-rw-r--r--  ACKNOWLEDGEMENTS.md     10
-rw-r--r--  AUTHORS.md              79
-rw-r--r--  CHANGES.md           29289
-rw-r--r--  CONTRIBUTING.md         53
-rw-r--r--  FAQ.md                   8
-rw-r--r--  NEWS.md               1984
-rw-r--r--  README.md              125
7 files changed, 16727 insertions, 14821 deletions
diff --git a/ACKNOWLEDGEMENTS.md b/ACKNOWLEDGEMENTS.md
index d21dccbb79..baf7743c8e 100644
--- a/ACKNOWLEDGEMENTS.md
+++ b/ACKNOWLEDGEMENTS.md
@@ -1,2 +1,8 @@
-Please https://www.openssl.org/community/thanks.html for the current
-acknowledgements.
+Acknowlegements
+===============
+
+Please see our [Thanks!][] page for the current acknowledgements.
+
+
+[Thanks!]: https://www.openssl.org/community/thanks.html
+
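Review bot: the new heading misspells the file's own title: `Acknowlegements` should be `Acknowledgements`, as the body sentence and the file name both spell it. Style point on the same hunk: the added text ends with two consecutive blank lines before the `[Thanks!]:` reference definition and another blank line after it; one blank line before the definition and a single trailing newline would do. Replacing the old `Please https://www.openssl.org/...` (which was missing the word "see") with a real link is a welcome side effect of the rewrite.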
diff --git a/AUTHORS.md b/AUTHORS.md
index ac93b2e7b9..e9ff5441b9 100644
--- a/AUTHORS.md
+++ b/AUTHORS.md
@@ -1,35 +1,46 @@
-# This is the list of OpenSSL authors for copyright purposes.
-#
-# This does not necessarily list everyone who has contributed code, since in
-# some cases, their employer may be the copyright holder. To see the full list
-# of contributors, see the revision history in source control.
-OpenSSL Software Services, Inc.
-OpenSSL Software Foundation, Inc.
+Authors
+=======
-# Individuals
-Andy Polyakov
-Ben Laurie
-Ben Kaduk
-Bernd Edlinger
-Bodo Möller
-David Benjamin
-Emilia Käsper
-Eric Young
-Geoff Thorpe
-Holger Reif
-Kurt Roeckx
-Lutz Jänicke
-Mark J. Cox
-Matt Caswell
-Matthias St. Pierre
-Nils Larsch
-Paul Dale
-Paul C. Sutton
-Ralf S. Engelschall
-Rich Salz
-Richard Levitte
-Stephen Henson
-Steve Marquess
-Tim Hudson
-Ulf Möller
-Viktor Dukhovni
+This is the list of OpenSSL authors for copyright purposes.
+It does not necessarily list everyone who has contributed code,
+since in some cases, their employer may be the copyright holder.
+To see the full list of contributors, see the revision history in
+source control.
+
+
+Groups
+------
+
+ * OpenSSL Software Services, Inc.
+ * OpenSSL Software Foundation, Inc.
+
+
+Individuals
+-----------
+
+ * Andy Polyakov
+ * Ben Laurie
+ * Ben Kaduk
+ * Bernd Edlinger
+ * Bodo Möller
+ * David Benjamin
+ * Emilia Käsper
+ * Eric Young
+ * Geoff Thorpe
+ * Holger Reif
+ * Kurt Roeckx
+ * Lutz Jänicke
+ * Mark J. Cox
+ * Matt Caswell
+ * Matthias St. Pierre
+ * Nils Larsch
+ * Paul Dale
+ * Paul C. Sutton
+ * Ralf S. Engelschall
+ * Rich Salz
+ * Richard Levitte
+ * Stephen Henson
+ * Steve Marquess
+ * Tim Hudson
+ * Ulf Möller
+ * Viktor Dukhovni
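Review bot: style point: both subheadings, `Groups` and `Individuals`, are preceded by two blank lines while a single blank line separates each heading from its list; pick one spacing and use it throughout the file. Since this change re-emits the whole Individuals list, it is also the moment to fix its order: the list is sorted by given name with surname as tie-breaker (`Paul Dale` before `Paul C. Sutton`), but `Ben Laurie` sits before `Ben Kaduk`, which breaks that rule. Dropping the `#` comment prefixes turns the old header comment into body text, which reads correctly as written.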
diff --git a/CHANGES.md b/CHANGES.md
index ee4d953f71..dcc89f090e 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,13926 +1,15715 @@
- OpenSSL CHANGES
- _______________
-
- This is a high-level summary of the most important changes.
- For a full list of changes, see the git commit log; for example,
- https://github.com/openssl/openssl/commits/ and pick the appropriate
- release branch.
-
- Changes between 1.1.1 and 3.0.0 [xx XXX xxxx]
-
- *) The test suite is changed to preserve results of each test recipe.
- A new directory test-runs/ with subdirectories named like the
- test recipes are created in the build tree for this purpose.
- [Richard Levitte]
-
- *) The command line utilities ecparam and ec have been deprecated. Instead
- use the pkeyparam, pkey and genpkey programs.
- [Paul Dale]
-
- *) All of the low level RSA functions have been deprecated including:
-
- RSA_new_method, RSA_bits, RSA_size, RSA_security_bits,
- RSA_get0_pss_params, RSA_get_version, RSA_get0_engine,
- RSA_generate_key_ex, RSA_generate_multi_prime_key,
- RSA_X931_derive_ex, RSA_X931_generate_key_ex, RSA_check_key,
- RSA_check_key_ex, RSA_public_encrypt, RSA_private_encrypt,
- RSA_public_decrypt, RSA_private_decrypt, RSA_set_default_method,
- RSA_get_default_method, RSA_null_method, RSA_get_method, RSA_set_method,
- RSA_PKCS1_OpenSSL, RSA_print_fp, RSA_print, RSA_sign, RSA_verify,
- RSA_sign_ASN1_OCTET_STRING, RSA_verify_ASN1_OCTET_STRING,
- RSA_blinding_on, RSA_blinding_off, RSA_setup_blinding,
- RSA_padding_add_PKCS1_type_1, RSA_padding_check_PKCS1_type_1,
- RSA_padding_add_PKCS1_type_2, RSA_padding_check_PKCS1_type_2,
- PKCS1_MGF1, RSA_padding_add_PKCS1_OAEP, RSA_padding_check_PKCS1_OAEP,
- RSA_padding_add_PKCS1_OAEP_mgf1, RSA_padding_check_PKCS1_OAEP_mgf1,
- RSA_padding_add_SSLv23, RSA_padding_check_SSLv23,
- RSA_padding_add_none, RSA_padding_check_none, RSA_padding_add_X931,
- RSA_padding_check_X931, RSA_X931_hash_id, RSA_verify_PKCS1_PSS,
- RSA_padding_add_PKCS1_PSS, RSA_verify_PKCS1_PSS_mgf1,
- RSA_padding_add_PKCS1_PSS_mgf1, RSA_set_ex_data, RSA_get_ex_data,
- RSA_meth_new, RSA_meth_free, RSA_meth_dup, RSA_meth_get0_name,
- RSA_meth_set1_name, RSA_meth_get_flags, RSA_meth_set_flags,
- RSA_meth_get0_app_data, RSA_meth_set0_app_data, RSA_meth_get_pub_enc,
- RSA_meth_set_pub_enc, RSA_meth_get_pub_dec, RSA_meth_set_pub_dec,
- RSA_meth_get_priv_enc, RSA_meth_set_priv_enc, RSA_meth_get_priv_dec,
- RSA_meth_set_priv_dec, RSA_meth_get_mod_exp, RSA_meth_set_mod_exp,
- RSA_meth_get_bn_mod_exp, RSA_meth_set_bn_mod_exp, RSA_meth_get_init,
- RSA_meth_set_init, RSA_meth_get_finish, RSA_meth_set_finish,
- RSA_meth_get_sign, RSA_meth_set_sign, RSA_meth_get_verify,
- RSA_meth_set_verify, RSA_meth_get_keygen, RSA_meth_set_keygen,
- RSA_meth_get_multi_prime_keygen and RSA_meth_set_multi_prime_keygen.
-
- Use of these low level functions has been informally discouraged for a long
- time. Instead applications should use L<EVP_PKEY_encrypt_init(3)>,
- L<EVP_PKEY_encrypt(3)>, L<EVP_PKEY_decrypt_init(3)> and
- L<EVP_PKEY_decrypt(3)>.
- [Paul Dale]
-
- *) X509 certificates signed using SHA1 are no longer allowed at security
- level 1 and above.
- In TLS/SSL the default security level is 1. It can be set either
- using the cipher string with @SECLEVEL, or calling
- SSL_CTX_set_security_level(). If the leaf certificate is signed with SHA-1,
- a call to SSL_CTX_use_certificate() will fail if the security level is not
- lowered first.
- Outside TLS/SSL, the default security level is -1 (effectively 0). It can
- be set using X509_VERIFY_PARAM_set_auth_level() or using the -auth_level
- options of the apps.
- [Kurt Roeckx]
-
- *) The command line utilities dhparam, dsa, gendsa and dsaparam have been
- deprecated. Instead use the pkeyparam, pkey, genpkey and pkeyparam
- programs respectively.
- [Paul Dale]
-
- *) All of the low level DH functions have been deprecated including:
-
- DH_OpenSSL, DH_set_default_method, DH_get_default_method, DH_set_method,
- DH_new_method, DH_bits, DH_size, DH_security_bits, DH_get_ex_new_index,
- DH_set_ex_data, DH_get_ex_data, DH_generate_parameters_ex,
- DH_check_params_ex, DH_check_ex, DH_check_pub_key_ex,
- DH_check, DH_check_pub_key, DH_generate_key, DH_compute_key,
- DH_compute_key_padded, DHparams_print_fp, DHparams_print, DH_get_nid,
- DH_KDF_X9_42, DH_get0_engine, DH_get_length, DH_set_length, DH_meth_new,
- DH_meth_free, DH_meth_dup, DH_meth_get0_name, DH_meth_set1_name,
- DH_meth_get_flags, DH_meth_set_flags, DH_meth_get0_app_data,
- DH_meth_set0_app_data, DH_meth_get_generate_key,
- DH_meth_set_generate_key, DH_meth_get_compute_key,
- DH_meth_set_compute_key, DH_meth_get_bn_mod_exp,
- DH_meth_set_bn_mod_exp, DH_meth_get_init, DH_meth_set_init,
- DH_meth_get_finish, DH_meth_set_finish, DH_meth_get_generate_params
- and DH_meth_set_generate_params.
-
- Use of these low level functions has been informally discouraged for a long
- time. Instead applications should use L<EVP_PKEY_derive_init(3)>
- and L<EVP_PKEY_derive(3)>.
- [Paul Dale]
-
- *) All of the low level DSA functions have been deprecated including:
-
- DSA_do_sign, DSA_do_verify, DSA_OpenSSL, DSA_set_default_method,
- DSA_get_default_method, DSA_set_method, DSA_get_method, DSA_new_method,
- DSA_sign_setup, DSA_sign, DSA_verify, DSA_get_ex_new_index,
- DSA_set_ex_data, DSA_get_ex_data, DSA_generate_parameters_ex,
- DSA_generate_key, DSA_meth_new, DSA_get0_engine, DSA_meth_free,
- DSA_meth_dup, DSA_meth_get0_name, DSA_meth_set1_name, DSA_meth_get_flags,
- DSA_meth_set_flags, DSA_meth_get0_app_data, DSA_meth_set0_app_data,
- DSA_meth_get_sign, DSA_meth_set_sign, DSA_meth_get_sign_setup,
- DSA_meth_set_sign_setup, DSA_meth_get_verify, DSA_meth_set_verify,
- DSA_meth_get_mod_exp, DSA_meth_set_mod_exp, DSA_meth_get_bn_mod_exp,
- DSA_meth_set_bn_mod_exp, DSA_meth_get_init, DSA_meth_set_init,
- DSA_meth_get_finish, DSA_meth_set_finish, DSA_meth_get_paramgen,
- DSA_meth_set_paramgen, DSA_meth_get_keygen and DSA_meth_set_keygen.
-
- Use of these low level functions has been informally discouraged for a long
- time. Instead applications should use L<EVP_DigestSignInit_ex(3)>,
- L<EVP_DigestSignUpdate(3)> and L<EVP_DigestSignFinal(3)>.
- [Paul Dale]
-
- *) Reworked the treatment of EC EVP_PKEYs with the SM2 curve to
- automatically become EVP_PKEY_SM2 rather than EVP_PKEY_EC.
- This means that applications don't have to look at the curve NID and
- 'EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2)' to get SM2 computations.
- However, they still can, that EVP_PKEY_set_alias_type() call acts as
- a no-op when the EVP_PKEY is already of the given type.
-
- Parameter and key generation is also reworked to make it possible
- to generate EVP_PKEY_SM2 parameters and keys without having to go
- through EVP_PKEY_EC generation and then change the EVP_PKEY type.
- However, code that does the latter will still work as before.
- [Richard Levitte]
-
- *) Deprecated low level ECDH and ECDSA functions. These include:
-
- ECDH_compute_key, ECDSA_do_sign, ECDSA_do_sign_ex, ECDSA_do_verify,
- ECDSA_sign_setup, ECDSA_sign, ECDSA_sign_ex, ECDSA_verify and
- ECDSA_size.
-
- Use of these low level functions has been informally discouraged for a long
- time. Instead applications should use the EVP_PKEY_derive(3),
- EVP_DigestSign(3) and EVP_DigestVerify(3) functions.
- [Paul Dale]
-
- *) Deprecated the EC_KEY_METHOD functions. These include:
-
- EC_KEY_METHOD_new, EC_KEY_METHOD_free, EC_KEY_METHOD_set_init,
- EC_KEY_METHOD_set_keygen, EC_KEY_METHOD_set_compute_key,
- EC_KEY_METHOD_set_sign, EC_KEY_METHOD_set_verify,
- EC_KEY_METHOD_get_init, EC_KEY_METHOD_get_keygen,
- EC_KEY_METHOD_get_compute_key, EC_KEY_METHOD_get_sign and
- EC_KEY_METHOD_get_verify.
-
- Instead applications and extension writers should use the OSSL_PROVIDER
- APIs.
- [Paul Dale]
-
- *) Deprecated EVP_PKEY_decrypt_old(), please use EVP_PKEY_decrypt_init()
- and EVP_PKEY_decrypt() instead.
- Deprecated EVP_PKEY_encrypt_old(), please use EVP_PKEY_encrypt_init()
- and EVP_PKEY_encrypt() instead.
- [Richard Levitte]
-
- *) Enhanced the documentation of EVP_PKEY_size(), EVP_PKEY_bits()
- and EVP_PKEY_security_bits(). Especially EVP_PKEY_size() needed
- a new formulation to include all the things it can be used for,
- as well as words of caution.
- [Richard Levitte]
-
- *) The SSL_CTX_set_tlsext_ticket_key_cb(3) function has been deprecated.
- Instead used the new SSL_CTX_set_tlsext_ticket_key_evp_cb(3) function.
- [Paul Dale]
-
- *) All of the low level HMAC functions have been deprecated including:
- HMAC, HMAC_size, HMAC_CTX_new, HMAC_CTX_reset, HMAC_CTX_free,
- HMAC_Init_ex, HMAC_Update, HMAC_Final, HMAC_CTX_copy, HMAC_CTX_set_flags
- and HMAC_CTX_get_md.
- Use of these low level functions has been informally discouraged for a long
- time. Instead applications should use L<EVP_MAC_CTX_new(3)>,
- L<EVP_MAC_CTX_free(3)>, L<EVP_MAC_init(3)>, L<EVP_MAC_update(3)>
- and L<EVP_MAC_final(3)>.
- [Paul Dale]
-
- *) All of the low level CMAC functions have been deprecated including:
- CMAC_CTX_new, CMAC_CTX_cleanup, CMAC_CTX_free, CMAC_CTX_get0_cipher_ctx,
- CMAC_CTX_copy, CMAC_Init, CMAC_Update, CMAC_Final and CMAC_resume.
- Use of these low level functions has been informally discouraged for a long
- time. Instead applications should use L<EVP_MAC_CTX_new(3)>,
- L<EVP_MAC_CTX_free(3)>, L<EVP_MAC_init(3)>, L<EVP_MAC_update(3)>
- and L<EVP_MAC_final(3)>.
- [Paul Dale]
-
- *) Over two thousand fixes were made to the documentation, including:
- - Common options (such as -rand/-writerand, TLS version control, etc)
- were refactored and point to newly-enhanced descriptions in openssl.pod.
- - Added style conformance for all options (with help from Richard Levitte),
- documented all reported missing options, added a CI build to check
- that all options are documented and that no unimplemented options
- are documented.
- - Documented some internals, such as all use of environment variables.
- - Addressed all internal broken L<> references.
- [Rich Salz]
-
- *) All of the low level MD2, MD4, MD5, MDC2, RIPEMD160, SHA1, SHA224, SHA256,
- SHA384, SHA512 and Whirlpool digest functions have been deprecated.
- These include:
-
- MD2, MD2_options, MD2_Init, MD2_Update, MD2_Final, MD4, MD4_Init,
- MD4_Update, MD4_Final, MD4_Transform, MD5, MD5_Init, MD5_Update,
- MD5_Final, MD5_Transform, MDC2, MDC2_Init, MDC2_Update, MDC2_Final,
- RIPEMD160, RIPEMD160_Init, RIPEMD160_Update, RIPEMD160_Final,
- RIPEMD160_Transform, SHA1_Init, SHA1_Update, SHA1_Final, SHA1_Transform,
- SHA224_Init, SHA224_Update, SHA224_Final, SHA224_Transform, SHA256_Init,
- SHA256_Update, SHA256_Final, SHA256_Transform, SHA384, SHA384_Init,
- SHA384_Update, SHA384_Final, SHA512, SHA512_Init, SHA512_Update,
- SHA512_Final, SHA512_Transform, WHIRLPOOL, WHIRLPOOL_Init,
- WHIRLPOOL_Update, WHIRLPOOL_BitUpdate and WHIRLPOOL_Final.
-
- Use of these low level functions has been informally discouraged
- for a long time. Applications should use the EVP_DigestInit_ex(3),
- EVP_DigestUpdate(3) and EVP_DigestFinal_ex(3) functions instead.
- [Paul Dale]
-
- *) Corrected the documentation of the return values from the EVP_DigestSign*
- set of functions. The documentation mentioned negative values for some
- errors, but this was never the case, so the mention of negative values
- was removed.
-
- Code that followed the documentation and thereby check with something
- like 'EVP_DigestSignInit(...) <= 0' will continue to work undisturbed.
- [Richard Levitte]
-
- *) All of the low level cipher functions have been deprecated including:
-
- AES_options, AES_set_encrypt_key, AES_set_decrypt_key, AES_encrypt,
- AES_decrypt, AES_ecb_encrypt, AES_cbc_encrypt, AES_cfb128_encrypt,
- AES_cfb1_encrypt, AES_cfb8_encrypt, AES_ofb128_encrypt,
- AES_wrap_key, AES_unwrap_key, BF_set_key, BF_encrypt, BF_decrypt,
- BF_ecb_encrypt, BF_cbc_encrypt, BF_cfb64_encrypt, BF_ofb64_encrypt,
- BF_options, Camellia_set_key, Camellia_encrypt, Camellia_decrypt,
- Camellia_ecb_encrypt, Camellia_cbc_encrypt, Camellia_cfb128_encrypt,
- Camellia_cfb1_encrypt, Camellia_cfb8_encrypt, Camellia_ofb128_encrypt,
- Camellia_ctr128_encrypt, CAST_set_key, CAST_encrypt, CAST_decrypt,
- CAST_ecb_encrypt, CAST_cbc_encrypt, CAST_cfb64_encrypt,
- CAST_ofb64_encrypt, DES_options, DES_encrypt1, DES_encrypt2,
- DES_encrypt3, DES_decrypt3, DES_cbc_encrypt, DES_ncbc_encrypt,
- DES_pcbc_encrypt, DES_xcbc_encrypt, DES_cfb_encrypt, DES_cfb64_encrypt,
- DES_ecb_encrypt, DES_ofb_encrypt, DES_ofb64_encrypt, DES_random_key,
- DES_set_odd_parity, DES_check_key_parity, DES_is_weak_key, DES_set_key,
- DES_key_sched, DES_set_key_checked, DES_set_key_unchecked,
- DES_string_to_key, DES_string_to_2keys, DES_fixup_key_parity,
- DES_ecb2_encrypt, DES_ede2_cbc_encrypt, DES_ede2_cfb64_encrypt,
- DES_ede2_ofb64_encrypt, DES_ecb3_encrypt, DES_ede3_cbc_encrypt,
- DES_ede3_cfb64_encrypt, DES_ede3_cfb_encrypt, DES_ede3_ofb64_encrypt,
- DES_cbc_cksum, DES_quad_cksum, IDEA_encrypt, IDEA_options,
- IDEA_ecb_encrypt, IDEA_set_encrypt_key, IDEA_set_decrypt_key,
- IDEA_cbc_encrypt, IDEA_cfb64_encrypt, IDEA_ofb64_encrypt, RC2_set_key,
- RC2_encrypt, RC2_decrypt, RC2_ecb_encrypt, RC2_cbc_encrypt,
- RC2_cfb64_encrypt, RC2_ofb64_encrypt, RC4, RC4_options, RC4_set_key,
- RC5_32_set_key, RC5_32_encrypt, RC5_32_decrypt, RC5_32_ecb_encrypt,
- RC5_32_cbc_encrypt, RC5_32_cfb64_encrypt, RC5_32_ofb64_encrypt,
- SEED_set_key, SEED_encrypt, SEED_decrypt, SEED_ecb_encrypt,
- SEED_cbc_encrypt, SEED_cfb128_encrypt and SEED_ofb128_encrypt.
-
- Use of these low level functions has been informally discouraged for
- a long time. Applications should use the high level EVP APIs, e.g.
- EVP_EncryptInit_ex, EVP_EncryptUpdate, EVP_EncryptFinal_ex, and the
- equivalently named decrypt functions instead.
- [Matt Caswell and Paul Dale]
-
- *) Removed include/openssl/opensslconf.h.in and replaced it with
- include/openssl/configuration.h.in, which differs in not including
- <openssl/macros.h>. A short header include/openssl/opensslconf.h
- was added to include both.
-
- This allows internal hacks where one might need to modify the set
- of configured macros, for example this if deprecated symbols are
- still supposed to be available internally:
-
- #include <openssl/configuration.h>
-
- #undef OPENSSL_NO_DEPRECATED
- #define OPENSSL_SUPPRESS_DEPRECATED
-
- #include <openssl/macros.h>
-
- This should not be used by applications that use the exported
- symbols, as that will lead to linking errors.
- [Richard Levitte]
-
- *) Fixed an an overflow bug in the x64_64 Montgomery squaring procedure
- used in exponentiation with 512-bit moduli. No EC algorithms are
- affected. Analysis suggests that attacks against 2-prime RSA1024,
- 3-prime RSA1536, and DSA1024 as a result of this defect would be very
- difficult to perform and are not believed likely. Attacks against DH512
- are considered just feasible. However, for an attack the target would
- have to re-use the DH512 private key, which is not recommended anyway.
- Also applications directly using the low level API BN_mod_exp may be
- affected if they use BN_FLG_CONSTTIME.
- (CVE-2019-1551)
- [Andy Polyakov]
-
- *) Most memory-debug features have been deprecated, and the functionality
- replaced with no-ops.
- [Rich Salz]
-
- *) Introduced a new method type and API, OSSL_SERIALIZER, to
- represent generic serializers. An implementation is expected to
- be able to serialize an object associated with a given name (such
- as an algorithm name for an asymmetric key) into forms given by
- implementation properties.
-
- Serializers are primarily used from inside libcrypto, through
- calls to functions like EVP_PKEY_print_private(),
- PEM_write_bio_PrivateKey() and similar.
-
- Serializers are specified in such a way that they can be made to
- directly handle the provider side portion of an object, if this
- provider side part comes from the same provider as the serializer
- itself, but can also be made to handle objects in parametrized
- form (as an OSSL_PARAM array of data). This allows a provider to
- offer generic serializers as a service for any other provider.
- [Richard Levitte]
-
- *) Added a .pragma directive to the syntax of configuration files, to
- allow varying behavior in a supported and predictable manner.
- Currently added pragma:
-
- .pragma dollarid:on
-
- This allows dollar signs to be a keyword character unless it's
- followed by a opening brace or parenthesis. This is useful for
- platforms where dollar signs are commonly used in names, such as
- volume names and system directory names on VMS.
- [Richard Levitte]
-
- *) Added functionality to create an EVP_PKEY from user data. This
- is effectively the same as creating a RSA, DH or DSA object and
- then assigning them to an EVP_PKEY, but directly using algorithm
- agnostic EVP functions. A benefit is that this should be future
- proof for public key algorithms to come.
- [Richard Levitte]
-
- *) Change the interpretation of the '--api' configuration option to
- mean that this is a desired API compatibility level with no
- further meaning. The previous interpretation, that this would
- also mean to remove all deprecated symbols up to and including
- the given version, no requires that 'no-deprecated' is also used
- in the configuration.
-
- When building applications, the desired API compatibility level
- can be set with the OPENSSL_API_COMPAT macro like before. For
- API compatibility version below 3.0, the old style numerical
- value is valid as before, such as -DOPENSSL_API_COMPAT=0x10100000L.
- For version 3.0 and on, the value is expected to be the decimal
- value calculated from the major and minor version like this:
-
- MAJOR * 10000 + MINOR * 100
-
- Examples:
-
- -DOPENSSL_API_COMPAT=30000 For 3.0
- -DOPENSSL_API_COMPAT=30200 For 3.2
-
- To hide declarations that are deprecated up to and including the
- given API compatibility level, -DOPENSSL_NO_DEPRECATED must be
- given when building the application as well.
- [Richard Levitte]
-
- *) Added the X509_LOOKUP_METHOD called X509_LOOKUP_store, to allow
- access to certificate and CRL stores via URIs and OSSL_STORE
- loaders.
-
- This adds the following functions:
-
- X509_LOOKUP_store()
- X509_STORE_load_file()
- X509_STORE_load_path()
- X509_STORE_load_store()
- SSL_add_store_cert_subjects_to_stack()
- SSL_CTX_set_default_verify_store()
- SSL_CTX_load_verify_file()
- SSL_CTX_load_verify_dir()
- SSL_CTX_load_verify_store()
-
- Also, the following functions are now deprecated:
-
- - X509_STORE_load_locations() (use X509_STORE_load_file(),
- X509_STORE_load_path() or X509_STORE_load_store() instead)
- - SSL_CTX_load_verify_locations() (use SSL_CTX_load_verify_file(),
- SSL_CTX_load_verify_dir() or SSL_CTX_load_verify_store() instead)
- [Richard Levitte]
-
- *) Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY.
- The presence of this system service is determined at run-time.
- [Richard Levitte]
-
- *) Added functionality to create an EVP_PKEY context based on data
- for methods from providers. This takes an algorithm name and a
- property query string and simply stores them, with the intent
- that any operation that uses this context will use those strings
- to fetch the needed methods implicitly, thereby making the port
- of application written for pre-3.0 OpenSSL easier.
- [Richard Levitte]
-
- *) The undocumented function NCONF_WIN32() has been deprecated; for
- conversion details see the HISTORY section of doc/man5/config.pod
- [Rich Salz]
-
- *) Introduced the new functions EVP_DigestSignInit_ex() and
- EVP_DigestVerifyInit_ex(). The macros EVP_DigestSignUpdate() and
- EVP_DigestVerifyUpdate() have been converted to functions. See the man
- pages for further details.
- [Matt Caswell]
-
- *) s390x assembly pack: add hardware-support for P-256, P-384, P-521,
- X25519, X448, Ed25519 and Ed448.
- [Patrick Steuer]
-
- *) Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just
- the first value.
- [Jon Spillett]
-
- *) Deprecated the public definition of ERR_STATE as well as the function
- ERR_get_state(). This is done in preparation of making ERR_STATE an
- opaque type.
- [Richard Levitte]
-
- *) Added ERR functionality to give callers access to the stored function
- names that have replaced the older function code based functions.
-
- New functions are ERR_get_error_func(), ERR_peek_error_func(),
- ERR_peek_last_error_func(), ERR_get_error_data(), ERR_peek_error_data(),
- ERR_peek_last_error_data(), ERR_get_error_all(), ERR_peek_error_all()
- and ERR_peek_last_error_all().
-
- These functions have become deprecated: ERR_get_error_line_data(),
- ERR_peek_error_line_data(), ERR_peek_last_error_line_data() and
- ERR_func_error_string().
- [Richard Levitte]
-
- *) Extended testing to be verbose for failing tests only. The make variables
- VERBOSE_FAILURE or VF can be used to enable this:
-
- $ make VF=1 test # Unix
- $ mms /macro=(VF=1) test ! OpenVMS
- $ nmake VF=1 test # Windows
-
- [Richard Levitte]
-
- *) For built-in EC curves, ensure an EC_GROUP built from the curve name is
- used even when parsing explicit parameters, when loading a serialized key
- or calling `EC_GROUP_new_from_ecpkparameters()`/
- `EC_GROUP_new_from_ecparameters()`.
- This prevents bypass of security hardening and performance gains,
- especially for curves with specialized EC_METHODs.
- By default, if a key encoded with explicit parameters is loaded and later
- serialized, the output is still encoded with explicit parameters, even if
- internally a "named" EC_GROUP is used for computation.
- [Nicola Tuveri]
-
- *) Compute ECC cofactors if not provided during EC_GROUP construction. Before
- this change, EC_GROUP_set_generator would accept order and/or cofactor as
- NULL. After this change, only the cofactor parameter can be NULL. It also
- does some minimal sanity checks on the passed order.
- (CVE-2019-1547)
- [Billy Bob Brumley]
-
- *) Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
- An attack is simple, if the first CMS_recipientInfo is valid but the
- second CMS_recipientInfo is chosen ciphertext. If the second
- recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
- encryption key will be replaced by garbage, and the message cannot be
- decoded, but if the RSA decryption fails, the correct encryption key is
- used and the recipient will not notice the attack.
- As a work around for this potential attack the length of the decrypted
- key must be equal to the cipher default key length, in case the
- certifiate is not given and all recipientInfo are tried out.
- The old behaviour can be re-enabled in the CMS code by setting the
- CMS_DEBUG_DECRYPT flag.
- [Bernd Edlinger]
-
- *) Early start up entropy quality from the DEVRANDOM seed source has been
- improved for older Linux systems. The RAND subsystem will wait for
- /dev/random to be producing output before seeding from /dev/urandom.
- The seeded state is stored for future library initialisations using
- a system global shared memory segment. The shared memory identifier
- can be configured by defining OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID to
- the desired value. The default identifier is 114.
- [Paul Dale]
-
- *) Revised BN_generate_prime_ex to not avoid factors 2..17863 in p-1
- when primes for RSA keys are computed.
- Since we previously always generated primes == 2 (mod 3) for RSA keys,
- the 2-prime and 3-prime RSA modules were easy to distinguish, since
- N = p*q = 1 (mod 3), but N = p*q*r = 2 (mod 3). Therefore fingerprinting
- 2-prime vs. 3-prime RSA keys was possible by computing N mod 3.
- This avoids possible fingerprinting of newly generated RSA modules.
- [Bernd Edlinger]
-
- *) Correct the extended master secret constant on EBCDIC systems. Without this
- fix TLS connections between an EBCDIC system and a non-EBCDIC system that
- negotiate EMS will fail. Unfortunately this also means that TLS connections
- between EBCDIC systems with this fix, and EBCDIC systems without this
- fix will fail if they negotiate EMS.
- [Matt Caswell]
-
- *) Changed the library initialisation so that the config file is now loaded
- by default. This was already the case for libssl. It now occurs for both
- libcrypto and libssl. Use the OPENSSL_INIT_NO_LOAD_CONFIG option to
- OPENSSL_init_crypto() to suppress automatic loading of a config file.
- [Matt Caswell]
-
- *) Introduced new error raising macros, ERR_raise() and ERR_raise_data(),
- where the former acts as a replacement for ERR_put_error(), and the
- latter replaces the combination ERR_put_error()+ERR_add_error_data().
- ERR_raise_data() adds more flexibility by taking a format string and
- an arbitrary number of arguments following it, to be processed with
- BIO_snprintf().
- [Richard Levitte]
-
- *) Introduced a new function, OSSL_PROVIDER_available(), which can be used
- to check if a named provider is loaded and available. When called, it
- will also activate all fallback providers if such are still present.
- [Richard Levitte]
-
- *) Enforce a minimum DH modulus size of 512 bits.
- [Bernd Edlinger]
-
- *) Changed DH parameters to generate the order q subgroup instead of 2q.
- Previously generated DH parameters are still accepted by DH_check
- but DH_generate_key works around that by clearing bit 0 of the
- private key for those. This avoids leaking bit 0 of the private key.
- [Bernd Edlinger]
-
- *) Significantly reduce secure memory usage by the randomness pools.
- [Paul Dale]
-
- *) {CRYPTO,OPENSSL}_mem_debug_{push,pop} are now no-ops and have been
- deprecated.
- [Rich Salz]
-
- *) A new type, EVP_KEYEXCH, has been introduced to represent key exchange
- algorithms. An implementation of a key exchange algorithm can be obtained
- by using the function EVP_KEYEXCH_fetch(). An EVP_KEYEXCH algorithm can be
- used in a call to EVP_PKEY_derive_init_ex() which works in a similar way to
- the older EVP_PKEY_derive_init() function. See the man pages for the new
- functions for further details.
- [Matt Caswell]
-
- *) The EVP_PKEY_CTX_set_dh_pad() macro has now been converted to a function.
- [Matt Caswell]
-
- *) Removed the function names from error messages and deprecated the
- xxx_F_xxx define's.
-
- *) Removed NextStep support and the macro OPENSSL_UNISTD
- [Rich Salz]
-
- *) Removed DES_check_key. Also removed OPENSSL_IMPLEMENT_GLOBAL,
- OPENSSL_GLOBAL_REF, OPENSSL_DECLARE_GLOBAL.
- Also removed "export var as function" capability; we do not export
- variables, only functions.
- [Rich Salz]
-
- *) RC5_32_set_key has been changed to return an int type, with 0 indicating
- an error and 1 indicating success. In previous versions of OpenSSL this
- was a void type. If a key was set longer than the maximum possible this
- would crash.
- [Matt Caswell]
-
- *) Support SM2 signing and verification schemes with X509 certificate.
- [Paul Yang]
-
- *) Use SHA256 as the default digest for TS query in the ts app.
- [Tomas Mraz]
-
- *) Change PBKDF2 to conform to SP800-132 instead of the older PKCS5 RFC2898.
- This checks that the salt length is at least 128 bits, the derived key
- length is at least 112 bits, and that the iteration count is at least 1000.
- For backwards compatibility these checks are disabled by default in the
- default provider, but are enabled by default in the fips provider.
- To enable or disable these checks use the control
- EVP_KDF_CTRL_SET_PBKDF2_PKCS5_MODE.
- [Shane Lontis]
-
- *) Default cipher lists/suites are now available via a function, the
- #defines are deprecated.
- [Todd Short]
-
- *) Add target VC-WIN32-UWP, VC-WIN64A-UWP, VC-WIN32-ARM-UWP and
- VC-WIN64-ARM-UWP in Windows OneCore target for making building libraries
- for Windows Store apps easier. Also, the "no-uplink" option has been added.
- [Kenji Mouri]
-
- *) Join the directories crypto/x509 and crypto/x509v3
- [Richard Levitte]
-
- *) Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
- This changes the size when using the genpkey app when no size is given. It
- fixes an omission in earlier changes that changed all RSA, DSA and DH
- generation apps to use 2048 bits by default.
- [Kurt Roeckx]
-
- *) Added command 'openssl kdf' that uses the EVP_KDF API.
- [Shane Lontis]
-
- *) Added command 'openssl mac' that uses the EVP_MAC API.
- [Shane Lontis]
-
- *) Added OPENSSL_info() to get diverse built-in OpenSSL data, such
- as default directories. Also added the command 'openssl info'
- for scripting purposes.
- [Richard Levitte]
-
- *) The functions AES_ige_encrypt() and AES_bi_ige_encrypt() have been
- deprecated. These undocumented functions were never integrated into the EVP
- layer and implement the AES Infinite Garble Extension (IGE) mode and AES
- Bi-directional IGE mode. These modes were never formally standardised and
- usage of these functions is believed to be very small. In particular
- AES_bi_ige_encrypt() has a known bug. It accepts 2 AES keys, but only one
- is ever used. The security implications are believed to be minimal, but
- this issue was never fixed for backwards compatibility reasons. New code
- should not use these modes.
- [Matt Caswell]
-
- *) Add prediction resistance to the DRBG reseeding process.
- [Paul Dale]
-
- *) Limit the number of blocks in a data unit for AES-XTS to 2^20 as
- mandated by IEEE Std 1619-2018.
- [Paul Dale]
-
- *) Added newline escaping functionality to a filename when using openssl dgst.
- This output format is to replicate the output format found in the '*sum'
- checksum programs. This aims to preserve backward compatibility.
- [Matt Eaton, Richard Levitte, and Paul Dale]
-
- *) Removed the heartbeat message in DTLS feature, as it has very
- little usage and doesn't seem to fulfill a valuable purpose.
- The configuration option is now deprecated.
- [Richard Levitte]
-
- *) Changed the output of 'openssl {digestname} < file' to display the
- digest name in its output.
- [Richard Levitte]
-
- *) Added a new generic trace API which provides support for enabling
- instrumentation through trace output. This feature is mainly intended
- as an aid for developers and is disabled by default. To utilize it,
- OpenSSL needs to be configured with the `enable-trace` option.
-
- If the tracing API is enabled, the application can activate trace output
- by registering BIOs as trace channels for a number of tracing and debugging
- categories.
-
- The 'openssl' application has been expanded to enable any of the types
- available via environment variables defined by the user, and serves as
- one possible example on how to use this functionality.
- [Richard Levitte & Matthias St. Pierre]
-
- *) Added build tests for C++. These are generated files that only do one
- thing, to include one public OpenSSL head file each. This tests that
- the public header files can be usefully included in a C++ application.
-
- This test isn't enabled by default. It can be enabled with the option
- 'enable-buildtest-c++'.
- [Richard Levitte]
-
- *) Add Single Step KDF (EVP_KDF_SS) to EVP_KDF.
- [Shane Lontis]
-
- *) Add KMAC to EVP_MAC.
- [Shane Lontis]
-
- *) Added property based algorithm implementation selection framework to
- the core.
- [Paul Dale]
-
- *) Added SCA hardening for modular field inversion in EC_GROUP through
- a new dedicated field_inv() pointer in EC_METHOD.
- This also addresses a leakage affecting conversions from projective
- to affine coordinates.
- [Billy Bob Brumley, Nicola Tuveri]
-
- *) Added EVP_KDF, an EVP layer KDF API, to simplify adding KDF and PRF
- implementations. This includes an EVP_PKEY to EVP_KDF bridge for
- those algorithms that were already supported through the EVP_PKEY API
- (scrypt, TLS1 PRF and HKDF). The low-level KDF functions for PBKDF2
- and scrypt are now wrappers that call EVP_KDF.
- [David Makepeace]
-
- *) Build devcrypto engine as a dynamic engine.
- [Eneas U de Queiroz]
-
- *) Add keyed BLAKE2 to EVP_MAC.
- [Antoine Salon]
-
- *) Fix a bug in the computation of the endpoint-pair shared secret used
- by DTLS over SCTP. This breaks interoperability with older versions
- of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2. There is a runtime
- switch SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG (off by default) enabling
- interoperability with such broken implementations. However, enabling
- this switch breaks interoperability with correct implementations.
-
- *) Fix a use after free bug in d2i_X509_PUBKEY when overwriting a
- re-used X509_PUBKEY object if the second PUBKEY is malformed.
- [Bernd Edlinger]
-
- *) Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().
- [Richard Levitte]
-
- *) Change the license to the Apache License v2.0.
- [Richard Levitte]
-
- *) Switch to a new version scheme using three numbers MAJOR.MINOR.PATCH.
-
- o Major releases (indicated by incrementing the MAJOR release number)
- may introduce incompatible API/ABI changes.
- o Minor releases (indicated by incrementing the MINOR release number)
- may introduce new features but retain API/ABI compatibility.
- o Patch releases (indicated by incrementing the PATCH number)
- are intended for bug fixes and other improvements of existing
- features only (like improving performance or adding documentation)
- and retain API/ABI compatibility.
- [Richard Levitte]
-
- *) Add support for RFC5297 SIV mode (siv128), including AES-SIV.
- [Todd Short]
-
- *) Remove the 'dist' target and add a tarball building script. The
- 'dist' target has fallen out of use, and it shouldn't be
- necessary to configure just to create a source distribution.
- [Rich
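Review bot: the hunk header `@@ -1,13926 +1,15715 @@` shows a whole-file replacement, so the entries with security impact (the CVE-2019-1551 Montgomery squaring fix, the CVE-2019-1547 cofactor change, the PKCS7/CMS padding oracle fix) cannot be checked line by line for accidental edits; please review the conversion with a whitespace-insensitive word diff (`git diff -w --word-diff`) or a scripted comparison of the stripped text before and after, and mention in the commit message that only formatting changed. Several defects in the removed text should not be carried over verbatim: "Fixed an an overflow bug in the x64_64 Montgomery squaring" (doubled "an"; the architecture is x86_64), "no requires that 'no-deprecated' is also used" should read "now requires", "Instead used the new SSL_CTX_set_tlsext_ticket_key_evp_cb(3)" should read "Instead use", "certifiate" should be "certificate", "followed by a opening brace" should be "an opening brace", and "RSA modules" (twice in the BN_generate_prime_ex entry) should be "RSA moduli". Two entries have no author attribution where every other entry ends in a `[Name]` line: "Removed the function names from error messages and deprecated the xxx_F_xxx define's" and the DTLS over SCTP endpoint-pair shared secret fix. Finally, the POD-style `L<EVP_PKEY_encrypt_init(3)>` link syntax used in the deprecation entries should become Markdown links, and the indented `#include <openssl/configuration.h>` / `#undef` / `#define` block and the `$ make VF=1 test` command lines should be fenced so they render as code rather than as running text.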