
+ *) Grand redesign of the OpenSSL random generator
+
+ The default RAND method now utilizes an AES-CTR DRBG according to
+ NIST standard SP 800-90Ar1. The new random generator is essentially
+ a port of the default random generator from the OpenSSL FIPS 2.0
+ object module. It is a hybrid deterministic random bit generator
+ using an AES-CTR bit stream and which seeds and reseeds itself
+ automatically using trusted system entropy sources.
+
+ Some of its new features are:
+ o Support for multiple DRBG instances with seed chaining.
+ o The default RAND method makes use of a DRBG.
+ o There is a public and private DRBG instance.
+ o The DRBG instances are fork-safe.
+ o Keep all global DRBG instances on the secure heap if it is enabled.
+ o The public and private DRBG instance are per thread for lock free
+ operation
+ [Paul Dale, Benjamin Kaduk, Kurt Roeckx, Rich Salz, Matthias St. Pierre]
+
+ *) Changed Configure so it only says what it does and doesn't dump
+ so much data. Instead, ./configdata.pm should be used as a script
+ to display all sorts of configuration data.
+ [Richard Levitte]
+
+ *) Added processing of "make variables" to Configure.
+ [Richard Levitte]
+
+ *) Added SHA512/224 and SHA512/256 algorithm support.
+ [Paul Dale]
+
+ *) The last traces of Netware support, first removed in 1.1.0, have
+ now been removed.
+ [Rich Salz]
+
+ *) Get rid of Makefile.shared, and in the process, make the processing
+ of certain files (rc.obj, or the .def/.map/.opt files produced from
+ the ordinal files) more visible and hopefully easier to trace and
+ debug (or make silent).
+ [Richard Levitte]
+
+ *) Make it possible to have environment variable assignments as
+ arguments to config / Configure.
+ [Richard Levitte]
+
+ *) Add multi-prime RSA (RFC 8017) support.
+ [Paul Yang]
+
+ *) Add SM3 implemented according to GB/T 32905-2016
+ [ Jack Lloyd <jack.lloyd@ribose.com>,
+ Ronald Tse <ronald.tse@ribose.com>,
+ Erick Borsboom <erick.borsboom@ribose.com> ]
+
+ *) Add 'Maximum Fragment Length' TLS extension negotiation and support
+ as documented in RFC6066.
+ Based on a patch from Tomasz Moń
+ [Filipe Raimundo da Silva]
+
+ *) Add SM4 implemented according to GB/T 32907-2016.
+ [ Jack Lloyd <jack.lloyd@ribose.com>,
+ Ronald Tse <ronald.tse@ribose.com>,
+ Erick Borsboom <erick.borsboom@ribose.com> ]
+
+ *) Reimplement -newreq-nodes and ERR_error_string_n; the
+ original author does not agree with the license change.
+ [Rich Salz]
+
+ *) Add ARIA AEAD TLS support.
+ [Jon Spillett]
+
+ *) Some macro definitions to support VS6 have been removed. Visual
+ Studio 6 has not worked since 1.1.0
+ [Rich Salz]
+
+ *) Add ERR_clear_last_mark(), to allow callers to clear the last mark
+ without clearing the errors.
+ [Richard Levitte]
+
+ *) Add "atfork" functions. If building on a system that without
+ pthreads, see doc/man3/OPENSSL_fork_prepare.pod for application
+ requirements. The RAND facility now uses/requires this.
+ [Rich Salz]
+
+ *) Add SHA3.
+ [Andy Polyakov]
+
+ *) The UI API becomes a permanent and integral part of libcrypto, i.e.
+ not possible to disable entirely. However, it's still possible to
+ disable the console reading UI method, UI_OpenSSL() (use UI_null()
+ as a fallback).
+
+ To disable, configure with 'no-ui-console'. 'no-ui' is still
+ possible to use as an alias. Check at compile time with the
+ macro OPENSSL_NO_UI_CONSOLE. The macro OPENSSL_NO_UI is still
+ possible to check and is an alias for OPENSSL_NO_UI_CONSOLE.
+ [Richard Levitte]
+
+ *) Add a STORE module, which implements a uniform and URI based reader of
+ stores that can contain keys, certificates, CRLs and numerous other
+ objects. The main API is loosely based on a few stdio functions,
+ and includes OSSL_STORE_open, OSSL_STORE_load, OSSL_STORE_eof,
+ OSSL_STORE_error and OSSL_STORE_close.
+ The implementation uses backends called "loaders" to implement arbitrary
+ URI schemes. There is one built in "loader" for the 'file' scheme.
+ [Richard Levitte]
+
+ *) Add devcrypto engine. This has been implemented against cryptodev-linux,
+ then adjusted to work on FreeBSD 8.4 as well.
+ Enable by configuring with 'enable-devcryptoeng'. This is done by default
+ on BSD implementations, as cryptodev.h is assumed to exist on all of them.
+ [Richard Levitte]
+
+ *) Module names can prefixed with OSSL_ or OPENSSL_. This affects
+ util/mkerr.pl, which is adapted to allow those prefixes, leading to
+ error code calls like this:
+
+ OSSL_FOOerr(OSSL_FOO_F_SOMETHING, OSSL_FOO_R_WHATEVER);
+
+ With this change, we claim the namespaces OSSL and OPENSSL in a manner
+ that can be encoded in C. For the foreseeable future, this will only
+ affect new modules.
+ [Richard Levitte and Tim Hudson]
+
+ *) Removed BSD cryptodev engine.
+ [Rich Salz]
+
+ *) Add a build target 'build_all_generated', to build all generated files
+ and only that. This can be used to prepare everything that requires
+ things like perl for a system that lacks perl and then move everything
+ to that system and do the rest of the build there.
+ [Richard Levitte]
+
+ *) In the UI interface, make it possible to duplicate the user data. This
+ can be used by engines that need to retain the data for a longer time
+ than just the call where this user data is passed.
+ [Richard Levitte]
+
+ *) Ignore the '-named_curve auto' value for compatibility of applications
+ with OpenSSL 1.0.2.
+ [Tomas Mraz <tmraz@fedoraproject.org>]
+
+ *) Fragmented SSL/TLS alerts are no longer accepted. An alert message is 2
+ bytes long. In theory it is permissible in SSLv3 - TLSv1.2 to fragment such
+ alerts across multiple records (some of which could be empty). In practice
+ it make no sense to send an empty alert record, or to fragment one. TLSv1.3
+ prohibts this altogether and other libraries (BoringSSL, NSS) do not
+ support this at all. Supporting it adds significant complexity to the
+ record layer, and its removal is unlikely to cause inter-operability
+ issues.
+ [Matt Caswell]
+
+ *) Add the ASN.1 types INT32, UINT32, INT64, UINT64 and variants prefixed
+ with Z. These are meant to replace LONG and ZLONG and to be size safe.
+ The use of LONG and ZLONG is discouraged and scheduled for deprecation
+ in OpenSSL 1.2.0.
+ [Richard Levitte]
+
+ *) Add the 'z' and 'j' modifiers to BIO_printf() et al formatting string,
+ 'z' is to be used for [s]size_t, and 'j' - with [u]int64_t.
+ [Richard Levitte, Andy Polyakov]
+
+ *) Add EC_KEY_get0_engine(), which does for EC_KEY what RSA_get0_engine()
+ does for RSA, etc.
+ [Richard Levitte]
+
+ *) Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
+ platform rather than 'mingw'.
+ [Richard Levitte]
+
+ *) The functions X509_STORE_add_cert and X509_STORE_add_crl return
+ success if they are asked to add an object which already exists
+ in the store. This change cascades to other functions which load
+ certificates and CRLs.
+ [Paul Dale]
+
+ *) x86_64 assembly pack: annotate code with DWARF CFI directives to
+ facilitate stack unwinding even from assembly subroutines.
+ [Andy Polyakov]
+
+ *) Remove VAX C specific definitions of OPENSSL_EXPORT, OPENSSL_EXTERN.
+ Also remove OPENSSL_GLOBAL entirely, as it became a no-op.
+ [Richard Levitte]
+
+ *) Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c.
+ VMS C's RTL has a fully up to date gmtime() and gmtime_r() since V7.1,
+ which is the minimum version we support.
+ [Richard Levitte]
+
+ *) Certificate time validation (X509_cmp_time) enforces stricter
+ compliance with RFC 5280. Fractional seconds and timezone offsets
+ are no longer allowed.
+ [Emilia Käsper]
+
+ *) Add support for ARIA
+ [Paul Dale]
+
+ *) s_client will now send the Server Name Indication (SNI) extension by
+ default unless the new "-noservername" option is used. The server name is
+ based on the host provided to the "-connect" option unless overridden by
+ using "-servername".
+ [Matt Caswell]
+
+ *) Add support for SipHash
+ [Todd Short]
+
+ *) OpenSSL now fails if it receives an unrecognised record type in TLS1.0
+ or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to
+ prevent issues where no progress is being made and the peer continually
+ sends unrecognised record types, using up resources processing them.
+ [Matt Caswell]
+
+ *) 'openssl passwd' can now produce SHA256 and SHA512 based output,
+ using the algorithm defined in
+ https://www.akkadia.org/drepper/SHA-crypt.txt
+ [Richard Levitte]
+
+ *) Heartbeat support has been removed; the ABI is changed for now.
+ [Richard Levitte, Rich Salz]
+
+ *) Support for SSL_OP_NO_ENCRYPT_THEN_MAC in SSL_CONF_cmd.
+ [Emilia Käsper]
+
+ *) The RSA "null" method, which was partially supported to avoid patent
+ issues, has been replaced to always returns NULL.
+ [Rich Salz]
+
+
+ Changes between 1.1.0h and 1.1.0i [xx XXX xxxx]
+
+ *) Client DoS due to large DH parameter
+
+ During key agreement in a TLS handshake using a DH(E) based ciphersuite a
+ malicious server can send a very large prime value to the client. This will
+ cause the client to spend an unreasonably long period of time generating a
+ key for this prime resulting in a hang until the client has finished. This
+ could be exploited in a Denial Of Service attack.
+
+ This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken
+ (CVE-2018-0732)
+ [Guido Vranken]
+
+ *) Cache timing vulnerability in RSA Key Generation
+
+ The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to
+ a cache timing side channel attack. An attacker with sufficient access to
+ mount cache timing attacks during the RSA key generation process could
+ recover the private key.
+
+ This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera
+ Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
+ (CVE-2018-0737)
+ [Billy Brumley]
+
+ *) Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str
+ parameter is no longer accepted, as it leads to a corrupt table. NULL
+ pem_str is reserved for alias entries only.
+ [Richard Levitte]
+
+ *) Revert blinding in ECDSA sign and instead make problematic addition
+ length-invariant. Switch even to fixed-length Montgomery multiplication.
+ [Andy Polyakov]
+
+ *) Change generating and checking of primes so that the error rate of not
+ being prime depends on the intended use based on the size of the input.
+ For larger primes this will result in more rounds of Miller-Rabin.
+ The maximal error rate for primes with more than 1080 bits is lowered
+ to 2^-128.
+ [Kurt Roeckx, Annie Yousar]
+
+ *) Increase the number of Miller-Rabin rounds for DSA key generating to 64.
+ [Kurt Roeckx]
+
+ *) Add blinding to ECDSA and DSA signatures to protect against side channel
+ attacks discovered by Keegan Ryan (NCC Group).
+ [Matt Caswell]
+
+ *) When unlocking a pass phrase protected PEM file or PKCS#8 container, we
+ now allow empty (zero character) pass phrases.
+ [Richard Levitte]
+
+ *) Certificate time validation (X509_cmp_time) enforces stricter
+ compliance with RFC 5280. Fractional seconds and timezone offsets
+ are no longer allowed.
+ [Emilia Käsper]
+
+ *) Fixed a text canonicalisation bug in CMS
+
+ Where a CMS detached signature is used with text content the text goes
+ through a canonicalisation process first prior to signing or verifying a
+ signature. This process strips trailing space at the end of lines, converts
+ line terminators to CRLF and removes additional trailing line terminators
+ at the end of a file. A bug in the canonicalisation process meant that
+ some characters, such as form-feed, were incorrectly treated as whitespace
+ and removed. This is contrary to the specification (RFC5485). This fix
+ could mean that detached text data signed with an earlier version of
+ OpenSSL 1.1.0 may fail to verify using the fixed version, or text data
+ signed with a fixed OpenSSL may fail to verify with an earlier version of
+ OpenSSL 1.1.0. A workaround is to only verify the canonicalised text data
+ and use the "-binary" flag (for the "cms" command line application) or set
+ the SMIME_BINARY/PKCS7_BINARY/CMS_BINARY flags (if using CMS_verify()).
+ [Matt Caswell]
+
+ Changes between 1.1.0g and 1.1.0h [27 Mar 2018]
+
+ *) Constructed ASN.1 types with a recursive definition could exceed the stack
+
+ Constructed ASN.1 types with a recursive definition (such as can be found
+ in PKCS7) could eventually exceed the stack given malicious input with
+ excessive recursion. This could result in a Denial Of Service attack. There
+ are no such structures used within SSL/TLS that come from untrusted sources
+ so this is considered safe.
+
+ This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz
+ project.
+ (CVE-2018-0739)
+ [Matt Caswell]
+
+ *) Incorrect CRYPTO_memcmp on HP-UX PA-RISC
+
+ Because of an implementation bug the PA-RISC CRYPTO_memcmp function is
+ effectively reduced to only comparing the least significant bit of each
+ byte. This allows an attacker to forge messages that would be considered as
+ authenticated in an amount of tries lower than that guaranteed by the
+ security claims of the scheme. The module can only be compiled by the
+ HP-UX assembler, so that only HP-UX PA-RISC targets are affected.
+
+ This issue was reported to OpenSSL on 2nd March 2018 by Peter Waltenberg
+ (IBM).
+ (CVE-2018-0733)
+ [Andy Polyakov]
+
+ *) Add a build target 'build_all_generated', to build all generated files
+ and only that. This can be used to prepare everything that requires
+ things like perl for a system that lacks perl and then move everything
+ to that system and do the rest of the build there.
+ [Richard Levitte]
+
+ *) Backport SSL_OP_NO_RENGOTIATION
+
+ OpenSSL 1.0.2 and below had the ability to disable renegotiation using the
+ (undocumented) SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag. Due to the opacity
+ changes this is no longer possible in 1.1.0. Therefore the new
+ SSL_OP_NO_RENEGOTIATION option from 1.1.1-dev has been backported to
+ 1.1.0 to provide equivalent functionality.
+
+ Note that if an application built against 1.1.0h headers (or above) is run
+ using an older version of 1.1.0 (prior to 1.1.0h) then the option will be
+ accepted but nothing will happen, i.e. renegotiation will not be prevented.
+ [Matt Caswell]
+
+ *) Removed the OS390-Unix config target. It relied on a script that doesn't
+ exist.
+ [Rich Salz]
+
+ *) rsaz_1024_mul_avx2 overflow bug on x86_64
+
+ There is an overflow bug in the AVX2 Montgomery multiplication procedure
+ used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
+ Analysis suggests that attacks against RSA and DSA as a result of this
+ defect would be very difficult to perform and are not believed likely.
+ Attacks against DH1024 are considered just feasible, because most of the
+ work necessary to deduce information about a private key may be performed
+ offline. The amount of resources required for such an attack would be
+ significant. However, for an attack on TLS to be meaningful, the server
+ would have to share the DH1024 private key among multiple clients, which is
+ no longer an option since CVE-2016-0701.
+
+ This only affects processors that support the AVX2 but not ADX extensions
+ like Intel Haswell (4th generation).
+
+ This issue was reported to OpenSSL by David Benjamin (Google). The issue
+ was originally found via the OSS-Fuzz project.
+ (CVE-2017-3738)
+ [Andy Polyakov]
+
+ Changes between 1.1.0f and 1.1.0g [2 Nov 2017]
+
+ *) bn_sqrx8x_internal carry bug on x86_64
+
+ There is a carry propagating bug in the x86_64 Montgomery squaring
+ procedure. No EC algorithms are affected. Analysis suggests that attacks
+ against RSA and DSA as a result of this defect would be very difficult to
+ perform and are not believed likely. Attacks against DH are considered just
+ feasible (although very difficult) because most of the work necessary to
+ deduce information about a private key may be performed offline. The amount
+ of resources required for such an attack would be very significant and
+ likely only accessible to a limited number of attackers. An attacker would
+ additionally need online access to an unpatched system using the target
+ private key in a scenario with persistent DH parameters and a private
+ key that is shared between multiple clients.
+
+ This only affects processors that support the BMI1, BMI2 and ADX extensions
+ like Intel Broadwell (5th generation) and later or AMD Ryzen.
+
+ This issue was reported to OpenSSL by the OSS-Fuzz project.
+ (CVE-2017-3736)
+ [Andy Polyakov]
+
+ *) Malformed X.509 IPAddressFamily could cause OOB read
+
+ If an X.509 certificate has a malformed IPAddressFamily extension,
+ OpenSSL could do a one-byte buffer overread. The most likely result
+ would be an erroneous display of the certificate in text format.
+
+ This issue was reported to OpenSSL by the OSS-Fuzz project.
+ (CVE-2017-3735)
+ [Rich Salz]
+
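Review bot: the CVE-2017-3736 description (bn_sqrx8x_internal carry bug) repeats the CVE-2017-3732 entry word for word from "There is a carry propagating bug in the x86_64 Montgomery squaring procedure" through "a private key that is shared between multiple clients"; only the title and the affected-processor line (BMI1, BMI2 and ADX; Broadwell and later, AMD Ryzen) distinguish the two. Since the CVE-2017-3732 entry already carries the sentence "Note: This issue is very similar to CVE-2015-3193 but must be treated as a separate problem", add the matching sentence here, e.g. "Note: This issue is very similar to CVE-2017-3732 but must be treated as a separate problem", so a reader scanning the changelog does not take the 1.1.0g entry for a repeat of the 1.1.0d one.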
+ Changes between 1.1.0e and 1.1.0f [25 May 2017]
+
+ *) Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
+ platform rather than 'mingw'.
+ [Richard Levitte]
+
+ *) Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c.
+ VMS C's RTL has a fully up to date gmtime() and gmtime_r() since V7.1,
+ which is the minimum version we support.
+ [Richard Levitte]
+
+ Changes between 1.1.0d and 1.1.0e [16 Feb 2017]
+
+ *) Encrypt-Then-Mac renegotiation crash
+
+ During a renegotiation handshake if the Encrypt-Then-Mac extension is
+ negotiated where it was not in the original handshake (or vice-versa) then
+ this can cause OpenSSL to crash (dependant on ciphersuite). Both clients
+ and servers are affected.
+
+ This issue was reported to OpenSSL by Joe Orton (Red Hat).
+ (CVE-2017-3733)
+ [Matt Caswell]
+
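Review bot: typo in the Encrypt-Then-Mac renegotiation entry: "this can cause OpenSSL to crash (dependant on ciphersuite)" should read "(dependent on ciphersuite)".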
+ Changes between 1.1.0c and 1.1.0d [26 Jan 2017]
+
+ *) Truncated packet could crash via OOB read
+
+ If one side of an SSL/TLS path is running on a 32-bit host and a specific
+ cipher is being used, then a truncated packet can cause that host to
+ perform an out-of-bounds read, usually resulting in a crash.
+
+ This issue was reported to OpenSSL by Robert Święcki of Google.
+ (CVE-2017-3731)
+ [Andy Polyakov]
+
+ *) Bad (EC)DHE parameters cause a client crash
+
+ If a malicious server supplies bad parameters for a DHE or ECDHE key
+ exchange then this can result in the client attempting to dereference a
+ NULL pointer leading to a client crash. This could be exploited in a Denial
+ of Service attack.
+
+ This issue was reported to OpenSSL by Guido Vranken.
+ (CVE-2017-3730)
+ [Matt Caswell]
+
+ *) BN_mod_exp may produce incorrect results on x86_64
+
+ There is a carry propagating bug in the x86_64 Montgomery squaring
+ procedure. No EC algorithms are affected. Analysis suggests that attacks
+ against RSA and DSA as a result of this defect would be very difficult to
+ perform and are not believed likely. Attacks against DH are considered just
+ feasible (although very difficult) because most of the work necessary to
+ deduce information about a private key may be performed offline. The amount
+ of resources required for such an attack would be very significant and
+ likely only accessible to a limited number of attackers. An attacker would
+ additionally need online access to an unpatched system using the target
+ private key in a scenario with persistent DH parameters and a private
+ key that is shared between multiple clients. For example this can occur by
+ default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very
+ similar to CVE-2015-3193 but must be treated as a separate problem.
+
+ This issue was reported to OpenSSL by the OSS-Fuzz project.
+ (CVE-2017-3732)
+ [Andy Polyakov]
+
+ Changes between 1.1.0b and 1.1.0c [10 Nov 2016]
+
+ *) ChaCha20/Poly1305 heap-buffer-overflow
+
+ TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to
+ a DoS attack by corrupting larger payloads. This can result in an OpenSSL
+ crash. This issue is not considered to be exploitable beyond a DoS.
+
+ This issue was reported to OpenSSL by Robert Święcki (Google Security Team)
+ (CVE-2016-7054)
+ [Richard Levitte]
+
+ *) CMS Null dereference
+
+ Applications parsing invalid CMS structures can crash with a NULL pointer
+ dereference. This is caused by a bug in the handling of the ASN.1 CHOICE
+ type in OpenSSL 1.1.0 which can result in a NULL value being passed to the
+ structure callback if an attempt is made to free certain invalid encodings.
+ Only CHOICE structures using a callback which do not handle NULL value are
+ affected.
+
+ This issue was reported to OpenSSL by Tyler Nighswander of ForAllSecure.
+ (CVE-2016-7053)
+ [Stephen Henson]
+
+ *) Montgomery multiplication may produce incorrect results
+
+ There is a carry propagating bug in the Broadwell-specific Montgomery
+ multiplication procedure that handles input lengths divisible by, but
+ longer than 256 bits. Analysis suggests that attacks against RSA, DSA
+ and DH private keys are impossible. This is because the subroutine in
+ question is not used in operations with the private key itself and an input
+ of the attacker's direct choice. Otherwise the bug can manifest itself as
+ transient authentication and key negotiation failures or reproducible
+ erroneous outcome of public-key operations with specially crafted input.
+ Among EC algorithms only Brainpool P-512 curves are affected and one
+ presumably can attack ECDH key negotiation. Impact was not analyzed in
+ detail, because pre-requisites for attack are considered unlikely. Namely
+ multiple clients have to choose the curve in question and the server has to
+ share the private key among them, neither of which is default behaviour.
+ Even then only clients that chose the curve will be affected.
+
+ This issue was publicly reported as transient failures and was not
+ initially recognized as a security issue. Thanks to Richard Morgan for
+ providing reproducible case.
+ (CVE-2016-7055)
+ [Andy Polyakov]
+
+ *) Removed automatic addition of RPATH in shared libraries and executables,
+ as this was a remainder from OpenSSL 1.0.x and isn't needed any more.
+ [Richard Levitte]
+
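Review bot: three wording slips in the 1.1.0c section. In the ChaCha20/Poly1305 entry the credit line "This issue was reported to OpenSSL by Robert Święcki (Google Security Team)" lacks the terminating period the other credit lines have. In the CMS entry, "Only CHOICE structures using a callback which do not handle NULL value are affected" should read "using a callback which does not handle a NULL value". In the Montgomery multiplication entry, "Thanks to Richard Morgan for providing reproducible case" should be "providing a reproducible case".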
+ Changes between 1.1.0a and 1.1.0b [26 Sep 2016]
+
+ *) Fix Use After Free for large message sizes
+
+ The patch applied to address CVE-2016-6307 resulted in an issue where if a
+ message larger than approx 16k is received then the underlying buffer to
+ store the incoming message is reallocated and moved. Unfortunately a
+ dangling pointer to the old location is left which results in an attempt to
+ write to the previously freed location. This is likely to result in a
+ crash, however it could potentially lead to execution of arbitrary code.
+
+ This issue only affects OpenSSL 1.1.0a.
+
+ This issue was reported to OpenSSL by Robert Święcki.
+ (CVE-2016-6309)
+ [Matt Caswell]
+
+ Changes between 1.1.0 and 1.1.0a [22 Sep 2016]
+
+ *) OCSP Status Request extension unbounded memory growth
+
+ A malicious client can send an excessively large OCSP Status Request
+ extension. If that client continually requests renegotiation, sending a
+ large OCSP Status Request extension each time, then there will be unbounded
+ memory growth on the server. This will eventually lead to a Denial Of
+ Service attack through memory exhaustion. Servers with a default
+ configuration are vulnerable even if they do not support OCSP. Builds using
+ the "no-ocsp" build time option are not affected.
+
+ This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
+ (CVE-2016-6304)
+ [Matt Caswell]
+
+ *) SSL_peek() hang on empty record
+
+ OpenSSL 1.1.0 SSL/TLS will hang during a call to SSL_peek() if the peer
+ sends an empty record. This could be exploited by a malicious peer in a
+ Denial Of Service attack.
+
+ This issue was reported to OpenSSL by Alex Gaynor.
+ (CVE-2016-6305)
+ [Matt Caswell]
+
+ *) Excessive allocation of memory in tls_get_message_header() and
+ dtls1_preprocess_fragment()
+
+ A (D)TLS message includes 3 bytes for its length in the header for the
+ message. This would allow for messages up to 16Mb in length. Messages of
+ this length are excessive and OpenSSL includes a check to ensure that a
+ peer is sending reasonably sized messages in order to avoid too much memory
+ being consumed to service a connection. A flaw in the logic of version
+ 1.1.0 means that memory for the message is allocated too early, prior to
+ the excessive message length check. Due to way memory is allocated in
+ OpenSSL this could mean an attacker could force up to 21Mb to be allocated
+ to service a connection. This could lead to a Denial of Service through
+ memory exhaustion. However, the excessive message length check still takes
+ place, and this would cause the connection to immediately fail. Assuming
+ that the application calls SSL_free() on the failed connection in a timely
+ manner then the 21Mb of allocated memory will then be immediately freed
+ again. Therefore the excessive memory allocation will be transitory in
+ nature. This then means that there is only a security impact if:
+
+ 1) The application does not call SSL_free() in a timely manner in the event
+ that the connection fails
+ or
+ 2) The application is working in a constrained environment where there is
+ very little free memory
+ or
+ 3) The attacker initiates multiple connection attempts such that there are
+ multiple connections in a state where memory has been allocated for the
+ connection; SSL_free() has not yet been called; and there is insufficient
+ memory to service the multiple requests.
+
+ Except in the instance of (1) above any Denial Of Service is likely to be
+ transitory because as soon as the connection fails the memory is
+ subsequently freed again in the SSL_free() call. However there is an
+ increased risk during this period of application crashes due to the lack of
+ memory - which would then mean a more serious Denial of Service.
+
+ This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
+ (CVE-2016-6307 and CVE-2016-6308)
+ [Matt Caswell]
+
+ *) solaris-x86-cc, i.e. 32-bit configuration with vendor compiler,
+ had to be removed. Primary reason is that vendor assembler can't
+ assemble our modules with -KPIC flag. As result it, assembly
+ support, was not even available as option. But its lack means
+ lack of side-channel resistant code, which is incompatible with
+ security by todays standards. Fortunately gcc is readily available
+ prepackaged option, which we firmly point at...
+ [Andy Polyakov]
+
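Review bot: the solaris-x86-cc entry reads as an informal note rather than changelog text ("As result it, assembly support, was not even available as option", "security by todays standards", "which we firmly point at..."). Suggest something like: "As a result, assembly support was not available as an option, and without it there is no side-channel resistant code, which is incompatible with security by today's standards. gcc is readily available as a prepackaged option and is the compiler we recommend." In the tls_get_message_header() entry, "Due to way memory is allocated in OpenSSL" should be "Due to the way memory is allocated in OpenSSL", and both credit lines ending "(Gear Team, Qihoo 360 Inc.)" are missing their terminating period.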
+ Changes between 1.0.2h and 1.1.0 [25 Aug 2016]
+
+ *) Windows command-line tool supports UTF-8 opt-in option for arguments
+ and console input. Setting OPENSSL_WIN32_UTF8 environment variable
+ (to any value) allows Windows user to access PKCS#12 file generated
+ with Windows CryptoAPI and protected with non-ASCII password, as well
+ as files generated under UTF-8 locale on Linux also protected with
+ non-ASCII password.
+ [Andy Polyakov]
+
+ *) To mitigate the SWEET32 attack (CVE-2016-2183), 3DES cipher suites
+ have been disabled by default and removed from DEFAULT, just like RC4.
+ See the RC4 item below to re-enable both.
+ [Rich Salz]
+
+ *) The method for finding the storage location for the Windows RAND seed file
+ has changed. First we check %RANDFILE%. If that is not set then we check
+ the directories %HOME%, %USERPROFILE% and %SYSTEMROOT% in that order. If
+ all else fails we fall back to C:\.
+ [Matt Caswell]
+
+ *) The EVP_EncryptUpdate() function has had its return type changed from void
+ to int. A return of 0 indicates and error while a return of 1 indicates
+ success.
+ [Matt Caswell]
+
+ *) The flags RSA_FLAG_NO_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME and
+ DH_FLAG_NO_EXP_CONSTTIME which previously provided the ability to switch
+ off the constant time implementation for RSA, DSA and DH have been made
+ no-ops and deprecated.
+ [Matt Caswell]
+
+ *) Windows RAND implementation was simplified to only get entropy by
+ calling CryptGenRandom(). Various other RAND-related tickets
+ were also closed.
+ [Joseph Wylie Yandle, Rich Salz]
+
+ *) The stack and lhash API's were renamed to start with OPENSSL_SK_
+ and OPENSSL_LH_, respectively. The old names are available
+ with API compatibility. They new names are now completely documented.
+ [Rich Salz]
+
+ *) Unify TYPE_up_ref(obj) methods signature.
+ SSL_CTX_up_ref(), SSL_up_ref(), X509_up_ref(), EVP_PKEY_up_ref(),
+ X509_CRL_up_ref(), X509_OBJECT_up_ref_count() methods are now returning an
+ int (instead of void) like all others TYPE_up_ref() methods.
+ So now these methods also check the return value of CRYPTO_atomic_add(),
+ and the validity of object reference counter.
+ [fdasilvayy@gmail.com]
+
+ *) With Windows Visual Studio builds, the .pdb files are installed
+ alongside the installed libraries and executables. For a static
+ library installation, ossl_static.pdb is the associate compiler
+ generated .pdb file to be used when linking programs.
+ [Richard Levitte]
+
+ *) Remove openssl.spec. Packaging files belong with the packagers.
+ [Richard Levitte]
+
+ *) Automatic Darwin/OSX configuration has had a refresh, it will now
+ recognise x86_64 architectures automatically. You can still decide
+ to build for a different bitness with the environment variable
+ KERNEL_BITS (can be 32 or 64), for example:
+
+ KERNEL_BITS=32 ./config
+
+ [Richard Levitte]
+
+ *) Change default algorithms in pkcs8 utility to use PKCS#5 v2.0,
+ 256 bit AES and HMAC with SHA256.
+ [Steve Henson]
+
+ *) Remove support for MIPS o32 ABI on IRIX (and IRIX only).
+ [Andy Polyakov]
+
+ *) Triple-DES ciphers have been moved from HIGH to MEDIUM.
+ [Rich Salz]
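Review bot: grammar errors in the 1.1.0 section. In the EVP_EncryptUpdate() entry, "A return of 0 indicates and error while a return of 1 indicates success" should read "indicates an error"; in the stack/lhash entry, "They new names are now completely documented" should be "The new names"; and in the TYPE_up_ref entry, "like all others TYPE_up_ref() methods" should be "like all other TYPE_up_ref() methods". In the Windows RAND seed file entry, "we fall back to C:\." is ambiguous because the sentence-ending period follows the backslash; quoting the path ("we fall back to "C:\".") avoids it being read as part of the path.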