X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=CHANGES;h=164787c45d05c25347b7986dd63afac22f82a5e9;hp=63fe26c3c25d78cf8203929e7aa21c1a97e4e8df;hb=ed98df51c69717529dd7d775b35430c036216339;hpb=6ccfc8fa316f8dcfe4c943e5a43e9e3661be9cb1 diff --git a/CHANGES b/CHANGES index 63fe26c3c2..164787c45d 100644 --- a/CHANGES +++ b/CHANGES @@ -7,7 +7,233 @@ https://github.com/openssl/openssl/commits/ and pick the appropriate release branch. - Changes between 1.1.0i and 1.1.1 [xx XXX xxxx] + Changes between 1.1.1 and 3.0.0 [xx XXX xxxx] + + *) The functions AES_ige_encrypt() and AES_bi_ige_encrypt() have been + deprecated. These undocumented functions were never integrated into the EVP + layer and implement the AES Infinite Garble Extension (IGE) mode and AES + Bi-directional IGE mode. These modes were never formally standardised and + usage of these functions is believed to be very small. In particular + AES_bi_ige_encrypt() has a known bug. It accepts 2 AES keys, but only one + is ever used. The security implications are believed to be minimal, but + this issue was never fixed for backwards compatibility reasons. New code + should not use these modes. + [Matt Caswell] + + *) Add prediction resistance to the DRBG reseeding process. + [Paul Dale] + + *) Limit the number of blocks in a data unit for AES-XTS to 2^20 as + mandated by IEEE Std 1619-2018. + [Paul Dale] + + *) Added newline escaping functionality to a filename when using openssl dgst. + This output format is to replicate the output format found in the '*sum' + checksum programs. This aims to preserve backward compatibility. + [Matt Eaton, Richard Levitte, and Paul Dale] + + *) Removed the heartbeat message in DTLS feature, as it has very + little usage and doesn't seem to fulfill a valuable purpose. + The configuration option is now deprecated. + [Richard Levitte] + + *) Changed the output of 'openssl {digestname} < file' to display the + digest name in its output. + [Richard Levitte] + + *) Added a new generic trace API which provides support for enabling + instrumentation through trace output. This feature is mainly intended + as an aid for developers and is disabled by default. To utilize it, + OpenSSL needs to be configured with the `enable-trace` option. + + If the tracing API is enabled, the application can activate trace output + by registering BIOs as trace channels for a number of tracing and debugging + categories. + + The 'openssl' application has been expanded to enable any of the types + available via environment variables defined by the user, and serves as + one possible example on how to use this functionality. + [Richard Levitte & Matthias St. Pierre] + + *) Added build tests for C++. These are generated files that only do one + thing, to include one public OpenSSL head file each. This tests that + the public header files can be usefully included in a C++ application. + + This test isn't enabled by default. It can be enabled with the option + 'enable-buildtest-c++'. + [Richard Levitte] + + *) Add Single Step KDF (EVP_KDF_SS) to EVP_KDF. + [Shane Lontis] + + *) Add KMAC to EVP_MAC. + [Shane Lontis] + + *) Added property based algorithm implementation selection framework to + the core. + [Paul Dale] + + *) Added SCA hardening for modular field inversion in EC_GROUP through + a new dedicated field_inv() pointer in EC_METHOD. + This also addresses a leakage affecting conversions from projective + to affine coordinates. + [Billy Bob Brumley, Nicola Tuveri] + + *) Added EVP_KDF, an EVP layer KDF API, to simplify adding KDF and PRF + implementations. This includes an EVP_PKEY to EVP_KDF bridge for + those algorithms that were already supported through the EVP_PKEY API + (scrypt, TLS1 PRF and HKDF). The low-level KDF functions for PBKDF2 + and scrypt are now wrappers that call EVP_KDF. + [David Makepeace] + + *) Build devcrypto engine as a dynamic engine. + [Eneas U de Queiroz] + + *) Add keyed BLAKE2 to EVP_MAC. + [Antoine Salon] + + *) Fix a bug in the computation of the endpoint-pair shared secret used + by DTLS over SCTP. This breaks interoperability with older versions + of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2. There is a runtime + switch SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG (off by default) enabling + interoperability with such broken implementations. However, enabling + this switch breaks interoperability with correct implementations. + + *) Fix a use after free bug in d2i_X509_PUBKEY when overwriting a + re-used X509_PUBKEY object if the second PUBKEY is malformed. + [Bernd Edlinger] + + *) Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0(). + [Richard Levitte] + + *) Change the license to the Apache License v2.0. + [Richard Levitte] + + *) Change the possible version information given with OPENSSL_API_COMPAT. + It may be a pre-3.0.0 style numerical version number as it was defined + in 1.1.0, and it may also simply take the major version number. + + Because of the version numbering of pre-3.0.0 releases, the values 0, + 1 and 2 are equivalent to 0x00908000L (0.9.8), 0x10000000L (1.0.0) and + 0x10100000L (1.1.0), respectively. + [Richard Levitte] + + *) Switch to a new version scheme using three numbers MAJOR.MINOR.PATCH. + + o Major releases (indicated by incrementing the MAJOR release number) + may introduce incompatible API/ABI changes. + o Minor releases (indicated by incrementing the MINOR release number) + may introduce new features but retain API/ABI compatibility. + o Patch releases (indicated by incrementing the PATCH number) + are intended for bug fixes and other improvements of existing + features only (like improving performance or adding documentation) + and retain API/ABI compatibility. + [Richard Levitte] + + *) Add support for RFC5297 SIV mode (siv128), including AES-SIV. + [Todd Short] + + *) Remove the 'dist' target and add a tarball building script. The + 'dist' target has fallen out of use, and it shouldn't be + necessary to configure just to create a source distribution. + [Richard Levitte] + + *) Recreate the OS390-Unix config target. It no longer relies on a + special script like it did for OpenSSL pre-1.1.0. + [Richard Levitte] + + *) Instead of having the source directories listed in Configure, add + a 'build.info' keyword SUBDIRS to indicate what sub-directories to + look into. + [Richard Levitte] + + *) Add GMAC to EVP_MAC. + [Paul Dale] + + *) Ported the HMAC, CMAC and SipHash EVP_PKEY_METHODs to EVP_MAC. + [Richard Levitte] + + *) Added EVP_MAC, an EVP layer MAC API, to simplify adding MAC + implementations. This includes a generic EVP_PKEY to EVP_MAC bridge, + to facilitate the continued use of MACs through raw private keys in + functionality such as EVP_DigestSign* and EVP_DigestVerify*. + [Richard Levitte] + + *) Deprecate ECDH_KDF_X9_62() and mark its replacement as internal. Users + should use the EVP interface instead (EVP_PKEY_CTX_set_ecdh_kdf_type). + [Antoine Salon] + + *) Added EVP_PKEY_ECDH_KDF_X9_63 and ecdh_KDF_X9_63() as replacements for + the EVP_PKEY_ECDH_KDF_X9_62 KDF type and ECDH_KDF_X9_62(). The old names + are retained for backwards compatibility. + [Antoine Salon] + + *) AES-XTS mode now enforces that its two keys are different to mitigate + the attacked described in "Efficient Instantiations of Tweakable + Blockciphers and Refinements to Modes OCB and PMAC" by Phillip Rogaway. + Details of this attack can be obtained from: + http://web.cs.ucdavis.edu/%7Erogaway/papers/offsets.pdf + [Paul Dale] + + *) Rename the object files, i.e. give them other names than in previous + versions. Their names now include the name of the final product, as + well as its type mnemonic (bin, lib, shlib). + [Richard Levitte] + + *) Added new option for 'openssl list', '-objects', which will display the + list of built in objects, i.e. OIDs with names. + [Richard Levitte] + + *) Added support for Linux Kernel TLS data-path. The Linux Kernel data-path + improves application performance by removing data copies and providing + applications with zero-copy system calls such as sendfile and splice. + [Boris Pismenny] + + Changes between 1.1.1a and 1.1.1b [xx XXX xxxx] + + *) Change the info callback signals for the start and end of a post-handshake + message exchange in TLSv1.3. In 1.1.1/1.1.1a we used SSL_CB_HANDSHAKE_START + and SSL_CB_HANDSHAKE_DONE. Experience has shown that many applications get + confused by this and assume that a TLSv1.2 renegotiation has started. This + can break KeyUpdate handling. Instead we no longer signal the start and end + of a post handshake message exchange (although the messages themselves are + still signalled). This could break some applications that were expecting + the old signals. However without this KeyUpdate is not usable for many + applications. + [Matt Caswell] + + Changes between 1.1.1 and 1.1.1a [20 Nov 2018] + + *) Timing vulnerability in DSA signature generation + + The OpenSSL DSA signature algorithm has been shown to be vulnerable to a + timing side channel attack. An attacker could use variations in the signing + algorithm to recover the private key. + + This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser. + (CVE-2018-0734) + [Paul Dale] + + *) Timing vulnerability in ECDSA signature generation + + The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a + timing side channel attack. An attacker could use variations in the signing + algorithm to recover the private key. + + This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser. + (CVE-2018-0735) + [Paul Dale] + + *) Fixed the issue that RAND_add()/RAND_seed() silently discards random input + if its length exceeds 4096 bytes. The limit has been raised to a buffer size + of two gigabytes and the error handling improved. + + This issue was reported to OpenSSL by Dr. Falko Strenzke. It has been + categorized as a normal bug, not a security issue, because the DRBG reseeds + automatically and is fully functional even without additional randomness + provided by the application. + + Changes between 1.1.0i and 1.1.1 [11 Sep 2018] *) Add a new ClientHello callback. Provides a callback interface that gives the application the ability to adjust the nascent SSL object at the @@ -11380,7 +11606,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k (still largely untested) [Bodo Moeller] - *) New function ANS1_tag2str() to convert an ASN1 tag to a descriptive + *) New function ASN1_tag2str() to convert an ASN1 tag to a descriptive ASCII string. This was handled independently in various places before. [Steve Henson] @@ -13103,4 +13329,3 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) A minor bug in ssl/s3_clnt.c where there would always be 4 0 bytes sent in the client random. [Edward Bishop ] -