Changes between 1.1.1 and 3.0.0 [xx XXX xxxx]
+ *) Added property based algorithm implementation selection framework to
+ the core.
+ [Paul Dale]
+
+ *) Added SCA hardening for modular field inversion in EC_GROUP through
+ a new dedicated field_inv() pointer in EC_METHOD.
+ This also addresses a leakage affecting conversions from projective
+ to affine coordinates.
+ [Billy Bob Brumley, Nicola Tuveri]
+
+ *) Added EVP_KDF, an EVP layer KDF API, to simplify adding KDF and PRF
+ implementations. This includes an EVP_PKEY to EVP_KDF bridge for
+ those algorithms that were already supported through the EVP_PKEY API
+ (scrypt, TLS1 PRF and HKDF). The low-level KDF functions for PBKDF2
+ and scrypt are now wrappers that call EVP_KDF.
+ [David Makepeace]
+
+ *) Build devcrypto engine as a dynamic engine.
+ [Eneas U de Queiroz]
+
*) Add keyed BLAKE2 to EVP_MAC.
[Antoine Salon]
applications with zero-copy system calls such as sendfile and splice.
[Boris Pismenny]
+ Changes between 1.1.1a and 1.1.1b [xx XXX xxxx]
+
+ *) Change the info callback signals for the start and end of a post-handshake
+ message exchange in TLSv1.3. In 1.1.1/1.1.1a we used SSL_CB_HANDSHAKE_START
+ and SSL_CB_HANDSHAKE_DONE. Experience has shown that many applications get
+ confused by this and assume that a TLSv1.2 renegotiation has started. This
+ can break KeyUpdate handling. Instead we no longer signal the start and end
+ of a post handshake message exchange (although the messages themselves are
+ still signalled). This could break some applications that were expecting
+ the old signals. However without this KeyUpdate is not usable for many
+ applications.
+ [Matt Caswell]
+
Changes between 1.1.1 and 1.1.1a [20 Nov 2018]
*) Timing vulnerability in DSA signature generation