OpenSSL Releases
----------------
+ - [OpenSSL 3.4](#openssl-34)
- [OpenSSL 3.3](#openssl-33)
- [OpenSSL 3.2](#openssl-32)
- [OpenSSL 3.1](#openssl-31)
- [OpenSSL 1.0.0](#openssl-100)
- [OpenSSL 0.9.x](#openssl-09x)
+OpenSSL 3.4
+-----------
+
+### Changes between 3.3 and 3.4 [xx XXX xxxx]
+
+ * Added options `-not_before` and `-not_after` for explicit setting
+ start and end dates of certificates created with the `req` and `x509`
+ apps. Added the same options also to `ca` app as alias for
+ `-startdate` and `-enddate` options.
+
+ *Stephan Wurm*
+
+ * The X25519 and X448 key exchange implementation in the FIPS provider
+ is unapproved and has `fips=no` property.
+
+ *Tomáš Mráz*
+
+ * SHAKE-128 and SHAKE-256 implementations have no default digest length
+ anymore. That means these algorithms cannot be used with
+ EVP_DigestFinal/_ex() unless the `xoflen` param is set before.
+
+ This change was necessary because the preexisting default lengths were
+ half the size necessary for full collision resistance supported by these
+ algorithms.
+
+ *Tomáš Mráz*
+
+ * Setting `config_diagnostics=1` in the config file will cause errors to
+ be returned from SSL_CTX_new() and SSL_CTX_new_ex() if there is an error
+ in the ssl module configuration.
+
+ *Tomáš Mráz*
+
+ * Use an empty renegotiate extension in TLS client hellos instead of
+ the empty renegotiation SCSV, for all connections with a minimum TLS
+ version > 1.0.
+
+ *Tim Perry*
+
+ * Added support for integrity-only cipher suites TLS_SHA256_SHA256 and
+ TLS_SHA384_SHA384 in TLS 1.3, as defined in RFC 9150.
+
+ This work was sponsored by Siemens AG.
+
+ *Rajeev Ranjan*
+
+ * Added support for requesting CRL in CMP.
+
+ This work was sponsored by Siemens AG.
+
+ *Rajeev Ranjan*
+
+ * Added Attribute Certificate (RFC 5755) support. Attribute
+ Certificates can be created, parsed, modified and printed via the
+ public API. There is no command-line tool support at this time.
+
+ *Damian Hobson-Garcia*
+
+ * Added support to build Position Independent Executables (PIE). Configuration
+ option `enable-pie` configures the cflag '-fPIE' and ldflag '-pie' to
+ support Address Space Layout Randomization (ASLR) in the openssl executable,
+ removes reliance on external toolchain configurations.
+
+ *Craig Lorentzen*
+
OpenSSL 3.3
-----------
### Changes between 3.2 and 3.3 [xx XXX xxxx]
- * The activate configuration setting for providers in openssl.cnf has been
- updated to require a value of [1|yes|true|on] (in lower or UPPER case) to
- activate the provider. Conversely a setting [0|no|false|off] will prevent
- provider activation. All other values, or the omission of a value for this
- setting will result in an error.
+ * The `-verify` option to the `openssl crl` and `openssl req` will make
+ the program exit with 1 on failure.
+
+ *Vladimír Kotal*
+
+ * The BIO_get_new_index() function can only be called 127 times before it
+ reaches its upper bound of BIO_TYPE_MASK. It will now correctly return an
+ error of -1 once it is exhausted. Users may need to reserve using this
+ function for cases where BIO_find_type() is required. Either BIO_TYPE_NONE
+ or BIO_get_new_index() can be used to supply a type to BIO_meth_new().
+
+ *Shane Lontis*
+
+ * Added API functions SSL_SESSION_get_time_ex(), SSL_SESSION_set_time_ex()
+ using time_t which is Y2038 safe on 32 bit systems when 64 bit time
+ is enabled (e.g via setting glibc macro _TIME_BITS=64).
+
+ *Ijtaba Hussain*
+
+ * The d2i_ASN1_GENERALIZEDTIME(), d2i_ASN1_UTCTIME(), ASN1_TIME_check(), and
+ related functions have been augmented to check for a minimum length of
+ the input string, in accordance with ITU-T X.690 section 11.7 and 11.8.
+
+ *Job Snijders*
+
+ * Unknown entries in TLS SignatureAlgorithms, ClientSignatureAlgorithms
+ config options and the respective calls to SSL[_CTX]_set1_sigalgs() and
+ SSL[_CTX]_set1_client_sigalgs() that start with `?` character are
+ ignored and the configuration will still be used.
+
+ Similarly unknown entries that start with `?` character in a TLS
+ Groups config option or set with SSL[_CTX]_set1_groups_list() are ignored
+ and the configuration will still be used.
+
+ In both cases if the resulting list is empty, an error is returned.
+
+ *Tomáš Mráz*
+
+ * The EVP_PKEY_fromdata function has been augmented to allow for the derivation
+ of CRT (Chinese Remainder Theorem) parameters when requested. See the
+ OSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ param in the EVP_PKEY-RSA documentation.
+
+ *Neil Horman*
+
+ * The activate and soft_load configuration settings for providers in
+ openssl.cnf have been updated to require a value of [1|yes|true|on]
+ (in lower or UPPER case) to enable the setting. Conversely a value
+ of [0|no|false|off] will disable the setting. All other values, or the
+ omission of a value for these settings will result in an error.
*Neil Horman*
+ * Added `-set_issuer` and `-set_subject` options to `openssl x509` to
+ override the Issuer and Subject when creating a certificate. The `-subj`
+ option now is an alias for `-set_subject`.
+
+ *Job Snijders, George Michaelson*
+
+ * OPENSSL_sk_push() and sk_<TYPE>_push() functions now return 0 instead of -1
+ if called with a NULL stack argument.
+
+ *Tomáš Mráz*
+
* In `openssl speed`, changed the default hash function used with `hmac` from
`md5` to `sha256`.
*Markus Minichmayr, Tapkey GmbH*
+ * New API `SSL_write_ex2`, which can be used to send an end-of-stream (FIN)
+ condition in an optimised way when using QUIC.
+
+ *Hugo Landau*
+
+ * New atexit configuration switch, which controls whether the OPENSSL_cleanup
+ is registered when libcrypto is unloaded. This is turned off on NonStop
+ configurations because of loader differences on that platform compared to
+ Linux.
+
+ *Randall S. Becker*
+
+ * Support for qlog for tracing QUIC connections has been added.
+
+ The qlog output from OpenSSL currently uses a pre-standard draft version of
+ qlog. The output from OpenSSL will change in incompatible ways in future
+ releases, and is not subject to any format stability or compatibility
+ guarantees at this time. This functionality can be
+ disabled with the build-time option `no-unstable-qlog`. See the
+ openssl-qlog(7) manpage for details.
+
+ *Hugo Landau*
+
+ * Added APIs to allow configuring the negotiated idle timeout for QUIC
+ connections, and to allow determining the number of additional streams
+ that can currently be created for a QUIC connection.
+
+ *Hugo Landau*
+
+ * Added APIs to allow disabling implicit QUIC event processing for
+ QUIC SSL objects, allowing applications to control when event handling
+ occurs. Refer to the SSL_get_value_uint(3) manpage for details.
+
+ *Hugo Landau*
+
+ * Limited support for polling of QUIC connection and stream objects in a
+ non-blocking manner. Refer to the SSL_poll(3) manpage for details.
+
+ *Hugo Landau*
+
+ * Added APIs to allow querying the size and utilisation of a QUIC stream's
+ write buffer. Refer to the SSL_get_value_uint(3) manpage for details.
+
+ *Hugo Landau*
+
+ * New limit on HTTP response headers is introduced to HTTP client. The
+ default limit is set to 256 header lines. If limit is exceeded the
+ response processing stops with error HTTP_R_RESPONSE_TOO_MANY_HDRLINES.
+ Application may call OSSL_HTTP_REQ_CTX_set_max_response_hdr_lines(3)
+ to change the default. Setting the value to 0 disables the limit.
+
+ *Alexandr Nedvedicky*
+
+ * Applied AES-GCM unroll8 optimisation to Microsoft Azure Cobalt 100
+
+ *Tom Cosgrove*
+
+ * Added X509_STORE_get1_objects to avoid issues with the existing
+ X509_STORE_get0_objects API in multi-threaded applications. Refer to the
+ documentation for details.
+
+ *David Benjamin*
+
+ * Added assembly implementation for md5 on loongarch64
+
+ *Min Zhou*
+
+ * Optimized AES-CTR for ARM Neoverse V1 and V2
+
+ *Fisher Yu*
+
+ * Enable AES and SHA3 optimisations on Applie Silicon M3-based MacOS systems
+ similar to M1/M2.
+
+ *Tom Cosgrove*
+
+ * Added a new EVP_DigestSqueeze() API. This allows SHAKE to squeeze multiple
+ times with different output sizes.
+
+ *Shane Lontis, Holger Dengler*
+
+ * Various optimizations for cryptographic routines using RISC-V vector crypto
+ extensions
+
+ *Christoph Müllner, Charalampos Mitrodimas, Ard Biesheuvel, Phoebe Chen,
+ Jerry Shih*
+
+ * Accept longer context for TLS 1.2 exporters
+
+ While RFC 5705 implies that the maximum length of a context for exporters is
+ 65535 bytes as the length is embedded in uint16, the previous implementation
+ enforced a much smaller limit, which is less than 1024 bytes. This
+ restriction has been removed.
+
+ *Daiki Ueno*
+
OpenSSL 3.2
-----------
-### Changes between 3.1 and 3.2 [xx XXX xxxx]
+### Changes between 3.2.1 and 3.2.2 [xx XXX xxxx]
+
+ * Fixed an issue where some non-default TLS server configurations can cause
+ unbounded memory growth when processing TLSv1.3 sessions. An attacker may
+ exploit certain server configurations to trigger unbounded memory growth that
+ would lead to a Denial of Service
+
+ This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option
+ is being used (but not if early_data is also configured and the default
+ anti-replay protection is in use). In this case, under certain conditions,
+ the session cache can get into an incorrect state and it will fail to flush
+ properly as it fills. The session cache will continue to grow in an unbounded
+ manner. A malicious client could deliberately create the scenario for this
+ failure to force a Denial of Service. It may also happen by accident in
+ normal operation.
+
+ ([CVE-2024-2511])
+
+ *Matt Caswell*
+
+ * Fixed bug where SSL_export_keying_material() could not be used with QUIC
+ connections. (#23560)
+
+ *Hugo Landau*
+
+### Changes between 3.2.0 and 3.2.1 [30 Jan 2024]
+
+ * A file in PKCS12 format can contain certificates and keys and may come from
+ an untrusted source. The PKCS12 specification allows certain fields to be
+ NULL, but OpenSSL did not correctly check for this case. A fix has been
+ applied to prevent a NULL pointer dereference that results in OpenSSL
+ crashing. If an application processes PKCS12 files from an untrusted source
+ using the OpenSSL APIs then that application will be vulnerable to this
+ issue prior to this fix.
+
+ OpenSSL APIs that were vulnerable to this are: PKCS12_parse(),
+ PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()
+ and PKCS12_newpass().
+
+ We have also fixed a similar issue in SMIME_write_PKCS7(). However since this
+ function is related to writing data we do not consider it security
+ significant.
+
+ ([CVE-2024-0727])
+
+ *Matt Caswell*
+
+ * When function EVP_PKEY_public_check() is called on RSA public keys,
+ a computation is done to confirm that the RSA modulus, n, is composite.
+ For valid RSA keys, n is a product of two or more large primes and this
+ computation completes quickly. However, if n is an overly large prime,
+ then this computation would take a long time.
+
+ An application that calls EVP_PKEY_public_check() and supplies an RSA key
+ obtained from an untrusted source could be vulnerable to a Denial of Service
+ attack.
+
+ The function EVP_PKEY_public_check() is not called from other OpenSSL
+ functions however it is called from the OpenSSL pkey command line
+ application. For that reason that application is also vulnerable if used
+ with the "-pubin" and "-check" options on untrusted data.
+
+ To resolve this issue RSA keys larger than OPENSSL_RSA_MAX_MODULUS_BITS will
+ now fail the check immediately with an RSA_R_MODULUS_TOO_LARGE error reason.
+
+ ([CVE-2023-6237])
+
+ *Tomáš Mráz*
+
+ * Restore the encoding of SM2 PrivateKeyInfo and SubjectPublicKeyInfo to
+ have the contained AlgorithmIdentifier.algorithm set to id-ecPublicKey
+ rather than SM2.
+
+ *Richard Levitte*
+
+ * The POLY1305 MAC (message authentication code) implementation in OpenSSL
+ for PowerPC CPUs saves the contents of vector registers in different
+ order than they are restored. Thus the contents of some of these vector
+ registers is corrupted when returning to the caller. The vulnerable code is
+ used only on newer PowerPC processors supporting the PowerISA 2.07
+ instructions.
+
+ The consequences of this kind of internal application state corruption can
+ be various - from no consequences, if the calling application does not
+ depend on the contents of non-volatile XMM registers at all, to the worst
+ consequences, where the attacker could get complete control of the
+ application process. However unless the compiler uses the vector registers
+ for storing pointers, the most likely consequence, if any, would be an
+ incorrect result of some application dependent calculations or a crash
+ leading to a denial of service.
+
+ ([CVE-2023-6129])
+
+ *Rohan McLure*
+
+ * Disable building QUIC server utility when OpenSSL is configured with
+ `no-apps`.
+
+ *Vitalii Koshura*
+
+### Changes between 3.1 and 3.2.0 [23 Nov 2023]
+
+ * Fix excessive time spent in DH check / generation with large Q parameter
+ value.
+
+ Applications that use the functions DH_generate_key() to generate an
+ X9.42 DH key may experience long delays. Likewise, applications that use
+ DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()
+ to check an X9.42 DH key or X9.42 DH parameters may experience long delays.
+ Where the key or parameters that are being checked have been obtained from
+ an untrusted source this may lead to a Denial of Service.
+
+ ([CVE-2023-5678])
+
+ *Richard Levitte*
* The BLAKE2b hash algorithm supports a configurable output length
by setting the "size" parameter.
*Paul Dale*
* Subject or issuer names in X.509 objects are now displayed as UTF-8 strings
- by default.
+ by default. Also spaces surrounding `=` in DN output are removed.
*Dmitry Belyavskiy*
OpenSSL 3.1
-----------
-### Changes between 3.1.4 and 3.1.5 [xx XXX xxxx]
-
- * Fix excessive time spent in DH check / generation with large Q parameter
- value.
-
- Applications that use the functions DH_generate_key() to generate an
- X9.42 DH key may experience long delays. Likewise, applications that use
- DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()
- to check an X9.42 DH key or X9.42 DH parameters may experience long delays.
- Where the key or parameters that are being checked have been obtained from
- an untrusted source this may lead to a Denial of Service.
-
- ([CVE-2023-5678])
-
- *Richard Levitte*
-
### Changes between 3.1.3 and 3.1.4 [24 Oct 2023]
* Fix incorrect key and IV resizing issues when calling EVP_EncryptInit_ex2(),
<!-- Links -->
+[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511
+[CVE-2024-0727]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-0727
+[CVE-2023-6237]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6237
+[CVE-2023-6129]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-6129
[CVE-2023-5678]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5678
[CVE-2023-5363]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5363
[CVE-2023-4807]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-4807