X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=CHANGES;h=3661a4f2631b97d533d9cb6635a136918659d211;hp=3d2f94303aa17dd757b843a472dad4524faa4748;hb=9e5aaf78868ca2f4d65d3bb1f9246659a6522241;hpb=bacaa618c26411d212015493d0eb82076a3e76a1 diff --git a/CHANGES b/CHANGES index 3d2f94303a..3661a4f263 100644 --- a/CHANGES +++ b/CHANGES @@ -9,6 +9,260 @@ Changes between 1.1.1 and 3.0.0 [xx XXX xxxx] + *) All of the low level MD2, MD4, MD5, MDC2, RIPEMD160, SHA1, SHA224, SHA256, + SHA384, SHA512 and Whirlpool digest functions have been deprecated. + These include: + MD2, MD2_options, MD2_Init, MD2_Update, MD2_Final, MD4, MD4_Init, + MD4_Update, MD4_Final, MD4_Transform, MD5, MD5_Init, MD5_Update, + MD5_Final, MD5_Transform, MDC2, MDC2_Init, MDC2_Update, MDC2_Final, + RIPEMD160, RIPEMD160_Init, RIPEMD160_Update, RIPEMD160_Final, + RIPEMD160_Transform, SHA1_Init, SHA1_Update, SHA1_Final, + SHA1_Transform, SHA224_Init, SHA224_Update, SHA224_Final, + SHA224_Transform, SHA256_Init, SHA256_Update, SHA256_Final, + SHA256_Transform, SHA384, SHA384_Init, SHA384_Update, SHA384_Final, + SHA512, SHA512_Init, SHA512_Update, SHA512_Final, SHA512_Transform, + WHIRLPOOL, WHIRLPOOL_Init, WHIRLPOOL_Update, WHIRLPOOL_BitUpdate + and WHIRLPOOL_Final. + Use of these low level functions has been informally discouraged for a long + time. Instead applications should instead use the EVP_DigestInit_ex, + EVP_DigestUpdate(3) and EVP_DigestFinal_ex(3) functions. + [Paul Dale] + + *) Corrected the documentation of the return values from the EVP_DigestSign* + set of functions. The documentation mentioned negative values for some + errors, but this was never the case, so the mention of negative values + was removed. + + Code that followed the documentation and thereby check with something + like 'EVP_DigestSignInit(...) <= 0' will continue to work undisturbed. + [Richard Levitte] + + *) All of the low level cipher functions have been deprecated including: + AES_options, AES_set_encrypt_key, AES_set_decrypt_key, AES_encrypt, + AES_decrypt, AES_ecb_encrypt, AES_cbc_encrypt, AES_cfb128_encrypt, + AES_cfb1_encrypt, AES_cfb8_encrypt, AES_ofb128_encrypt, + AES_wrap_key, AES_unwrap_key, BF_set_key, BF_encrypt, BF_decrypt, + BF_ecb_encrypt, BF_cbc_encrypt, BF_cfb64_encrypt, BF_ofb64_encrypt, + BF_options, Camellia_set_key, Camellia_encrypt, Camellia_decrypt, + Camellia_ecb_encrypt, Camellia_cbc_encrypt, Camellia_cfb128_encrypt, + Camellia_cfb1_encrypt, Camellia_cfb8_encrypt, Camellia_ofb128_encrypt, + Camellia_ctr128_encrypt, CAST_set_key, CAST_encrypt, CAST_decrypt, + CAST_ecb_encrypt, CAST_cbc_encrypt, CAST_cfb64_encrypt, + CAST_ofb64_encrypt, DES_options, DES_encrypt1, DES_encrypt2, + DES_encrypt3, DES_decrypt3, DES_cbc_encrypt, DES_ncbc_encrypt, + DES_pcbc_encrypt, DES_xcbc_encrypt, DES_cfb_encrypt, DES_cfb64_encrypt, + DES_ecb_encrypt, DES_ofb_encrypt, DES_ofb64_encrypt, DES_random_key, + DES_set_odd_parity, DES_check_key_parity, DES_is_weak_key, DES_set_key, + DES_key_sched, DES_set_key_checked, DES_set_key_unchecked, + DES_string_to_key, DES_string_to_2keys, DES_fixup_key_parity, + DES_ecb2_encrypt, DES_ede2_cbc_encrypt, DES_ede2_cfb64_encrypt, + DES_ede2_ofb64_encrypt, DES_ecb3_encrypt, DES_ede3_cbc_encrypt, + DES_ede3_cfb64_encrypt, DES_ede3_cfb_encrypt, DES_ede3_ofb64_encrypt, + DES_cbc_cksum, DES_quad_cksum, IDEA_encrypt, IDEA_options, + IDEA_ecb_encrypt, IDEA_set_encrypt_key, IDEA_set_decrypt_key, + IDEA_cbc_encrypt, IDEA_cfb64_encrypt, IDEA_ofb64_encrypt, RC2_set_key, + RC2_encrypt, RC2_decrypt, RC2_ecb_encrypt, RC2_cbc_encrypt, + RC2_cfb64_encrypt, RC2_ofb64_encrypt, RC4, RC4_options, RC4_set_key, + RC5_32_set_key, RC5_32_encrypt, RC5_32_decrypt, RC5_32_ecb_encrypt, + RC5_32_cbc_encrypt, RC5_32_cfb64_encrypt, RC5_32_ofb64_encrypt, + SEED_set_key, SEED_encrypt, SEED_decrypt, SEED_ecb_encrypt, + SEED_cbc_encrypt, SEED_cfb128_encrypt and SEED_ofb128_encrypt. + + Use of these low level functions has been informally discouraged for a long + time. Instead applications should use the high level EVP APIs, e.g. + EVP_EncryptInit_ex, EVP_EncryptUpdate, EVP_EncryptFinal_ex, and the + equivalently named decrypt functions. + [Matt Caswell and Paul Dale] + + *) Removed include/openssl/opensslconf.h.in and replaced it with + include/openssl/configuration.h.in, which differs in not including + . A short header include/openssl/opensslconf.h + was added to include both. + + This allows internal hacks where one might need to modify the set + of configured macros, for example this if deprecated symbols are + still supposed to be available internally: + + #include + + #undef OPENSSL_NO_DEPRECATED + #define OPENSSL_SUPPRESS_DEPRECATED + + #include + + This should not be used by applications that use the exported + symbols, as that will lead to linking errors. + [Richard Levitte] + + *) Fixed an an overflow bug in the x64_64 Montgomery squaring procedure + used in exponentiation with 512-bit moduli. No EC algorithms are + affected. Analysis suggests that attacks against 2-prime RSA1024, + 3-prime RSA1536, and DSA1024 as a result of this defect would be very + difficult to perform and are not believed likely. Attacks against DH512 + are considered just feasible. However, for an attack the target would + have to re-use the DH512 private key, which is not recommended anyway. + Also applications directly using the low level API BN_mod_exp may be + affected if they use BN_FLG_CONSTTIME. + (CVE-2019-1551) + [Andy Polyakov] + + *) Most memory-debug features have been deprecated, and the functionality + replaced with no-ops. + [Rich Salz] + + *) Introduced a new method type and API, OSSL_SERIALIZER, to + represent generic serializers. An implementation is expected to + be able to serialize an object associated with a given name (such + as an algorithm name for an asymmetric key) into forms given by + implementation properties. + + Serializers are primarily used from inside libcrypto, through + calls to functions like EVP_PKEY_print_private(), + PEM_write_bio_PrivateKey() and similar. + + Serializers are specified in such a way that they can be made to + directly handle the provider side portion of an object, if this + provider side part comes from the same provider as the serializer + itself, but can also be made to handle objects in parametrized + form (as an OSSL_PARAM array of data). This allows a provider to + offer generic serializers as a service for any other provider. + [Richard Levitte] + + *) Added a .pragma directive to the syntax of configuration files, to + allow varying behavior in a supported and predictable manner. + Currently added pragma: + + .pragma dollarid:on + + This allows dollar signs to be a keyword character unless it's + followed by a opening brace or parenthesis. This is useful for + platforms where dollar signs are commonly used in names, such as + volume names and system directory names on VMS. + [Richard Levitte] + + *) Added functionality to create an EVP_PKEY from user data. This + is effectively the same as creating a RSA, DH or DSA object and + then assigning them to an EVP_PKEY, but directly using algorithm + agnostic EVP functions. A benefit is that this should be future + proof for public key algorithms to come. + [Richard Levitte] + + *) Change the interpretation of the '--api' configuration option to + mean that this is a desired API compatibility level with no + further meaning. The previous interpretation, that this would + also mean to remove all deprecated symbols up to and including + the given version, no requires that 'no-deprecated' is also used + in the configuration. + + When building applications, the desired API compatibility level + can be set with the OPENSSL_API_COMPAT macro like before. For + API compatibility version below 3.0, the old style numerical + value is valid as before, such as -DOPENSSL_API_COMPAT=0x10100000L. + For version 3.0 and on, the value is expected to be the decimal + value calculated from the major and minor version like this: + + MAJOR * 10000 + MINOR * 100 + + Examples: + + -DOPENSSL_API_COMPAT=30000 For 3.0 + -DOPENSSL_API_COMPAT=30200 For 3.2 + + To hide declarations that are deprecated up to and including the + given API compatibility level, -DOPENSSL_NO_DEPRECATED must be + given when building the application as well. + [Richard Levitte] + + *) Added the X509_LOOKUP_METHOD called X509_LOOKUP_store, to allow + access to certificate and CRL stores via URIs and OSSL_STORE + loaders. + + This adds the following functions: + + X509_LOOKUP_store() + X509_STORE_load_file() + X509_STORE_load_path() + X509_STORE_load_store() + SSL_add_store_cert_subjects_to_stack() + SSL_CTX_set_default_verify_store() + SSL_CTX_load_verify_file() + SSL_CTX_load_verify_dir() + SSL_CTX_load_verify_store() + + Also, the following functions are now deprecated: + + - X509_STORE_load_locations() (use X509_STORE_load_file(), + X509_STORE_load_path() or X509_STORE_load_store() instead) + - SSL_CTX_load_verify_locations() (use SSL_CTX_load_verify_file(), + SSL_CTX_load_verify_dir() or SSL_CTX_load_verify_store() instead) + [Richard Levitte] + + *) Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY. + The presence of this system service is determined at run-time. + [Richard Levitte] + + *) Added functionality to create an EVP_PKEY context based on data + for methods from providers. This takes an algorithm name and a + property query string and simply stores them, with the intent + that any operation that uses this context will use those strings + to fetch the needed methods implicitly, thereby making the port + of application written for pre-3.0 OpenSSL easier. + [Richard Levitte] + + *) The undocumented function NCONF_WIN32() has been deprecated; for + conversion details see the HISTORY section of doc/man5/config.pod + [Rich Salz] + + *) Introduced the new functions EVP_DigestSignInit_ex() and + EVP_DigestVerifyInit_ex(). The macros EVP_DigestSignUpdate() and + EVP_DigestVerifyUpdate() have been converted to functions. See the man + pages for further details. + [Matt Caswell] + + *) Most common options (such as -rand/-writerand, TLS version control, etc) + were refactored and point to newly-enhanced descriptions in openssl.pod + [Rich Salz] + + *) Over two thousand fixes were made to the documentation, including: + adding missing command flags, better style conformance, documentation + of internals, etc. + [Rich Salz, Richard Levitte] + + *) s390x assembly pack: add hardware-support for P-256, P-384, P-521, + X25519, X448, Ed25519 and Ed448. + [Patrick Steuer] + + *) Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just + the first value. + [Jon Spillett] + + *) Deprecated the public definition of ERR_STATE as well as the function + ERR_get_state(). This is done in preparation of making ERR_STATE an + opaque type. + [Richard Levitte] + + *) Added ERR functionality to give callers access to the stored function + names that have replaced the older function code based functions. + + New functions are ERR_get_error_func(), ERR_peek_error_func(), + ERR_peek_last_error_func(), ERR_get_error_data(), ERR_peek_error_data(), + ERR_peek_last_error_data(), ERR_get_error_all(), ERR_peek_error_all() + and ERR_peek_last_error_all(). + + These functions have become deprecated: ERR_get_error_line_data(), + ERR_peek_error_line_data(), ERR_peek_last_error_line_data() and + ERR_func_error_string(). + [Richard Levitte] + + *) Extended testing to be verbose for failing tests only. The make variables + VERBOSE_FAILURE or VF can be used to enable this: + + $ make VF=1 test # Unix + $ mms /macro=(VF=1) test ! OpenVMS + $ nmake VF=1 test # Windows + + [Richard Levitte] + *) For built-in EC curves, ensure an EC_GROUP built from the curve name is used even when parsing explicit parameters, when loading a serialized key or calling `EC_GROUP_new_from_ecpkparameters()`/ @@ -27,6 +281,20 @@ (CVE-2019-1547) [Billy Bob Brumley] + *) Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey. + An attack is simple, if the first CMS_recipientInfo is valid but the + second CMS_recipientInfo is chosen ciphertext. If the second + recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct + encryption key will be replaced by garbage, and the message cannot be + decoded, but if the RSA decryption fails, the correct encryption key is + used and the recipient will not notice the attack. + As a work around for this potential attack the length of the decrypted + key must be equal to the cipher default key length, in case the + certifiate is not given and all recipientInfo are tried out. + The old behaviour can be re-enabled in the CMS code by setting the + CMS_DEBUG_DECRYPT flag. + [Bernd Edlinger] + *) Early start up entropy quality from the DEVRANDOM seed source has been improved for older Linux systems. The RAND subsystem will wait for /dev/random to be producing output before seeding from /dev/urandom. @@ -260,15 +528,6 @@ *) Change the license to the Apache License v2.0. [Richard Levitte] - *) Change the possible version information given with OPENSSL_API_COMPAT. - It may be a pre-3.0.0 style numerical version number as it was defined - in 1.1.0, and it may also simply take the major version number. - - Because of the version numbering of pre-3.0.0 releases, the values 0, - 1 and 2 are equivalent to 0x00908000L (0.9.8), 0x10000000L (1.0.0) and - 0x10100000L (1.1.0), respectively. - [Richard Levitte] - *) Switch to a new version scheme using three numbers MAJOR.MINOR.PATCH. o Major releases (indicated by incrementing the MAJOR release number)