OpenSSL 3.0
-----------
-### Changes between 1.1.1 and 3.0 [xx XXX xxxx]
+For OpenSSL 3.0 a [Migration guide][] has been added, so the CHANGES entries
+listed here are only a brief description.
+The migration guide contains more detailed information related to new features,
+breaking changes, and mappings for the large list of deprecated functions.
+
+[Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod
+
+### Changes between 3.0.0 and 3.0.1 [xx XXX xxxx]
+
+ *
+
+### Changes between 1.1.1 and 3.0.0 [7 sep 2021]
+
+ * TLS_MAX_VERSION, DTLS_MAX_VERSION and DTLS_MIN_VERSION constants are now
+ deprecated.
+
+ *Matt Caswell*
+
+ * The `OPENSSL_s390xcap` environment variable can be used to set bits in the
+ S390X capability vector to zero. This simplifies testing of different code
+ paths on S390X architecture.
+
+ *Patrick Steuer*
+
+ * Encrypting more than 2^64 TLS records with AES-GCM is disallowed
+ as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness Requirements from
+ SP 800-38D". The communication will fail at this point.
+
+ *Paul Dale*
+
+ * The EC_GROUP_clear_free() function is deprecated as there is nothing
+ confidential in EC_GROUP data.
+
+ *Nicola Tuveri*
+
+ * The byte order mark (BOM) character is ignored if encountered at the
+ beginning of a PEM-formatted file.
+
+ *Dmitry Belyavskiy*
+
+ * Added CMS support for the Russian GOST algorithms.
+
+ *Dmitry Belyavskiy*
+
+ * Due to move of the implementation of cryptographic operations
+ to the providers, validation of various operation parameters can
+ be postponed until the actual operation is executed where previously
+ it happened immediately when an operation parameter was set.
+
+ For example when setting an unsupported curve with
+ EVP_PKEY_CTX_set_ec_paramgen_curve_nid() this function call will not
+ fail but later keygen operations with the EVP_PKEY_CTX will fail.
+
+ *OpenSSL team members and many third party contributors*
+
+ * The EVP_get_cipherbyname() function will return NULL for algorithms such as
+ "AES-128-SIV", "AES-128-CBC-CTS" and "CAMELLIA-128-CBC-CTS" which were
+ previously only accessible via low level interfaces. Use EVP_CIPHER_fetch()
+ instead to retrieve these algorithms from a provider.
+
+ *Shane Lontis*
+
+ * On build targets where the multilib postfix is set in the build
+ configuration the libdir directory was changing based on whether
+ the lib directory with the multilib postfix exists on the system
+ or not. This unpredictable behavior was removed and eventual
+ multilib postfix is now always added to the default libdir. Use
+ `--libdir=lib` to override the libdir if adding the postfix is
+ undesirable.
+
+ *Jan Lána*
+
+ * The triple DES key wrap functionality now conforms to RFC 3217 but is
+ no longer interoperable with OpenSSL 1.1.1.
+
+ *Paul Dale*
+
+ * The ERR_GET_FUNC() function was removed. With the loss of meaningful
+ function codes, this function can only cause problems for calling
+ applications.
+
+ *Paul Dale*
+
+ * Add a configurable flag to output date formats as ISO 8601. Does not
+ change the default date format.
+
+ *William Edmisten*
+
+ * Version of MSVC earlier than 1300 could get link warnings, which could
+ be suppressed if the undocumented -DI_CAN_LIVE_WITH_LNK4049 was set.
+ Support for this flag has been removed.
+
+ *Rich Salz*
+
+ * Rework and make DEBUG macros consistent. Remove unused -DCONF_DEBUG,
+ -DBN_CTX_DEBUG, and REF_PRINT. Add a new tracing category and use it for
+ printing reference counts. Rename -DDEBUG_UNUSED to -DUNUSED_RESULT_DEBUG
+ Fix BN_DEBUG_RAND so it compiles and, when set, force DEBUG_RAND to be set
+ also. Rename engine_debug_ref to be ENGINE_REF_PRINT also for consistency.
+
+ *Rich Salz*
+
+ * The signatures of the functions to get and set options on SSL and
+ SSL_CTX objects changed from "unsigned long" to "uint64_t" type.
+ Some source code changes may be required.
+
+ *Rich Salz*
+
+ * The public definitions of conf_method_st and conf_st have been
+ deprecated. They will be made opaque in a future release.
+
+ *Rich Salz and Tomáš Mráz*
+
+ * Client-initiated renegotiation is disabled by default. To allow it, use
+ the -client_renegotiation option, the SSL_OP_ALLOW_CLIENT_RENEGOTIATION
+ flag, or the "ClientRenegotiation" config parameter as appropriate.
+
+ *Rich Salz*
+
+ * Add "abspath" and "includedir" pragma's to config files, to prevent,
+ or modify relative pathname inclusion.
+
+ *Rich Salz*
+
+ * OpenSSL includes a cryptographic module that is intended to be FIPS 140-2
+ validated. Please consult the README-FIPS and
+ README-PROVIDERS files, as well as the migration guide.
+
+ *OpenSSL team members and many third party contributors*
+
+ * For the key types DH and DHX the allowed settable parameters are now different.
+
+ *Shane Lontis*
+
+ * The openssl commands that read keys, certificates, and CRLs now
+ automatically detect the PEM or DER format of the input files.
+
+ *David von Oheimb, Richard Levitte, and Tomáš Mráz*
+
+ * Added enhanced PKCS#12 APIs which accept a library context.
+
+ *Jon Spillett*
+
+ * The default manual page suffix ($MANSUFFIX) has been changed to "ossl"
+
+ *Matt Caswell*
+
+ * Added support for Kernel TLS (KTLS).
+
+ *Boris Pismenny, John Baldwin and Andrew Gallatin*
+
+ * Support for RFC 5746 secure renegotiation is now required by default for
+ SSL or TLS connections to succeed.
+
+ *Benjamin Kaduk*
+
+ * The signature of the `copy` functional parameter of the
+ EVP_PKEY_meth_set_copy() function has changed so its `src` argument is
+ now `const EVP_PKEY_CTX *` instead of `EVP_PKEY_CTX *`. Similarly
+ the signature of the `pub_decode` functional parameter of the
+ EVP_PKEY_asn1_set_public() function has changed so its `pub` argument is
+ now `const X509_PUBKEY *` instead of `X509_PUBKEY *`.
+
+ *David von Oheimb*
+
+ * The error return values from some control calls (ctrl) have changed.
+
+ *Paul Dale*
+
+ * A public key check is now performed during EVP_PKEY_derive_set_peer().
+
+ *Shane Lontis*
+
+ * Many functions in the EVP_ namespace that are getters of values from
+ implementations or contexts were renamed to include get or get0 in their
+ names. Old names are provided as macro aliases for compatibility and
+ are not deprecated.
+
+ *Tomáš Mráz*
+
+ * The EVP_PKEY_CTRL_PKCS7_ENCRYPT, EVP_PKEY_CTRL_PKCS7_DECRYPT,
+ EVP_PKEY_CTRL_PKCS7_SIGN, EVP_PKEY_CTRL_CMS_ENCRYPT,
+ EVP_PKEY_CTRL_CMS_DECRYPT, and EVP_PKEY_CTRL_CMS_SIGN control operations
+ are deprecated.
+
+ *Tomáš Mráz*
+
+ * The EVP_PKEY_public_check() and EVP_PKEY_param_check() functions now work for
+ more key types.
+
+ * The output from the command line applications may have minor
+ changes.
+
+ *Paul Dale*
+
+ * The output from numerous "printing" may have minor changes.
+
+ *David von Oheimb*
+
+ * Windows thread synchronization uses read/write primitives (SRWLock) when
+ supported by the OS, otherwise CriticalSection continues to be used.
+
+ *Vincent Drake*
+
+ * Add filter BIO BIO_f_readbuffer() that allows BIO_tell() and BIO_seek() to
+ work on read only BIO source/sinks that do not support these functions.
+ This allows piping or redirection of a file BIO using stdin to be buffered
+ into memory. This is used internally in OSSL_DECODER_from_bio().
+
+ *Shane Lontis*
+
+ * OSSL_STORE_INFO_get_type() may now return an additional value. In 1.1.1
+ this function would return one of the values OSSL_STORE_INFO_NAME,
+ OSSL_STORE_INFO_PKEY, OSSL_STORE_INFO_PARAMS, OSSL_STORE_INFO_CERT or
+ OSSL_STORE_INFO_CRL. Decoded public keys would previously have been reported
+ as type OSSL_STORE_INFO_PKEY in 1.1.1. In 3.0 decoded public keys are now
+ reported as having the new type OSSL_STORE_INFO_PUBKEY. Applications
+ using this function should be amended to handle the changed return value.
+
+ *Richard Levitte*
+
+ * Improved adherence to Enhanced Security Services (ESS, RFC 2634 and RFC 5035)
+ for the TSP and CMS Advanced Electronic Signatures (CAdES) implementations.
+ As required by RFC 5035 check both ESSCertID and ESSCertIDv2 if both present.
+ Correct the semantics of checking the validation chain in case ESSCertID{,v2}
+ contains more than one certificate identifier: This means that all
+ certificates referenced there MUST be part of the validation chain.
+
+ *David von Oheimb*
+
+ * The implementation of older EVP ciphers related to CAST, IDEA, SEED, RC2, RC4,
+ RC5, DESX and DES have been moved to the legacy provider.
+
+ *Matt Caswell*
+
+ * The implementation of the EVP digests MD2, MD4, MDC2, WHIRLPOOL and
+ RIPEMD-160 have been moved to the legacy provider.
+
+ *Matt Caswell*
+
+ * The deprecated function EVP_PKEY_get0() now returns NULL being called for a
+ provided key.
+
+ *Dmitry Belyavskiy*
+
+ * The deprecated functions EVP_PKEY_get0_RSA(),
+ EVP_PKEY_get0_DSA(), EVP_PKEY_get0_EC_KEY(), EVP_PKEY_get0_DH(),
+ EVP_PKEY_get0_hmac(), EVP_PKEY_get0_poly1305() and EVP_PKEY_get0_siphash() as
+ well as the similarly named "get1" functions behave differently in
+ OpenSSL 3.0.
+
+ *Matt Caswell*
+
+ * A number of functions handling low-level keys or engines were deprecated
+ including EVP_PKEY_set1_engine(), EVP_PKEY_get0_engine(), EVP_PKEY_assign(),
+ EVP_PKEY_get0(), EVP_PKEY_get0_hmac(), EVP_PKEY_get0_poly1305() and
+ EVP_PKEY_get0_siphash().
+
+ *Matt Caswell*
+
+ * PKCS#5 PBKDF1 key derivation has been moved from PKCS5_PBE_keyivgen() into
+ the legacy crypto provider as an EVP_KDF. Applications requiring this KDF
+ will need to load the legacy crypto provider. This includes these PBE
+ algorithms which use this KDF:
+ - NID_pbeWithMD2AndDES_CBC
+ - NID_pbeWithMD5AndDES_CBC
+ - NID_pbeWithSHA1AndRC2_CBC
+ - NID_pbeWithMD2AndRC2_CBC
+ - NID_pbeWithMD5AndRC2_CBC
+ - NID_pbeWithSHA1AndDES_CBC
+
+ *Jon Spillett*
+
+ * Deprecated obsolete BIO_set_callback(), BIO_get_callback(), and
+ BIO_debug_callback() functions.
+
+ *Tomáš Mráz*
+
+ * Deprecated obsolete EVP_PKEY_CTX_get0_dh_kdf_ukm() and
+ EVP_PKEY_CTX_get0_ecdh_kdf_ukm() functions.
+
+ *Tomáš Mráz*
+
+ * The RAND_METHOD APIs have been deprecated.
+
+ *Paul Dale*
+
+ * The SRP APIs have been deprecated.
+
+ *Matt Caswell*
* Add a compile time option to prevent the caching of provider fetched
algorithms. This is enabled by including the no-cached-fetch option
*Paul Dale*
+ * pkcs12 now uses defaults of PBKDF2, AES and SHA-256, with a MAC iteration
+ count of PKCS12_DEFAULT_ITER.
+
+ *Tomáš Mráz and Sahana Prasad*
+
+ * The openssl speed command does not use low-level API calls anymore.
+
+ *Tomáš Mráz*
+
+ * Parallel dual-prime 1024-bit modular exponentiation for AVX512_IFMA
+ capable processors.
+
+ *Ilya Albrekht, Sergey Kirillov, Andrey Matyukov (Intel Corp)*
+
* Combining the Configure options no-ec and no-dh no longer disables TLSv1.3.
- Typically if OpenSSL has no EC or DH algorithms then it cannot support
- connections with TLSv1.3. However OpenSSL now supports "pluggable" groups
- through providers. Therefore third party providers may supply group
- implementations even where there are no built-in ones. Attempting to create
- TLS connections in such a build without also disabling TLSv1.3 at run time or
- using third party provider groups may result in handshake failures. TLSv1.3
- can be disabled at compile time using the "no-tls1_3" Configure option.
*Matt Caswell*
+ * Implemented support for fully "pluggable" TLSv1.3 groups. This means that
+ providers may supply their own group implementations (using either the "key
+ exchange" or the "key encapsulation" methods) which will automatically be
+ detected and used by libssl.
+
+ *Matt Caswell, Nicola Tuveri*
+
* The undocumented function X509_certificate_type() has been deprecated;
- applications can use X509_get0_pubkey() and X509_get0_signature() to
- get the same information.
*Rich Salz*
- * Deprecated the obsolete BN_pseudo_rand() and BN_pseudo_rand_range()
- functions. They are identical to BN_rand() and BN_rand_range()
- respectively.
+ * Deprecated the obsolete BN_pseudo_rand() and BN_pseudo_rand_range().
*Tomáš Mráz*
+ * Removed RSA padding mode for SSLv23 (which was only used for
+ SSLv2). This includes the functions RSA_padding_check_SSLv23() and
+ RSA_padding_add_SSLv23() and the `-ssl` option in the deprecated
+ `rsautl` command.
+
+ *Rich Salz*
+
+ * Deprecated the obsolete X9.31 RSA key generation related functions.
+
+ * While a callback function set via `SSL_CTX_set_cert_verify_callback()`
+ is not allowed to return a value > 1, this is no more taken as failure.
+
+ *Viktor Dukhovni and David von Oheimb*
+
* Deprecated the obsolete X9.31 RSA key generation related functions
BN_X931_generate_Xpq(), BN_X931_derive_prime_ex(), and
BN_X931_generate_prime_ex().
*Tomáš Mráz*
* The default key generation method for the regular 2-prime RSA keys was
- changed to the FIPS 186-4 B.3.6 method (Generation of Probable Primes with
- Conditions Based on Auxiliary Probable Primes). This method is slower
- than the original method.
+ changed to the FIPS 186-4 B.3.6 method.
*Shane Lontis*
* Deprecated the BN_is_prime_ex() and BN_is_prime_fasttest_ex() functions.
- They are replaced with the BN_check_prime() function that avoids possible
- misuse and always uses at least 64 rounds of the Miller-Rabin
- primality test. At least 64 rounds of the Miller-Rabin test are now also
- used for all prime generation, including RSA key generation.
- This increases key generation time, especially for larger keys.
*Kurt Roeckx*
- * Deprecated EVP_MD_CTX_set_update_fn() and EVP_MD_CTX_update_fn()
- as they are not useful with non-deprecated functions.
+ * Deprecated EVP_MD_CTX_set_update_fn() and EVP_MD_CTX_update_fn().
*Rich Salz*
- * Deprecated the type OCSP_REQ_CTX and the functions OCSP_REQ_CTX_new(),
- OCSP_REQ_CTX_free(), OCSP_REQ_CTX_http(), OCSP_REQ_CTX_add1_header(),
- OCSP_REQ_CTX_i2d(), OCSP_REQ_CTX_nbio(), OCSP_REQ_CTX_nbio_d2i(),
- OCSP_REQ_CTX_get0_mem_bio() and OCSP_set_max_response_length(). These
- were used to collect all necessary data to form a HTTP request, and to
- perform the HTTP transfer with that request. With OpenSSL 3.0, the
- type is OSSL_HTTP_REQ_CTX, and the deprecated functions are replaced
- with OSSL_HTTP_REQ_CTX_new(), OSSL_HTTP_REQ_CTX_free(),
- OSSL_HTTP_REQ_CTX_set_request_line(), OSSL_HTTP_REQ_CTX_add1_header(),
- OSSL_HTTP_REQ_CTX_i2d(), OSSL_HTTP_REQ_CTX_nbio(),
- OSSL_HTTP_REQ_CTX_sendreq_d2i(), OSSL_HTTP_REQ_CTX_get0_mem_bio() and
- OSSL_HTTP_REQ_CTX_set_max_response_length().
+ * Deprecated the type OCSP_REQ_CTX and the functions OCSP_REQ_CTX_*() and
+ replaced with OSSL_HTTP_REQ_CTX and the functions OSSL_HTTP_REQ_CTX_*().
- *Rich Salz and Richard Levitte*
+ *Rich Salz, Richard Levitte, and David von Oheimb*
+
+ * Deprecated `X509_http_nbio()` and `X509_CRL_http_nbio()`.
+
+ *David von Oheimb*
+
+ * Deprecated `OCSP_parse_url()`.
+
+ *David von Oheimb*
* Validation of SM2 keys has been separated from the validation of regular EC
- keys, allowing to improve the SM2 validation process to reject loaded private
- keys that are not conforming to the SM2 ISO standard.
- In particular, a private scalar `k` outside the range `1 <= k < n-1` is now
- correctly rejected.
+ keys.
*Nicola Tuveri*
*Dmitry Belyavskiy*
- * All of the low level EC_KEY functions have been deprecated including:
-
- EC_KEY_OpenSSL, EC_KEY_get_default_method, EC_KEY_set_default_method,
- EC_KEY_get_method, EC_KEY_set_method, EC_KEY_new_method
- EC_KEY_METHOD_new, EC_KEY_METHOD_free, EC_KEY_METHOD_set_init,
- EC_KEY_METHOD_set_keygen, EC_KEY_METHOD_set_compute_key,
- EC_KEY_METHOD_set_sign, EC_KEY_METHOD_set_verify,
- EC_KEY_METHOD_get_init, EC_KEY_METHOD_get_keygen,
- EC_KEY_METHOD_get_compute_key, EC_KEY_METHOD_get_sign,
- EC_KEY_METHOD_get_verify,
- EC_KEY_new_ex, EC_KEY_new, EC_KEY_get_flags, EC_KEY_set_flags,
- EC_KEY_clear_flags, EC_KEY_decoded_from_explicit_params,
- EC_KEY_new_by_curve_name_ex, EC_KEY_new_by_curve_name, EC_KEY_free,
- EC_KEY_copy, EC_KEY_dup, EC_KEY_up_ref, EC_KEY_get0_engine,
- EC_KEY_get0_group, EC_KEY_set_group, EC_KEY_get0_private_key,
- EC_KEY_set_private_key, EC_KEY_get0_public_key, EC_KEY_set_public_key,
- EC_KEY_get_enc_flags, EC_KEY_set_enc_flags, EC_KEY_get_conv_form,
- EC_KEY_set_conv_form, EC_KEY_set_ex_data, EC_KEY_get_ex_data,
- EC_KEY_set_asn1_flag, EC_KEY_generate_key, EC_KEY_check_key, EC_KEY_can_sign,
- EC_KEY_set_public_key_affine_coordinates, EC_KEY_key2buf, EC_KEY_oct2key,
- EC_KEY_oct2priv, EC_KEY_priv2oct and EC_KEY_priv2buf.
- Applications that need to implement an EC_KEY_METHOD need to consider
- implementation of the functionality in a special provider.
- For replacement of the functions manipulating the EC_KEY objects
- see the EVP_PKEY-EC(7) manual page.
-
- Additionally functions that read and write EC_KEY objects such as
- o2i_ECPublicKey, i2o_ECPublicKey, ECParameters_print_fp, EC_KEY_print_fp,
- d2i_ECPKParameters, d2i_ECParameters, d2i_ECPrivateKey, d2i_ECPrivateKey_bio,
- d2i_ECPrivateKey_fp, d2i_EC_PUBKEY, d2i_EC_PUBKEY_bio, d2i_EC_PUBKEY_fp,
- i2d_ECPKParameters, i2d_ECParameters, i2d_ECPrivateKey, i2d_ECPrivateKey_bio,
- i2d_ECPrivateKey_fp, i2d_EC_PUBKEY, i2d_EC_PUBKEY_bio and i2d_EC_PUBKEY_fp
- have also been deprecated. Applications should instead use the
- OSSL_DECODER and OSSL_ENCODER APIs to read and write EC files.
-
- Finally functions that assign or obtain EC_KEY objects from an EVP_PKEY such as
- EVP_PKEY_assign_EC_KEY, EVP_PKEY_get0_EC_KEY, EVP_PKEY_get1_EC_KEY and
- EVP_PKEY_set1_EC_KEY are also deprecated. Applications should instead either
- read or write an EVP_PKEY directly using the OSSL_DECODER and OSSL_ENCODER
- APIs. Or load an EVP_PKEY directly from EC data using EVP_PKEY_fromdata().
+ * Added convenience functions for generating asymmetric key pairs:
+ The 'quick' one-shot (yet somewhat limited) function L<EVP_PKEY_Q_keygen(3)>
+ and macros for the most common cases: <EVP_RSA_gen(3)> and L<EVP_EC_gen(3)>.
+
+ *David von Oheimb*
+
+ * All of the low level EC_KEY functions have been deprecated.
*Shane Lontis, Paul Dale, Richard Levitte, and Tomáš Mráz*
* Deprecated all the libcrypto and libssl error string loading
- functions: ERR_load_ASN1_strings(), ERR_load_ASYNC_strings(),
- ERR_load_BIO_strings(), ERR_load_BN_strings(), ERR_load_BUF_strings(),
- ERR_load_CMS_strings(), ERR_load_COMP_strings(), ERR_load_CONF_strings(),
- ERR_load_CRYPTO_strings(), ERR_load_CT_strings(), ERR_load_DH_strings(),
- ERR_load_DSA_strings(), ERR_load_EC_strings(), ERR_load_ENGINE_strings(),
- ERR_load_ERR_strings(), ERR_load_EVP_strings(), ERR_load_KDF_strings(),
- ERR_load_OBJ_strings(), ERR_load_OCSP_strings(), ERR_load_PEM_strings(),
- ERR_load_PKCS12_strings(), ERR_load_PKCS7_strings(), ERR_load_RAND_strings(),
- ERR_load_RSA_strings(), ERR_load_OSSL_STORE_strings(), ERR_load_TS_strings(),
- ERR_load_UI_strings(), ERR_load_X509_strings(), ERR_load_X509V3_strings().
-
- Calling these functions is not necessary since OpenSSL 1.1.0, as OpenSSL
- now loads error strings automatically.
+ functions.
*Richard Levitte*
* The functions SSL_CTX_set_tmp_dh_callback and SSL_set_tmp_dh_callback, as
well as the macros SSL_CTX_set_tmp_dh() and SSL_set_tmp_dh() have been
- deprecated. These are used to set the Diffie-Hellman (DH) parameters that
- are to be used by servers requiring ephemeral DH keys. Instead applications
- should consider using the built-in DH parameters that are available by
- calling SSL_CTX_set_dh_auto() or SSL_set_dh_auto(). If custom parameters are
- necessary then applications can use the alternative functions
- SSL_CTX_set0_tmp_dh_pkey() and SSL_set0_tmp_dh_pkey(). There is no direct
- replacement for the "callback" functions. The callback was originally useful
- in order to have different parameters for export and non-export ciphersuites.
- Export ciphersuites are no longer supported by OpenSSL. Use of the callback
- functions should be replaced by one of the other methods described above.
+ deprecated.
*Matt Caswell*
*Rich Salz*
* Add support for AES Key Wrap inverse ciphers to the EVP layer.
- The algorithms are:
- "AES-128-WRAP-INV", "AES-192-WRAP-INV", "AES-256-WRAP-INV",
- "AES-128-WRAP-PAD-INV", "AES-192-WRAP-PAD-INV" and "AES-256-WRAP-PAD-INV".
- The inverse ciphers use AES decryption for wrapping, and
- AES encryption for unwrapping.
*Shane Lontis*
* Deprecated EVP_PKEY_set1_tls_encodedpoint() and
- EVP_PKEY_get1_tls_encodedpoint(). These functions were previously used by
- libssl to set or get an encoded public key in/from an EVP_PKEY object. With
- OpenSSL 3.0 these are replaced by the more generic functions
- EVP_PKEY_set1_encoded_public_key() and EVP_PKEY_get1_encoded_public_key().
- The old versions have been converted to deprecated macros that just call the
- new functions.
+ EVP_PKEY_get1_tls_encodedpoint().
*Matt Caswell*
* The security callback, which can be customised by application code, supports
- the security operation SSL_SECOP_TMP_DH. This is defined to take an EVP_PKEY
- in the "other" parameter. In most places this is what is passed. All these
- places occur server side. However there was one client side call of this
- security operation and it passed a DH object instead. This is incorrect
- according to the definition of SSL_SECOP_TMP_DH, and is inconsistent with all
- of the other locations. Therefore this client side call has been changed to
- pass an EVP_PKEY instead.
+ the security operation SSL_SECOP_TMP_DH. One location of the "other" parameter
+ was incorrectly passing a DH object. It now passed an EVP_PKEY in all cases.
*Matt Caswell*
*Paul Dale*
- * Deprecated EVP_PKEY_set_alias_type(). This function was previously
- needed as a workaround to recognise SM2 keys. With OpenSSL 3.0, this key
- type is internally recognised so the workaround is no longer needed.
-
- Functionality is still retained as it is, but will only work with
- EVP_PKEYs with a legacy internal key.
+ * Removed EVP_PKEY_set_alias_type().
*Richard Levitte*
* Remove the RAND_DRBG API
- The RAND_DRBG API did not fit well into the new provider concept as
- implemented by EVP_RAND and EVP_RAND_CTX. The main reason is that the
- RAND_DRBG API is a mixture of 'front end' and 'back end' API calls
- and some of its API calls are rather low-level. This holds in particular
- for the callback mechanism (`RAND_DRBG_set_callbacks()`).
-
- Adding a compatibility layer to continue supporting the RAND_DRBG API as
- a legacy API for a regular deprecation period turned out to come at the
- price of complicating the new provider API unnecessarily. Since the
- RAND_DRBG API exists only since version 1.1.1, it was decided by the OMC
- to drop it entirely.
-
*Paul Dale and Matthias St. Pierre*
* Allow `SSL_set1_host()` and `SSL_add1_host()` to take IP literal addresses
other libraries can use to form a separate context within which
libcrypto operations are performed.
- There are two ways this can be used:
-
- - Directly, by passing a library context to functions that take
- such an argument, such as `EVP_CIPHER_fetch` and similar algorithm
- fetching functions.
- - Indirectly, by creating a new library context and then assigning
- it as the new default, with `OSSL_LIB_CTX_set0_default`.
-
- All public OpenSSL functions that take an `OSSL_LIB_CTX` pointer,
- apart from the functions directly related to `OSSL_LIB_CTX`, accept
- NULL to indicate that the default library context should be used.
-
- Library code that changes the default library context using
- `OSSL_LIB_CTX_set0_default` should take care to restore it with a
- second call before returning to the caller.
+ *Richard Levitte*
- _(Note: the library context was initially called `OPENSSL_CTX` and
- renamed to `OSSL_LIB_CTX` in version 3.0.0 alpha7.)_
+ * Added various `_ex` functions to the OpenSSL API that support using
+ a non-default `OSSL_LIB_CTX`.
- *Richard Levitte*
+ *OpenSSL team*
* Handshake now fails if Extended Master Secret extension is dropped
on renegotiation.
*Tomáš Mráz*
- * Dropped interactive mode from the `openssl` program. From now on,
- running it without arguments is equivalent to `openssl help`.
+ * Dropped interactive mode from the `openssl` program.
*Richard Levitte*
- * Renamed `EVP_PKEY_cmp()` to `EVP_PKEY_eq()` and
- `EVP_PKEY_cmp_parameters()` to `EVP_PKEY_parameters_eq()`.
- While the old function names have been retained for backward compatibility
- they should not be used in new developments
- because their return values are confusing: Unlike other `_cmp()` functions
- they do not return 0 in case their arguments are equal.
+ * Deprecated `EVP_PKEY_cmp()` and `EVP_PKEY_cmp_parameters()`.
- *David von Oheimb*
+ *David von Oheimb and Shane Lontis*
- * Deprecated `EC_METHOD_get_field_type()`. Applications should switch to
- `EC_GROUP_get_field_type()`.
+ * Deprecated `EC_METHOD_get_field_type()`.
*Billy Bob Brumley*
* Deprecated EC_GFp_simple_method(), EC_GFp_mont_method(),
EC_GF2m_simple_method(), EC_GFp_nist_method(), EC_GFp_nistp224_method()
EC_GFp_nistp256_method(), and EC_GFp_nistp521_method().
- Applications should rely on the library automatically assigning a suitable
- EC_METHOD internally upon EC_GROUP construction.
*Billy Bob Brumley*
* Deprecated EC_GROUP_new(), EC_GROUP_method_of(), and EC_POINT_method_of().
- EC_METHOD is now an internal-only concept and a suitable EC_METHOD is
- assigned internally without application intervention.
- Users of EC_GROUP_new() should switch to a different suitable constructor.
*Billy Bob Brumley*
*Antonio Iacono*
- * Deprecated EC_POINT_make_affine() and EC_POINTs_make_affine(). These
- functions are not widely used and now OpenSSL automatically perform this
- conversion when needed.
+ * Added the AuthEnvelopedData content type structure (RFC 5083) with AES-GCM
+ parameter (RFC 5084) for the Cryptographic Message Syntax (CMS).
+
+ *Jakub Zelenka*
+
+ * Deprecated EC_POINT_make_affine() and EC_POINTs_make_affine().
*Billy Bob Brumley*
* Deprecated EC_GROUP_precompute_mult(), EC_GROUP_have_precompute_mult(), and
- EC_KEY_precompute_mult(). These functions are not widely used and
- applications should instead switch to named curves which OpenSSL has
- hardcoded lookup tables for.
+ EC_KEY_precompute_mult().
*Billy Bob Brumley*
- * Deprecated EC_POINTs_mul(). This function is not widely used and applications
- should instead use the L<EC_POINT_mul(3)> function.
+ * Deprecated EC_POINTs_mul().
*Billy Bob Brumley*
- * Removed FIPS_mode() and FIPS_mode_set(). These functions are legacy API's
- that are not applicable to the new provider model. Applications should
- instead use EVP_default_properties_is_fips_enabled() and
- EVP_default_properties_enable_fips().
+ * Removed FIPS_mode() and FIPS_mode_set().
*Shane Lontis*
- * The SSL option SSL_OP_IGNORE_UNEXPECTED_EOF is introduced. If that option
- is set, an unexpected EOF is ignored, it pretends a close notify was received
- instead and so the returned error becomes SSL_ERROR_ZERO_RETURN.
+ * The SSL option SSL_OP_IGNORE_UNEXPECTED_EOF is introduced.
*Dmitry Belyavskiy*
* Deprecated EC_POINT_set_Jprojective_coordinates_GFp() and
- EC_POINT_get_Jprojective_coordinates_GFp(). These functions are not widely
- used and applications should instead use the
- L<EC_POINT_set_affine_coordinates(3)> and
- L<EC_POINT_get_affine_coordinates(3)> functions.
+ EC_POINT_get_Jprojective_coordinates_GFp().
*Billy Bob Brumley*
*Paul Dale*
* The security strength of SHA1 and MD5 based signatures in TLS has been
- reduced. This results in SSL 3, TLS 1.0, TLS 1.1 and DTLS 1.0 no longer
- working at the default security level of 1 and instead requires security
- level 0. The security level can be changed either using the cipher string
- with `@SECLEVEL`, or calling `SSL_CTX_set_security_level()`.
+ reduced.
*Kurt Roeckx*
- * EVP_PKEY_get0_RSA(), EVP_PKEY_get0_DSA(), EVP_PKEY_get0_DH(), and
- EVP_PKEY_get0_EC_KEY() can now handle EVP_PKEYs with provider side
- internal keys, if they correspond to one of those built in types.
-
- *Richard Levitte*
-
* Added EVP_PKEY_set_type_by_keymgmt(), to initialise an EVP_PKEY to
contain a provider side internal key.
*Richard Levitte*
* ASN1_verify(), ASN1_digest() and ASN1_sign() have been deprecated.
- They are old functions that we don't use, and that you could disable with
- the macro NO_ASN1_OLD. This goes all the way back to OpenSSL 0.9.7.
*Richard Levitte*
*David von Oheimb, Martin Peylo*
* Generalized the HTTP client code from `crypto/ocsp/` into `crpyto/http/`.
- The legacy OCSP-focused and only partly documented API is retained for
- backward compatibility. See L<OSSL_CMP_MSG_http_perform(3)> etc. for details.
+ It supports arbitrary request and response content types, GET redirection,
+ TLS, connections via HTTP(S) proxies, connections and exchange via
+ user-defined BIOs (allowing implicit connections), persistent connections,
+ and timeout checks. See L<OSSL_HTTP_transfer(3)> etc. for details.
+ The legacy OCSP-focused (and only partly documented) API
+ is retained for backward compatibility, while most of it is deprecated.
*David von Oheimb*
*David von Oheimb*
- * All of the low level RSA functions have been deprecated including:
-
- RSA_new_method, RSA_size, RSA_security_bits, RSA_get0_pss_params,
- RSA_get_version, RSA_get0_engine, RSA_generate_key_ex,
- RSA_generate_multi_prime_key, RSA_X931_derive_ex, RSA_X931_generate_key_ex,
- RSA_check_key, RSA_check_key_ex, RSA_public_encrypt, RSA_private_encrypt,
- RSA_public_decrypt, RSA_private_decrypt, RSA_set_default_method,
- RSA_get_default_method, RSA_null_method, RSA_get_method, RSA_set_method,
- RSA_PKCS1_OpenSSL, RSA_print_fp, RSA_print, RSA_sign, RSA_verify,
- RSA_sign_ASN1_OCTET_STRING, RSA_verify_ASN1_OCTET_STRING, RSA_blinding_on,
- RSA_blinding_off, RSA_setup_blinding, RSA_padding_add_PKCS1_type_1,
- RSA_padding_check_PKCS1_type_1, RSA_padding_add_PKCS1_type_2,
- RSA_padding_check_PKCS1_type_2, PKCS1_MGF1, RSA_padding_add_PKCS1_OAEP,
- RSA_padding_check_PKCS1_OAEP, RSA_padding_add_PKCS1_OAEP_mgf1,
- RSA_padding_check_PKCS1_OAEP_mgf1, RSA_padding_add_SSLv23,
- RSA_padding_check_SSLv23, RSA_padding_add_none, RSA_padding_check_none,
- RSA_padding_add_X931, RSA_padding_check_X931, RSA_X931_hash_id,
- RSA_verify_PKCS1_PSS, RSA_padding_add_PKCS1_PSS, RSA_verify_PKCS1_PSS_mgf1,
- RSA_padding_add_PKCS1_PSS_mgf1, RSA_set_ex_data, RSA_get_ex_data,
- RSA_meth_new, RSA_meth_free, RSA_meth_dup, RSA_meth_get0_name,
- RSA_meth_set1_name, RSA_meth_get_flags, RSA_meth_set_flags,
- RSA_meth_get0_app_data, RSA_meth_set0_app_data, RSA_meth_get_pub_enc,
- RSA_meth_set_pub_enc, RSA_meth_get_pub_dec, RSA_meth_set_pub_dec,
- RSA_meth_get_priv_enc, RSA_meth_set_priv_enc, RSA_meth_get_priv_dec,
- RSA_meth_set_priv_dec, RSA_meth_get_mod_exp, RSA_meth_set_mod_exp,
- RSA_meth_get_bn_mod_exp, RSA_meth_set_bn_mod_exp, RSA_meth_get_init,
- RSA_meth_set_init, RSA_meth_get_finish, RSA_meth_set_finish,
- RSA_meth_get_sign, RSA_meth_set_sign, RSA_meth_get_verify,
- RSA_meth_set_verify, RSA_meth_get_keygen, RSA_meth_set_keygen,
- RSA_meth_get_multi_prime_keygen and RSA_meth_set_multi_prime_keygen.
-
- Use of these low level functions has been informally discouraged for a long
- time. Instead applications should use L<EVP_PKEY_encrypt_init(3)>,
- L<EVP_PKEY_encrypt(3)>, L<EVP_PKEY_decrypt_init(3)> and
- L<EVP_PKEY_decrypt(3)>.
+ * All of the low level RSA functions have been deprecated.
*Paul Dale*
* X509 certificates signed using SHA1 are no longer allowed at security
level 1 and above.
- In TLS/SSL the default security level is 1. It can be set either
- using the cipher string with `@SECLEVEL`, or calling
- `SSL_CTX_set_security_level()`. If the leaf certificate is signed with SHA-1,
- a call to `SSL_CTX_use_certificate()` will fail if the security level is not
- lowered first.
- Outside TLS/SSL, the default security level is -1 (effectively 0). It can
- be set using `X509_VERIFY_PARAM_set_auth_level()` or using the `-auth_level`
- options of the commands.
*Kurt Roeckx*
*Paul Dale*
* The command line utility rsautl has been deprecated.
- Instead use the pkeyutl program.
*Paul Dale*
*Paul Dale*
- * All of the low level DH functions have been deprecated including:
-
- DH_OpenSSL, DH_set_default_method, DH_get_default_method, DH_set_method,
- DH_new_method, DH_new, DH_free, DH_up_ref, DH_bits, DH_set0_pqg, DH_size,
- DH_security_bits, DH_get_ex_new_index, DH_set_ex_data, DH_get_ex_data,
- DH_generate_parameters_ex, DH_check_params_ex, DH_check_ex, DH_check_pub_key_ex,
- DH_check, DH_check_pub_key, DH_generate_key, DH_compute_key,
- DH_compute_key_padded, DHparams_print_fp, DHparams_print, DH_get_nid,
- DH_KDF_X9_42, DH_get0_engine, DH_meth_new, DH_meth_free, DH_meth_dup,
- DH_meth_get0_name, DH_meth_set1_name, DH_meth_get_flags, DH_meth_set_flags,
- DH_meth_get0_app_data, DH_meth_set0_app_data, DH_meth_get_generate_key,
- DH_meth_set_generate_key, DH_meth_get_compute_key, DH_meth_set_compute_key,
- DH_meth_get_bn_mod_exp, DH_meth_set_bn_mod_exp, DH_meth_get_init,
- DH_meth_set_init, DH_meth_get_finish, DH_meth_set_finish,
- DH_meth_get_generate_params and DH_meth_set_generate_params.
-
- Use of these low level functions has been informally discouraged for a long
- time. Instead applications should use L<EVP_PKEY_derive_init(3)>
- and L<EVP_PKEY_derive(3)>.
-
- Additionally functions that read and write DH objects such as d2i_DHparams,
- i2d_DHparams, PEM_read_DHparam, PEM_write_DHparams and other similar
- functions have also been deprecated. Applications should instead use the
- OSSL_DECODER and OSSL_ENCODER APIs to read and write DH files.
-
- Finaly functions that assign or obtain DH objects from an EVP_PKEY such as
- `EVP_PKEY_assign_DH()`, `EVP_PKEY_get0_DH()`, `EVP_PKEY_get1_DH()`, and
- `EVP_PKEY_set1_DH()` are also deprecated.
- Applications should instead either read or write an
- EVP_PKEY directly using the OSSL_DECODER and OSSL_ENCODER APIs.
- Or load an EVP_PKEY directly from DH data using `EVP_PKEY_fromdata()`.
+ * All of the low level DH functions have been deprecated.
*Paul Dale and Matt Caswell*
- * All of the low level DSA functions have been deprecated including:
-
- DSA_new, DSA_free, DSA_up_ref, DSA_bits, DSA_get0_pqg, DSA_set0_pqg,
- DSA_get0_key, DSA_set0_key, DSA_get0_p, DSA_get0_q, DSA_get0_g,
- DSA_get0_pub_key, DSA_get0_priv_key, DSA_clear_flags, DSA_test_flags,
- DSA_set_flags, DSA_do_sign, DSA_do_verify, DSA_OpenSSL,
- DSA_set_default_method, DSA_get_default_method, DSA_set_method,
- DSA_get_method, DSA_new_method, DSA_size, DSA_security_bits,
- DSA_sign_setup, DSA_sign, DSA_verify, DSA_get_ex_new_index,
- DSA_set_ex_data, DSA_get_ex_data, DSA_generate_parameters_ex,
- DSA_generate_key, DSA_meth_new, DSA_get0_engine, DSA_meth_free,
- DSA_meth_dup, DSA_meth_get0_name, DSA_meth_set1_name, DSA_meth_get_flags,
- DSA_meth_set_flags, DSA_meth_get0_app_data, DSA_meth_set0_app_data,
- DSA_meth_get_sign, DSA_meth_set_sign, DSA_meth_get_sign_setup,
- DSA_meth_set_sign_setup, DSA_meth_get_verify, DSA_meth_set_verify,
- DSA_meth_get_mod_exp, DSA_meth_set_mod_exp, DSA_meth_get_bn_mod_exp,
- DSA_meth_set_bn_mod_exp, DSA_meth_get_init, DSA_meth_set_init,
- DSA_meth_get_finish, DSA_meth_set_finish, DSA_meth_get_paramgen,
- DSA_meth_set_paramgen, DSA_meth_get_keygen and DSA_meth_set_keygen.
-
- Use of these low level functions has been informally discouraged for a long
- time. Instead applications should use L<EVP_DigestSignInit_ex(3)>,
- L<EVP_DigestSignUpdate(3)> and L<EVP_DigestSignFinal(3)>.
+ * All of the low level DSA functions have been deprecated.
*Paul Dale*
* Reworked the treatment of EC EVP_PKEYs with the SM2 curve to
automatically become EVP_PKEY_SM2 rather than EVP_PKEY_EC.
- This means that applications don't have to look at the curve NID and
- `EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2)` to get SM2 computations.
- However, they still can, that `EVP_PKEY_set_alias_type()` call acts as
- a no-op when the EVP_PKEY is already of the given type.
-
- Parameter and key generation is also reworked to make it possible
- to generate EVP_PKEY_SM2 parameters and keys without having to go
- through EVP_PKEY_EC generation and then change the EVP_PKEY type.
- However, code that does the latter will still work as before.
*Richard Levitte*
- * Deprecated low level ECDH and ECDSA functions. These include:
-
- ECDH_compute_key, ECDSA_do_sign, ECDSA_do_sign_ex, ECDSA_do_verify,
- ECDSA_sign_setup, ECDSA_sign, ECDSA_sign_ex, ECDSA_verify and
- ECDSA_size.
-
- Use of these low level functions has been informally discouraged for a long
- time. Instead applications should use the EVP_PKEY_derive(3),
- EVP_DigestSign(3) and EVP_DigestVerify(3) functions.
+ * Deprecated low level ECDH and ECDSA functions.
*Paul Dale*
- * Deprecated EVP_PKEY_decrypt_old(), please use EVP_PKEY_decrypt_init()
- and EVP_PKEY_decrypt() instead.
- Deprecated EVP_PKEY_encrypt_old(), please use EVP_PKEY_encrypt_init()
- and EVP_PKEY_encrypt() instead.
+ * Deprecated EVP_PKEY_decrypt_old() and EVP_PKEY_encrypt_old().
*Richard Levitte*
- * Enhanced the documentation of EVP_PKEY_size(), EVP_PKEY_bits()
- and EVP_PKEY_security_bits(). Especially EVP_PKEY_size() needed
+ * Enhanced the documentation of EVP_PKEY_get_size(), EVP_PKEY_get_bits()
+ and EVP_PKEY_get_security_bits(). Especially EVP_PKEY_get_size() needed
a new formulation to include all the things it can be used for,
as well as words of caution.
*Richard Levitte*
* The SSL_CTX_set_tlsext_ticket_key_cb(3) function has been deprecated.
- Instead used the new SSL_CTX_set_tlsext_ticket_key_evp_cb(3) function.
*Paul Dale*
- * All of the low level HMAC functions have been deprecated including:
-
- HMAC, HMAC_size, HMAC_CTX_new, HMAC_CTX_reset, HMAC_CTX_free,
- HMAC_Init_ex, HMAC_Update, HMAC_Final, HMAC_CTX_copy, HMAC_CTX_set_flags
- and HMAC_CTX_get_md.
+ * All of the low level HMAC functions have been deprecated.
- Use of these low level functions has been informally discouraged for a long
- time. Instead applications should use L<EVP_MAC_CTX_new(3)>,
- L<EVP_MAC_CTX_free(3)>, L<EVP_MAC_init(3)>, L<EVP_MAC_update(3)>
- and L<EVP_MAC_final(3)>.
-
- *Paul Dale*
+ *Paul Dale and David von Oheimb*
* Over two thousand fixes were made to the documentation, including:
- Common options (such as -rand/-writerand, TLS version control, etc)
*Rich Salz*
- * All of the low level CMAC functions have been deprecated including:
-
- CMAC_CTX_new, CMAC_CTX_cleanup, CMAC_CTX_free, CMAC_CTX_get0_cipher_ctx,
- CMAC_CTX_copy, CMAC_Init, CMAC_Update, CMAC_Final and CMAC_resume.
-
- Use of these low level functions has been informally discouraged for a long
- time. Instead applications should use L<EVP_MAC_CTX_new(3)>,
- L<EVP_MAC_CTX_free(3)>, L<EVP_MAC_init(3)>, L<EVP_MAC_update(3)>
- and L<EVP_MAC_final(3)>.
+ * All of the low level CMAC functions have been deprecated.
*Paul Dale*
- * All of the low level MD2, MD4, MD5, MDC2, RIPEMD160, SHA1, SHA224, SHA256,
- SHA384, SHA512 and Whirlpool digest functions have been deprecated.
- These include:
-
- MD2, MD2_options, MD2_Init, MD2_Update, MD2_Final, MD4, MD4_Init,
- MD4_Update, MD4_Final, MD4_Transform, MD5, MD5_Init, MD5_Update,
- MD5_Final, MD5_Transform, MDC2, MDC2_Init, MDC2_Update, MDC2_Final,
- RIPEMD160, RIPEMD160_Init, RIPEMD160_Update, RIPEMD160_Final,
- RIPEMD160_Transform, SHA1_Init, SHA1_Update, SHA1_Final, SHA1_Transform,
- SHA224_Init, SHA224_Update, SHA224_Final, SHA224_Transform, SHA256_Init,
- SHA256_Update, SHA256_Final, SHA256_Transform, SHA384, SHA384_Init,
- SHA384_Update, SHA384_Final, SHA512, SHA512_Init, SHA512_Update,
- SHA512_Final, SHA512_Transform, WHIRLPOOL, WHIRLPOOL_Init,
- WHIRLPOOL_Update, WHIRLPOOL_BitUpdate and WHIRLPOOL_Final.
-
- Use of these low level functions has been informally discouraged
- for a long time. Applications should use the EVP_DigestInit_ex(3),
- EVP_DigestUpdate(3) and EVP_DigestFinal_ex(3) functions instead.
+ * The low-level MD2, MD4, MD5, MDC2, RIPEMD160 and Whirlpool digest
+ functions have been deprecated.
- *Paul Dale*
+ *Paul Dale and David von Oheimb*
* Corrected the documentation of the return values from the `EVP_DigestSign*`
set of functions. The documentation mentioned negative values for some
*Richard Levitte*
- * All of the low level cipher functions have been deprecated including:
-
- AES_options, AES_set_encrypt_key, AES_set_decrypt_key, AES_encrypt,
- AES_decrypt, AES_ecb_encrypt, AES_cbc_encrypt, AES_cfb128_encrypt,
- AES_cfb1_encrypt, AES_cfb8_encrypt, AES_ofb128_encrypt,
- AES_wrap_key, AES_unwrap_key, BF_set_key, BF_encrypt, BF_decrypt,
- BF_ecb_encrypt, BF_cbc_encrypt, BF_cfb64_encrypt, BF_ofb64_encrypt,
- BF_options, Camellia_set_key, Camellia_encrypt, Camellia_decrypt,
- Camellia_ecb_encrypt, Camellia_cbc_encrypt, Camellia_cfb128_encrypt,
- Camellia_cfb1_encrypt, Camellia_cfb8_encrypt, Camellia_ofb128_encrypt,
- Camellia_ctr128_encrypt, CAST_set_key, CAST_encrypt, CAST_decrypt,
- CAST_ecb_encrypt, CAST_cbc_encrypt, CAST_cfb64_encrypt,
- CAST_ofb64_encrypt, DES_options, DES_encrypt1, DES_encrypt2,
- DES_encrypt3, DES_decrypt3, DES_cbc_encrypt, DES_ncbc_encrypt,
- DES_pcbc_encrypt, DES_xcbc_encrypt, DES_cfb_encrypt, DES_cfb64_encrypt,
- DES_ecb_encrypt, DES_ofb_encrypt, DES_ofb64_encrypt, DES_random_key,
- DES_set_odd_parity, DES_check_key_parity, DES_is_weak_key, DES_set_key,
- DES_key_sched, DES_set_key_checked, DES_set_key_unchecked,
- DES_string_to_key, DES_string_to_2keys, DES_fixup_key_parity,
- DES_ecb2_encrypt, DES_ede2_cbc_encrypt, DES_ede2_cfb64_encrypt,
- DES_ede2_ofb64_encrypt, DES_ecb3_encrypt, DES_ede3_cbc_encrypt,
- DES_ede3_cfb64_encrypt, DES_ede3_cfb_encrypt, DES_ede3_ofb64_encrypt,
- DES_cbc_cksum, DES_quad_cksum, IDEA_encrypt, IDEA_options,
- IDEA_ecb_encrypt, IDEA_set_encrypt_key, IDEA_set_decrypt_key,
- IDEA_cbc_encrypt, IDEA_cfb64_encrypt, IDEA_ofb64_encrypt, RC2_set_key,
- RC2_encrypt, RC2_decrypt, RC2_ecb_encrypt, RC2_cbc_encrypt,
- RC2_cfb64_encrypt, RC2_ofb64_encrypt, RC4, RC4_options, RC4_set_key,
- RC5_32_set_key, RC5_32_encrypt, RC5_32_decrypt, RC5_32_ecb_encrypt,
- RC5_32_cbc_encrypt, RC5_32_cfb64_encrypt, RC5_32_ofb64_encrypt,
- SEED_set_key, SEED_encrypt, SEED_decrypt, SEED_ecb_encrypt,
- SEED_cbc_encrypt, SEED_cfb128_encrypt and SEED_ofb128_encrypt.
-
- Use of these low level functions has been informally discouraged for
- a long time. Applications should use the high level EVP APIs, e.g.
- EVP_EncryptInit_ex, EVP_EncryptUpdate, EVP_EncryptFinal_ex, and the
- equivalently named decrypt functions instead.
+ * All of the low level cipher functions have been deprecated.
*Matt Caswell and Paul Dale*
difficult to perform and are not believed likely. Attacks against DH512
are considered just feasible. However, for an attack the target would
have to re-use the DH512 private key, which is not recommended anyway.
- Also applications directly using the low level API BN_mod_exp may be
+ Also applications directly using the low-level API BN_mod_exp may be
affected if they use BN_FLG_CONSTTIME.
([CVE-2019-1551])
*Rich Salz*
- * Introduced a new method type and API, OSSL_ENCODER, to
- represent generic encoders. An implementation is expected to
- be able to encode an object associated with a given name (such
- as an algorithm name for an asymmetric key) into forms given by
- implementation properties.
+ * Introduced a new method type and API, OSSL_ENCODER, to represent
+ generic encoders. These do the same sort of job that PEM writers
+ and d2i functions do, but with support for methods supplied by
+ providers, and the possibility for providers to support other
+ formats as well.
- Encoders are primarily used from inside libcrypto, through
- calls to functions like EVP_PKEY_print_private(),
- PEM_write_bio_PrivateKey() and similar.
+ *Richard Levitte*
- Encoders are specified in such a way that they can be made to
- directly handle the provider side portion of an object, if this
- provider side part comes from the same provider as the encoder
- itself, but can also be made to handle objects in parametrized
- form (as an OSSL_PARAM array of data). This allows a provider to
- offer generic encoders as a service for any other provider.
+ * Introduced a new method type and API, OSSL_DECODER, to represent
+ generic decoders. These do the same sort of job that PEM readers
+ and i2d functions do, but with support for methods supplied by
+ providers, and the possibility for providers to support other
+ formats as well.
*Richard Levitte*
*Richard Levitte*
- * Added functionality to create an EVP_PKEY from user data. This
- is effectively the same as creating a RSA, DH or DSA object and
- then assigning them to an EVP_PKEY, but directly using algorithm
- agnostic EVP functions. A benefit is that this should be future
- proof for public key algorithms to come.
+ * Added functionality to create an EVP_PKEY from user data.
*Richard Levitte*
ERR_peek_error_data(), ERR_peek_last_error_data(), ERR_get_error_all(),
ERR_peek_error_all() and ERR_peek_last_error_all().
- These functions have become deprecated: ERR_get_error_line(),
- ERR_get_error_line_data(), ERR_peek_error_line_data(),
- ERR_peek_last_error_line_data() and ERR_func_error_string().
-
- Users are recommended to use ERR_get_error_all(), or to pick information
- with ERR_peek functions and finish off with getting the error code by using
- ERR_get_error().
+ Deprecate ERR functions ERR_get_error_line(), ERR_get_error_line_data(),
+ ERR_peek_error_line_data(), ERR_peek_last_error_line_data() and
+ ERR_func_error_string().
*Richard Levitte*
* Removed the function names from error messages and deprecated the
xxx_F_xxx define's.
+ *Richard Levitte*
+
* Removed NextStep support and the macro OPENSSL_UNISTD
*Rich Salz*
*Tomáš Mráz*
* Change PBKDF2 to conform to SP800-132 instead of the older PKCS5 RFC2898.
- This checks that the salt length is at least 128 bits, the derived key
- length is at least 112 bits, and that the iteration count is at least 1000.
- For backwards compatibility these checks are disabled by default in the
- default provider, but are enabled by default in the fips provider.
- To enable or disable these checks use the control
- EVP_KDF_CTRL_SET_PBKDF2_PKCS5_MODE.
*Shane Lontis*
*Richard Levitte*
* The functions AES_ige_encrypt() and AES_bi_ige_encrypt() have been
- deprecated. These undocumented functions were never integrated into the EVP
- layer and implement the AES Infinite Garble Extension (IGE) mode and AES
- Bi-directional IGE mode. These modes were never formally standardised and
- usage of these functions is believed to be very small. In particular
- AES_bi_ige_encrypt() has a known bug. It accepts 2 AES keys, but only one
- is ever used. The security implications are believed to be minimal, but
- this issue was never fixed for backwards compatibility reasons. New code
- should not use these modes.
+ deprecated.
*Matt Caswell*
*Richard Levitte*
* Added a new generic trace API which provides support for enabling
- instrumentation through trace output. This feature is mainly intended
- as an aid for developers and is disabled by default. To utilize it,
- OpenSSL needs to be configured with the `enable-trace` option.
-
- If the tracing API is enabled, the application can activate trace output
- by registering BIOs as trace channels for a number of tracing and debugging
- categories.
-
- The `openssl` program has been expanded to enable any of the types
- available via environment variables defined by the user, and serves as
- one possible example on how to use this functionality.
+ instrumentation through trace output.
*Richard Levitte & Matthias St. Pierre*
*Richard Levitte*
- * Add Single Step KDF (EVP_KDF_SS) to EVP_KDF.
+ * Added KB KDF (EVP_KDF_KB) to EVP_KDF.
+
+ *Robbie Harwood*
+
+ * Added SSH KDF (EVP_KDF_SSHKDF) and KRB5 KDF (EVP_KDF_KRB5KDF) to EVP_KDF.
+
+ *Simo Sorce*
+
+ * Added Single Step KDF (EVP_KDF_SS), X963 KDF, and X942 KDF to EVP_KDF.
*Shane Lontis*
- * Add KMAC to EVP_MAC.
+ * Added KMAC to EVP_MAC.
*Shane Lontis*
*Richard Levitte*
- * Change the license to the Apache License v2.0.
+ * Changed the license to the Apache License v2.0.
*Richard Levitte*
*Richard Levitte*
- * Deprecate ECDH_KDF_X9_62() and mark its replacement as internal. Users
- should use the EVP interface instead (EVP_PKEY_CTX_set_ecdh_kdf_type).
+ * Deprecate ECDH_KDF_X9_62().
*Antoine Salon*
*Boris Pismenny*
- * The SSL option SSL_OP_CLEANSE_PLAINTEXT is introduced. If that
- option is set, openssl cleanses (zeroize) plaintext bytes from
- internal buffers after delivering them to the application. Note,
- the application is still responsible for cleansing other copies
- (e.g.: data received by SSL_read(3)).
+ * The SSL option SSL_OP_CLEANSE_PLAINTEXT is introduced.
*Martin Elshuber*
*David von Oheimb*
- * Deprecated pthread fork support methods. These were unused so no
- replacement is required.
-
- - OPENSSL_fork_prepare()
- - OPENSSL_fork_parent()
- - OPENSSL_fork_child()
+ * Deprecated pthread fork support methods.
*Randall S. Becker*
+ * Added support for FFDHE key exchange in TLS 1.3.
+
+ *Raja Ashok*
+
+ * Added a new concept for OpenSSL plugability: providers. This
+ functionality is designed to replace the ENGINE API and ENGINE
+ implementations, and to be much more dynamic, allowing provider
+ authors to introduce new algorithms among other things, as long as
+ there's an API that supports the algorithm type.
+
+ With this concept comes a new core API for interaction between
+ libcrypto and provider implementations. Public libcrypto functions
+ that want to use providers do so through this core API.
+
+ The main documentation for this core API is found in
+ doc/man7/provider.pod, doc/man7/provider-base.pod, and they in turn
+ refer to other manuals describing the API specific for supported
+ algorithm types (also called operations).
+
+ *The OpenSSL team*
+
OpenSSL 1.1.1
-------------
-### Changes between 1.1.1i and 1.1.1j [xx XXX xxxx]
+### Changes between 1.1.1k and 1.1.1l [24 Aug 2021]
+
+ * Fixed an SM2 Decryption Buffer Overflow.
+
+ In order to decrypt SM2 encrypted data an application is expected to
+ call the API function EVP_PKEY_decrypt(). Typically an application will
+ call this function twice. The first time, on entry, the "out" parameter
+ can be NULL and, on exit, the "outlen" parameter is populated with the
+ buffer size required to hold the decrypted plaintext. The application
+ can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt()
+ again, but this time passing a non-NULL value for the "out" parameter.
+
+ A bug in the implementation of the SM2 decryption code means that the
+ calculation of the buffer size required to hold the plaintext returned
+ by the first call to EVP_PKEY_decrypt() can be smaller than the actual
+ size required by the second call. This can lead to a buffer overflow
+ when EVP_PKEY_decrypt() is called by the application a second time with
+ a buffer that is too small.
+
+ A malicious attacker who is able present SM2 content for decryption to
+ an application could cause attacker chosen data to overflow the buffer
+ by up to a maximum of 62 bytes altering the contents of other data held
+ after the buffer, possibly changing application behaviour or causing
+ the application to crash. The location of the buffer is application
+ dependent but is typically heap allocated.
+ ([CVE-2021-3711])
+
+ *Matt Caswell*
+
+ * Fixed various read buffer overruns processing ASN.1 strings
+
+ ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING
+ structure which contains a buffer holding the string data and a field
+ holding the buffer length. This contrasts with normal C strings which
+ are repesented as a buffer for the string data which is terminated
+ with a NUL (0) byte.
+
+ Although not a strict requirement, ASN.1 strings that are parsed using
+ OpenSSL's own "d2i" functions (and other similar parsing functions) as
+ well as any string whose value has been set with the ASN1_STRING_set()
+ function will additionally NUL terminate the byte array in the
+ ASN1_STRING structure.
+
+ However, it is possible for applications to directly construct valid
+ ASN1_STRING structures which do not NUL terminate the byte array by
+ directly setting the "data" and "length" fields in the ASN1_STRING
+ array. This can also happen by using the ASN1_STRING_set0() function.
+
+ Numerous OpenSSL functions that print ASN.1 data have been found to
+ assume that the ASN1_STRING byte array will be NUL terminated, even
+ though this is not guaranteed for strings that have been directly
+ constructed. Where an application requests an ASN.1 structure to be
+ printed, and where that ASN.1 structure contains ASN1_STRINGs that have
+ been directly constructed by the application without NUL terminating
+ the "data" field, then a read buffer overrun can occur.
+
+ The same thing can also occur during name constraints processing
+ of certificates (for example if a certificate has been directly
+ constructed by the application instead of loading it via the OpenSSL
+ parsing functions, and the certificate contains non NUL terminated
+ ASN1_STRING structures). It can also occur in the X509_get1_email(),
+ X509_REQ_get1_email() and X509_get1_ocsp() functions.
+
+ If a malicious actor can cause an application to directly construct an
+ ASN1_STRING and then process it through one of the affected OpenSSL
+ functions then this issue could be hit. This might result in a crash
+ (causing a Denial of Service attack). It could also result in the
+ disclosure of private memory contents (such as private keys, or
+ sensitive plaintext).
+ ([CVE-2021-3712])
+
+ *Matt Caswell*
+
+### Changes between 1.1.1j and 1.1.1k [25 Mar 2021]
+
+ * Fixed a problem with verifying a certificate chain when using the
+ X509_V_FLAG_X509_STRICT flag. This flag enables additional security checks of
+ the certificates present in a certificate chain. It is not set by default.
+
+ Starting from OpenSSL version 1.1.1h a check to disallow certificates in
+ the chain that have explicitly encoded elliptic curve parameters was added
+ as an additional strict check.
+
+ An error in the implementation of this check meant that the result of a
+ previous check to confirm that certificates in the chain are valid CA
+ certificates was overwritten. This effectively bypasses the check
+ that non-CA certificates must not be able to issue other certificates.
+
+ If a "purpose" has been configured then there is a subsequent opportunity
+ for checks that the certificate is a valid CA. All of the named "purpose"
+ values implemented in libcrypto perform this check. Therefore, where
+ a purpose is set the certificate chain will still be rejected even when the
+ strict flag has been used. A purpose is set by default in libssl client and
+ server certificate verification routines, but it can be overridden or
+ removed by an application.
+
+ In order to be affected, an application must explicitly set the
+ X509_V_FLAG_X509_STRICT verification flag and either not set a purpose
+ for the certificate verification or, in the case of TLS client or server
+ applications, override the default purpose.
+ ([CVE-2021-3450])
+
+ *Tomáš Mráz*
+
+ * Fixed an issue where an OpenSSL TLS server may crash if sent a maliciously
+ crafted renegotiation ClientHello message from a client. If a TLSv1.2
+ renegotiation ClientHello omits the signature_algorithms extension (where it
+ was present in the initial ClientHello), but includes a
+ signature_algorithms_cert extension then a NULL pointer dereference will
+ result, leading to a crash and a denial of service attack.
+
+ A server is only vulnerable if it has TLSv1.2 and renegotiation enabled
+ (which is the default configuration). OpenSSL TLS clients are not impacted by
+ this issue.
+ ([CVE-2021-3449])
+
+ *Peter Kästle and Samuel Sapalski*
+
+### Changes between 1.1.1i and 1.1.1j [16 Feb 2021]
+
+ * Fixed the X509_issuer_and_serial_hash() function. It attempts to
+ create a unique hash value based on the issuer and serial number data
+ contained within an X509 certificate. However it was failing to correctly
+ handle any errors that may occur while parsing the issuer field (which might
+ occur if the issuer field is maliciously constructed). This may subsequently
+ result in a NULL pointer deref and a crash leading to a potential denial of
+ service attack.
+ ([CVE-2021-23841])
+
+ *Matt Caswell*
+
+ * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING
+ padding mode to correctly check for rollback attacks. This is considered a
+ bug in OpenSSL 1.1.1 because it does not support SSLv2. In 1.0.2 this is
+ CVE-2021-23839.
+
+ *Matt Caswell*
- * Fixed SRP_Calc_client_key so that it uses constant time. The previous
+ Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate
+ functions. Previously they could overflow the output length argument in some
+ cases where the input length is close to the maximum permissable length for
+ an integer on the platform. In such cases the return value from the function
+ call would be 1 (indicating success), but the output length value would be
+ negative. This could cause applications to behave incorrectly or crash.
+ ([CVE-2021-23840])
+
+ *Matt Caswell*
+
+ * Fixed SRP_Calc_client_key so that it runs in constant time. The previous
implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This
could be exploited in a side channel attack to recover the password. Since
the attack is local host only this is outside of the current OpenSSL
*Richard Levitte*
- * Added newline escaping functionality to a filename when using openssl dgst.
- This output format is to replicate the output format found in the `*sum`
- checksum programs. This aims to preserve backward compatibility.
-
- *Matt Eaton, Richard Levitte, and Paul Dale*
-
* Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just
the first value.
would be an erroneous display of the certificate in text format.
This issue was reported to OpenSSL by the OSS-Fuzz project.
- ([CVE-2017-3735])
*Rich Salz*
bytes.
This issue was reported by Juraj Somorovsky using TLS-Attacker.
- ([CVE-2016-2107])
*Kurt Roeckx*
*Steve Henson*
- * Add similar low level API blocking to ciphers.
+ * Add similar low-level API blocking to ciphers.
*Steve Henson*
- * Low level digest APIs are not approved in FIPS mode: any attempt
+ * low-level digest APIs are not approved in FIPS mode: any attempt
to use these will cause a fatal error. Applications that *really* want
to use them can use the `private_*` version instead.
* Add new 'medium level' PKCS#12 API. Certificates and keys
can be added using this API to created arbitrary PKCS#12
- files while avoiding the low level API.
+ files while avoiding the low-level API.
New options to PKCS12_create(), key or cert can be NULL and
will then be omitted from the output file. The encryption
options work when creating a PKCS#12 file. New option -nomac
to omit the mac, NONE can be set for an encryption algorithm.
New code is modified to use the enhanced PKCS12_create()
- instead of the low level API.
+ instead of the low-level API.
*Steve Henson*
*"Brian Havard" <brianh@kheldar.apana.org.au> and Richard Levitte*
* Rewrite commands to use `NCONF` routines instead of the old `CONF`.
- New functions to support `NCONF `routines in extension code.
+ New functions to support `NCONF` routines in extension code.
New function `CONF_set_nconf()`
to allow functions which take an `NCONF` to also handle the old `LHASH`
structure: this means that the old `CONF` compatible routines can be
*Richard Levitte*
- * Change all calls to low level digest routines in the library and
+ * Change all calls to low-level digest routines in the library and
applications to use EVP. Add missing calls to HMAC_cleanup() and
don't assume HMAC_CTX can be copied using memcpy().
*Bodo Moeller*
* New openssl application 'rsautl'. This utility can be
- used for low level RSA operations. DER public key
+ used for low-level RSA operations. DER public key
BIO/fp routines also added.
*Steve Henson*
provides hooks that allow the default DSA functions or functions on a
"per key" basis to be replaced. This allows hardware acceleration and
hardware key storage to be handled without major modification to the
- library. Also added low level modexp hooks and CRYPTO_EX structure and
+ library. Also added low-level modexp hooks and CRYPTO_EX structure and
associated functions.
*Steve Henson*
*Ralf S. Engelschall*
* Removed dummy files from the 0.9.1b source tree:
- ```
crypto/asn1/x crypto/bio/cd crypto/bio/fg crypto/bio/grep crypto/bio/vi
crypto/bn/asm/......add.c crypto/bn/asm/a.out crypto/dsa/f crypto/md5/f
crypto/pem/gmon.out crypto/perlasm/f crypto/pkcs7/build crypto/rsa/f
crypto/sha/asm/f crypto/threads/f ms/zzz ssl/f ssl/f.mak test/f
util/f.mak util/pl/f util/pl/f.mak crypto/bf/bf_locl.old apps/f
- ```
*Ralf S. Engelschall*
projects / openssl.git / blobdiff