### Changes between 1.1.1 and 3.0 [xx XXX xxxx] ###
+ * Deprecated EC_POINT_set_Jprojective_coordinates_GFp() and
+ EC_POINT_get_Jprojective_coordinates_GFp(). These functions are not widely
+ used and applications should instead use the
+ L<EC_POINT_set_affine_coordinates(3)> and
+ L<EC_POINT_get_affine_coordinates(3)> functions.
+
+ *Billy Bob Brumley*
+
+ * Added OSSL_PARAM_BLD to the public interface. This allows OSSL_PARAM
+ arrays to be more easily constructed via a series of utility functions.
+ Create a parameter builder using OSSL_PARAM_BLD_new(), add parameters using
+ the various push functions and finally convert to a passable OSSL_PARAM
+ array using OSSL_PARAM_BLD_to_param().
+
+ *Paul Dale*
+
+ * EVP_PKEY_get0_RSA(), EVP_PKEY_get0_DSA(), EVP_PKEY_get0_DH(), and
+ EVP_PKEY_get0_EC_KEY() can now handle EVP_PKEYs with provider side
+ internal keys, if they correspond to one of those built in types.
+
+ *Richard Levitte*
+
+ * Added EVP_PKEY_set_type_by_keymgmt(), to initialise an EVP_PKEY to
+ contain a provider side internal key.
+
+ *Richard Levitte*
+
+ * ASN1_verify(), ASN1_digest() and ASN1_sign() have been deprecated.
+ They are old functions that we don't use, and that you could disable with
+ the macro NO_ASN1_OLD. This goes all the way back to OpenSSL 0.9.7.
+
+ *Richard Levitte*
* The main project documents (README, NEWS, CHANGES, INSTALL, SUPPORT)
have been converted to Markdown with the goal to produce documents
*Richard Levitte*
- * The command line utilities ecparam and ec have been deprecated. Instead
- use the pkeyparam, pkey and genpkey programs.
+ * Added an implementation of CMP and CRMF (RFC 4210, RFC 4211 RFC 6712).
+ This adds crypto/cmp/, crpyto/crmf/, and test/cmp_*.
+ See L<OSSL_CMP_exec_IR_ses(3)> as starting point.
- *Paul Dale*
+ *David von Oheimb*
+
+ * Generalized the HTTP client code from crypto/ocsp/ into crpyto/http/.
+ The legacy OCSP-focused and only partly documented API is retained.
+ See L<OSSL_CMP_MSG_http_perform(3)> etc. for details.
+
+ *David von Oheimb*
* All of the low level RSA functions have been deprecated including:
- RSA_new_method, RSA_bits, RSA_size, RSA_security_bits,
- RSA_get0_pss_params, RSA_get_version, RSA_get0_engine,
- RSA_generate_key_ex, RSA_generate_multi_prime_key,
- RSA_X931_derive_ex, RSA_X931_generate_key_ex, RSA_check_key,
- RSA_check_key_ex, RSA_public_encrypt, RSA_private_encrypt,
+ RSA_new_method, RSA_size, RSA_security_bits, RSA_get0_pss_params,
+ RSA_get_version, RSA_get0_engine, RSA_generate_key_ex,
+ RSA_generate_multi_prime_key, RSA_X931_derive_ex, RSA_X931_generate_key_ex,
+ RSA_check_key, RSA_check_key_ex, RSA_public_encrypt, RSA_private_encrypt,
RSA_public_decrypt, RSA_private_decrypt, RSA_set_default_method,
RSA_get_default_method, RSA_null_method, RSA_get_method, RSA_set_method,
RSA_PKCS1_OpenSSL, RSA_print_fp, RSA_print, RSA_sign, RSA_verify,
- RSA_sign_ASN1_OCTET_STRING, RSA_verify_ASN1_OCTET_STRING,
- RSA_blinding_on, RSA_blinding_off, RSA_setup_blinding,
- RSA_padding_add_PKCS1_type_1, RSA_padding_check_PKCS1_type_1,
- RSA_padding_add_PKCS1_type_2, RSA_padding_check_PKCS1_type_2,
- PKCS1_MGF1, RSA_padding_add_PKCS1_OAEP, RSA_padding_check_PKCS1_OAEP,
- RSA_padding_add_PKCS1_OAEP_mgf1, RSA_padding_check_PKCS1_OAEP_mgf1,
- RSA_padding_add_SSLv23, RSA_padding_check_SSLv23,
- RSA_padding_add_none, RSA_padding_check_none, RSA_padding_add_X931,
- RSA_padding_check_X931, RSA_X931_hash_id, RSA_verify_PKCS1_PSS,
- RSA_padding_add_PKCS1_PSS, RSA_verify_PKCS1_PSS_mgf1,
+ RSA_sign_ASN1_OCTET_STRING, RSA_verify_ASN1_OCTET_STRING, RSA_blinding_on,
+ RSA_blinding_off, RSA_setup_blinding, RSA_padding_add_PKCS1_type_1,
+ RSA_padding_check_PKCS1_type_1, RSA_padding_add_PKCS1_type_2,
+ RSA_padding_check_PKCS1_type_2, PKCS1_MGF1, RSA_padding_add_PKCS1_OAEP,
+ RSA_padding_check_PKCS1_OAEP, RSA_padding_add_PKCS1_OAEP_mgf1,
+ RSA_padding_check_PKCS1_OAEP_mgf1, RSA_padding_add_SSLv23,
+ RSA_padding_check_SSLv23, RSA_padding_add_none, RSA_padding_check_none,
+ RSA_padding_add_X931, RSA_padding_check_X931, RSA_X931_hash_id,
+ RSA_verify_PKCS1_PSS, RSA_padding_add_PKCS1_PSS, RSA_verify_PKCS1_PSS_mgf1,
RSA_padding_add_PKCS1_PSS_mgf1, RSA_set_ex_data, RSA_get_ex_data,
RSA_meth_new, RSA_meth_free, RSA_meth_dup, RSA_meth_get0_name,
RSA_meth_set1_name, RSA_meth_get_flags, RSA_meth_set_flags,
*Kurt Roeckx*
* The command line utilities dhparam, dsa, gendsa and dsaparam have been
- deprecated. Instead use the pkeyparam, pkey, genpkey and pkeyparam
- programs respectively.
+ modified to use PKEY APIs. These commands are now in maintenance mode
+ and no new features will be added to them.
+
+ *Paul Dale*
+
+ * The command line utility rsautl has been deprecated.
+ Instead use the pkeyutl program.
+
+ *Paul Dale*
+
+ * The command line utilities genrsa and rsa have been modified to use PKEY
+ APIs These commands are now in maintenance mode and no new features will
+ be added to them.
*Paul Dale*
* All of the low level DH functions have been deprecated including:
DH_OpenSSL, DH_set_default_method, DH_get_default_method, DH_set_method,
- DH_new_method, DH_bits, DH_size, DH_security_bits, DH_get_ex_new_index,
+ DH_new_method, DH_size, DH_security_bits, DH_get_ex_new_index,
DH_set_ex_data, DH_get_ex_data, DH_generate_parameters_ex,
DH_check_params_ex, DH_check_ex, DH_check_pub_key_ex,
DH_check, DH_check_pub_key, DH_generate_key, DH_compute_key,
DH_compute_key_padded, DHparams_print_fp, DHparams_print, DH_get_nid,
- DH_KDF_X9_42, DH_get0_engine, DH_get_length, DH_set_length, DH_meth_new,
- DH_meth_free, DH_meth_dup, DH_meth_get0_name, DH_meth_set1_name,
- DH_meth_get_flags, DH_meth_set_flags, DH_meth_get0_app_data,
- DH_meth_set0_app_data, DH_meth_get_generate_key,
- DH_meth_set_generate_key, DH_meth_get_compute_key,
- DH_meth_set_compute_key, DH_meth_get_bn_mod_exp,
- DH_meth_set_bn_mod_exp, DH_meth_get_init, DH_meth_set_init,
- DH_meth_get_finish, DH_meth_set_finish, DH_meth_get_generate_params
- and DH_meth_set_generate_params.
+ DH_KDF_X9_42, DH_get0_engine, DH_meth_new, DH_meth_free, DH_meth_dup,
+ DH_meth_get0_name, DH_meth_set1_name, DH_meth_get_flags, DH_meth_set_flags,
+ DH_meth_get0_app_data, DH_meth_set0_app_data, DH_meth_get_generate_key,
+ DH_meth_set_generate_key, DH_meth_get_compute_key, DH_meth_set_compute_key,
+ DH_meth_get_bn_mod_exp, DH_meth_set_bn_mod_exp, DH_meth_get_init,
+ DH_meth_set_init, DH_meth_get_finish, DH_meth_set_finish,
+ DH_meth_get_generate_params and DH_meth_set_generate_params.
Use of these low level functions has been informally discouraged for a long
time. Instead applications should use L<EVP_PKEY_derive_init(3)>
* All of the low level DSA functions have been deprecated including:
DSA_do_sign, DSA_do_verify, DSA_OpenSSL, DSA_set_default_method,
- DSA_get_default_method, DSA_set_method, DSA_get_method, DSA_new_method,
- DSA_sign_setup, DSA_sign, DSA_verify, DSA_get_ex_new_index,
- DSA_set_ex_data, DSA_get_ex_data, DSA_generate_parameters_ex,
- DSA_generate_key, DSA_meth_new, DSA_get0_engine, DSA_meth_free,
- DSA_meth_dup, DSA_meth_get0_name, DSA_meth_set1_name, DSA_meth_get_flags,
- DSA_meth_set_flags, DSA_meth_get0_app_data, DSA_meth_set0_app_data,
- DSA_meth_get_sign, DSA_meth_set_sign, DSA_meth_get_sign_setup,
- DSA_meth_set_sign_setup, DSA_meth_get_verify, DSA_meth_set_verify,
- DSA_meth_get_mod_exp, DSA_meth_set_mod_exp, DSA_meth_get_bn_mod_exp,
- DSA_meth_set_bn_mod_exp, DSA_meth_get_init, DSA_meth_set_init,
- DSA_meth_get_finish, DSA_meth_set_finish, DSA_meth_get_paramgen,
- DSA_meth_set_paramgen, DSA_meth_get_keygen and DSA_meth_set_keygen.
+ DSA_get_default_method, DSA_set_method, DSA_get_method,
+ DSA_new_method, DSA_size, DSA_security_bits, DSA_sign_setup, DSA_sign,
+ DSA_verify, DSA_get_ex_new_index, DSA_set_ex_data, DSA_get_ex_data,
+ DSA_generate_parameters_ex, DSA_generate_key, DSA_meth_new, DSA_get0_engine,
+ DSA_meth_free, DSA_meth_dup, DSA_meth_get0_name, DSA_meth_set1_name,
+ DSA_meth_get_flags, DSA_meth_set_flags, DSA_meth_get0_app_data,
+ DSA_meth_set0_app_data, DSA_meth_get_sign, DSA_meth_set_sign,
+ DSA_meth_get_sign_setup, DSA_meth_set_sign_setup, DSA_meth_get_verify,
+ DSA_meth_set_verify, DSA_meth_get_mod_exp, DSA_meth_set_mod_exp,
+ DSA_meth_get_bn_mod_exp, DSA_meth_set_bn_mod_exp, DSA_meth_get_init,
+ DSA_meth_set_init, DSA_meth_get_finish, DSA_meth_set_finish,
+ DSA_meth_get_paramgen, DSA_meth_set_paramgen, DSA_meth_get_keygen and
+ DSA_meth_set_keygen.
Use of these low level functions has been informally discouraged for a long
time. Instead applications should use L<EVP_DigestSignInit_ex(3)>,
replaced with no-ops.
*Rich Salz*
+
+ * Added documentation for the STACK API. OpenSSL only defines the STACK
+ functions where they are used.
+
+ *Rich Salz*
* Introduced a new method type and API, OSSL_SERIALIZER, to
represent generic serializers. An implementation is expected to
OpenSSL 1.1.1
-------------
-### Changes between 1.1.1d and 1.1.1e [xx XXX xxxx] ###
+### Changes between 1.1.1e and 1.1.1f [xx XXX xxxx] ###
+
+
+### Changes between 1.1.1d and 1.1.1e [17 Mar 2020] ###
+
+ * Properly detect EOF while reading in libssl. Previously if we hit an EOF
+ while reading in libssl then we would report an error back to the
+ application (SSL_ERROR_SYSCALL) but errno would be 0. We now add
+ an error to the stack (which means we instead return SSL_ERROR_SSL) and
+ therefore give a hint as to what went wrong.
+
+ *Matt Caswell*
+
+ * Check that ed25519 and ed448 are allowed by the security level. Previously
+ signature algorithms not using an MD were not being checked that they were
+ allowed by the security level.
+
+ *Kurt Roeckx*
+
+ * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername()
+ was not quite right. The behaviour was not consistent between resumption
+ and normal handshakes, and also not quite consistent with historical
+ behaviour. The behaviour in various scenarios has been clarified and
+ it has been updated to make it match historical behaviour as closely as
+ possible.
+
+ *Matt Caswell*
* *[VMS only]* The header files that the VMS compilers include automatically,
`__DECC_INCLUDE_PROLOGUE.H` and `__DECC_INCLUDE_EPILOGUE.H`, use pragmas