### Changes between 1.1.1 and 3.0 [xx XXX xxxx]
+ * 'Configure' has been changed to figure out the configuration target if
+ none is given on the command line. Consequently, the 'config' script is
+ now only a mere wrapper. All documentation is changed to only mention
+ 'Configure'.
+
+ *Rich Salz and Richard Levitte*
+
+ * Added a library context that applications as well as other
+ libraries can use to form a separate context within which libcrypto
+ operations are performed.
+
+ There are two ways this can be used:
+
+ - Directly, by passing a library context to functions that take
+ such an argument, such as `EVP_CIPHER_fetch` and similar algorithm
+ fetching functions.
+ - Indirectly, by creating a new library context and then assigning
+ it as the new default, with `OPENSSL_CTX_set0_default`.
+
+ All public OpenSSL functions that take an `OPENSSL_CTX` pointer,
+ apart from the functions directly related to `OPENSSL_CTX`, accept
+ NULL to indicate that the default library context should be used.
+
+ Library code that changes the default library context using
+ `OPENSSL_CTX_set0_default` should take care to restore it with a
+ second call before returning to the caller.
+
+ *Richard Levitte*
+
+ * Handshake now fails if Extended Master Secret extension is dropped
+ on renegotiation.
+
+ *Tomas Mraz*
+
+ * Dropped interactive mode from the 'openssl' program. From now on,
+ the `openssl` command without arguments is equivalent to `openssl
+ help`.
+
+ *Richard Levitte*
+
+ * Renamed EVP_PKEY_cmp() to EVP_PKEY_eq() and
+ EVP_PKEY_cmp_parameters() to EVP_PKEY_parameters_eq().
+ While the old function names have been retained for backward compatibility
+ they should not be used in new developments
+ because their return values are confusing: Unlike other `_cmp()` functions
+ they do not return 0 in case their arguments are equal.
+
+ *David von Oheimb*
+
+ * Deprecated EC_METHOD_get_field_type(). Applications should switch to
+ EC_GROUP_get_field_type().
+
+ *Billy Bob Brumley*
+
+ * Deprecated EC_GFp_simple_method(), EC_GFp_mont_method(),
+ EC_GF2m_simple_method(), EC_GFp_nist_method(), EC_GFp_nistp224_method()
+ EC_GFp_nistp256_method(), and EC_GFp_nistp521_method().
+ Applications should rely on the library automatically assigning a suitable
+ EC_METHOD internally upon EC_GROUP construction.
+
+ *Billy Bob Brumley*
+
+ * Deprecated EC_GROUP_new(), EC_GROUP_method_of(), and EC_POINT_method_of().
+ EC_METHOD is now an internal-only concept and a suitable EC_METHOD is
+ assigned internally without application intervention.
+ Users of EC_GROUP_new() should switch to a different suitable constructor.
+
+ *Billy Bob Brumley*
+
+ * Add CAdES-BES signature verification support, mostly derived
+ from ESSCertIDv2 TS (RFC 5816) contribution by Marek Klein.
+
+ *Filipe Raimundo da Silva*
+
+ * Add CAdES-BES signature scheme and attributes support (RFC 5126) to CMS API.
+
+ *Antonio Iacono*
+
+ * Deprecated EC_POINT_make_affine() and EC_POINTs_make_affine(). These
+ functions are not widely used and now OpenSSL automatically perform this
+ conversion when needed.
+
+ *Billy Bob Brumley*
+
+ * Deprecated EC_GROUP_precompute_mult(), EC_GROUP_have_precompute_mult(), and
+ EC_KEY_precompute_mult(). These functions are not widely used and
+ applications should instead switch to named curves which OpenSSL has
+ hardcoded lookup tables for.
+
+ *Billy Bob Brumley*
+
+ * Deprecated EC_POINTs_mul(). This function is not widely used and applications
+ should instead use the L<EC_POINT_mul(3)> function.
+
+ *Billy Bob Brumley*
+
* Removed FIPS_mode() and FIPS_mode_set(). These functions are legacy API's
that are not applicable to the new provider model. Applications should
instead use EVP_default_properties_is_fips_enabled() and
*Shane Lontis*
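Review bot: the entry deprecating EC_POINTs_mul() links its replacement as `L<EC_POINT_mul(3)>`, which is POD syntax, while every other new entry in this hunk names functions as plain text or in backticks (`EVP_CIPHER_fetch`, EC_GROUP_get_field_type()); the file mixes both forms, but within one batch of new entries pick one, preferably `EC_POINT_mul(3)` so a markdown renderer does not show the L<...> literally. Two wording fixes in the same hunk: "now OpenSSL automatically perform this conversion" should read "performs", and the list in the EC_GFp_*_method() deprecation entry is missing a comma after EC_GFp_nistp224_method().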
+ * The SSL option SSL_OP_IGNORE_UNEXPECTED_EOF is introduced. If that option
+ is set, an unexpected EOF is ignored, it pretends a close notify was received
+ instead and so the returned error becomes SSL_ERROR_ZERO_RETURN.
+
+ *Dmitry Belyavskiy*
+
* Deprecated EC_POINT_set_Jprojective_coordinates_GFp() and
EC_POINT_get_Jprojective_coordinates_GFp(). These functions are not widely
used and applications should instead use the
*Paul Dale*
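Review bot: the SSL_OP_IGNORE_UNEXPECTED_EOF entry should spell out the trade-off it describes: once an unexpected EOF is reported as SSL_ERROR_ZERO_RETURN, the application can no longer tell a peer's clean close_notify from a connection that was cut off, so a truncated response looks like a complete one. Since the wording makes this an opt-in ("If that option is set"), say explicitly that it is off by default and intended only for peers known to close without sending close_notify. The sentence "an unexpected EOF is ignored, it pretends a close notify was received instead and so the returned error becomes SSL_ERROR_ZERO_RETURN" is also a run-on; suggest "an unexpected EOF is treated as if a close_notify alert had been received, so the reported error is SSL_ERROR_ZERO_RETURN".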
+ * The security strength of SHA1 and MD5 based signatures in TLS has been
+ reduced. This results in SSL 3, TLS 1.0, TLS 1.1 and DTLS 1.0 no longer
+ working at the default security level of 1 and instead requires security
+ level 0. The security level can be changed either using the cipher string
+ with @SECLEVEL, or calling SSL_CTX_set_security_level().
+
+ *Kurt Roeckx*
+
* EVP_PKEY_get0_RSA(), EVP_PKEY_get0_DSA(), EVP_PKEY_get0_DH(), and
EVP_PKEY_get0_EC_KEY() can now handle EVP_PKEYs with provider side
internal keys, if they correspond to one of those built in types.
*David von Oheimb*
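Review bot: "The security strength of SHA1 and MD5 based signatures in TLS has been reduced" reads as though the algorithms themselves got weaker; what changed is the strength OpenSSL assigns to them, so write "the security strength assigned to". The entry should also say plainly that dropping to security level 0, whether via `@SECLEVEL=0` in the cipher string or SSL_CTX_set_security_level(), relaxes every check the security level governs for that context, not only the signature algorithms these protocol versions need, so it is a global downgrade rather than a targeted opt-in for SSL 3 / TLS 1.0 / TLS 1.1 / DTLS 1.0. Minor grammar: "and instead requires security level 0" should be "require".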
+ * BIO_do_connect and BIO_do_handshake have been extended:
+ If domain name resolution yields multiple IP addresses all of them are tried
+ after connect() failures.
+
+ *David von Oheimb*
+
* All of the low level RSA functions have been deprecated including:
RSA_new_method, RSA_size, RSA_security_bits, RSA_get0_pss_params,
and HMAC_CTX_get_md.
Use of these low level functions has been informally discouraged for a long
- time. Instead applications should use L<EVP_MAC_CTX_new(3)>,
- L<EVP_MAC_CTX_free(3)>, L<EVP_MAC_init(3)>, L<EVP_MAC_update(3)>
+ time. Instead applications should use L<EVP_MAC_new_ctx(3)>,
+ L<EVP_MAC_free_ctx(3)>, L<EVP_MAC_init(3)>, L<EVP_MAC_update(3)>
and L<EVP_MAC_final(3)>.
*Paul Dale*
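Review bot: this hunk (and the CMAC one below) only swaps the recommended names from EVP_MAC_CTX_new/EVP_MAC_CTX_free to EVP_MAC_new_ctx/EVP_MAC_free_ctx inside existing deprecation text; if the functions were renamed, CHANGES should also carry an entry announcing that rename, because code written against the earlier 3.0 development name will stop compiling and this file is where users look for that. Separately, the entry this hunk touches opens with "All of the low level RSA functions have been deprecated" yet lists HMAC_CTX_get_md and recommends the EVP_MAC API; check that the RSA and HMAC entries have not been run together.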
CMAC_CTX_copy, CMAC_Init, CMAC_Update, CMAC_Final and CMAC_resume.
Use of these low level functions has been informally discouraged for a long
- time. Instead applications should use L<EVP_MAC_CTX_new(3)>,
- L<EVP_MAC_CTX_free(3)>, L<EVP_MAC_init(3)>, L<EVP_MAC_update(3)>
+ time. Instead applications should use L<EVP_MAC_new_ctx(3)>,
+ L<EVP_MAC_free_ctx(3)>, L<EVP_MAC_init(3)>, L<EVP_MAC_update(3)>
and L<EVP_MAC_final(3)>.
*Paul Dale*
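Review bot: same substitution as in the HMAC entry above, fine as long as both entries end up naming identical replacement functions. One gap in the CMAC text: the deprecated list includes CMAC_CTX_copy and CMAC_resume, but the replacement list (new_ctx, free_ctx, init, update, final) names nothing that duplicates a context or resumes a computation; if the EVP_MAC API has such functions, name them here, otherwise say that there is no equivalent so readers do not go looking for one.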
- SSL_CTX_load_verify_dir()
- SSL_CTX_load_verify_store()
- Also, the following functions are now deprecated:
-
- - X509_STORE_load_locations() (use X509_STORE_load_file(),
- X509_STORE_load_path() or X509_STORE_load_store() instead)
- - SSL_CTX_load_verify_locations() (use SSL_CTX_load_verify_file(),
- SSL_CTX_load_verify_dir() or SSL_CTX_load_verify_store() instead)
-
*Richard Levitte*
* Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY.
*Steve Henson*
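Review bot: this hunk deletes the "Also, the following functions are now deprecated" list, which was the only place the entry told readers to move from X509_STORE_load_locations() and SSL_CTX_load_verify_locations() to the file/path/store variants. If those functions are no longer deprecated, the entry should say so explicitly; if they still are, keep the list. The hunk also removes the lines naming SSL_CTX_load_verify_dir() and SSL_CTX_load_verify_store() just before that list; confirm the entry still introduces those two functions somewhere, since the removed text pointed at them as the replacements.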
- *) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
- results on some platforms, including x86_64. This bug occurs at random
- with a very low probability, and is not known to be exploitable in any
- way, though its exact impact is difficult to determine. Thanks to Pieter
- Wuille (Blockstream) who reported this issue and also suggested an initial
- fix. Further analysis was conducted by the OpenSSL development team and
- Adam Langley of Google. The final fix was developed by Andy Polyakov of
- the OpenSSL core team.
- [CVE-2014-3570][]
+ * Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
+ results on some platforms, including x86_64. This bug occurs at random
+ with a very low probability, and is not known to be exploitable in any
+ way, though its exact impact is difficult to determine. Thanks to Pieter
+ Wuille (Blockstream) who reported this issue and also suggested an initial
+ fix. Further analysis was conducted by the OpenSSL development team and
+ Adam Langley of Google. The final fix was developed by Andy Polyakov of
+ the OpenSSL core team.
+ [CVE-2014-3570][]
*Andy Polyakov*
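Review bot: the `*)` to `*` bullet conversion keeps the CVE-2014-3570 text verbatim, good. The reference-style link `[CVE-2014-3570][]` only resolves if a matching `[CVE-2014-3570]: <url>` definition exists in the file; verify one was added alongside this conversion, otherwise the markdown renders the brackets literally. The same entry is converted again later in this patch, which is expected if it sits in two release sections, but both copies then rely on that single link definition.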
- *) Do not resume sessions on the server if the negotiated protocol
- version does not match the session's version. Resuming with a different
- version, while not strictly forbidden by the RFC, is of questionable
- sanity and breaks all known clients.
+ * Do not resume sessions on the server if the negotiated protocol
+ version does not match the session's version. Resuming with a different
+ version, while not strictly forbidden by the RFC, is of questionable
+ sanity and breaks all known clients.
*David Benjamin, Emilia Käsper*
- *) Tighten handling of the ChangeCipherSpec (CCS) message: reject
- early CCS messages during renegotiation. (Note that because
- renegotiation is encrypted, this early CCS was not exploitable.)
+ * Tighten handling of the ChangeCipherSpec (CCS) message: reject
+ early CCS messages during renegotiation. (Note that because
+ renegotiation is encrypted, this early CCS was not exploitable.)
*Emilia Käsper*
- *) Tighten client-side session ticket handling during renegotiation:
- ensure that the client only accepts a session ticket if the server sends
- the extension anew in the ServerHello. Previously, a TLS client would
- reuse the old extension state and thus accept a session ticket if one was
- announced in the initial ServerHello.
+ * Tighten client-side session ticket handling during renegotiation:
+ ensure that the client only accepts a session ticket if the server sends
+ the extension anew in the ServerHello. Previously, a TLS client would
+ reuse the old extension state and thus accept a session ticket if one was
+ announced in the initial ServerHello.
- Similarly, ensure that the client requires a session ticket if one
- was advertised in the ServerHello. Previously, a TLS client would
- ignore a missing NewSessionTicket message.
+ Similarly, ensure that the client requires a session ticket if one
+ was advertised in the ServerHello. Previously, a TLS client would
+ ignore a missing NewSessionTicket message.
*Emilia Käsper*
*Steve Henson*
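Review bot: this entry becomes a single `*` list item with two paragraphs ("Tighten client-side session ticket handling..." and "Similarly, ensure that the client requires a session ticket..."), so the second paragraph must stay indented to the list item's content column; if it is flush with the `*`, markdown closes the item and renders "Similarly..." as a top-level paragraph. Check the rendered output for this entry in particular, since it is the one multi-paragraph item in this batch.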
- *) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
- results on some platforms, including x86_64. This bug occurs at random
- with a very low probability, and is not known to be exploitable in any
- way, though its exact impact is difficult to determine. Thanks to Pieter
- Wuille (Blockstream) who reported this issue and also suggested an initial
- fix. Further analysis was conducted by the OpenSSL development team and
- Adam Langley of Google. The final fix was developed by Andy Polyakov of
- the OpenSSL core team.
- [CVE-2014-3570][]
+ * Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
+ results on some platforms, including x86_64. This bug occurs at random
+ with a very low probability, and is not known to be exploitable in any
+ way, though its exact impact is difficult to determine. Thanks to Pieter
+ Wuille (Blockstream) who reported this issue and also suggested an initial
+ fix. Further analysis was conducted by the OpenSSL development team and
+ Adam Langley of Google. The final fix was developed by Andy Polyakov of
+ the OpenSSL core team.
+ [CVE-2014-3570][]
- *Andy Polyakov*
+ *Andy Polyakov*
- *) Fix various certificate fingerprint issues.
+ * Fix various certificate fingerprint issues.
By using non-DER or invalid encodings outside the signed portion of a
certificate the fingerprint can be changed without breaking the signature.
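Review bot: the `*Andy Polyakov*` attribution is removed and re-added with no visible textual difference, so the change is presumably indentation; confirm it matches the indentation the other converted entries use and that the hunk does not introduce trailing whitespace. The fingerprint entry that follows is cut off here; it describes a real security fix (non-DER or invalid encodings outside the signed portion changing the fingerprint without breaking the signature), so make sure its CVE reference line, if it has one, gets the same `[CVE-...][]` link treatment and link definition as the squaring entry.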