-----------
### Changes between 1.1.1 and 3.0 [xx XXX xxxx]
+ * Deprecated obsolete EVP_PKEY_CTX_get0_dh_kdf_ukm() and
+ EVP_PKEY_CTX_get0_ecdh_kdf_ukm() functions. They are not needed
+ and require returning octet ptr parameters from providers that
+ would like to support them which complicates provider implementations.
+
+ *Tomáš Mráz*
+
+ * The RAND_METHOD APIs have been deprecated. The functions deprecated are:
+ RAND_OpenSSL(), RAND_get_rand_method(), RAND_set_rand_engine() and
+ RAND_set_rand_method(). Provider based random number generators should
+ be used instead via EVP_RAND(3).
+
+ *Paul Dale*
+ * The SRP APIs have been deprecated. The old APIs do not work via providers,
+ and there is no EVP interface to them. Unfortunately there is no replacement
+ for these APIs at this time.
+
+ *Matt Caswell*
+
+ * Add a compile time option to prevent the caching of provider fetched
+ algorithms. This is enabled by including the no-cached-fetch option
+ at configuration time.
+
+ *Paul Dale*
+
+ * The openssl speed command does not use low-level API calls anymore. This
+ implies some of the performance numbers might not be fully comparable
+ with the previous releases due to higher overhead. This applies
+ particularly to measuring performance on smaller data chunks.
+
+ *Tomáš Mráz*
+
+ * Combining the Configure options no-ec and no-dh no longer disables TLSv1.3.
+ Typically if OpenSSL has no EC or DH algorithms then it cannot support
+ connections with TLSv1.3. However OpenSSL now supports "pluggable" groups
+ through providers. Therefore third party providers may supply group
+ implementations even where there are no built-in ones. Attempting to create
+ TLS connections in such a build without also disabling TLSv1.3 at run time or
+ using third party provider groups may result in handshake failures. TLSv1.3
+ can be disabled at compile time using the "no-tls1_3" Configure option.
+
+ *Matt Caswell*
+
+ * The undocumented function X509_certificate_type() has been deprecated;
+ applications can use X509_get0_pubkey() and X509_get0_signature() to
+ get the same information.
+
+ *Rich Salz*
+
+ * Deprecated the obsolete BN_pseudo_rand() and BN_pseudo_rand_range()
+ functions. They are identical to BN_rand() and BN_rand_range()
+ respectively.
+
+ *Tomáš Mráz*
+
+ * Removed RSA padding mode for SSLv23 (which was only used for
+ SSLv2). This includes the functions RSA_padding_check_SSLv23() and
+ RSA_padding_add_SSLv23() and the `-ssl` option in the deprecated
+ `rsautl` command.
+
+ *Rich Salz*
* Deprecated the obsolete X9.31 RSA key generation related functions
BN_X931_generate_Xpq(), BN_X931_derive_prime_ex(), and
BN_X931_generate_prime_ex().
- *Tomas Mraz*
+ *Tomáš Mráz*
+
+ * The default key generation method for the regular 2-prime RSA keys was
+ changed to the FIPS 186-4 B.3.6 method (Generation of Probable Primes with
+ Conditions Based on Auxiliary Probable Primes). This method is slower
+ than the original method.
+
+ *Shane Lontis*
+
+ * Deprecated the BN_is_prime_ex() and BN_is_prime_fasttest_ex() functions.
+ They are replaced with the BN_check_prime() function that avoids possible
+ misuse and always uses at least 64 rounds of the Miller-Rabin
+ primality test. At least 64 rounds of the Miller-Rabin test are now also
+ used for all prime generation, including RSA key generation.
+ This increases key generation time, especially for larger keys.
+
+ *Kurt Roeckx*
+
+ * Deprecated EVP_MD_CTX_set_update_fn() and EVP_MD_CTX_update_fn()
+ as they are not useful with non-deprecated functions.
+
+ *Rich Salz*
* Deprecated the type OCSP_REQ_CTX and the functions OCSP_REQ_CTX_new(),
OCSP_REQ_CTX_free(), OCSP_REQ_CTX_http(), OCSP_REQ_CTX_add1_header(),
*Rich Salz and Richard Levitte*
+ * Deprecated `OCSP_parse_url()`, which is replaced with `OSSL_HTTP_parse_url`.
+
+ *David von Oheimb*
+
* Validation of SM2 keys has been separated from the validation of regular EC
keys, allowing to improve the SM2 validation process to reject loaded private
keys that are not conforming to the SM2 ISO standard.
read or write an EVP_PKEY directly using the OSSL_DECODER and OSSL_ENCODER
APIs. Or load an EVP_PKEY directly from EC data using EVP_PKEY_fromdata().
- *Shane Lontis, Paul Dale, Richard Levitte, and Tomas Mraz*
+ *Shane Lontis, Paul Dale, Richard Levitte, and Tomáš Mráz*
* Deprecated all the libcrypto and libssl error string loading
functions: ERR_load_ASN1_strings(), ERR_load_ASYNC_strings(),
* Handshake now fails if Extended Master Secret extension is dropped
on renegotiation.
- *Tomas Mraz*
+ *Tomáš Mráz*
* Dropped interactive mode from the `openssl` program. From now on,
running it without arguments is equivalent to `openssl help`.
* Certificate verification using `X509_verify_cert()` meanwhile rejects EC keys
with explicit curve parameters (specifiedCurve) as required by RFC 5480.
- *Tomas Mraz*
+ *Tomáš Mráz*
* For built-in EC curves, ensure an EC_GROUP built from the curve name is
used even when parsing explicit parameters, when loading a encoded key
* Use SHA256 as the default digest for TS query in the `ts` app.
- *Tomas Mraz*
+ *Tomáš Mráz*
* Change PBKDF2 to conform to SP800-132 instead of the older PKCS5 RFC2898.
This checks that the salt length is at least 128 bits, the derived key
OpenSSL 1.1.1
-------------
-### Changes between 1.1.1i and 1.1.1j [xx XXX xxxx]
+### Changes between 1.1.1j and 1.1.1k [xx XXX xxxx]
+
+### Changes between 1.1.1i and 1.1.1j [16 Feb 2021]
+
+ * Fixed the X509_issuer_and_serial_hash() function. It attempts to
+ create a unique hash value based on the issuer and serial number data
+ contained within an X509 certificate. However it was failing to correctly
+ handle any errors that may occur while parsing the issuer field (which might
+ occur if the issuer field is maliciously constructed). This may subsequently
+ result in a NULL pointer deref and a crash leading to a potential denial of
+ service attack.
+ ([CVE-2021-23841])
+
+ *Matt Caswell*
+
+ * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING
+ padding mode to correctly check for rollback attacks. This is considered a
+ bug in OpenSSL 1.1.1 because it does not support SSLv2. In 1.0.2 this is
+ CVE-2021-23839.
+
+ *Matt Caswell*
+
+ Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate
+ functions. Previously they could overflow the output length argument in some
+ cases where the input length is close to the maximum permissable length for
+ an integer on the platform. In such cases the return value from the function
+ call would be 1 (indicating success), but the output length value would be
+ negative. This could cause applications to behave incorrectly or crash.
+ ([CVE-2021-23840])
+
+ *Matt Caswell*
- * Fixed SRP_Calc_client_key so that it uses constant time. The previous
+ * Fixed SRP_Calc_client_key so that it runs in constant time. The previous
implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This
could be exploited in a side channel attack to recover the password. Since
the attack is local host only this is outside of the current OpenSSL
* Certificates with explicit curve parameters are now disallowed in
verification chains if the X509_V_FLAG_X509_STRICT flag is used.
- *Tomas Mraz*
+ *Tomáš Mráz*
* The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
ignore TLS protocol version bounds when configuring DTLS-based contexts, and
* Handshake now fails if Extended Master Secret extension is dropped
on renegotiation.
- *Tomas Mraz*
+ *Tomáš Mráz*
* The Oracle Developer Studio compiler will start reporting deprecated APIs
reporting the EOF via SSL_ERROR_SSL is kept on the current development
branch and will be present in the 3.0 release.
- *Tomas Mraz*
+ *Tomáš Mráz*
* Revised BN_generate_prime_ex to not avoid factors 3..17863 in p-1
when primes for RSA keys are computed.
* Ignore the '-named_curve auto' value for compatibility of applications
with OpenSSL 1.0.2.
- *Tomas Mraz <tmraz@fedoraproject.org>*
+ *Tomáš Mráz <tmraz@fedoraproject.org>*
* Fragmented SSL/TLS alerts are no longer accepted. An alert message is 2
bytes long. In theory it is permissible in SSLv3 - TLSv1.2 to fragment such
projects / openssl.git / blobdiff