X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=CHANGES;h=369b32756cfc588455dfa3146900d42256cfb390;hp=a72dabaf39440d7cf70f057e139c9547cca285f1;hb=d6c5d7f3de5e56f467631ee2e4866cf8a523bc02;hpb=b2aea0e3d9a15e30ebce8b6da213df4a3f346155 diff --git a/CHANGES b/CHANGES index a72dabaf39..369b32756c 100644 --- a/CHANGES +++ b/CHANGES @@ -9,6 +9,222 @@ Changes between 1.1.1 and 3.0.0 [xx XXX xxxx] + *) Early start up entropy quality from the DEVRANDOM seed source has been + improved for older Linux systems. The RAND subsystem will wait for + /dev/random to be producing output before seeding from /dev/urandom. + The seeded state is stored for future library initialisations using + a system global shared memory segment. The shared memory identifier + can be configured by defining OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID to + the desired value. The default identifier is 114. + [Paul Dale] + + *) Revised BN_generate_prime_ex to not avoid factors 2..17863 in p-1 + when primes for RSA keys are computed. + Since we previously always generated primes == 2 (mod 3) for RSA keys, + the 2-prime and 3-prime RSA modules were easy to distinguish, since + N = p*q = 1 (mod 3), but N = p*q*r = 2 (mod 3). Therefore fingerprinting + 2-prime vs. 3-prime RSA keys was possible by computing N mod 3. + This avoids possible fingerprinting of newly generated RSA modules. + [Bernd Edlinger] + + *) Correct the extended master secret constant on EBCDIC systems. Without this + fix TLS connections between an EBCDIC system and a non-EBCDIC system that + negotiate EMS will fail. Unfortunately this also means that TLS connections + between EBCDIC systems with this fix, and EBCDIC systems without this + fix will fail if they negotiate EMS. + [Matt Caswell] + + *) Changed the library initialisation so that the config file is now loaded + by default. This was already the case for libssl. It now occurs for both + libcrypto and libssl. Use the OPENSSL_INIT_NO_LOAD_CONFIG option to + OPENSSL_init_crypto() to suppress automatic loading of a config file. + [Matt Caswell] + + *) Introduced new error raising macros, ERR_raise() and ERR_raise_data(), + where the former acts as a replacement for ERR_put_error(), and the + latter replaces the combination ERR_put_error()+ERR_add_error_data(). + ERR_raise_data() adds more flexibility by taking a format string and + an arbitrary number of arguments following it, to be processed with + BIO_snprintf(). + [Richard Levitte] + + *) Introduced a new function, OSSL_PROVIDER_available(), which can be used + to check if a named provider is loaded and available. When called, it + will also activate all fallback providers if such are still present. + [Richard Levitte] + + *) Enforce a minimum DH modulus size of 512 bits. + [Bernd Edlinger] + + *) Changed DH parameters to generate the order q subgroup instead of 2q. + Previously generated DH parameters are still accepted by DH_check + but DH_generate_key works around that by clearing bit 0 of the + private key for those. This avoids leaking bit 0 of the private key. + [Bernd Edlinger] + + *) Significantly reduce secure memory usage by the randomness pools. + [Paul Dale] + + *) {CRYPTO,OPENSSL}_mem_debug_{push,pop} are now no-ops and have been + deprecated. + [Rich Salz] + + *) A new type, EVP_KEYEXCH, has been introduced to represent key exchange + algorithms. An implementation of a key exchange algorithm can be obtained + by using the function EVP_KEYEXCH_fetch(). An EVP_KEYEXCH algorithm can be + used in a call to EVP_PKEY_derive_init_ex() which works in a similar way to + the older EVP_PKEY_derive_init() function. See the man pages for the new + functions for further details. + [Matt Caswell] + + *) The EVP_PKEY_CTX_set_dh_pad() macro has now been converted to a function. + [Matt Caswell] + + *) Removed the function names from error messages and deprecated the + xxx_F_xxx define's. + + *) Removed NextStep support and the macro OPENSSL_UNISTD + [Rich Salz] + + *) Removed DES_check_key. Also removed OPENSSL_IMPLEMENT_GLOBAL, + OPENSSL_GLOBAL_REF, OPENSSL_DECLARE_GLOBAL. + Also removed "export var as function" capability; we do not export + variables, only functions. + [Rich Salz] + + *) RC5_32_set_key has been changed to return an int type, with 0 indicating + an error and 1 indicating success. In previous versions of OpenSSL this + was a void type. If a key was set longer than the maximum possible this + would crash. + [Matt Caswell] + + *) Support SM2 signing and verification schemes with X509 certificate. + [Paul Yang] + + *) Use SHA256 as the default digest for TS query in the ts app. + [Tomas Mraz] + + *) Change PBKDF2 to conform to SP800-132 instead of the older PKCS5 RFC2898. + This checks that the salt length is at least 128 bits, the derived key + length is at least 112 bits, and that the iteration count is at least 1000. + For backwards compatibility these checks are disabled by default in the + default provider, but are enabled by default in the fips provider. + To enable or disable these checks use the control + EVP_KDF_CTRL_SET_PBKDF2_PKCS5_MODE. + [Shane Lontis] + + *) Default cipher lists/suites are now available via a function, the + #defines are deprecated. + [Todd Short] + + *) Add target VC-WIN32-UWP, VC-WIN64A-UWP, VC-WIN32-ARM-UWP and + VC-WIN64-ARM-UWP in Windows OneCore target for making building libraries + for Windows Store apps easier. Also, the "no-uplink" option has been added. + [Kenji Mouri] + + *) Join the directories crypto/x509 and crypto/x509v3 + [Richard Levitte] + + *) Change the default RSA, DSA and DH size to 2048 bit instead of 1024. + This changes the size when using the genpkey app when no size is given. It + fixes an omission in earlier changes that changed all RSA, DSA and DH + generation apps to use 2048 bits by default. + [Kurt Roeckx] + + *) Added command 'openssl kdf' that uses the EVP_KDF API. + [Shane Lontis] + + *) Added command 'openssl mac' that uses the EVP_MAC API. + [Shane Lontis] + + *) Added OPENSSL_info() to get diverse built-in OpenSSL data, such + as default directories. Also added the command 'openssl info' + for scripting purposes. + [Richard Levitte] + + *) The functions AES_ige_encrypt() and AES_bi_ige_encrypt() have been + deprecated. These undocumented functions were never integrated into the EVP + layer and implement the AES Infinite Garble Extension (IGE) mode and AES + Bi-directional IGE mode. These modes were never formally standardised and + usage of these functions is believed to be very small. In particular + AES_bi_ige_encrypt() has a known bug. It accepts 2 AES keys, but only one + is ever used. The security implications are believed to be minimal, but + this issue was never fixed for backwards compatibility reasons. New code + should not use these modes. + [Matt Caswell] + + *) Add prediction resistance to the DRBG reseeding process. + [Paul Dale] + + *) Limit the number of blocks in a data unit for AES-XTS to 2^20 as + mandated by IEEE Std 1619-2018. + [Paul Dale] + + *) Added newline escaping functionality to a filename when using openssl dgst. + This output format is to replicate the output format found in the '*sum' + checksum programs. This aims to preserve backward compatibility. + [Matt Eaton, Richard Levitte, and Paul Dale] + + *) Removed the heartbeat message in DTLS feature, as it has very + little usage and doesn't seem to fulfill a valuable purpose. + The configuration option is now deprecated. + [Richard Levitte] + + *) Changed the output of 'openssl {digestname} < file' to display the + digest name in its output. + [Richard Levitte] + + *) Added a new generic trace API which provides support for enabling + instrumentation through trace output. This feature is mainly intended + as an aid for developers and is disabled by default. To utilize it, + OpenSSL needs to be configured with the `enable-trace` option. + + If the tracing API is enabled, the application can activate trace output + by registering BIOs as trace channels for a number of tracing and debugging + categories. + + The 'openssl' application has been expanded to enable any of the types + available via environment variables defined by the user, and serves as + one possible example on how to use this functionality. + [Richard Levitte & Matthias St. Pierre] + + *) Added build tests for C++. These are generated files that only do one + thing, to include one public OpenSSL head file each. This tests that + the public header files can be usefully included in a C++ application. + + This test isn't enabled by default. It can be enabled with the option + 'enable-buildtest-c++'. + [Richard Levitte] + + *) Add Single Step KDF (EVP_KDF_SS) to EVP_KDF. + [Shane Lontis] + + *) Add KMAC to EVP_MAC. + [Shane Lontis] + + *) Added property based algorithm implementation selection framework to + the core. + [Paul Dale] + + *) Added SCA hardening for modular field inversion in EC_GROUP through + a new dedicated field_inv() pointer in EC_METHOD. + This also addresses a leakage affecting conversions from projective + to affine coordinates. + [Billy Bob Brumley, Nicola Tuveri] + + *) Added EVP_KDF, an EVP layer KDF API, to simplify adding KDF and PRF + implementations. This includes an EVP_PKEY to EVP_KDF bridge for + those algorithms that were already supported through the EVP_PKEY API + (scrypt, TLS1 PRF and HKDF). The low-level KDF functions for PBKDF2 + and scrypt are now wrappers that call EVP_KDF. + [David Makepeace] + + *) Build devcrypto engine as a dynamic engine. + [Eneas U de Queiroz] + + *) Add keyed BLAKE2 to EVP_MAC. + [Antoine Salon] + *) Fix a bug in the computation of the endpoint-pair shared secret used by DTLS over SCTP. This breaks interoperability with older versions of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2. There is a runtime @@ -74,7 +290,7 @@ implementations. This includes a generic EVP_PKEY to EVP_MAC bridge, to facilitate the continued use of MACs through raw private keys in functionality such as EVP_DigestSign* and EVP_DigestVerify*. - [Richard Levitte] + [Richard Levitte] *) Deprecate ECDH_KDF_X9_62() and mark its replacement as internal. Users should use the EVP interface instead (EVP_PKEY_CTX_set_ecdh_kdf_type). @@ -106,6 +322,19 @@ applications with zero-copy system calls such as sendfile and splice. [Boris Pismenny] + Changes between 1.1.1a and 1.1.1b [xx XXX xxxx] + + *) Change the info callback signals for the start and end of a post-handshake + message exchange in TLSv1.3. In 1.1.1/1.1.1a we used SSL_CB_HANDSHAKE_START + and SSL_CB_HANDSHAKE_DONE. Experience has shown that many applications get + confused by this and assume that a TLSv1.2 renegotiation has started. This + can break KeyUpdate handling. Instead we no longer signal the start and end + of a post handshake message exchange (although the messages themselves are + still signalled). This could break some applications that were expecting + the old signals. However without this KeyUpdate is not usable for many + applications. + [Matt Caswell] + Changes between 1.1.1 and 1.1.1a [20 Nov 2018] *) Timing vulnerability in DSA signature generation @@ -307,7 +536,7 @@ SSL_set_ciphersuites() [Matt Caswell] - *) Memory allocation failures consistenly add an error to the error + *) Memory allocation failures consistently add an error to the error stack. [Rich Salz] @@ -6845,7 +7074,7 @@ reason texts, thereby removing some of the footprint that may not be interesting if those errors aren't displayed anyway. - NOTE: it's still possible for any application or module to have it's + NOTE: it's still possible for any application or module to have its own set of error texts inserted. The routines are there, just not used by default when no-err is given. [Richard Levitte] @@ -8811,7 +9040,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k Changes between 0.9.6g and 0.9.6h [5 Dec 2002] *) New function OPENSSL_cleanse(), which is used to cleanse a section of - memory from it's contents. This is done with a counter that will + memory from its contents. This is done with a counter that will place alternating values in each byte. This can be used to solve two issues: 1) the removal of calls to memset() by highly optimizing compilers, and 2) cleansing with other values than 0, since those can