https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch.
- Changes between 1.1.0h and 1.1.1 [xx XXX xxxx]
+ Changes between 1.1.1 and 3.0.0 [xx XXX xxxx]
+
+ *) All of the low level MD2, MD4, MD5, MDC2, RIPEMD160, SHA1, SHA224, SHA256,
+ SHA384, SHA512 and Whirlpool digest functions have been deprecated.
+ These include:
+ MD2, MD2_options, MD2_Init, MD2_Update, MD2_Final, MD4, MD4_Init,
+ MD4_Update, MD4_Final, MD4_Transform, MD5, MD5_Init, MD5_Update,
+ MD5_Final, MD5_Transform, MDC2, MDC2_Init, MDC2_Update, MDC2_Final,
+ RIPEMD160, RIPEMD160_Init, RIPEMD160_Update, RIPEMD160_Final,
+ RIPEMD160_Transform, SHA1_Init, SHA1_Update, SHA1_Final,
+ SHA1_Transform, SHA224_Init, SHA224_Update, SHA224_Final,
+ SHA224_Transform, SHA256_Init, SHA256_Update, SHA256_Final,
+ SHA256_Transform, SHA384, SHA384_Init, SHA384_Update, SHA384_Final,
+ SHA512, SHA512_Init, SHA512_Update, SHA512_Final, SHA512_Transform,
+ WHIRLPOOL, WHIRLPOOL_Init, WHIRLPOOL_Update, WHIRLPOOL_BitUpdate
+ and WHIRLPOOL_Final.
+ Use of these low level functions has been informally discouraged for a long
+ time. Instead applications should instead use the EVP_DigestInit_ex,
+ EVP_DigestUpdate(3) and EVP_DigestFinal_ex(3) functions.
+ [Paul Dale]
+
+ *) Corrected the documentation of the return values from the EVP_DigestSign*
+ set of functions. The documentation mentioned negative values for some
+ errors, but this was never the case, so the mention of negative values
+ was removed.
+
+ Code that followed the documentation and thereby check with something
+ like 'EVP_DigestSignInit(...) <= 0' will continue to work undisturbed.
+ [Richard Levitte]
+
+ *) All of the low level cipher functions have been deprecated including:
+ AES_options, AES_set_encrypt_key, AES_set_decrypt_key, AES_encrypt,
+ AES_decrypt, AES_ecb_encrypt, AES_cbc_encrypt, AES_cfb128_encrypt,
+ AES_cfb1_encrypt, AES_cfb8_encrypt, AES_ofb128_encrypt,
+ AES_wrap_key, AES_unwrap_key, BF_set_key, BF_encrypt, BF_decrypt,
+ BF_ecb_encrypt, BF_cbc_encrypt, BF_cfb64_encrypt, BF_ofb64_encrypt,
+ BF_options, Camellia_set_key, Camellia_encrypt, Camellia_decrypt,
+ Camellia_ecb_encrypt, Camellia_cbc_encrypt, Camellia_cfb128_encrypt,
+ Camellia_cfb1_encrypt, Camellia_cfb8_encrypt, Camellia_ofb128_encrypt,
+ Camellia_ctr128_encrypt, CAST_set_key, CAST_encrypt, CAST_decrypt,
+ CAST_ecb_encrypt, CAST_cbc_encrypt, CAST_cfb64_encrypt,
+ CAST_ofb64_encrypt, DES_options, DES_encrypt1, DES_encrypt2,
+ DES_encrypt3, DES_decrypt3, DES_cbc_encrypt, DES_ncbc_encrypt,
+ DES_pcbc_encrypt, DES_xcbc_encrypt, DES_cfb_encrypt, DES_cfb64_encrypt,
+ DES_ecb_encrypt, DES_ofb_encrypt, DES_ofb64_encrypt, DES_random_key,
+ DES_set_odd_parity, DES_check_key_parity, DES_is_weak_key, DES_set_key,
+ DES_key_sched, DES_set_key_checked, DES_set_key_unchecked,
+ DES_string_to_key, DES_string_to_2keys, DES_fixup_key_parity,
+ DES_ecb2_encrypt, DES_ede2_cbc_encrypt, DES_ede2_cfb64_encrypt,
+ DES_ede2_ofb64_encrypt, DES_ecb3_encrypt, DES_ede3_cbc_encrypt,
+ DES_ede3_cfb64_encrypt, DES_ede3_cfb_encrypt, DES_ede3_ofb64_encrypt,
+ DES_cbc_cksum, DES_quad_cksum, IDEA_encrypt, IDEA_options,
+ IDEA_ecb_encrypt, IDEA_set_encrypt_key, IDEA_set_decrypt_key,
+ IDEA_cbc_encrypt, IDEA_cfb64_encrypt, IDEA_ofb64_encrypt, RC2_set_key,
+ RC2_encrypt, RC2_decrypt, RC2_ecb_encrypt, RC2_cbc_encrypt,
+ RC2_cfb64_encrypt, RC2_ofb64_encrypt, RC4, RC4_options, RC4_set_key,
+ RC5_32_set_key, RC5_32_encrypt, RC5_32_decrypt, RC5_32_ecb_encrypt,
+ RC5_32_cbc_encrypt, RC5_32_cfb64_encrypt, RC5_32_ofb64_encrypt,
+ SEED_set_key, SEED_encrypt, SEED_decrypt, SEED_ecb_encrypt,
+ SEED_cbc_encrypt, SEED_cfb128_encrypt and SEED_ofb128_encrypt.
+
+ Use of these low level functions has been informally discouraged for a long
+ time. Instead applications should use the high level EVP APIs, e.g.
+ EVP_EncryptInit_ex, EVP_EncryptUpdate, EVP_EncryptFinal_ex, and the
+ equivalently named decrypt functions.
+ [Matt Caswell and Paul Dale]
+
+ *) Removed include/openssl/opensslconf.h.in and replaced it with
+ include/openssl/configuration.h.in, which differs in not including
+ <openssl/macros.h>. A short header include/openssl/opensslconf.h
+ was added to include both.
+
+ This allows internal hacks where one might need to modify the set
+ of configured macros, for example this if deprecated symbols are
+ still supposed to be available internally:
+
+ #include <openssl/configuration.h>
+
+ #undef OPENSSL_NO_DEPRECATED
+ #define OPENSSL_SUPPRESS_DEPRECATED
+
+ #include <openssl/macros.h>
+
+ This should not be used by applications that use the exported
+ symbols, as that will lead to linking errors.
+ [Richard Levitte]
+
+ *) Fixed an an overflow bug in the x64_64 Montgomery squaring procedure
+ used in exponentiation with 512-bit moduli. No EC algorithms are
+ affected. Analysis suggests that attacks against 2-prime RSA1024,
+ 3-prime RSA1536, and DSA1024 as a result of this defect would be very
+ difficult to perform and are not believed likely. Attacks against DH512
+ are considered just feasible. However, for an attack the target would
+ have to re-use the DH512 private key, which is not recommended anyway.
+ Also applications directly using the low level API BN_mod_exp may be
+ affected if they use BN_FLG_CONSTTIME.
+ (CVE-2019-1551)
+ [Andy Polyakov]
+
+ *) Most memory-debug features have been deprecated, and the functionality
+ replaced with no-ops.
+ [Rich Salz]
+
+ *) Introduced a new method type and API, OSSL_SERIALIZER, to
+ represent generic serializers. An implementation is expected to
+ be able to serialize an object associated with a given name (such
+ as an algorithm name for an asymmetric key) into forms given by
+ implementation properties.
+
+ Serializers are primarily used from inside libcrypto, through
+ calls to functions like EVP_PKEY_print_private(),
+ PEM_write_bio_PrivateKey() and similar.
+
+ Serializers are specified in such a way that they can be made to
+ directly handle the provider side portion of an object, if this
+ provider side part comes from the same provider as the serializer
+ itself, but can also be made to handle objects in parametrized
+ form (as an OSSL_PARAM array of data). This allows a provider to
+ offer generic serializers as a service for any other provider.
+ [Richard Levitte]
+
+ *) Added a .pragma directive to the syntax of configuration files, to
+ allow varying behavior in a supported and predictable manner.
+ Currently added pragma:
+
+ .pragma dollarid:on
+
+ This allows dollar signs to be a keyword character unless it's
+ followed by a opening brace or parenthesis. This is useful for
+ platforms where dollar signs are commonly used in names, such as
+ volume names and system directory names on VMS.
+ [Richard Levitte]
+
+ *) Added functionality to create an EVP_PKEY from user data. This
+ is effectively the same as creating a RSA, DH or DSA object and
+ then assigning them to an EVP_PKEY, but directly using algorithm
+ agnostic EVP functions. A benefit is that this should be future
+ proof for public key algorithms to come.
+ [Richard Levitte]
+
+ *) Change the interpretation of the '--api' configuration option to
+ mean that this is a desired API compatibility level with no
+ further meaning. The previous interpretation, that this would
+ also mean to remove all deprecated symbols up to and including
+ the given version, no requires that 'no-deprecated' is also used
+ in the configuration.
+
+ When building applications, the desired API compatibility level
+ can be set with the OPENSSL_API_COMPAT macro like before. For
+ API compatibility version below 3.0, the old style numerical
+ value is valid as before, such as -DOPENSSL_API_COMPAT=0x10100000L.
+ For version 3.0 and on, the value is expected to be the decimal
+ value calculated from the major and minor version like this:
+
+ MAJOR * 10000 + MINOR * 100
+
+ Examples:
+
+ -DOPENSSL_API_COMPAT=30000 For 3.0
+ -DOPENSSL_API_COMPAT=30200 For 3.2
+
+ To hide declarations that are deprecated up to and including the
+ given API compatibility level, -DOPENSSL_NO_DEPRECATED must be
+ given when building the application as well.
+ [Richard Levitte]
+
+ *) Added the X509_LOOKUP_METHOD called X509_LOOKUP_store, to allow
+ access to certificate and CRL stores via URIs and OSSL_STORE
+ loaders.
+
+ This adds the following functions:
+
+ X509_LOOKUP_store()
+ X509_STORE_load_file()
+ X509_STORE_load_path()
+ X509_STORE_load_store()
+ SSL_add_store_cert_subjects_to_stack()
+ SSL_CTX_set_default_verify_store()
+ SSL_CTX_load_verify_file()
+ SSL_CTX_load_verify_dir()
+ SSL_CTX_load_verify_store()
+
+ Also, the following functions are now deprecated:
+
+ - X509_STORE_load_locations() (use X509_STORE_load_file(),
+ X509_STORE_load_path() or X509_STORE_load_store() instead)
+ - SSL_CTX_load_verify_locations() (use SSL_CTX_load_verify_file(),
+ SSL_CTX_load_verify_dir() or SSL_CTX_load_verify_store() instead)
+ [Richard Levitte]
+
+ *) Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY.
+ The presence of this system service is determined at run-time.
+ [Richard Levitte]
+
+ *) Added functionality to create an EVP_PKEY context based on data
+ for methods from providers. This takes an algorithm name and a
+ property query string and simply stores them, with the intent
+ that any operation that uses this context will use those strings
+ to fetch the needed methods implicitly, thereby making the port
+ of application written for pre-3.0 OpenSSL easier.
+ [Richard Levitte]
+
+ *) The undocumented function NCONF_WIN32() has been deprecated; for
+ conversion details see the HISTORY section of doc/man5/config.pod
+ [Rich Salz]
+
+ *) Introduced the new functions EVP_DigestSignInit_ex() and
+ EVP_DigestVerifyInit_ex(). The macros EVP_DigestSignUpdate() and
+ EVP_DigestVerifyUpdate() have been converted to functions. See the man
+ pages for further details.
+ [Matt Caswell]
+
+ *) Most common options (such as -rand/-writerand, TLS version control, etc)
+ were refactored and point to newly-enhanced descriptions in openssl.pod
+ [Rich Salz]
+
+ *) Over two thousand fixes were made to the documentation, including:
+ adding missing command flags, better style conformance, documentation
+ of internals, etc.
+ [Rich Salz, Richard Levitte]
+
+ *) s390x assembly pack: add hardware-support for P-256, P-384, P-521,
+ X25519, X448, Ed25519 and Ed448.
+ [Patrick Steuer]
+
+ *) Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just
+ the first value.
+ [Jon Spillett]
+
+ *) Deprecated the public definition of ERR_STATE as well as the function
+ ERR_get_state(). This is done in preparation of making ERR_STATE an
+ opaque type.
+ [Richard Levitte]
+
+ *) Added ERR functionality to give callers access to the stored function
+ names that have replaced the older function code based functions.
+
+ New functions are ERR_get_error_func(), ERR_peek_error_func(),
+ ERR_peek_last_error_func(), ERR_get_error_data(), ERR_peek_error_data(),
+ ERR_peek_last_error_data(), ERR_get_error_all(), ERR_peek_error_all()
+ and ERR_peek_last_error_all().
+
+ These functions have become deprecated: ERR_get_error_line_data(),
+ ERR_peek_error_line_data(), ERR_peek_last_error_line_data() and
+ ERR_func_error_string().
+ [Richard Levitte]
+
+ *) Extended testing to be verbose for failing tests only. The make variables
+ VERBOSE_FAILURE or VF can be used to enable this:
+
+ $ make VF=1 test # Unix
+ $ mms /macro=(VF=1) test ! OpenVMS
+ $ nmake VF=1 test # Windows
+
+ [Richard Levitte]
+
+ *) For built-in EC curves, ensure an EC_GROUP built from the curve name is
+ used even when parsing explicit parameters, when loading a serialized key
+ or calling `EC_GROUP_new_from_ecpkparameters()`/
+ `EC_GROUP_new_from_ecparameters()`.
+ This prevents bypass of security hardening and performance gains,
+ especially for curves with specialized EC_METHODs.
+ By default, if a key encoded with explicit parameters is loaded and later
+ serialized, the output is still encoded with explicit parameters, even if
+ internally a "named" EC_GROUP is used for computation.
+ [Nicola Tuveri]
+
+ *) Compute ECC cofactors if not provided during EC_GROUP construction. Before
+ this change, EC_GROUP_set_generator would accept order and/or cofactor as
+ NULL. After this change, only the cofactor parameter can be NULL. It also
+ does some minimal sanity checks on the passed order.
+ (CVE-2019-1547)
+ [Billy Bob Brumley]
+
+ *) Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
+ An attack is simple, if the first CMS_recipientInfo is valid but the
+ second CMS_recipientInfo is chosen ciphertext. If the second
+ recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
+ encryption key will be replaced by garbage, and the message cannot be
+ decoded, but if the RSA decryption fails, the correct encryption key is
+ used and the recipient will not notice the attack.
+ As a work around for this potential attack the length of the decrypted
+ key must be equal to the cipher default key length, in case the
+ certifiate is not given and all recipientInfo are tried out.
+ The old behaviour can be re-enabled in the CMS code by setting the
+ CMS_DEBUG_DECRYPT flag.
+ [Bernd Edlinger]
+
+ *) Early start up entropy quality from the DEVRANDOM seed source has been
+ improved for older Linux systems. The RAND subsystem will wait for
+ /dev/random to be producing output before seeding from /dev/urandom.
+ The seeded state is stored for future library initialisations using
+ a system global shared memory segment. The shared memory identifier
+ can be configured by defining OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID to
+ the desired value. The default identifier is 114.
+ [Paul Dale]
+
+ *) Revised BN_generate_prime_ex to not avoid factors 2..17863 in p-1
+ when primes for RSA keys are computed.
+ Since we previously always generated primes == 2 (mod 3) for RSA keys,
+ the 2-prime and 3-prime RSA modules were easy to distinguish, since
+ N = p*q = 1 (mod 3), but N = p*q*r = 2 (mod 3). Therefore fingerprinting
+ 2-prime vs. 3-prime RSA keys was possible by computing N mod 3.
+ This avoids possible fingerprinting of newly generated RSA modules.
+ [Bernd Edlinger]
+
+ *) Correct the extended master secret constant on EBCDIC systems. Without this
+ fix TLS connections between an EBCDIC system and a non-EBCDIC system that
+ negotiate EMS will fail. Unfortunately this also means that TLS connections
+ between EBCDIC systems with this fix, and EBCDIC systems without this
+ fix will fail if they negotiate EMS.
+ [Matt Caswell]
+
+ *) Changed the library initialisation so that the config file is now loaded
+ by default. This was already the case for libssl. It now occurs for both
+ libcrypto and libssl. Use the OPENSSL_INIT_NO_LOAD_CONFIG option to
+ OPENSSL_init_crypto() to suppress automatic loading of a config file.
+ [Matt Caswell]
+
+ *) Introduced new error raising macros, ERR_raise() and ERR_raise_data(),
+ where the former acts as a replacement for ERR_put_error(), and the
+ latter replaces the combination ERR_put_error()+ERR_add_error_data().
+ ERR_raise_data() adds more flexibility by taking a format string and
+ an arbitrary number of arguments following it, to be processed with
+ BIO_snprintf().
+ [Richard Levitte]
+
+ *) Introduced a new function, OSSL_PROVIDER_available(), which can be used
+ to check if a named provider is loaded and available. When called, it
+ will also activate all fallback providers if such are still present.
+ [Richard Levitte]
+
+ *) Enforce a minimum DH modulus size of 512 bits.
+ [Bernd Edlinger]
+
+ *) Changed DH parameters to generate the order q subgroup instead of 2q.
+ Previously generated DH parameters are still accepted by DH_check
+ but DH_generate_key works around that by clearing bit 0 of the
+ private key for those. This avoids leaking bit 0 of the private key.
+ [Bernd Edlinger]
+
+ *) Significantly reduce secure memory usage by the randomness pools.
+ [Paul Dale]
+
+ *) {CRYPTO,OPENSSL}_mem_debug_{push,pop} are now no-ops and have been
+ deprecated.
+ [Rich Salz]
+
+ *) A new type, EVP_KEYEXCH, has been introduced to represent key exchange
+ algorithms. An implementation of a key exchange algorithm can be obtained
+ by using the function EVP_KEYEXCH_fetch(). An EVP_KEYEXCH algorithm can be
+ used in a call to EVP_PKEY_derive_init_ex() which works in a similar way to
+ the older EVP_PKEY_derive_init() function. See the man pages for the new
+ functions for further details.
+ [Matt Caswell]
+
+ *) The EVP_PKEY_CTX_set_dh_pad() macro has now been converted to a function.
+ [Matt Caswell]
+
+ *) Removed the function names from error messages and deprecated the
+ xxx_F_xxx define's.
+
+ *) Removed NextStep support and the macro OPENSSL_UNISTD
+ [Rich Salz]
+
+ *) Removed DES_check_key. Also removed OPENSSL_IMPLEMENT_GLOBAL,
+ OPENSSL_GLOBAL_REF, OPENSSL_DECLARE_GLOBAL.
+ Also removed "export var as function" capability; we do not export
+ variables, only functions.
+ [Rich Salz]
+
+ *) RC5_32_set_key has been changed to return an int type, with 0 indicating
+ an error and 1 indicating success. In previous versions of OpenSSL this
+ was a void type. If a key was set longer than the maximum possible this
+ would crash.
+ [Matt Caswell]
+
+ *) Support SM2 signing and verification schemes with X509 certificate.
+ [Paul Yang]
+
+ *) Use SHA256 as the default digest for TS query in the ts app.
+ [Tomas Mraz]
+
+ *) Change PBKDF2 to conform to SP800-132 instead of the older PKCS5 RFC2898.
+ This checks that the salt length is at least 128 bits, the derived key
+ length is at least 112 bits, and that the iteration count is at least 1000.
+ For backwards compatibility these checks are disabled by default in the
+ default provider, but are enabled by default in the fips provider.
+ To enable or disable these checks use the control
+ EVP_KDF_CTRL_SET_PBKDF2_PKCS5_MODE.
+ [Shane Lontis]
+
+ *) Default cipher lists/suites are now available via a function, the
+ #defines are deprecated.
+ [Todd Short]
+
+ *) Add target VC-WIN32-UWP, VC-WIN64A-UWP, VC-WIN32-ARM-UWP and
+ VC-WIN64-ARM-UWP in Windows OneCore target for making building libraries
+ for Windows Store apps easier. Also, the "no-uplink" option has been added.
+ [Kenji Mouri]
+
+ *) Join the directories crypto/x509 and crypto/x509v3
+ [Richard Levitte]
+
+ *) Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
+ This changes the size when using the genpkey app when no size is given. It
+ fixes an omission in earlier changes that changed all RSA, DSA and DH
+ generation apps to use 2048 bits by default.
+ [Kurt Roeckx]
+
+ *) Added command 'openssl kdf' that uses the EVP_KDF API.
+ [Shane Lontis]
+
+ *) Added command 'openssl mac' that uses the EVP_MAC API.
+ [Shane Lontis]
+
+ *) Added OPENSSL_info() to get diverse built-in OpenSSL data, such
+ as default directories. Also added the command 'openssl info'
+ for scripting purposes.
+ [Richard Levitte]
+
+ *) The functions AES_ige_encrypt() and AES_bi_ige_encrypt() have been
+ deprecated. These undocumented functions were never integrated into the EVP
+ layer and implement the AES Infinite Garble Extension (IGE) mode and AES
+ Bi-directional IGE mode. These modes were never formally standardised and
+ usage of these functions is believed to be very small. In particular
+ AES_bi_ige_encrypt() has a known bug. It accepts 2 AES keys, but only one
+ is ever used. The security implications are believed to be minimal, but
+ this issue was never fixed for backwards compatibility reasons. New code
+ should not use these modes.
+ [Matt Caswell]
+
+ *) Add prediction resistance to the DRBG reseeding process.
+ [Paul Dale]
+
+ *) Limit the number of blocks in a data unit for AES-XTS to 2^20 as
+ mandated by IEEE Std 1619-2018.
+ [Paul Dale]
+
+ *) Added newline escaping functionality to a filename when using openssl dgst.
+ This output format is to replicate the output format found in the '*sum'
+ checksum programs. This aims to preserve backward compatibility.
+ [Matt Eaton, Richard Levitte, and Paul Dale]
+
+ *) Removed the heartbeat message in DTLS feature, as it has very
+ little usage and doesn't seem to fulfill a valuable purpose.
+ The configuration option is now deprecated.
+ [Richard Levitte]
+
+ *) Changed the output of 'openssl {digestname} < file' to display the
+ digest name in its output.
+ [Richard Levitte]
+
+ *) Added a new generic trace API which provides support for enabling
+ instrumentation through trace output. This feature is mainly intended
+ as an aid for developers and is disabled by default. To utilize it,
+ OpenSSL needs to be configured with the `enable-trace` option.
+
+ If the tracing API is enabled, the application can activate trace output
+ by registering BIOs as trace channels for a number of tracing and debugging
+ categories.
+
+ The 'openssl' application has been expanded to enable any of the types
+ available via environment variables defined by the user, and serves as
+ one possible example on how to use this functionality.
+ [Richard Levitte & Matthias St. Pierre]
+
+ *) Added build tests for C++. These are generated files that only do one
+ thing, to include one public OpenSSL head file each. This tests that
+ the public header files can be usefully included in a C++ application.
+
+ This test isn't enabled by default. It can be enabled with the option
+ 'enable-buildtest-c++'.
+ [Richard Levitte]
+
+ *) Add Single Step KDF (EVP_KDF_SS) to EVP_KDF.
+ [Shane Lontis]
+
+ *) Add KMAC to EVP_MAC.
+ [Shane Lontis]
+
+ *) Added property based algorithm implementation selection framework to
+ the core.
+ [Paul Dale]
+
+ *) Added SCA hardening for modular field inversion in EC_GROUP through
+ a new dedicated field_inv() pointer in EC_METHOD.
+ This also addresses a leakage affecting conversions from projective
+ to affine coordinates.
+ [Billy Bob Brumley, Nicola Tuveri]
+
+ *) Added EVP_KDF, an EVP layer KDF API, to simplify adding KDF and PRF
+ implementations. This includes an EVP_PKEY to EVP_KDF bridge for
+ those algorithms that were already supported through the EVP_PKEY API
+ (scrypt, TLS1 PRF and HKDF). The low-level KDF functions for PBKDF2
+ and scrypt are now wrappers that call EVP_KDF.
+ [David Makepeace]
+
+ *) Build devcrypto engine as a dynamic engine.
+ [Eneas U de Queiroz]
+
+ *) Add keyed BLAKE2 to EVP_MAC.
+ [Antoine Salon]
+
+ *) Fix a bug in the computation of the endpoint-pair shared secret used
+ by DTLS over SCTP. This breaks interoperability with older versions
+ of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2. There is a runtime
+ switch SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG (off by default) enabling
+ interoperability with such broken implementations. However, enabling
+ this switch breaks interoperability with correct implementations.
+
+ *) Fix a use after free bug in d2i_X509_PUBKEY when overwriting a
+ re-used X509_PUBKEY object if the second PUBKEY is malformed.
+ [Bernd Edlinger]
+
+ *) Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().
+ [Richard Levitte]
+
+ *) Change the license to the Apache License v2.0.
+ [Richard Levitte]
+
+ *) Switch to a new version scheme using three numbers MAJOR.MINOR.PATCH.
+
+ o Major releases (indicated by incrementing the MAJOR release number)
+ may introduce incompatible API/ABI changes.
+ o Minor releases (indicated by incrementing the MINOR release number)
+ may introduce new features but retain API/ABI compatibility.
+ o Patch releases (indicated by incrementing the PATCH number)
+ are intended for bug fixes and other improvements of existing
+ features only (like improving performance or adding documentation)
+ and retain API/ABI compatibility.
+ [Richard Levitte]
+
+ *) Add support for RFC5297 SIV mode (siv128), including AES-SIV.
+ [Todd Short]
+
+ *) Remove the 'dist' target and add a tarball building script. The
+ 'dist' target has fallen out of use, and it shouldn't be
+ necessary to configure just to create a source distribution.
+ [Richard Levitte]
+
+ *) Recreate the OS390-Unix config target. It no longer relies on a
+ special script like it did for OpenSSL pre-1.1.0.
+ [Richard Levitte]
+
+ *) Instead of having the source directories listed in Configure, add
+ a 'build.info' keyword SUBDIRS to indicate what sub-directories to
+ look into.
+ [Richard Levitte]
+
+ *) Add GMAC to EVP_MAC.
+ [Paul Dale]
+
+ *) Ported the HMAC, CMAC and SipHash EVP_PKEY_METHODs to EVP_MAC.
+ [Richard Levitte]
+
+ *) Added EVP_MAC, an EVP layer MAC API, to simplify adding MAC
+ implementations. This includes a generic EVP_PKEY to EVP_MAC bridge,
+ to facilitate the continued use of MACs through raw private keys in
+ functionality such as EVP_DigestSign* and EVP_DigestVerify*.
+ [Richard Levitte]
+
+ *) Deprecate ECDH_KDF_X9_62() and mark its replacement as internal. Users
+ should use the EVP interface instead (EVP_PKEY_CTX_set_ecdh_kdf_type).
+ [Antoine Salon]
+
+ *) Added EVP_PKEY_ECDH_KDF_X9_63 and ecdh_KDF_X9_63() as replacements for
+ the EVP_PKEY_ECDH_KDF_X9_62 KDF type and ECDH_KDF_X9_62(). The old names
+ are retained for backwards compatibility.
+ [Antoine Salon]
+
+ *) AES-XTS mode now enforces that its two keys are different to mitigate
+ the attacked described in "Efficient Instantiations of Tweakable
+ Blockciphers and Refinements to Modes OCB and PMAC" by Phillip Rogaway.
+ Details of this attack can be obtained from:
+ http://web.cs.ucdavis.edu/%7Erogaway/papers/offsets.pdf
+ [Paul Dale]
+
+ *) Rename the object files, i.e. give them other names than in previous
+ versions. Their names now include the name of the final product, as
+ well as its type mnemonic (bin, lib, shlib).
+ [Richard Levitte]
+
+ *) Added new option for 'openssl list', '-objects', which will display the
+ list of built in objects, i.e. OIDs with names.
+ [Richard Levitte]
+
+ *) Added support for Linux Kernel TLS data-path. The Linux Kernel data-path
+ improves application performance by removing data copies and providing
+ applications with zero-copy system calls such as sendfile and splice.
+ [Boris Pismenny]
+
+ Changes between 1.1.1a and 1.1.1b [xx XXX xxxx]
+
+ *) Change the info callback signals for the start and end of a post-handshake
+ message exchange in TLSv1.3. In 1.1.1/1.1.1a we used SSL_CB_HANDSHAKE_START
+ and SSL_CB_HANDSHAKE_DONE. Experience has shown that many applications get
+ confused by this and assume that a TLSv1.2 renegotiation has started. This
+ can break KeyUpdate handling. Instead we no longer signal the start and end
+ of a post handshake message exchange (although the messages themselves are
+ still signalled). This could break some applications that were expecting
+ the old signals. However without this KeyUpdate is not usable for many
+ applications.
+ [Matt Caswell]
+
+ Changes between 1.1.1 and 1.1.1a [20 Nov 2018]
+
+ *) Timing vulnerability in DSA signature generation
+
+ The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
+ timing side channel attack. An attacker could use variations in the signing
+ algorithm to recover the private key.
+
+ This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
+ (CVE-2018-0734)
+ [Paul Dale]
+
+ *) Timing vulnerability in ECDSA signature generation
+
+ The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a
+ timing side channel attack. An attacker could use variations in the signing
+ algorithm to recover the private key.
+
+ This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser.
+ (CVE-2018-0735)
+ [Paul Dale]
+
+ *) Fixed the issue that RAND_add()/RAND_seed() silently discards random input
+ if its length exceeds 4096 bytes. The limit has been raised to a buffer size
+ of two gigabytes and the error handling improved.
+
+ This issue was reported to OpenSSL by Dr. Falko Strenzke. It has been
+ categorized as a normal bug, not a security issue, because the DRBG reseeds
+ automatically and is fully functional even without additional randomness
+ provided by the application.
+
+ Changes between 1.1.0i and 1.1.1 [11 Sep 2018]
+
+ *) Add a new ClientHello callback. Provides a callback interface that gives
+ the application the ability to adjust the nascent SSL object at the
+ earliest stage of ClientHello processing, immediately after extensions have
+ been collected but before they have been processed. In particular, this
+ callback can adjust the supported TLS versions in response to the contents
+ of the ClientHello
+ [Benjamin Kaduk]
+
+ *) Add SM2 base algorithm support.
+ [Jack Lloyd]
+
+ *) s390x assembly pack: add (improved) hardware-support for the following
+ cryptographic primitives: sha3, shake, aes-gcm, aes-ccm, aes-ctr, aes-ofb,
+ aes-cfb/cfb8, aes-ecb.
+ [Patrick Steuer]
+
+ *) Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str
+ parameter is no longer accepted, as it leads to a corrupt table. NULL
+ pem_str is reserved for alias entries only.
+ [Richard Levitte]
+
+ *) Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder
+ step for prime curves. The new implementation is based on formulae from
+ differential addition-and-doubling in homogeneous projective coordinates
+ from Izu-Takagi "A fast parallel elliptic curve multiplication resistant
+ against side channel attacks" and Brier-Joye "Weierstrass Elliptic Curves
+ and Side-Channel Attacks" Eq. (8) for y-coordinate recovery, modified
+ to work in projective coordinates.
+ [Billy Bob Brumley, Nicola Tuveri]
+
+ *) Change generating and checking of primes so that the error rate of not
+ being prime depends on the intended use based on the size of the input.
+ For larger primes this will result in more rounds of Miller-Rabin.
+ The maximal error rate for primes with more than 1080 bits is lowered
+ to 2^-128.
+ [Kurt Roeckx, Annie Yousar]
+
+ *) Increase the number of Miller-Rabin rounds for DSA key generating to 64.
+ [Kurt Roeckx]
+
+ *) The 'tsget' script is renamed to 'tsget.pl', to avoid confusion when
+ moving between systems, and to avoid confusion when a Windows build is
+ done with mingw vs with MSVC. For POSIX installs, there's still a
+ symlink or copy named 'tsget' to avoid that confusion as well.
+ [Richard Levitte]
+
+ *) Revert blinding in ECDSA sign and instead make problematic addition
+ length-invariant. Switch even to fixed-length Montgomery multiplication.
+ [Andy Polyakov]
+
+ *) Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder
+ step for binary curves. The new implementation is based on formulae from
+ differential addition-and-doubling in mixed Lopez-Dahab projective
+ coordinates, modified to independently blind the operands.
+ [Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri]
+
+ *) Add a scaffold to optionally enhance the Montgomery ladder implementation
+ for `ec_scalar_mul_ladder` (formerly `ec_mul_consttime`) allowing
+ EC_METHODs to implement their own specialized "ladder step", to take
+ advantage of more favorable coordinate systems or more efficient
+ differential addition-and-doubling algorithms.
+ [Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri]
+
+ *) Modified the random device based seed sources to keep the relevant
+ file descriptors open rather than reopening them on each access.
+ This allows such sources to operate in a chroot() jail without
+ the associated device nodes being available. This behaviour can be
+ controlled using RAND_keep_random_devices_open().
+ [Paul Dale]
+
+ *) Numerous side-channel attack mitigations have been applied. This may have
+ performance impacts for some algorithms for the benefit of improved
+ security. Specific changes are noted in this change log by their respective
+ authors.
+ [Matt Caswell]
+
+ *) AIX shared library support overhaul. Switch to AIX "natural" way of
+ handling shared libraries, which means collecting shared objects of
+ different versions and bitnesses in one common archive. This allows to
+ mitigate conflict between 1.0 and 1.1 side-by-side installations. It
+ doesn't affect the way 3rd party applications are linked, only how
+ multi-version installation is managed.
+ [Andy Polyakov]
+
+ *) Make ec_group_do_inverse_ord() more robust and available to other
+ EC cryptosystems, so that irrespective of BN_FLG_CONSTTIME, SCA
+ mitigations are applied to the fallback BN_mod_inverse().
+ When using this function rather than BN_mod_inverse() directly, new
+ EC cryptosystem implementations are then safer-by-default.
+ [Billy Bob Brumley]
+
+ *) Add coordinate blinding for EC_POINT and implement projective
+ coordinate blinding for generic prime curves as a countermeasure to
+ chosen point SCA attacks.
+ [Sohaib ul Hassan, Nicola Tuveri, Billy Bob Brumley]
+
+ *) Add blinding to ECDSA and DSA signatures to protect against side channel
+ attacks discovered by Keegan Ryan (NCC Group).
+ [Matt Caswell]
+
+ *) Enforce checking in the pkeyutl command line app to ensure that the input
+ length does not exceed the maximum supported digest length when performing
+ a sign, verify or verifyrecover operation.
+ [Matt Caswell]
+
+ *) SSL_MODE_AUTO_RETRY is enabled by default. Applications that use blocking
+ I/O in combination with something like select() or poll() will hang. This
+ can be turned off again using SSL_CTX_clear_mode().
+ Many applications do not properly handle non-application data records, and
+ TLS 1.3 sends more of such records. Setting SSL_MODE_AUTO_RETRY works
+ around the problems in those applications, but can also break some.
+ It's recommended to read the manpages about SSL_read(), SSL_write(),
+ SSL_get_error(), SSL_shutdown(), SSL_CTX_set_mode() and
+ SSL_CTX_set_read_ahead() again.
+ [Kurt Roeckx]
+
+ *) When unlocking a pass phrase protected PEM file or PKCS#8 container, we
+ now allow empty (zero character) pass phrases.
+ [Richard Levitte]
+
+ *) Apply blinding to binary field modular inversion and remove patent
+ pending (OPENSSL_SUN_GF2M_DIV) BN_GF2m_mod_div implementation.
+ [Billy Bob Brumley]
+
+ *) Deprecate ec2_mult.c and unify scalar multiplication code paths for
+ binary and prime elliptic curves.
+ [Billy Bob Brumley]
+
+ *) Remove ECDSA nonce padding: EC_POINT_mul is now responsible for
+ constant time fixed point multiplication.
+ [Billy Bob Brumley]
+
+ *) Revise elliptic curve scalar multiplication with timing attack
+ defenses: ec_wNAF_mul redirects to a constant time implementation
+ when computing fixed point and variable point multiplication (which
+ in OpenSSL are mostly used with secret scalars in keygen, sign,
+ ECDH derive operations).
+ [Billy Bob Brumley, Nicola Tuveri, Cesar Pereida García,
+ Sohaib ul Hassan]
+
+ *) Updated CONTRIBUTING
+ [Rich Salz]
+
+ *) Updated DRBG / RAND to request nonce and additional low entropy
+ randomness from the system.
+ [Matthias St. Pierre]
+
+ *) Updated 'openssl rehash' to use OpenSSL consistent default.
+ [Richard Levitte]
+
+ *) Moved the load of the ssl_conf module to libcrypto, which helps
+ loading engines that libssl uses before libssl is initialised.
+ [Matt Caswell]
+
+ *) Added EVP_PKEY_sign() and EVP_PKEY_verify() for EdDSA
+ [Matt Caswell]
+
+ *) Fixed X509_NAME_ENTRY_set to get multi-valued RDNs right in all cases.
+ [Ingo Schwarze, Rich Salz]
+
+ *) Added output of accepting IP address and port for 'openssl s_server'
+ [Richard Levitte]
+
+ *) Added a new API for TLSv1.3 ciphersuites:
+ SSL_CTX_set_ciphersuites()
+ SSL_set_ciphersuites()
+ [Matt Caswell]
+
+ *) Memory allocation failures consistently add an error to the error
+ stack.
+ [Rich Salz]
+
+ *) Don't use OPENSSL_ENGINES and OPENSSL_CONF environment values
+ in libcrypto when run as setuid/setgid.
+ [Bernd Edlinger]
+
+ *) Load any config file by default when libssl is used.
+ [Matt Caswell]
*) Added new public header file <openssl/rand_drbg.h> and documentation
for the RAND_DRBG API. See manual page RAND_DRBG(7) for an overview.
below. Similarly TLSv1.2 ciphersuites are not compatible with TLSv1.3.
In order to avoid issues where legacy TLSv1.2 ciphersuite configuration
would otherwise inadvertently disable all TLSv1.3 ciphersuites the
- configuraton has been separated out. See the ciphers man page or the
+ configuration has been separated out. See the ciphers man page or the
SSL_CTX_set_ciphersuites() man page for more information.
[Matt Caswell]
*) Support for TLSv1.3 added. Note that users upgrading from an earlier
version of OpenSSL should review their configuration settings to ensure
that they are still appropriate for TLSv1.3. For further information see:
- https://www.openssl.org/blog/blog/2018/02/08/tlsv1.3/
-
- NOTE: In this pre-release of OpenSSL a draft version of the
- TLSv1.3 standard has been implemented. Implementations of different draft
- versions of the standard do not inter-operate, and this version will not
- inter-operate with an implementation of the final standard when it is
- eventually published. Different pre-release versions may implement
- different versions of the draft. The final version of OpenSSL 1.1.1 will
- implement the final version of the standard.
- TODO(TLS1.3): Remove the above note before final release
+ https://wiki.openssl.org/index.php/TLS1.3
[Matt Caswell]
*) Grand redesign of the OpenSSL random generator
Some of its new features are:
o Support for multiple DRBG instances with seed chaining.
- o Add a public DRBG instance for the default RAND method.
- o Add a dedicated DRBG instance for generating long term private keys.
- o Make the DRBG instances fork-safe.
+ o The default RAND method makes use of a DRBG.
+ o There is a public and private DRBG instance.
+ o The DRBG instances are fork-safe.
o Keep all global DRBG instances on the secure heap if it is enabled.
- o Add a DRBG instance to every SSL instance for lock free operation
- and to increase unpredictability.
+ o The public and private DRBG instance are per thread for lock free
+ operation
[Paul Dale, Benjamin Kaduk, Kurt Roeckx, Rich Salz, Matthias St. Pierre]
*) Changed Configure so it only says what it does and doesn't dump
issues, has been replaced to always returns NULL.
[Rich Salz]
- Changes between 1.1.0g and 1.1.0h [xx XXX xxxx]
+
+ Changes between 1.1.0h and 1.1.0i [xx XXX xxxx]
+
+ *) Client DoS due to large DH parameter
+
+ During key agreement in a TLS handshake using a DH(E) based ciphersuite a
+ malicious server can send a very large prime value to the client. This will
+ cause the client to spend an unreasonably long period of time generating a
+ key for this prime resulting in a hang until the client has finished. This
+ could be exploited in a Denial Of Service attack.
+
+ This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken
+ (CVE-2018-0732)
+ [Guido Vranken]
+
+ *) Cache timing vulnerability in RSA Key Generation
+
+ The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to
+ a cache timing side channel attack. An attacker with sufficient access to
+ mount cache timing attacks during the RSA key generation process could
+ recover the private key.
+
+ This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera
+ Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
+ (CVE-2018-0737)
+ [Billy Brumley]
+
+ *) Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str
+ parameter is no longer accepted, as it leads to a corrupt table. NULL
+ pem_str is reserved for alias entries only.
+ [Richard Levitte]
+
+ *) Revert blinding in ECDSA sign and instead make problematic addition
+ length-invariant. Switch even to fixed-length Montgomery multiplication.
+ [Andy Polyakov]
+
+ *) Change generating and checking of primes so that the error rate of not
+ being prime depends on the intended use based on the size of the input.
+ For larger primes this will result in more rounds of Miller-Rabin.
+ The maximal error rate for primes with more than 1080 bits is lowered
+ to 2^-128.
+ [Kurt Roeckx, Annie Yousar]
+
+ *) Increase the number of Miller-Rabin rounds for DSA key generating to 64.
+ [Kurt Roeckx]
+
+ *) Add blinding to ECDSA and DSA signatures to protect against side channel
+ attacks discovered by Keegan Ryan (NCC Group).
+ [Matt Caswell]
+
+ *) When unlocking a pass phrase protected PEM file or PKCS#8 container, we
+ now allow empty (zero character) pass phrases.
+ [Richard Levitte]
+
+ *) Certificate time validation (X509_cmp_time) enforces stricter
+ compliance with RFC 5280. Fractional seconds and timezone offsets
+ are no longer allowed.
+ [Emilia Käsper]
+
+ *) Fixed a text canonicalisation bug in CMS
+
+ Where a CMS detached signature is used with text content the text goes
+ through a canonicalisation process first prior to signing or verifying a
+ signature. This process strips trailing space at the end of lines, converts
+ line terminators to CRLF and removes additional trailing line terminators
+ at the end of a file. A bug in the canonicalisation process meant that
+ some characters, such as form-feed, were incorrectly treated as whitespace
+ and removed. This is contrary to the specification (RFC5485). This fix
+ could mean that detached text data signed with an earlier version of
+ OpenSSL 1.1.0 may fail to verify using the fixed version, or text data
+ signed with a fixed OpenSSL may fail to verify with an earlier version of
+ OpenSSL 1.1.0. A workaround is to only verify the canonicalised text data
+ and use the "-binary" flag (for the "cms" command line application) or set
+ the SMIME_BINARY/PKCS7_BINARY/CMS_BINARY flags (if using CMS_verify()).
+ [Matt Caswell]
+
+ Changes between 1.1.0g and 1.1.0h [27 Mar 2018]
*) Constructed ASN.1 types with a recursive definition could exceed the stack
reason texts, thereby removing some of the footprint that may not
be interesting if those errors aren't displayed anyway.
- NOTE: it's still possible for any application or module to have it's
+ NOTE: it's still possible for any application or module to have its
own set of error texts inserted. The routines are there, just not
used by default when no-err is given.
[Richard Levitte]
Changes between 0.9.6g and 0.9.6h [5 Dec 2002]
*) New function OPENSSL_cleanse(), which is used to cleanse a section of
- memory from it's contents. This is done with a counter that will
+ memory from its contents. This is done with a counter that will
place alternating values in each byte. This can be used to solve
two issues: 1) the removal of calls to memset() by highly optimizing
compilers, and 2) cleansing with other values than 0, since those can
(still largely untested)
[Bodo Moeller]
- *) New function ANS1_tag2str() to convert an ASN1 tag to a descriptive
+ *) New function ASN1_tag2str() to convert an ASN1 tag to a descriptive
ASCII string. This was handled independently in various places before.
[Steve Henson]
*) A minor bug in ssl/s3_clnt.c where there would always be 4 0
bytes sent in the client random.
[Edward Bishop <ebishop@spyglass.com>]
-
projects / openssl.git / blobdiff