OpenSSL CHANGES
===============
-This is a high-level summary of the most important changes.
-For a full list of changes, see the [git commit log][log] and
-pick the appropriate release branch.
+This is a detailed breakdown of significant changes. For a high-level overview
+of changes in each release, see [NEWS.md](./NEWS.md).
+
+For a full list of changes, see the [git commit log][log] and pick the
+appropriate release branch.
[log]: https://github.com/openssl/openssl/commits/
OpenSSL Releases
----------------
+ - [OpenSSL 3.4](#openssl-34)
+ - [OpenSSL 3.3](#openssl-33)
- [OpenSSL 3.2](#openssl-32)
- [OpenSSL 3.1](#openssl-31)
- [OpenSSL 3.0](#openssl-30)
- [OpenSSL 1.0.0](#openssl-100)
- [OpenSSL 0.9.x](#openssl-09x)
+OpenSSL 3.4
+-----------
+
+### Changes between 3.3 and 3.4 [xx XXX xxxx]
+
+ * Added options `-not_before` and `-not_after` for explicit setting
+ start and end dates of certificates created with the `req` and `x509`
+ apps. Added the same options also to `ca` app as alias for
+ `-startdate` and `-enddate` options.
+
+ *Stephan Wurm*
+
+ * The X25519 and X448 key exchange implementation in the FIPS provider
+ is unapproved and has `fips=no` property.
+
+ *Tomáš Mráz*
+
+ * SHAKE-128 and SHAKE-256 implementations have no default digest length
+ anymore. That means these algorithms cannot be used with
+ EVP_DigestFinal/_ex() unless the `xoflen` param is set before.
+
+ This change was necessary because the preexisting default lengths were
+ half the size necessary for full collision resistance supported by these
+ algorithms.
+
+ *Tomáš Mráz*
+
+ * Setting `config_diagnostics=1` in the config file will cause errors to
+ be returned from SSL_CTX_new() and SSL_CTX_new_ex() if there is an error
+ in the ssl module configuration.
+
+ *Tomáš Mráz*
+
+ * Use an empty renegotiate extension in TLS client hellos instead of
+ the empty renegotiation SCSV, for all connections with a minimum TLS
+ version > 1.0.
+
+ *Tim Perry*
+
+ * Added support for integrity-only cipher suites TLS_SHA256_SHA256 and
+ TLS_SHA384_SHA384 in TLS 1.3, as defined in RFC 9150.
+
+ This work was sponsored by Siemens AG.
+
+ *Rajeev Ranjan*
+
+ * Added support for requesting CRL in CMP.
+
+ This work was sponsored by Siemens AG.
+
+ *Rajeev Ranjan*
+
+ * Added Attribute Certificate (RFC 5755) support. Attribute
+ Certificates can be created, parsed, modified and printed via the
+ public API. There is no command-line tool support at this time.
+
+ *Damian Hobson-Garcia*
+
+ * Added support to build Position Independent Executables (PIE). Configuration
+ option `enable-pie` configures the cflag '-fPIE' and ldflag '-pie' to
+ support Address Space Layout Randomization (ASLR) in the openssl executable,
+ removes reliance on external toolchain configurations.
+
+ *Craig Lorentzen*
+
+OpenSSL 3.3
+-----------
+
+### Changes between 3.3.0 and 3.3.1 [xx XXX xxxx]
+
+ * Fixed an issue where checking excessively long DSA keys or parameters may
+ be very slow.
+
+ Applications that use the functions EVP_PKEY_param_check() or
+ EVP_PKEY_public_check() to check a DSA public key or DSA parameters may
+ experience long delays. Where the key or parameters that are being checked
+ have been obtained from an untrusted source this may lead to a Denial of
+ Service.
+
+ To resolve this issue DSA keys larger than OPENSSL_DSA_MAX_MODULUS_BITS
+ will now fail the check immediately with a DSA_R_MODULUS_TOO_LARGE error
+ reason.
+
+ ([CVE-2024-4603])
+
+ *Tomáš Mráz*
+
+### Changes between 3.2 and 3.3.0 [9 Apr 2024]
+
+ * The `-verify` option to the `openssl crl` and `openssl req` will make
+ the program exit with 1 on failure.
+
+ *Vladimír Kotal*
+
+ * The BIO_get_new_index() function can only be called 127 times before it
+ reaches its upper bound of BIO_TYPE_MASK. It will now correctly return an
+ error of -1 once it is exhausted. Users may need to reserve using this
+ function for cases where BIO_find_type() is required. Either BIO_TYPE_NONE
+ or BIO_get_new_index() can be used to supply a type to BIO_meth_new().
+
+ *Shane Lontis*
+
+ * Added API functions SSL_SESSION_get_time_ex(), SSL_SESSION_set_time_ex()
+ using time_t which is Y2038 safe on 32 bit systems when 64 bit time
+ is enabled (e.g via setting glibc macro _TIME_BITS=64).
+
+ *Ijtaba Hussain*
+
+ * The d2i_ASN1_GENERALIZEDTIME(), d2i_ASN1_UTCTIME(), ASN1_TIME_check(), and
+ related functions have been augmented to check for a minimum length of
+ the input string, in accordance with ITU-T X.690 section 11.7 and 11.8.
+
+ *Job Snijders*
+
+ * Unknown entries in TLS SignatureAlgorithms, ClientSignatureAlgorithms
+ config options and the respective calls to SSL[_CTX]_set1_sigalgs() and
+ SSL[_CTX]_set1_client_sigalgs() that start with `?` character are
+ ignored and the configuration will still be used.
+
+ Similarly unknown entries that start with `?` character in a TLS
+ Groups config option or set with SSL[_CTX]_set1_groups_list() are ignored
+ and the configuration will still be used.
+
+ In both cases if the resulting list is empty, an error is returned.
+
+ *Tomáš Mráz*
+
+ * The EVP_PKEY_fromdata function has been augmented to allow for the derivation
+ of CRT (Chinese Remainder Theorem) parameters when requested. See the
+ OSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ param in the EVP_PKEY-RSA documentation.
+
+ *Neil Horman*
+
+ * The activate and soft_load configuration settings for providers in
+ openssl.cnf have been updated to require a value of [1|yes|true|on]
+ (in lower or UPPER case) to enable the setting. Conversely a value
+ of [0|no|false|off] will disable the setting. All other values, or the
+ omission of a value for these settings will result in an error.
+
+ *Neil Horman*
+
+ * Added `-set_issuer` and `-set_subject` options to `openssl x509` to
+ override the Issuer and Subject when creating a certificate. The `-subj`
+ option now is an alias for `-set_subject`.
+
+ *Job Snijders, George Michaelson*
+
+ * OPENSSL_sk_push() and sk_<TYPE>_push() functions now return 0 instead of -1
+ if called with a NULL stack argument.
+
+ *Tomáš Mráz*
+
+ * In `openssl speed`, changed the default hash function used with `hmac` from
+ `md5` to `sha256`.
+
+ *James Muir*
+
+ * Added several new features of CMPv3 defined in RFC 9480 and RFC 9483:
+ - `certProfile` request message header and respective `-profile` CLI option
+ - support for delayed delivery of all types of response messages
+
+ *David von Oheimb*
+
+ * The build of exporters (such as `.pc` files for pkg-config) cleaned up to
+ be less hard coded in the build file templates, and to allow easier
+ addition of more exporters. With that, an exporter for CMake is also
+ added.
+
+ *Richard Levitte*
+
+ * The BLAKE2s hash algorithm matches BLAKE2b's support
+ for configurable output length.
+
+ *Ahelenia Ziemiańska*
+
+ * New option `SSL_OP_PREFER_NO_DHE_KEX`, which allows configuring a TLS1.3
+ server to prefer session resumption using PSK-only key exchange over PSK
+ with DHE, if both are available.
+
+ *Markus Minichmayr, Tapkey GmbH*
+
+ * New API `SSL_write_ex2`, which can be used to send an end-of-stream (FIN)
+ condition in an optimised way when using QUIC.
+
+ *Hugo Landau*
+
+ * New atexit configuration switch, which controls whether the OPENSSL_cleanup
+ is registered when libcrypto is unloaded. This is turned off on NonStop
+ configurations because of loader differences on that platform compared to
+ Linux.
+
+ *Randall S. Becker*
+
+ * Support for qlog for tracing QUIC connections has been added.
+
+ The qlog output from OpenSSL currently uses a pre-standard draft version of
+ qlog. The output from OpenSSL will change in incompatible ways in future
+ releases, and is not subject to any format stability or compatibility
+ guarantees at this time. This functionality can be
+ disabled with the build-time option `no-unstable-qlog`. See the
+ openssl-qlog(7) manpage for details.
+
+ *Hugo Landau*
+
+ * Added APIs to allow configuring the negotiated idle timeout for QUIC
+ connections, and to allow determining the number of additional streams
+ that can currently be created for a QUIC connection.
+
+ *Hugo Landau*
+
+ * Added APIs to allow disabling implicit QUIC event processing for
+ QUIC SSL objects, allowing applications to control when event handling
+ occurs. Refer to the SSL_get_value_uint(3) manpage for details.
+
+ *Hugo Landau*
+
+ * Limited support for polling of QUIC connection and stream objects in a
+ non-blocking manner. Refer to the SSL_poll(3) manpage for details.
+
+ *Hugo Landau*
+
+ * Added APIs to allow querying the size and utilisation of a QUIC stream's
+ write buffer. Refer to the SSL_get_value_uint(3) manpage for details.
+
+ *Hugo Landau*
+
+ * New limit on HTTP response headers is introduced to HTTP client. The
+ default limit is set to 256 header lines. If limit is exceeded the
+ response processing stops with error HTTP_R_RESPONSE_TOO_MANY_HDRLINES.
+ Application may call OSSL_HTTP_REQ_CTX_set_max_response_hdr_lines(3)
+ to change the default. Setting the value to 0 disables the limit.
+
+ *Alexandr Nedvedicky*
+
+ * Applied AES-GCM unroll8 optimisation to Microsoft Azure Cobalt 100
+
+ *Tom Cosgrove*
+
+ * Added X509_STORE_get1_objects to avoid issues with the existing
+ X509_STORE_get0_objects API in multi-threaded applications. Refer to the
+ documentation for details.
+
+ *David Benjamin*
+
+ * Added assembly implementation for md5 on loongarch64
+
+ *Min Zhou*
+
+ * Optimized AES-CTR for ARM Neoverse V1 and V2
+
+ *Fisher Yu*
+
+ * Enable AES and SHA3 optimisations on Applie Silicon M3-based MacOS systems
+ similar to M1/M2.
+
+ *Tom Cosgrove*
+
+ * Added a new EVP_DigestSqueeze() API. This allows SHAKE to squeeze multiple
+ times with different output sizes.
+
+ *Shane Lontis, Holger Dengler*
+
+ * Various optimizations for cryptographic routines using RISC-V vector crypto
+ extensions
+
+ *Christoph Müllner, Charalampos Mitrodimas, Ard Biesheuvel, Phoebe Chen,
+ Jerry Shih*
+
+ * Accept longer context for TLS 1.2 exporters
+
+ While RFC 5705 implies that the maximum length of a context for exporters is
+ 65535 bytes as the length is embedded in uint16, the previous implementation
+ enforced a much smaller limit, which is less than 1024 bytes. This
+ restriction has been removed.
+
+ *Daiki Ueno*
+
OpenSSL 3.2
-----------
-### Changes between 3.1 and 3.2 [xx XXX xxxx]
+### Changes between 3.2.1 and 3.2.2 [xx XXX xxxx]
+
+ * Fixed an issue where some non-default TLS server configurations can cause
+ unbounded memory growth when processing TLSv1.3 sessions. An attacker may
+ exploit certain server configurations to trigger unbounded memory growth that
+ would lead to a Denial of Service
+
+ This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option
+ is being used (but not if early_data is also configured and the default
+ anti-replay protection is in use). In this case, under certain conditions,
+ the session cache can get into an incorrect state and it will fail to flush
+ properly as it fills. The session cache will continue to grow in an unbounded
+ manner. A malicious client could deliberately create the scenario for this
+ failure to force a Denial of Service. It may also happen by accident in
+ normal operation.
+
+ ([CVE-2024-2511])
+
+ *Matt Caswell*
+
+ * Fixed bug where SSL_export_keying_material() could not be used with QUIC
+ connections. (#23560)
+
+ *Hugo Landau*
+
+### Changes between 3.2.0 and 3.2.1 [30 Jan 2024]
+
+ * A file in PKCS12 format can contain certificates and keys and may come from
+ an untrusted source. The PKCS12 specification allows certain fields to be
+ NULL, but OpenSSL did not correctly check for this case. A fix has been
+ applied to prevent a NULL pointer dereference that results in OpenSSL
+ crashing. If an application processes PKCS12 files from an untrusted source
+ using the OpenSSL APIs then that application will be vulnerable to this
+ issue prior to this fix.
+
+ OpenSSL APIs that were vulnerable to this are: PKCS12_parse(),
+ PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()
+ and PKCS12_newpass().
+
+ We have also fixed a similar issue in SMIME_write_PKCS7(). However since this
+ function is related to writing data we do not consider it security
+ significant.
+
+ ([CVE-2024-0727])
+
+ *Matt Caswell*
+
+ * When function EVP_PKEY_public_check() is called on RSA public keys,
+ a computation is done to confirm that the RSA modulus, n, is composite.
+ For valid RSA keys, n is a product of two or more large primes and this
+ computation completes quickly. However, if n is an overly large prime,
+ then this computation would take a long time.
+
+ An application that calls EVP_PKEY_public_check() and supplies an RSA key
+ obtained from an untrusted source could be vulnerable to a Denial of Service
+ attack.
+
+ The function EVP_PKEY_public_check() is not called from other OpenSSL
+ functions however it is called from the OpenSSL pkey command line
+ application. For that reason that application is also vulnerable if used
+ with the "-pubin" and "-check" options on untrusted data.
+
+ To resolve this issue RSA keys larger than OPENSSL_RSA_MAX_MODULUS_BITS will
+ now fail the check immediately with an RSA_R_MODULUS_TOO_LARGE error reason.
+
+ ([CVE-2023-6237])
+
+ *Tomáš Mráz*
+
+ * Restore the encoding of SM2 PrivateKeyInfo and SubjectPublicKeyInfo to
+ have the contained AlgorithmIdentifier.algorithm set to id-ecPublicKey
+ rather than SM2.
+
+ *Richard Levitte*
+
+ * The POLY1305 MAC (message authentication code) implementation in OpenSSL
+ for PowerPC CPUs saves the contents of vector registers in different
+ order than they are restored. Thus the contents of some of these vector
+ registers is corrupted when returning to the caller. The vulnerable code is
+ used only on newer PowerPC processors supporting the PowerISA 2.07
+ instructions.
+
+ The consequences of this kind of internal application state corruption can
+ be various - from no consequences, if the calling application does not
+ depend on the contents of non-volatile XMM registers at all, to the worst
+ consequences, where the attacker could get complete control of the
+ application process. However unless the compiler uses the vector registers
+ for storing pointers, the most likely consequence, if any, would be an
+ incorrect result of some application dependent calculations or a crash
+ leading to a denial of service.
+
+ ([CVE-2023-6129])
+
+ *Rohan McLure*
+
+ * Disable building QUIC server utility when OpenSSL is configured with
+ `no-apps`.
+
+ *Vitalii Koshura*
+
+### Changes between 3.1 and 3.2.0 [23 Nov 2023]
+
+ * Fix excessive time spent in DH check / generation with large Q parameter
+ value.
+
+ Applications that use the functions DH_generate_key() to generate an
+ X9.42 DH key may experience long delays. Likewise, applications that use
+ DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()
+ to check an X9.42 DH key or X9.42 DH parameters may experience long delays.
+ Where the key or parameters that are being checked have been obtained from
+ an untrusted source this may lead to a Denial of Service.
+
+ ([CVE-2023-5678])
+
+ *Richard Levitte*
+
+ * The BLAKE2b hash algorithm supports a configurable output length
+ by setting the "size" parameter.
+
+ *Čestmír Kalina and Tomáš Mráz*
+
+ * Enable extra Arm64 optimization on Windows for GHASH, RAND and AES.
+
+ *Evgeny Karpov*
+
+ * Added a function to delete objects from store by URI - OSSL_STORE_delete()
+ and the corresponding provider-storemgmt API function
+ OSSL_FUNC_store_delete().
+
+ *Dmitry Belyavskiy*
+
+ * Added OSSL_FUNC_store_open_ex() provider-storemgmt API function to pass
+ a passphrase callback when opening a store.
+
+ *Simo Sorce*
+
+ * Changed the default salt length used by PBES2 KDF's (PBKDF2 and scrypt)
+ from 8 bytes to 16 bytes.
+ The PKCS5 (RFC 8018) standard uses a 64 bit salt length for PBE, and
+ recommends a minimum of 64 bits for PBES2. For FIPS compliance PBKDF2
+ requires a salt length of 128 bits. This affects OpenSSL command line
+ applications such as "genrsa" and "pkcs8" and API's such as
+ PEM_write_bio_PrivateKey() that are reliant on the default value.
+ The additional commandline option 'saltlen' has been added to the
+ OpenSSL command line applications for "pkcs8" and "enc" to allow the
+ salt length to be set to a non default value.
+
+ *Shane Lontis*
* Changed the default value of the `ess_cert_id_alg` configuration
option which is used to calculate the TSA's public key certificate
*Paul Dale*
* Subject or issuer names in X.509 objects are now displayed as UTF-8 strings
- by default.
+ by default. Also spaces surrounding `=` in DN output are removed.
*Dmitry Belyavskiy*
OpenSSL 3.1
-----------
+### Changes between 3.1.3 and 3.1.4 [24 Oct 2023]
+
+ * Fix incorrect key and IV resizing issues when calling EVP_EncryptInit_ex2(),
+ EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() with OSSL_PARAM parameters
+ that alter the key or IV length ([CVE-2023-5363]).
+
+ *Paul Dale*
+
+### Changes between 3.1.2 and 3.1.3 [19 Sep 2023]
+
+ * Fix POLY1305 MAC implementation corrupting XMM registers on Windows.
+
+ The POLY1305 MAC (message authentication code) implementation in OpenSSL
+ does not save the contents of non-volatile XMM registers on Windows 64
+ platform when calculating the MAC of data larger than 64 bytes. Before
+ returning to the caller all the XMM registers are set to zero rather than
+ restoring their previous content. The vulnerable code is used only on newer
+ x86_64 processors supporting the AVX512-IFMA instructions.
+
+ The consequences of this kind of internal application state corruption can
+ be various - from no consequences, if the calling application does not
+ depend on the contents of non-volatile XMM registers at all, to the worst
+ consequences, where the attacker could get complete control of the
+ application process. However given the contents of the registers are just
+ zeroized so the attacker cannot put arbitrary values inside, the most likely
+ consequence, if any, would be an incorrect result of some application
+ dependent calculations or a crash leading to a denial of service.
+
+ ([CVE-2023-4807])
+
+ *Bernd Edlinger*
+
### Changes between 3.1.1 and 3.1.2 [1 Aug 2023]
* Fix excessive time spent checking DH q parameter value.
<!-- Links -->
+[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
+[CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
+[CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237
+[CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129
+[CVE-2023-5678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5678
+[CVE-2023-5363]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5363
+[CVE-2023-4807]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-4807
[CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817
[CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446
[CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975