Changes between 1.1.1 and 3.0.0 [xx XXX xxxx]
+ *) Deprecated EVP_PKEY_decrypt_old(), please use EVP_PKEY_decrypt_init()
+ and EVP_PKEY_decrypt() instead.
+ Deprecated EVP_PKEY_encrypt_old(), please use EVP_PKEY_encrypt_init()
+ and EVP_PKEY_encrypt() instead.
+ [Richard Levitte]
+
+ *) Enhanced the documentation of EVP_PKEY_size(), EVP_PKEY_bits()
+ and EVP_PKEY_security_bits(). Especially EVP_PKEY_size() needed
+ a new formulation to include all the things it can be used for,
+ as well as words of caution.
+ [Richard Levitte]
+
+ *) The SSL_CTX_set_tlsext_ticket_key_cb(3) function has been deprecated.
+ Instead used the new SSL_CTX_set_tlsext_ticket_key_evp_cb(3) function.
+ [Paul Dale]
+
+ *) All of the low level HMAC functions have been deprecated including:
+ HMAC, HMAC_size, HMAC_CTX_new, HMAC_CTX_reset, HMAC_CTX_free,
+ HMAC_Init_ex, HMAC_Update, HMAC_Final, HMAC_CTX_copy, HMAC_CTX_set_flags
+ and HMAC_CTX_get_md.
+ Use of these low level functions has been informally discouraged for a long
+ time. Instead applications should use L<EVP_MAC_CTX_new(3)>,
+ L<EVP_MAC_CTX_free(3)>, L<EVP_MAC_init(3)>, L<EVP_MAC_update(3)>
+ and L<EVP_MAC_final(3)>.
+ [Paul Dale]
+
+ *) All of the low level CMAC functions have been deprecated including:
+ CMAC_CTX_new, CMAC_CTX_cleanup, CMAC_CTX_free, CMAC_CTX_get0_cipher_ctx,
+ CMAC_CTX_copy, CMAC_Init, CMAC_Update, CMAC_Final and CMAC_resume.
+ Use of these low level functions has been informally discouraged for a long
+ time. Instead applications should use L<EVP_MAC_CTX_new(3)>,
+ L<EVP_MAC_CTX_free(3)>, L<EVP_MAC_init(3)>, L<EVP_MAC_update(3)>
+ and L<EVP_MAC_final(3)>.
+ [Paul Dale]
+
+ *) All of the low level MD2, MD4, MD5, MDC2, RIPEMD160, SHA1, SHA224, SHA256,
+ SHA384, SHA512 and Whirlpool digest functions have been deprecated.
+ These include:
+ MD2, MD2_options, MD2_Init, MD2_Update, MD2_Final, MD4, MD4_Init,
+ MD4_Update, MD4_Final, MD4_Transform, MD5, MD5_Init, MD5_Update,
+ MD5_Final, MD5_Transform, MDC2, MDC2_Init, MDC2_Update, MDC2_Final,
+ RIPEMD160, RIPEMD160_Init, RIPEMD160_Update, RIPEMD160_Final,
+ RIPEMD160_Transform, SHA1_Init, SHA1_Update, SHA1_Final,
+ SHA1_Transform, SHA224_Init, SHA224_Update, SHA224_Final,
+ SHA224_Transform, SHA256_Init, SHA256_Update, SHA256_Final,
+ SHA256_Transform, SHA384, SHA384_Init, SHA384_Update, SHA384_Final,
+ SHA512, SHA512_Init, SHA512_Update, SHA512_Final, SHA512_Transform,
+ WHIRLPOOL, WHIRLPOOL_Init, WHIRLPOOL_Update, WHIRLPOOL_BitUpdate
+ and WHIRLPOOL_Final.
+
+ Use of these low level functions has been informally discouraged for a long
+ time. Instead applications should instead use the EVP_DigestInit_ex,
+ EVP_DigestUpdate(3) and EVP_DigestFinal_ex(3) functions.
+ [Paul Dale]
+
+ *) Corrected the documentation of the return values from the EVP_DigestSign*
+ set of functions. The documentation mentioned negative values for some
+ errors, but this was never the case, so the mention of negative values
+ was removed.
+
+ Code that followed the documentation and thereby check with something
+ like 'EVP_DigestSignInit(...) <= 0' will continue to work undisturbed.
+ [Richard Levitte]
+
+ *) All of the low level cipher functions have been deprecated including:
+ AES_options, AES_set_encrypt_key, AES_set_decrypt_key, AES_encrypt,
+ AES_decrypt, AES_ecb_encrypt, AES_cbc_encrypt, AES_cfb128_encrypt,
+ AES_cfb1_encrypt, AES_cfb8_encrypt, AES_ofb128_encrypt,
+ AES_wrap_key, AES_unwrap_key, BF_set_key, BF_encrypt, BF_decrypt,
+ BF_ecb_encrypt, BF_cbc_encrypt, BF_cfb64_encrypt, BF_ofb64_encrypt,
+ BF_options, Camellia_set_key, Camellia_encrypt, Camellia_decrypt,
+ Camellia_ecb_encrypt, Camellia_cbc_encrypt, Camellia_cfb128_encrypt,
+ Camellia_cfb1_encrypt, Camellia_cfb8_encrypt, Camellia_ofb128_encrypt,
+ Camellia_ctr128_encrypt, CAST_set_key, CAST_encrypt, CAST_decrypt,
+ CAST_ecb_encrypt, CAST_cbc_encrypt, CAST_cfb64_encrypt,
+ CAST_ofb64_encrypt, DES_options, DES_encrypt1, DES_encrypt2,
+ DES_encrypt3, DES_decrypt3, DES_cbc_encrypt, DES_ncbc_encrypt,
+ DES_pcbc_encrypt, DES_xcbc_encrypt, DES_cfb_encrypt, DES_cfb64_encrypt,
+ DES_ecb_encrypt, DES_ofb_encrypt, DES_ofb64_encrypt, DES_random_key,
+ DES_set_odd_parity, DES_check_key_parity, DES_is_weak_key, DES_set_key,
+ DES_key_sched, DES_set_key_checked, DES_set_key_unchecked,
+ DES_string_to_key, DES_string_to_2keys, DES_fixup_key_parity,
+ DES_ecb2_encrypt, DES_ede2_cbc_encrypt, DES_ede2_cfb64_encrypt,
+ DES_ede2_ofb64_encrypt, DES_ecb3_encrypt, DES_ede3_cbc_encrypt,
+ DES_ede3_cfb64_encrypt, DES_ede3_cfb_encrypt, DES_ede3_ofb64_encrypt,
+ DES_cbc_cksum, DES_quad_cksum, IDEA_encrypt, IDEA_options,
+ IDEA_ecb_encrypt, IDEA_set_encrypt_key, IDEA_set_decrypt_key,
+ IDEA_cbc_encrypt, IDEA_cfb64_encrypt, IDEA_ofb64_encrypt, RC2_set_key,
+ RC2_encrypt, RC2_decrypt, RC2_ecb_encrypt, RC2_cbc_encrypt,
+ RC2_cfb64_encrypt, RC2_ofb64_encrypt, RC4, RC4_options, RC4_set_key,
+ RC5_32_set_key, RC5_32_encrypt, RC5_32_decrypt, RC5_32_ecb_encrypt,
+ RC5_32_cbc_encrypt, RC5_32_cfb64_encrypt, RC5_32_ofb64_encrypt,
+ SEED_set_key, SEED_encrypt, SEED_decrypt, SEED_ecb_encrypt,
+ SEED_cbc_encrypt, SEED_cfb128_encrypt and SEED_ofb128_encrypt.
+
+ Use of these low level functions has been informally discouraged for a long
+ time. Instead applications should use the high level EVP APIs, e.g.
+ EVP_EncryptInit_ex, EVP_EncryptUpdate, EVP_EncryptFinal_ex, and the
+ equivalently named decrypt functions.
+ [Matt Caswell and Paul Dale]
+
+ *) Removed include/openssl/opensslconf.h.in and replaced it with
+ include/openssl/configuration.h.in, which differs in not including
+ <openssl/macros.h>. A short header include/openssl/opensslconf.h
+ was added to include both.
+
+ This allows internal hacks where one might need to modify the set
+ of configured macros, for example this if deprecated symbols are
+ still supposed to be available internally:
+
+ #include <openssl/configuration.h>
+
+ #undef OPENSSL_NO_DEPRECATED
+ #define OPENSSL_SUPPRESS_DEPRECATED
+
+ #include <openssl/macros.h>
+
+ This should not be used by applications that use the exported
+ symbols, as that will lead to linking errors.
+ [Richard Levitte]
+
+ *) Fixed an an overflow bug in the x64_64 Montgomery squaring procedure
+ used in exponentiation with 512-bit moduli. No EC algorithms are
+ affected. Analysis suggests that attacks against 2-prime RSA1024,
+ 3-prime RSA1536, and DSA1024 as a result of this defect would be very
+ difficult to perform and are not believed likely. Attacks against DH512
+ are considered just feasible. However, for an attack the target would
+ have to re-use the DH512 private key, which is not recommended anyway.
+ Also applications directly using the low level API BN_mod_exp may be
+ affected if they use BN_FLG_CONSTTIME.
+ (CVE-2019-1551)
+ [Andy Polyakov]
+
+ *) Most memory-debug features have been deprecated, and the functionality
+ replaced with no-ops.
+ [Rich Salz]
+
+ *) Introduced a new method type and API, OSSL_SERIALIZER, to
+ represent generic serializers. An implementation is expected to
+ be able to serialize an object associated with a given name (such
+ as an algorithm name for an asymmetric key) into forms given by
+ implementation properties.
+
+ Serializers are primarily used from inside libcrypto, through
+ calls to functions like EVP_PKEY_print_private(),
+ PEM_write_bio_PrivateKey() and similar.
+
+ Serializers are specified in such a way that they can be made to
+ directly handle the provider side portion of an object, if this
+ provider side part comes from the same provider as the serializer
+ itself, but can also be made to handle objects in parametrized
+ form (as an OSSL_PARAM array of data). This allows a provider to
+ offer generic serializers as a service for any other provider.
+ [Richard Levitte]
+
+ *) Added a .pragma directive to the syntax of configuration files, to
+ allow varying behavior in a supported and predictable manner.
+ Currently added pragma:
+
+ .pragma dollarid:on
+
+ This allows dollar signs to be a keyword character unless it's
+ followed by a opening brace or parenthesis. This is useful for
+ platforms where dollar signs are commonly used in names, such as
+ volume names and system directory names on VMS.
+ [Richard Levitte]
+
+ *) Added functionality to create an EVP_PKEY from user data. This
+ is effectively the same as creating a RSA, DH or DSA object and
+ then assigning them to an EVP_PKEY, but directly using algorithm
+ agnostic EVP functions. A benefit is that this should be future
+ proof for public key algorithms to come.
+ [Richard Levitte]
+
+ *) Change the interpretation of the '--api' configuration option to
+ mean that this is a desired API compatibility level with no
+ further meaning. The previous interpretation, that this would
+ also mean to remove all deprecated symbols up to and including
+ the given version, no requires that 'no-deprecated' is also used
+ in the configuration.
+
+ When building applications, the desired API compatibility level
+ can be set with the OPENSSL_API_COMPAT macro like before. For
+ API compatibility version below 3.0, the old style numerical
+ value is valid as before, such as -DOPENSSL_API_COMPAT=0x10100000L.
+ For version 3.0 and on, the value is expected to be the decimal
+ value calculated from the major and minor version like this:
+
+ MAJOR * 10000 + MINOR * 100
+
+ Examples:
+
+ -DOPENSSL_API_COMPAT=30000 For 3.0
+ -DOPENSSL_API_COMPAT=30200 For 3.2
+
+ To hide declarations that are deprecated up to and including the
+ given API compatibility level, -DOPENSSL_NO_DEPRECATED must be
+ given when building the application as well.
+ [Richard Levitte]
+
+ *) Added the X509_LOOKUP_METHOD called X509_LOOKUP_store, to allow
+ access to certificate and CRL stores via URIs and OSSL_STORE
+ loaders.
+
+ This adds the following functions:
+
+ X509_LOOKUP_store()
+ X509_STORE_load_file()
+ X509_STORE_load_path()
+ X509_STORE_load_store()
+ SSL_add_store_cert_subjects_to_stack()
+ SSL_CTX_set_default_verify_store()
+ SSL_CTX_load_verify_file()
+ SSL_CTX_load_verify_dir()
+ SSL_CTX_load_verify_store()
+
+ Also, the following functions are now deprecated:
+
+ - X509_STORE_load_locations() (use X509_STORE_load_file(),
+ X509_STORE_load_path() or X509_STORE_load_store() instead)
+ - SSL_CTX_load_verify_locations() (use SSL_CTX_load_verify_file(),
+ SSL_CTX_load_verify_dir() or SSL_CTX_load_verify_store() instead)
+ [Richard Levitte]
+
+ *) Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY.
+ The presence of this system service is determined at run-time.
+ [Richard Levitte]
+
+ *) Added functionality to create an EVP_PKEY context based on data
+ for methods from providers. This takes an algorithm name and a
+ property query string and simply stores them, with the intent
+ that any operation that uses this context will use those strings
+ to fetch the needed methods implicitly, thereby making the port
+ of application written for pre-3.0 OpenSSL easier.
+ [Richard Levitte]
+
+ *) The undocumented function NCONF_WIN32() has been deprecated; for
+ conversion details see the HISTORY section of doc/man5/config.pod
+ [Rich Salz]
+
+ *) Introduced the new functions EVP_DigestSignInit_ex() and
+ EVP_DigestVerifyInit_ex(). The macros EVP_DigestSignUpdate() and
+ EVP_DigestVerifyUpdate() have been converted to functions. See the man
+ pages for further details.
+ [Matt Caswell]
+
+ *) Most common options (such as -rand/-writerand, TLS version control, etc)
+ were refactored and point to newly-enhanced descriptions in openssl.pod
+ [Rich Salz]
+
+ *) Over two thousand fixes were made to the documentation, including:
+ adding missing command flags, better style conformance, documentation
+ of internals, etc.
+ [Rich Salz, Richard Levitte]
+
+ *) s390x assembly pack: add hardware-support for P-256, P-384, P-521,
+ X25519, X448, Ed25519 and Ed448.
+ [Patrick Steuer]
+
+ *) Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just
+ the first value.
+ [Jon Spillett]
+
+ *) Deprecated the public definition of ERR_STATE as well as the function
+ ERR_get_state(). This is done in preparation of making ERR_STATE an
+ opaque type.
+ [Richard Levitte]
+
+ *) Added ERR functionality to give callers access to the stored function
+ names that have replaced the older function code based functions.
+
+ New functions are ERR_get_error_func(), ERR_peek_error_func(),
+ ERR_peek_last_error_func(), ERR_get_error_data(), ERR_peek_error_data(),
+ ERR_peek_last_error_data(), ERR_get_error_all(), ERR_peek_error_all()
+ and ERR_peek_last_error_all().
+
+ These functions have become deprecated: ERR_get_error_line_data(),
+ ERR_peek_error_line_data(), ERR_peek_last_error_line_data() and
+ ERR_func_error_string().
+ [Richard Levitte]
+
+ *) Extended testing to be verbose for failing tests only. The make variables
+ VERBOSE_FAILURE or VF can be used to enable this:
+
+ $ make VF=1 test # Unix
+ $ mms /macro=(VF=1) test ! OpenVMS
+ $ nmake VF=1 test # Windows
+
+ [Richard Levitte]
+
+ *) For built-in EC curves, ensure an EC_GROUP built from the curve name is
+ used even when parsing explicit parameters, when loading a serialized key
+ or calling `EC_GROUP_new_from_ecpkparameters()`/
+ `EC_GROUP_new_from_ecparameters()`.
+ This prevents bypass of security hardening and performance gains,
+ especially for curves with specialized EC_METHODs.
+ By default, if a key encoded with explicit parameters is loaded and later
+ serialized, the output is still encoded with explicit parameters, even if
+ internally a "named" EC_GROUP is used for computation.
+ [Nicola Tuveri]
+
+ *) Compute ECC cofactors if not provided during EC_GROUP construction. Before
+ this change, EC_GROUP_set_generator would accept order and/or cofactor as
+ NULL. After this change, only the cofactor parameter can be NULL. It also
+ does some minimal sanity checks on the passed order.
+ (CVE-2019-1547)
+ [Billy Bob Brumley]
+
+ *) Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
+ An attack is simple, if the first CMS_recipientInfo is valid but the
+ second CMS_recipientInfo is chosen ciphertext. If the second
+ recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
+ encryption key will be replaced by garbage, and the message cannot be
+ decoded, but if the RSA decryption fails, the correct encryption key is
+ used and the recipient will not notice the attack.
+ As a work around for this potential attack the length of the decrypted
+ key must be equal to the cipher default key length, in case the
+ certifiate is not given and all recipientInfo are tried out.
+ The old behaviour can be re-enabled in the CMS code by setting the
+ CMS_DEBUG_DECRYPT flag.
+ [Bernd Edlinger]
+
+ *) Early start up entropy quality from the DEVRANDOM seed source has been
+ improved for older Linux systems. The RAND subsystem will wait for
+ /dev/random to be producing output before seeding from /dev/urandom.
+ The seeded state is stored for future library initialisations using
+ a system global shared memory segment. The shared memory identifier
+ can be configured by defining OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID to
+ the desired value. The default identifier is 114.
+ [Paul Dale]
+
+ *) Revised BN_generate_prime_ex to not avoid factors 2..17863 in p-1
+ when primes for RSA keys are computed.
+ Since we previously always generated primes == 2 (mod 3) for RSA keys,
+ the 2-prime and 3-prime RSA modules were easy to distinguish, since
+ N = p*q = 1 (mod 3), but N = p*q*r = 2 (mod 3). Therefore fingerprinting
+ 2-prime vs. 3-prime RSA keys was possible by computing N mod 3.
+ This avoids possible fingerprinting of newly generated RSA modules.
+ [Bernd Edlinger]
+
*) Correct the extended master secret constant on EBCDIC systems. Without this
fix TLS connections between an EBCDIC system and a non-EBCDIC system that
negotiate EMS will fail. Unfortunately this also means that TLS connections
*) Change the license to the Apache License v2.0.
[Richard Levitte]
- *) Change the possible version information given with OPENSSL_API_COMPAT.
- It may be a pre-3.0.0 style numerical version number as it was defined
- in 1.1.0, and it may also simply take the major version number.
-
- Because of the version numbering of pre-3.0.0 releases, the values 0,
- 1 and 2 are equivalent to 0x00908000L (0.9.8), 0x10000000L (1.0.0) and
- 0x10100000L (1.1.0), respectively.
- [Richard Levitte]
-
*) Switch to a new version scheme using three numbers MAJOR.MINOR.PATCH.
o Major releases (indicated by incrementing the MAJOR release number)
projects / openssl.git / blobdiff