X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=CHANGES;h=1750162a1081c50fa2ee12f08facf6228e0b9b85;hp=f6062af7668e17049813efac566ab434d8233e1e;hb=31a796d1cc884c727a226d3dfba6a1ad7a50b865;hpb=12df11bdf11fb6a3410483b0097f032e329b4623 diff --git a/CHANGES b/CHANGES index f6062af766..1750162a10 100644 --- a/CHANGES +++ b/CHANGES @@ -9,6 +9,426 @@ Changes between 1.1.1 and 3.0.0 [xx XXX xxxx] + *) Reworked the treatment of EC EVP_PKEYs with the SM2 curve to + automatically become EVP_PKEY_SM2 rather than EVP_PKEY_EC. + This means that applications don't have to look at the curve NID and + 'EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2)' to get SM2 computations. + However, they still can, that EVP_PKEY_set_alias_type() call acts as + a no-op when the EVP_PKEY is already of the given type. + + Parameter and key generation is also reworked to make it possible + to generate EVP_PKEY_SM2 parameters and keys without having to go + through EVP_PKEY_EC generation and then change the EVP_PKEY type. + However, code that does the latter will still work as before. + [Richard Levitte] + + *) Deprecated low level ECDH and ECDSA functions. These include: + + ECDH_compute_key, ECDSA_do_sign, ECDSA_do_sign_ex, ECDSA_do_verify, + ECDSA_sign_setup, ECDSA_sign, ECDSA_sign_ex, ECDSA_verify and + ECDSA_size. + + Use of these low level functions has been informally discouraged for a long + time. Instead applications should use the EVP_PKEY_derive(3), + EVP_DigestSign(3) and EVP_DigestVerify(3) functions. + [Paul Dale] + + *) Deprecated the EC_KEY_METHOD functions. These include: + + EC_KEY_METHOD_new, EC_KEY_METHOD_free, EC_KEY_METHOD_set_init, + EC_KEY_METHOD_set_keygen, EC_KEY_METHOD_set_compute_key, + EC_KEY_METHOD_set_sign, EC_KEY_METHOD_set_verify, + EC_KEY_METHOD_get_init, EC_KEY_METHOD_get_keygen, + EC_KEY_METHOD_get_compute_key, EC_KEY_METHOD_get_sign and + EC_KEY_METHOD_get_verify. + + Instead applications and extension writers should use the OSSL_PROVIDER + APIs. + [Paul Dale] + + *) Deprecated EVP_PKEY_decrypt_old(), please use EVP_PKEY_decrypt_init() + and EVP_PKEY_decrypt() instead. + Deprecated EVP_PKEY_encrypt_old(), please use EVP_PKEY_encrypt_init() + and EVP_PKEY_encrypt() instead. + [Richard Levitte] + + *) Enhanced the documentation of EVP_PKEY_size(), EVP_PKEY_bits() + and EVP_PKEY_security_bits(). Especially EVP_PKEY_size() needed + a new formulation to include all the things it can be used for, + as well as words of caution. + [Richard Levitte] + + *) The SSL_CTX_set_tlsext_ticket_key_cb(3) function has been deprecated. + Instead used the new SSL_CTX_set_tlsext_ticket_key_evp_cb(3) function. + [Paul Dale] + + *) All of the low level HMAC functions have been deprecated including: + HMAC, HMAC_size, HMAC_CTX_new, HMAC_CTX_reset, HMAC_CTX_free, + HMAC_Init_ex, HMAC_Update, HMAC_Final, HMAC_CTX_copy, HMAC_CTX_set_flags + and HMAC_CTX_get_md. + Use of these low level functions has been informally discouraged for a long + time. Instead applications should use L, + L, L, L + and L. + [Paul Dale] + + *) All of the low level CMAC functions have been deprecated including: + CMAC_CTX_new, CMAC_CTX_cleanup, CMAC_CTX_free, CMAC_CTX_get0_cipher_ctx, + CMAC_CTX_copy, CMAC_Init, CMAC_Update, CMAC_Final and CMAC_resume. + Use of these low level functions has been informally discouraged for a long + time. Instead applications should use L, + L, L, L + and L. + [Paul Dale] + + *) All of the low level MD2, MD4, MD5, MDC2, RIPEMD160, SHA1, SHA224, SHA256, + SHA384, SHA512 and Whirlpool digest functions have been deprecated. + These include: + + MD2, MD2_options, MD2_Init, MD2_Update, MD2_Final, MD4, MD4_Init, + MD4_Update, MD4_Final, MD4_Transform, MD5, MD5_Init, MD5_Update, + MD5_Final, MD5_Transform, MDC2, MDC2_Init, MDC2_Update, MDC2_Final, + RIPEMD160, RIPEMD160_Init, RIPEMD160_Update, RIPEMD160_Final, + RIPEMD160_Transform, SHA1_Init, SHA1_Update, SHA1_Final, SHA1_Transform, + SHA224_Init, SHA224_Update, SHA224_Final, SHA224_Transform, SHA256_Init, + SHA256_Update, SHA256_Final, SHA256_Transform, SHA384, SHA384_Init, + SHA384_Update, SHA384_Final, SHA512, SHA512_Init, SHA512_Update, + SHA512_Final, SHA512_Transform, WHIRLPOOL, WHIRLPOOL_Init, + WHIRLPOOL_Update, WHIRLPOOL_BitUpdate and WHIRLPOOL_Final. + + Use of these low level functions has been informally discouraged + for a long time. Applications should use the EVP_DigestInit_ex(3), + EVP_DigestUpdate(3) and EVP_DigestFinal_ex(3) functions instead. + [Paul Dale] + + *) Corrected the documentation of the return values from the EVP_DigestSign* + set of functions. The documentation mentioned negative values for some + errors, but this was never the case, so the mention of negative values + was removed. + + Code that followed the documentation and thereby check with something + like 'EVP_DigestSignInit(...) <= 0' will continue to work undisturbed. + [Richard Levitte] + + *) All of the low level cipher functions have been deprecated including: + + AES_options, AES_set_encrypt_key, AES_set_decrypt_key, AES_encrypt, + AES_decrypt, AES_ecb_encrypt, AES_cbc_encrypt, AES_cfb128_encrypt, + AES_cfb1_encrypt, AES_cfb8_encrypt, AES_ofb128_encrypt, + AES_wrap_key, AES_unwrap_key, BF_set_key, BF_encrypt, BF_decrypt, + BF_ecb_encrypt, BF_cbc_encrypt, BF_cfb64_encrypt, BF_ofb64_encrypt, + BF_options, Camellia_set_key, Camellia_encrypt, Camellia_decrypt, + Camellia_ecb_encrypt, Camellia_cbc_encrypt, Camellia_cfb128_encrypt, + Camellia_cfb1_encrypt, Camellia_cfb8_encrypt, Camellia_ofb128_encrypt, + Camellia_ctr128_encrypt, CAST_set_key, CAST_encrypt, CAST_decrypt, + CAST_ecb_encrypt, CAST_cbc_encrypt, CAST_cfb64_encrypt, + CAST_ofb64_encrypt, DES_options, DES_encrypt1, DES_encrypt2, + DES_encrypt3, DES_decrypt3, DES_cbc_encrypt, DES_ncbc_encrypt, + DES_pcbc_encrypt, DES_xcbc_encrypt, DES_cfb_encrypt, DES_cfb64_encrypt, + DES_ecb_encrypt, DES_ofb_encrypt, DES_ofb64_encrypt, DES_random_key, + DES_set_odd_parity, DES_check_key_parity, DES_is_weak_key, DES_set_key, + DES_key_sched, DES_set_key_checked, DES_set_key_unchecked, + DES_string_to_key, DES_string_to_2keys, DES_fixup_key_parity, + DES_ecb2_encrypt, DES_ede2_cbc_encrypt, DES_ede2_cfb64_encrypt, + DES_ede2_ofb64_encrypt, DES_ecb3_encrypt, DES_ede3_cbc_encrypt, + DES_ede3_cfb64_encrypt, DES_ede3_cfb_encrypt, DES_ede3_ofb64_encrypt, + DES_cbc_cksum, DES_quad_cksum, IDEA_encrypt, IDEA_options, + IDEA_ecb_encrypt, IDEA_set_encrypt_key, IDEA_set_decrypt_key, + IDEA_cbc_encrypt, IDEA_cfb64_encrypt, IDEA_ofb64_encrypt, RC2_set_key, + RC2_encrypt, RC2_decrypt, RC2_ecb_encrypt, RC2_cbc_encrypt, + RC2_cfb64_encrypt, RC2_ofb64_encrypt, RC4, RC4_options, RC4_set_key, + RC5_32_set_key, RC5_32_encrypt, RC5_32_decrypt, RC5_32_ecb_encrypt, + RC5_32_cbc_encrypt, RC5_32_cfb64_encrypt, RC5_32_ofb64_encrypt, + SEED_set_key, SEED_encrypt, SEED_decrypt, SEED_ecb_encrypt, + SEED_cbc_encrypt, SEED_cfb128_encrypt and SEED_ofb128_encrypt. + + Use of these low level functions has been informally discouraged for + a long time. Applications should use the high level EVP APIs, e.g. + EVP_EncryptInit_ex, EVP_EncryptUpdate, EVP_EncryptFinal_ex, and the + equivalently named decrypt functions instead. + [Matt Caswell and Paul Dale] + + *) Removed include/openssl/opensslconf.h.in and replaced it with + include/openssl/configuration.h.in, which differs in not including + . A short header include/openssl/opensslconf.h + was added to include both. + + This allows internal hacks where one might need to modify the set + of configured macros, for example this if deprecated symbols are + still supposed to be available internally: + + #include + + #undef OPENSSL_NO_DEPRECATED + #define OPENSSL_SUPPRESS_DEPRECATED + + #include + + This should not be used by applications that use the exported + symbols, as that will lead to linking errors. + [Richard Levitte] + + *) Fixed an an overflow bug in the x64_64 Montgomery squaring procedure + used in exponentiation with 512-bit moduli. No EC algorithms are + affected. Analysis suggests that attacks against 2-prime RSA1024, + 3-prime RSA1536, and DSA1024 as a result of this defect would be very + difficult to perform and are not believed likely. Attacks against DH512 + are considered just feasible. However, for an attack the target would + have to re-use the DH512 private key, which is not recommended anyway. + Also applications directly using the low level API BN_mod_exp may be + affected if they use BN_FLG_CONSTTIME. + (CVE-2019-1551) + [Andy Polyakov] + + *) Most memory-debug features have been deprecated, and the functionality + replaced with no-ops. + [Rich Salz] + + *) Introduced a new method type and API, OSSL_SERIALIZER, to + represent generic serializers. An implementation is expected to + be able to serialize an object associated with a given name (such + as an algorithm name for an asymmetric key) into forms given by + implementation properties. + + Serializers are primarily used from inside libcrypto, through + calls to functions like EVP_PKEY_print_private(), + PEM_write_bio_PrivateKey() and similar. + + Serializers are specified in such a way that they can be made to + directly handle the provider side portion of an object, if this + provider side part comes from the same provider as the serializer + itself, but can also be made to handle objects in parametrized + form (as an OSSL_PARAM array of data). This allows a provider to + offer generic serializers as a service for any other provider. + [Richard Levitte] + + *) Added a .pragma directive to the syntax of configuration files, to + allow varying behavior in a supported and predictable manner. + Currently added pragma: + + .pragma dollarid:on + + This allows dollar signs to be a keyword character unless it's + followed by a opening brace or parenthesis. This is useful for + platforms where dollar signs are commonly used in names, such as + volume names and system directory names on VMS. + [Richard Levitte] + + *) Added functionality to create an EVP_PKEY from user data. This + is effectively the same as creating a RSA, DH or DSA object and + then assigning them to an EVP_PKEY, but directly using algorithm + agnostic EVP functions. A benefit is that this should be future + proof for public key algorithms to come. + [Richard Levitte] + + *) Change the interpretation of the '--api' configuration option to + mean that this is a desired API compatibility level with no + further meaning. The previous interpretation, that this would + also mean to remove all deprecated symbols up to and including + the given version, no requires that 'no-deprecated' is also used + in the configuration. + + When building applications, the desired API compatibility level + can be set with the OPENSSL_API_COMPAT macro like before. For + API compatibility version below 3.0, the old style numerical + value is valid as before, such as -DOPENSSL_API_COMPAT=0x10100000L. + For version 3.0 and on, the value is expected to be the decimal + value calculated from the major and minor version like this: + + MAJOR * 10000 + MINOR * 100 + + Examples: + + -DOPENSSL_API_COMPAT=30000 For 3.0 + -DOPENSSL_API_COMPAT=30200 For 3.2 + + To hide declarations that are deprecated up to and including the + given API compatibility level, -DOPENSSL_NO_DEPRECATED must be + given when building the application as well. + [Richard Levitte] + + *) Added the X509_LOOKUP_METHOD called X509_LOOKUP_store, to allow + access to certificate and CRL stores via URIs and OSSL_STORE + loaders. + + This adds the following functions: + + X509_LOOKUP_store() + X509_STORE_load_file() + X509_STORE_load_path() + X509_STORE_load_store() + SSL_add_store_cert_subjects_to_stack() + SSL_CTX_set_default_verify_store() + SSL_CTX_load_verify_file() + SSL_CTX_load_verify_dir() + SSL_CTX_load_verify_store() + + Also, the following functions are now deprecated: + + - X509_STORE_load_locations() (use X509_STORE_load_file(), + X509_STORE_load_path() or X509_STORE_load_store() instead) + - SSL_CTX_load_verify_locations() (use SSL_CTX_load_verify_file(), + SSL_CTX_load_verify_dir() or SSL_CTX_load_verify_store() instead) + [Richard Levitte] + + *) Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY. + The presence of this system service is determined at run-time. + [Richard Levitte] + + *) Added functionality to create an EVP_PKEY context based on data + for methods from providers. This takes an algorithm name and a + property query string and simply stores them, with the intent + that any operation that uses this context will use those strings + to fetch the needed methods implicitly, thereby making the port + of application written for pre-3.0 OpenSSL easier. + [Richard Levitte] + + *) The undocumented function NCONF_WIN32() has been deprecated; for + conversion details see the HISTORY section of doc/man5/config.pod + [Rich Salz] + + *) Introduced the new functions EVP_DigestSignInit_ex() and + EVP_DigestVerifyInit_ex(). The macros EVP_DigestSignUpdate() and + EVP_DigestVerifyUpdate() have been converted to functions. See the man + pages for further details. + [Matt Caswell] + + *) Most common options (such as -rand/-writerand, TLS version control, etc) + were refactored and point to newly-enhanced descriptions in openssl.pod + [Rich Salz] + + *) Over two thousand fixes were made to the documentation, including: + adding missing command flags, better style conformance, documentation + of internals, etc. + [Rich Salz, Richard Levitte] + + *) s390x assembly pack: add hardware-support for P-256, P-384, P-521, + X25519, X448, Ed25519 and Ed448. + [Patrick Steuer] + + *) Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just + the first value. + [Jon Spillett] + + *) Deprecated the public definition of ERR_STATE as well as the function + ERR_get_state(). This is done in preparation of making ERR_STATE an + opaque type. + [Richard Levitte] + + *) Added ERR functionality to give callers access to the stored function + names that have replaced the older function code based functions. + + New functions are ERR_get_error_func(), ERR_peek_error_func(), + ERR_peek_last_error_func(), ERR_get_error_data(), ERR_peek_error_data(), + ERR_peek_last_error_data(), ERR_get_error_all(), ERR_peek_error_all() + and ERR_peek_last_error_all(). + + These functions have become deprecated: ERR_get_error_line_data(), + ERR_peek_error_line_data(), ERR_peek_last_error_line_data() and + ERR_func_error_string(). + [Richard Levitte] + + *) Extended testing to be verbose for failing tests only. The make variables + VERBOSE_FAILURE or VF can be used to enable this: + + $ make VF=1 test # Unix + $ mms /macro=(VF=1) test ! OpenVMS + $ nmake VF=1 test # Windows + + [Richard Levitte] + + *) For built-in EC curves, ensure an EC_GROUP built from the curve name is + used even when parsing explicit parameters, when loading a serialized key + or calling `EC_GROUP_new_from_ecpkparameters()`/ + `EC_GROUP_new_from_ecparameters()`. + This prevents bypass of security hardening and performance gains, + especially for curves with specialized EC_METHODs. + By default, if a key encoded with explicit parameters is loaded and later + serialized, the output is still encoded with explicit parameters, even if + internally a "named" EC_GROUP is used for computation. + [Nicola Tuveri] + + *) Compute ECC cofactors if not provided during EC_GROUP construction. Before + this change, EC_GROUP_set_generator would accept order and/or cofactor as + NULL. After this change, only the cofactor parameter can be NULL. It also + does some minimal sanity checks on the passed order. + (CVE-2019-1547) + [Billy Bob Brumley] + + *) Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey. + An attack is simple, if the first CMS_recipientInfo is valid but the + second CMS_recipientInfo is chosen ciphertext. If the second + recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct + encryption key will be replaced by garbage, and the message cannot be + decoded, but if the RSA decryption fails, the correct encryption key is + used and the recipient will not notice the attack. + As a work around for this potential attack the length of the decrypted + key must be equal to the cipher default key length, in case the + certifiate is not given and all recipientInfo are tried out. + The old behaviour can be re-enabled in the CMS code by setting the + CMS_DEBUG_DECRYPT flag. + [Bernd Edlinger] + + *) Early start up entropy quality from the DEVRANDOM seed source has been + improved for older Linux systems. The RAND subsystem will wait for + /dev/random to be producing output before seeding from /dev/urandom. + The seeded state is stored for future library initialisations using + a system global shared memory segment. The shared memory identifier + can be configured by defining OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID to + the desired value. The default identifier is 114. + [Paul Dale] + + *) Revised BN_generate_prime_ex to not avoid factors 2..17863 in p-1 + when primes for RSA keys are computed. + Since we previously always generated primes == 2 (mod 3) for RSA keys, + the 2-prime and 3-prime RSA modules were easy to distinguish, since + N = p*q = 1 (mod 3), but N = p*q*r = 2 (mod 3). Therefore fingerprinting + 2-prime vs. 3-prime RSA keys was possible by computing N mod 3. + This avoids possible fingerprinting of newly generated RSA modules. + [Bernd Edlinger] + + *) Correct the extended master secret constant on EBCDIC systems. Without this + fix TLS connections between an EBCDIC system and a non-EBCDIC system that + negotiate EMS will fail. Unfortunately this also means that TLS connections + between EBCDIC systems with this fix, and EBCDIC systems without this + fix will fail if they negotiate EMS. + [Matt Caswell] + + *) Changed the library initialisation so that the config file is now loaded + by default. This was already the case for libssl. It now occurs for both + libcrypto and libssl. Use the OPENSSL_INIT_NO_LOAD_CONFIG option to + OPENSSL_init_crypto() to suppress automatic loading of a config file. + [Matt Caswell] + + *) Introduced new error raising macros, ERR_raise() and ERR_raise_data(), + where the former acts as a replacement for ERR_put_error(), and the + latter replaces the combination ERR_put_error()+ERR_add_error_data(). + ERR_raise_data() adds more flexibility by taking a format string and + an arbitrary number of arguments following it, to be processed with + BIO_snprintf(). + [Richard Levitte] + + *) Introduced a new function, OSSL_PROVIDER_available(), which can be used + to check if a named provider is loaded and available. When called, it + will also activate all fallback providers if such are still present. + [Richard Levitte] + + *) Enforce a minimum DH modulus size of 512 bits. + [Bernd Edlinger] + + *) Changed DH parameters to generate the order q subgroup instead of 2q. + Previously generated DH parameters are still accepted by DH_check + but DH_generate_key works around that by clearing bit 0 of the + private key for those. This avoids leaking bit 0 of the private key. + [Bernd Edlinger] + + *) Significantly reduce secure memory usage by the randomness pools. + [Paul Dale] + + *) {CRYPTO,OPENSSL}_mem_debug_{push,pop} are now no-ops and have been + deprecated. + [Rich Salz] + *) A new type, EVP_KEYEXCH, has been introduced to represent key exchange algorithms. An implementation of a key exchange algorithm can be obtained by using the function EVP_KEYEXCH_fetch(). An EVP_KEYEXCH algorithm can be @@ -22,7 +442,6 @@ *) Removed the function names from error messages and deprecated the xxx_F_xxx define's. - [Rich Salz] *) Removed NextStep support and the macro OPENSSL_UNISTD [Rich Salz] @@ -183,15 +602,6 @@ *) Change the license to the Apache License v2.0. [Richard Levitte] - *) Change the possible version information given with OPENSSL_API_COMPAT. - It may be a pre-3.0.0 style numerical version number as it was defined - in 1.1.0, and it may also simply take the major version number. - - Because of the version numbering of pre-3.0.0 releases, the values 0, - 1 and 2 are equivalent to 0x00908000L (0.9.8), 0x10000000L (1.0.0) and - 0x10100000L (1.1.0), respectively. - [Richard Levitte] - *) Switch to a new version scheme using three numbers MAJOR.MINOR.PATCH. o Major releases (indicated by incrementing the MAJOR release number)