X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=CHANGES;h=7b18d510771574615ad92122a103bbb47c628399;hp=ff61ff438398d8bee6a070646f7edc76d565a5a9;hb=b744f915ca8bb37631909728dd2529289bda8438;hpb=ac4033d658e4dc210ed4552b88069b57532ba3d7 diff --git a/CHANGES b/CHANGES index ff61ff4383..7b18d51077 100644 --- a/CHANGES +++ b/CHANGES 
@@ -9,6 +9,557 @@ Changes between 1.1.1 and 3.0.0 [xx XXX xxxx] + *) X509 certificates signed using SHA1 are no longer allowed at security + level 1 and above. + In TLS/SSL the default security level is 1. It can be set either + using the cipher string with @SECLEVEL, or calling + SSL_CTX_set_security_level(). If the leaf certificate is signed with SHA-1, + a call to SSL_CTX_use_certificate() will fail if the security level is not + lowered first. + Outside TLS/SSL, the default security level is -1 (effectively 0). It can + be set using X509_VERIFY_PARAM_set_auth_level() or using the -auth_level + options of the apps. + [Kurt Roeckx] + + *) Reworked the treatment of EC EVP_PKEYs with the SM2 curve to + automatically become EVP_PKEY_SM2 rather than EVP_PKEY_EC. + This means that applications don't have to look at the curve NID and + 'EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2)' to get SM2 computations. + However, they still can, that EVP_PKEY_set_alias_type() call acts as + a no-op when the EVP_PKEY is already of the given type. + + Parameter and key generation is also reworked to make it possible + to generate EVP_PKEY_SM2 parameters and keys without having to go + through EVP_PKEY_EC generation and then change the EVP_PKEY type. + However, code that does the latter will still work as before. + [Richard Levitte] + + *) Deprecated low level ECDH and ECDSA functions. These include: + + ECDH_compute_key, ECDSA_do_sign, ECDSA_do_sign_ex, ECDSA_do_verify, + ECDSA_sign_setup, ECDSA_sign, ECDSA_sign_ex, ECDSA_verify and + ECDSA_size. + + Use of these low level functions has been informally discouraged for a long + time. Instead applications should use the EVP_PKEY_derive(3), + EVP_DigestSign(3) and EVP_DigestVerify(3) functions. + [Paul Dale] + + *) Deprecated the EC_KEY_METHOD functions. 
These include: + + EC_KEY_METHOD_new, EC_KEY_METHOD_free, EC_KEY_METHOD_set_init, + EC_KEY_METHOD_set_keygen, EC_KEY_METHOD_set_compute_key, + EC_KEY_METHOD_set_sign, EC_KEY_METHOD_set_verify, + EC_KEY_METHOD_get_init, EC_KEY_METHOD_get_keygen, + EC_KEY_METHOD_get_compute_key, EC_KEY_METHOD_get_sign and + EC_KEY_METHOD_get_verify. + + Instead applications and extension writers should use the OSSL_PROVIDER + APIs. + [Paul Dale] + + *) Deprecated EVP_PKEY_decrypt_old(), please use EVP_PKEY_decrypt_init() + and EVP_PKEY_decrypt() instead. + Deprecated EVP_PKEY_encrypt_old(), please use EVP_PKEY_encrypt_init() + and EVP_PKEY_encrypt() instead. + [Richard Levitte] + + *) Enhanced the documentation of EVP_PKEY_size(), EVP_PKEY_bits() + and EVP_PKEY_security_bits(). Especially EVP_PKEY_size() needed + a new formulation to include all the things it can be used for, + as well as words of caution. + [Richard Levitte] + + *) The SSL_CTX_set_tlsext_ticket_key_cb(3) function has been deprecated. + Instead used the new SSL_CTX_set_tlsext_ticket_key_evp_cb(3) function. + [Paul Dale] + + *) All of the low level HMAC functions have been deprecated including: + HMAC, HMAC_size, HMAC_CTX_new, HMAC_CTX_reset, HMAC_CTX_free, + HMAC_Init_ex, HMAC_Update, HMAC_Final, HMAC_CTX_copy, HMAC_CTX_set_flags + and HMAC_CTX_get_md. + Use of these low level functions has been informally discouraged for a long + time. Instead applications should use L, + L, L, L + and L. + [Paul Dale] + + *) All of the low level CMAC functions have been deprecated including: + CMAC_CTX_new, CMAC_CTX_cleanup, CMAC_CTX_free, CMAC_CTX_get0_cipher_ctx, + CMAC_CTX_copy, CMAC_Init, CMAC_Update, CMAC_Final and CMAC_resume. + Use of these low level functions has been informally discouraged for a long + time. Instead applications should use L, + L, L, L + and L. 
+ [Paul Dale] + + *) All of the low level MD2, MD4, MD5, MDC2, RIPEMD160, SHA1, SHA224, SHA256, + SHA384, SHA512 and Whirlpool digest functions have been deprecated. + These include: + + MD2, MD2_options, MD2_Init, MD2_Update, MD2_Final, MD4, MD4_Init, + MD4_Update, MD4_Final, MD4_Transform, MD5, MD5_Init, MD5_Update, + MD5_Final, MD5_Transform, MDC2, MDC2_Init, MDC2_Update, MDC2_Final, + RIPEMD160, RIPEMD160_Init, RIPEMD160_Update, RIPEMD160_Final, + RIPEMD160_Transform, SHA1_Init, SHA1_Update, SHA1_Final, SHA1_Transform, + SHA224_Init, SHA224_Update, SHA224_Final, SHA224_Transform, SHA256_Init, + SHA256_Update, SHA256_Final, SHA256_Transform, SHA384, SHA384_Init, + SHA384_Update, SHA384_Final, SHA512, SHA512_Init, SHA512_Update, + SHA512_Final, SHA512_Transform, WHIRLPOOL, WHIRLPOOL_Init, + WHIRLPOOL_Update, WHIRLPOOL_BitUpdate and WHIRLPOOL_Final. + + Use of these low level functions has been informally discouraged + for a long time. Applications should use the EVP_DigestInit_ex(3), + EVP_DigestUpdate(3) and EVP_DigestFinal_ex(3) functions instead. + [Paul Dale] + + *) Corrected the documentation of the return values from the EVP_DigestSign* + set of functions. The documentation mentioned negative values for some + errors, but this was never the case, so the mention of negative values + was removed. + + Code that followed the documentation and thereby check with something + like 'EVP_DigestSignInit(...) <= 0' will continue to work undisturbed. 
+ [Richard Levitte] + + *) All of the low level cipher functions have been deprecated including: + + AES_options, AES_set_encrypt_key, AES_set_decrypt_key, AES_encrypt, + AES_decrypt, AES_ecb_encrypt, AES_cbc_encrypt, AES_cfb128_encrypt, + AES_cfb1_encrypt, AES_cfb8_encrypt, AES_ofb128_encrypt, + AES_wrap_key, AES_unwrap_key, BF_set_key, BF_encrypt, BF_decrypt, + BF_ecb_encrypt, BF_cbc_encrypt, BF_cfb64_encrypt, BF_ofb64_encrypt, + BF_options, Camellia_set_key, Camellia_encrypt, Camellia_decrypt, + Camellia_ecb_encrypt, Camellia_cbc_encrypt, Camellia_cfb128_encrypt, + Camellia_cfb1_encrypt, Camellia_cfb8_encrypt, Camellia_ofb128_encrypt, + Camellia_ctr128_encrypt, CAST_set_key, CAST_encrypt, CAST_decrypt, + CAST_ecb_encrypt, CAST_cbc_encrypt, CAST_cfb64_encrypt, + CAST_ofb64_encrypt, DES_options, DES_encrypt1, DES_encrypt2, + DES_encrypt3, DES_decrypt3, DES_cbc_encrypt, DES_ncbc_encrypt, + DES_pcbc_encrypt, DES_xcbc_encrypt, DES_cfb_encrypt, DES_cfb64_encrypt, + DES_ecb_encrypt, DES_ofb_encrypt, DES_ofb64_encrypt, DES_random_key, + DES_set_odd_parity, DES_check_key_parity, DES_is_weak_key, DES_set_key, + DES_key_sched, DES_set_key_checked, DES_set_key_unchecked, + DES_string_to_key, DES_string_to_2keys, DES_fixup_key_parity, + DES_ecb2_encrypt, DES_ede2_cbc_encrypt, DES_ede2_cfb64_encrypt, + DES_ede2_ofb64_encrypt, DES_ecb3_encrypt, DES_ede3_cbc_encrypt, + DES_ede3_cfb64_encrypt, DES_ede3_cfb_encrypt, DES_ede3_ofb64_encrypt, + DES_cbc_cksum, DES_quad_cksum, IDEA_encrypt, IDEA_options, + IDEA_ecb_encrypt, IDEA_set_encrypt_key, IDEA_set_decrypt_key, + IDEA_cbc_encrypt, IDEA_cfb64_encrypt, IDEA_ofb64_encrypt, RC2_set_key, + RC2_encrypt, RC2_decrypt, RC2_ecb_encrypt, RC2_cbc_encrypt, + RC2_cfb64_encrypt, RC2_ofb64_encrypt, RC4, RC4_options, RC4_set_key, + RC5_32_set_key, RC5_32_encrypt, RC5_32_decrypt, RC5_32_ecb_encrypt, + RC5_32_cbc_encrypt, RC5_32_cfb64_encrypt, RC5_32_ofb64_encrypt, + SEED_set_key, SEED_encrypt, SEED_decrypt, SEED_ecb_encrypt, + SEED_cbc_encrypt, 
SEED_cfb128_encrypt and SEED_ofb128_encrypt. + + Use of these low level functions has been informally discouraged for + a long time. Applications should use the high level EVP APIs, e.g. + EVP_EncryptInit_ex, EVP_EncryptUpdate, EVP_EncryptFinal_ex, and the + equivalently named decrypt functions instead. + [Matt Caswell and Paul Dale] + + *) Removed include/openssl/opensslconf.h.in and replaced it with + include/openssl/configuration.h.in, which differs in not including + . A short header include/openssl/opensslconf.h + was added to include both. + + This allows internal hacks where one might need to modify the set + of configured macros, for example this if deprecated symbols are + still supposed to be available internally: + + #include + + #undef OPENSSL_NO_DEPRECATED + #define OPENSSL_SUPPRESS_DEPRECATED + + #include + + This should not be used by applications that use the exported + symbols, as that will lead to linking errors. + [Richard Levitte] + + *) Fixed an an overflow bug in the x64_64 Montgomery squaring procedure + used in exponentiation with 512-bit moduli. No EC algorithms are + affected. Analysis suggests that attacks against 2-prime RSA1024, + 3-prime RSA1536, and DSA1024 as a result of this defect would be very + difficult to perform and are not believed likely. Attacks against DH512 + are considered just feasible. However, for an attack the target would + have to re-use the DH512 private key, which is not recommended anyway. + Also applications directly using the low level API BN_mod_exp may be + affected if they use BN_FLG_CONSTTIME. + (CVE-2019-1551) + [Andy Polyakov] + + *) Most memory-debug features have been deprecated, and the functionality + replaced with no-ops. + [Rich Salz] + + *) Introduced a new method type and API, OSSL_SERIALIZER, to + represent generic serializers. 
An implementation is expected to + be able to serialize an object associated with a given name (such + as an algorithm name for an asymmetric key) into forms given by + implementation properties. + + Serializers are primarily used from inside libcrypto, through + calls to functions like EVP_PKEY_print_private(), + PEM_write_bio_PrivateKey() and similar. + + Serializers are specified in such a way that they can be made to + directly handle the provider side portion of an object, if this + provider side part comes from the same provider as the serializer + itself, but can also be made to handle objects in parametrized + form (as an OSSL_PARAM array of data). This allows a provider to + offer generic serializers as a service for any other provider. + [Richard Levitte] + + *) Added a .pragma directive to the syntax of configuration files, to + allow varying behavior in a supported and predictable manner. + Currently added pragma: + + .pragma dollarid:on + + This allows dollar signs to be a keyword character unless it's + followed by a opening brace or parenthesis. This is useful for + platforms where dollar signs are commonly used in names, such as + volume names and system directory names on VMS. + [Richard Levitte] + + *) Added functionality to create an EVP_PKEY from user data. This + is effectively the same as creating a RSA, DH or DSA object and + then assigning them to an EVP_PKEY, but directly using algorithm + agnostic EVP functions. A benefit is that this should be future + proof for public key algorithms to come. + [Richard Levitte] + + *) Change the interpretation of the '--api' configuration option to + mean that this is a desired API compatibility level with no + further meaning. The previous interpretation, that this would + also mean to remove all deprecated symbols up to and including + the given version, no requires that 'no-deprecated' is also used + in the configuration. 
+ + When building applications, the desired API compatibility level + can be set with the OPENSSL_API_COMPAT macro like before. For + API compatibility version below 3.0, the old style numerical + value is valid as before, such as -DOPENSSL_API_COMPAT=0x10100000L. + For version 3.0 and on, the value is expected to be the decimal + value calculated from the major and minor version like this: + + MAJOR * 10000 + MINOR * 100 + + Examples: + + -DOPENSSL_API_COMPAT=30000 For 3.0 + -DOPENSSL_API_COMPAT=30200 For 3.2 + + To hide declarations that are deprecated up to and including the + given API compatibility level, -DOPENSSL_NO_DEPRECATED must be + given when building the application as well. + [Richard Levitte] + + *) Added the X509_LOOKUP_METHOD called X509_LOOKUP_store, to allow + access to certificate and CRL stores via URIs and OSSL_STORE + loaders. + + This adds the following functions: + + X509_LOOKUP_store() + X509_STORE_load_file() + X509_STORE_load_path() + X509_STORE_load_store() + SSL_add_store_cert_subjects_to_stack() + SSL_CTX_set_default_verify_store() + SSL_CTX_load_verify_file() + SSL_CTX_load_verify_dir() + SSL_CTX_load_verify_store() + + Also, the following functions are now deprecated: + + - X509_STORE_load_locations() (use X509_STORE_load_file(), + X509_STORE_load_path() or X509_STORE_load_store() instead) + - SSL_CTX_load_verify_locations() (use SSL_CTX_load_verify_file(), + SSL_CTX_load_verify_dir() or SSL_CTX_load_verify_store() instead) + [Richard Levitte] + + *) Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY. + The presence of this system service is determined at run-time. + [Richard Levitte] + + *) Added functionality to create an EVP_PKEY context based on data + for methods from providers. 
This takes an algorithm name and a + property query string and simply stores them, with the intent + that any operation that uses this context will use those strings + to fetch the needed methods implicitly, thereby making the port + of application written for pre-3.0 OpenSSL easier. + [Richard Levitte] + + *) The undocumented function NCONF_WIN32() has been deprecated; for + conversion details see the HISTORY section of doc/man5/config.pod + [Rich Salz] + + *) Introduced the new functions EVP_DigestSignInit_ex() and + EVP_DigestVerifyInit_ex(). The macros EVP_DigestSignUpdate() and + EVP_DigestVerifyUpdate() have been converted to functions. See the man + pages for further details. + [Matt Caswell] + + *) Most common options (such as -rand/-writerand, TLS version control, etc) + were refactored and point to newly-enhanced descriptions in openssl.pod + [Rich Salz] + + *) Over two thousand fixes were made to the documentation, including: + adding missing command flags, better style conformance, documentation + of internals, etc. + [Rich Salz, Richard Levitte] + + *) s390x assembly pack: add hardware-support for P-256, P-384, P-521, + X25519, X448, Ed25519 and Ed448. + [Patrick Steuer] + + *) Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just + the first value. + [Jon Spillett] + + *) Deprecated the public definition of ERR_STATE as well as the function + ERR_get_state(). This is done in preparation of making ERR_STATE an + opaque type. + [Richard Levitte] + + *) Added ERR functionality to give callers access to the stored function + names that have replaced the older function code based functions. + + New functions are ERR_get_error_func(), ERR_peek_error_func(), + ERR_peek_last_error_func(), ERR_get_error_data(), ERR_peek_error_data(), + ERR_peek_last_error_data(), ERR_get_error_all(), ERR_peek_error_all() + and ERR_peek_last_error_all(). 
+ + These functions have become deprecated: ERR_get_error_line_data(), + ERR_peek_error_line_data(), ERR_peek_last_error_line_data() and + ERR_func_error_string(). + [Richard Levitte] + + *) Extended testing to be verbose for failing tests only. The make variables + VERBOSE_FAILURE or VF can be used to enable this: + + $ make VF=1 test # Unix + $ mms /macro=(VF=1) test ! OpenVMS + $ nmake VF=1 test # Windows + + [Richard Levitte] + + *) For built-in EC curves, ensure an EC_GROUP built from the curve name is + used even when parsing explicit parameters, when loading a serialized key + or calling `EC_GROUP_new_from_ecpkparameters()`/ + `EC_GROUP_new_from_ecparameters()`. + This prevents bypass of security hardening and performance gains, + especially for curves with specialized EC_METHODs. + By default, if a key encoded with explicit parameters is loaded and later + serialized, the output is still encoded with explicit parameters, even if + internally a "named" EC_GROUP is used for computation. + [Nicola Tuveri] + + *) Compute ECC cofactors if not provided during EC_GROUP construction. Before + this change, EC_GROUP_set_generator would accept order and/or cofactor as + NULL. After this change, only the cofactor parameter can be NULL. It also + does some minimal sanity checks on the passed order. + (CVE-2019-1547) + [Billy Bob Brumley] + + *) Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey. + An attack is simple, if the first CMS_recipientInfo is valid but the + second CMS_recipientInfo is chosen ciphertext. If the second + recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct + encryption key will be replaced by garbage, and the message cannot be + decoded, but if the RSA decryption fails, the correct encryption key is + used and the recipient will not notice the attack. 
+ As a work around for this potential attack the length of the decrypted + key must be equal to the cipher default key length, in case the + certifiate is not given and all recipientInfo are tried out. + The old behaviour can be re-enabled in the CMS code by setting the + CMS_DEBUG_DECRYPT flag. + [Bernd Edlinger] + + *) Early start up entropy quality from the DEVRANDOM seed source has been + improved for older Linux systems. The RAND subsystem will wait for + /dev/random to be producing output before seeding from /dev/urandom. + The seeded state is stored for future library initialisations using + a system global shared memory segment. The shared memory identifier + can be configured by defining OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID to + the desired value. The default identifier is 114. + [Paul Dale] + + *) Revised BN_generate_prime_ex to not avoid factors 2..17863 in p-1 + when primes for RSA keys are computed. + Since we previously always generated primes == 2 (mod 3) for RSA keys, + the 2-prime and 3-prime RSA modules were easy to distinguish, since + N = p*q = 1 (mod 3), but N = p*q*r = 2 (mod 3). Therefore fingerprinting + 2-prime vs. 3-prime RSA keys was possible by computing N mod 3. + This avoids possible fingerprinting of newly generated RSA modules. + [Bernd Edlinger] + + *) Correct the extended master secret constant on EBCDIC systems. Without this + fix TLS connections between an EBCDIC system and a non-EBCDIC system that + negotiate EMS will fail. Unfortunately this also means that TLS connections + between EBCDIC systems with this fix, and EBCDIC systems without this + fix will fail if they negotiate EMS. + [Matt Caswell] + + *) Changed the library initialisation so that the config file is now loaded + by default. This was already the case for libssl. It now occurs for both + libcrypto and libssl. Use the OPENSSL_INIT_NO_LOAD_CONFIG option to + OPENSSL_init_crypto() to suppress automatic loading of a config file. 
+ [Matt Caswell] + + *) Introduced new error raising macros, ERR_raise() and ERR_raise_data(), + where the former acts as a replacement for ERR_put_error(), and the + latter replaces the combination ERR_put_error()+ERR_add_error_data(). + ERR_raise_data() adds more flexibility by taking a format string and + an arbitrary number of arguments following it, to be processed with + BIO_snprintf(). + [Richard Levitte] + + *) Introduced a new function, OSSL_PROVIDER_available(), which can be used + to check if a named provider is loaded and available. When called, it + will also activate all fallback providers if such are still present. + [Richard Levitte] + + *) Enforce a minimum DH modulus size of 512 bits. + [Bernd Edlinger] + + *) Changed DH parameters to generate the order q subgroup instead of 2q. + Previously generated DH parameters are still accepted by DH_check + but DH_generate_key works around that by clearing bit 0 of the + private key for those. This avoids leaking bit 0 of the private key. + [Bernd Edlinger] + + *) Significantly reduce secure memory usage by the randomness pools. + [Paul Dale] + + *) {CRYPTO,OPENSSL}_mem_debug_{push,pop} are now no-ops and have been + deprecated. + [Rich Salz] + + *) A new type, EVP_KEYEXCH, has been introduced to represent key exchange + algorithms. An implementation of a key exchange algorithm can be obtained + by using the function EVP_KEYEXCH_fetch(). An EVP_KEYEXCH algorithm can be + used in a call to EVP_PKEY_derive_init_ex() which works in a similar way to + the older EVP_PKEY_derive_init() function. See the man pages for the new + functions for further details. + [Matt Caswell] + + *) The EVP_PKEY_CTX_set_dh_pad() macro has now been converted to a function. + [Matt Caswell] + + *) Removed the function names from error messages and deprecated the + xxx_F_xxx define's. + + *) Removed NextStep support and the macro OPENSSL_UNISTD + [Rich Salz] + + *) Removed DES_check_key. 
Also removed OPENSSL_IMPLEMENT_GLOBAL, + OPENSSL_GLOBAL_REF, OPENSSL_DECLARE_GLOBAL. + Also removed "export var as function" capability; we do not export + variables, only functions. + [Rich Salz] + + *) RC5_32_set_key has been changed to return an int type, with 0 indicating + an error and 1 indicating success. In previous versions of OpenSSL this + was a void type. If a key was set longer than the maximum possible this + would crash. + [Matt Caswell] + + *) Support SM2 signing and verification schemes with X509 certificate. + [Paul Yang] + + *) Use SHA256 as the default digest for TS query in the ts app. + [Tomas Mraz] + + *) Change PBKDF2 to conform to SP800-132 instead of the older PKCS5 RFC2898. + This checks that the salt length is at least 128 bits, the derived key + length is at least 112 bits, and that the iteration count is at least 1000. + For backwards compatibility these checks are disabled by default in the + default provider, but are enabled by default in the fips provider. + To enable or disable these checks use the control + EVP_KDF_CTRL_SET_PBKDF2_PKCS5_MODE. + [Shane Lontis] + + *) Default cipher lists/suites are now available via a function, the + #defines are deprecated. + [Todd Short] + + *) Add target VC-WIN32-UWP, VC-WIN64A-UWP, VC-WIN32-ARM-UWP and + VC-WIN64-ARM-UWP in Windows OneCore target for making building libraries + for Windows Store apps easier. Also, the "no-uplink" option has been added. + [Kenji Mouri] + + *) Join the directories crypto/x509 and crypto/x509v3 + [Richard Levitte] + + *) Change the default RSA, DSA and DH size to 2048 bit instead of 1024. + This changes the size when using the genpkey app when no size is given. It + fixes an omission in earlier changes that changed all RSA, DSA and DH + generation apps to use 2048 bits by default. + [Kurt Roeckx] + + *) Added command 'openssl kdf' that uses the EVP_KDF API. + [Shane Lontis] + + *) Added command 'openssl mac' that uses the EVP_MAC API. 
+ [Shane Lontis] + + *) Added OPENSSL_info() to get diverse built-in OpenSSL data, such + as default directories. Also added the command 'openssl info' + for scripting purposes. + [Richard Levitte] + + *) The functions AES_ige_encrypt() and AES_bi_ige_encrypt() have been + deprecated. These undocumented functions were never integrated into the EVP + layer and implement the AES Infinite Garble Extension (IGE) mode and AES + Bi-directional IGE mode. These modes were never formally standardised and + usage of these functions is believed to be very small. In particular + AES_bi_ige_encrypt() has a known bug. It accepts 2 AES keys, but only one + is ever used. The security implications are believed to be minimal, but + this issue was never fixed for backwards compatibility reasons. New code + should not use these modes. + [Matt Caswell] + + *) Add prediction resistance to the DRBG reseeding process. + [Paul Dale] + + *) Limit the number of blocks in a data unit for AES-XTS to 2^20 as + mandated by IEEE Std 1619-2018. + [Paul Dale] + + *) Added newline escaping functionality to a filename when using openssl dgst. + This output format is to replicate the output format found in the '*sum' + checksum programs. This aims to preserve backward compatibility. + [Matt Eaton, Richard Levitte, and Paul Dale] + + *) Removed the heartbeat message in DTLS feature, as it has very + little usage and doesn't seem to fulfill a valuable purpose. + The configuration option is now deprecated. + [Richard Levitte] + + *) Changed the output of 'openssl {digestname} < file' to display the + digest name in its output. + [Richard Levitte] + + *) Added a new generic trace API which provides support for enabling + instrumentation through trace output. This feature is mainly intended + as an aid for developers and is disabled by default. To utilize it, + OpenSSL needs to be configured with the `enable-trace` option. 
+ + If the tracing API is enabled, the application can activate trace output + by registering BIOs as trace channels for a number of tracing and debugging + categories. + + The 'openssl' application has been expanded to enable any of the types + available via environment variables defined by the user, and serves as + one possible example on how to use this functionality. + [Richard Levitte & Matthias St. Pierre] + *) Added build tests for C++. These are generated files that only do one thing, to include one public OpenSSL head file each. This tests that the public header files can be usefully included in a C++ application. @@ -17,6 +568,12 @@ 'enable-buildtest-c++'. [Richard Levitte] + *) Add Single Step KDF (EVP_KDF_SS) to EVP_KDF. + [Shane Lontis] + + *) Add KMAC to EVP_MAC. + [Shane Lontis] + *) Added property based algorithm implementation selection framework to the core. [Paul Dale] @@ -57,15 +614,6 @@ *) Change the license to the Apache License v2.0. [Richard Levitte] - *) Change the possible version information given with OPENSSL_API_COMPAT. - It may be a pre-3.0.0 style numerical version number as it was defined - in 1.1.0, and it may also simply take the major version number. - - Because of the version numbering of pre-3.0.0 releases, the values 0, - 1 and 2 are equivalent to 0x00908000L (0.9.8), 0x10000000L (1.0.0) and - 0x10100000L (1.1.0), respectively. - [Richard Levitte] - *) Switch to a new version scheme using three numbers MAJOR.MINOR.PATCH. o Major releases (indicated by incrementing the MAJOR release number) @@ -351,7 +899,7 @@ SSL_set_ciphersuites() [Matt Caswell] - *) Memory allocation failures consistenly add an error to the error + *) Memory allocation failures consistently add an error to the error stack. [Rich Salz] 
@@ -6889,7 +7437,7 @@ reason texts, thereby removing some of the footprint that may not be interesting if those errors aren't displayed anyway. - NOTE: it's still possible for any application or module to have it's + NOTE: it's still possible for any application or module to have its own set of error texts inserted. The routines are there, just not used by default when no-err is given. [Richard Levitte] @@ -8855,7 +9403,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k Changes between 0.9.6g and 0.9.6h [5 Dec 2002] *) New function OPENSSL_cleanse(), which is used to cleanse a section of - memory from it's contents. This is done with a counter that will + memory from its contents. This is done with a counter that will place alternating values in each byte. This can be used to solve two issues: 1) the removal of calls to memset() by highly optimizing compilers, and 2) cleansing with other values than 0, since those can
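Review bot: In the @@ -9,6 +9,557 @@ hunk, the HMAC and CMAC deprecation entries name their replacements only as "L, L, L, L and L", so the reader is never told which EVP_MAC functions to migrate to; spell the replacement names out in plain text the way the digest entry in the same hunk does ("Applications should use the EVP_DigestInit_ex(3), EVP_DigestUpdate(3) and EVP_DigestFinal_ex(3) functions instead"). The same hunk has several smaller defects that should be fixed before merge: the opensslconf.h entry reads "which differs in not including ." and its code sample has two bare "#include" lines, so the header names are missing; "Instead used the new SSL_CTX_set_tlsext_ticket_key_evp_cb(3) function" should read "Instead use"; "no requires that 'no-deprecated' is also used" should read "now requires"; "Fixed an an overflow bug in the x64_64 Montgomery squaring procedure" doubles "an", and "x64_64" is not an architecture name (x86_64 is); "certifiate" in the PKCS7/CMS padding-oracle entry should be "certificate"; "the 2-prime and 3-prime RSA modules were easy to distinguish" should say "moduli"; "followed by a opening brace" should be "an opening brace"; and "Code that followed the documentation and thereby check with" should be "checks". Finally, the entry "Removed the function names from error messages and deprecated the xxx_F_xxx define's." is the only one in the hunk without an attribution line, and "define's" should be "defines".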
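Review bot: The @@ -57,15 +614,6 @@ hunk deletes the only statement of what the short OPENSSL_API_COMPAT values 0, 1 and 2 mean (0x00908000L, 0x10000000L and 0x10100000L respectively), while the replacement entry added earlier in this patch only says that pre-3.0 levels use "the old style numerical value" such as -DOPENSSL_API_COMPAT=0x10100000L and that 3.0 and later use MAJOR * 10000 + MINOR * 100. If the 0/1/2 shorthand is no longer accepted, the new entry should say so explicitly so that existing builds using it know to change; if it is still accepted, carry the mapping over into the new entry rather than dropping it.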