author: Dr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> 2019-12-03 18:32:21 +0100
committer: Dr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> 2020-02-26 21:06:17 +0100
commit: 44652c1637402fffa1babcbdb4c17b287396fd69
tree: 63439eb679c7bf8936318a51eeadd66fa1f03b2f /CHANGES.md
parent: 4477beacc4104335642fd99bd421592a9c07af21
doc: add missing CHANGES entries for all versions >= 1.0.0
Up to now, CHANGES entries for older releases were only added to the corresponding stable branches, so they were missing in the master branch. This commit adds the missing entries, taking them from the respective stable branches.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10545)
Diffstat (limited to 'CHANGES.md')
-rw-r--r-- CHANGES.md 2969
1 files changed, 2787 insertions, 182 deletions
diff --git a/CHANGES.md b/CHANGES.md
index dcc89f090e..af42a38474 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,4 +1,3 @@
-
OpenSSL CHANGES
===============
@@ -8,49 +7,344 @@ pick the appropriate release branch.
[log]: https://github.com/openssl/openssl/commits/
-### Changes between 1.1.1 and 3.0.0 [xx XXX xxxx] ###
+
+OpenSSL Releases
+----------------
+
+ - [OpenSSL 3.0](#openssl-30)
+ - [OpenSSL 1.1.1](#openssl-111)
+ - [OpenSSL 1.1.0](#openssl-110)
+ - [OpenSSL 1.0.2](#openssl-102)
+ - [OpenSSL 1.0.1](#openssl-101)
+ - [OpenSSL 1.0.0](#openssl-100)
+ - [OpenSSL 0.9.x](#openssl-09x)
+
+OpenSSL 3.0
+-----------
+
+### Changes between 1.1.1 and 3.0 [xx XXX xxxx] ###
+
+ * The test suite is changed to preserve results of each test recipe.
+ A new directory test-runs/ with subdirectories named like the
+ test recipes are created in the build tree for this purpose.
+
+ *Richard Levitte*
+
+ * The command line utilities ecparam and ec have been deprecated. Instead
+ use the pkeyparam, pkey and genpkey programs.
+
+ *Paul Dale*
+
+ * All of the low level RSA functions have been deprecated including:
+
+ RSA_new_method, RSA_bits, RSA_size, RSA_security_bits,
+ RSA_get0_pss_params, RSA_get_version, RSA_get0_engine,
+ RSA_generate_key_ex, RSA_generate_multi_prime_key,
+ RSA_X931_derive_ex, RSA_X931_generate_key_ex, RSA_check_key,
+ RSA_check_key_ex, RSA_public_encrypt, RSA_private_encrypt,
+ RSA_public_decrypt, RSA_private_decrypt, RSA_set_default_method,
+ RSA_get_default_method, RSA_null_method, RSA_get_method, RSA_set_method,
+ RSA_PKCS1_OpenSSL, RSA_print_fp, RSA_print, RSA_sign, RSA_verify,
+ RSA_sign_ASN1_OCTET_STRING, RSA_verify_ASN1_OCTET_STRING,
+ RSA_blinding_on, RSA_blinding_off, RSA_setup_blinding,
+ RSA_padding_add_PKCS1_type_1, RSA_padding_check_PKCS1_type_1,
+ RSA_padding_add_PKCS1_type_2, RSA_padding_check_PKCS1_type_2,
+ PKCS1_MGF1, RSA_padding_add_PKCS1_OAEP, RSA_padding_check_PKCS1_OAEP,
+ RSA_padding_add_PKCS1_OAEP_mgf1, RSA_padding_check_PKCS1_OAEP_mgf1,
+ RSA_padding_add_SSLv23, RSA_padding_check_SSLv23,
+ RSA_padding_add_none, RSA_padding_check_none, RSA_padding_add_X931,
+ RSA_padding_check_X931, RSA_X931_hash_id, RSA_verify_PKCS1_PSS,
+ RSA_padding_add_PKCS1_PSS, RSA_verify_PKCS1_PSS_mgf1,
+ RSA_padding_add_PKCS1_PSS_mgf1, RSA_set_ex_data, RSA_get_ex_data,
+ RSA_meth_new, RSA_meth_free, RSA_meth_dup, RSA_meth_get0_name,
+ RSA_meth_set1_name, RSA_meth_get_flags, RSA_meth_set_flags,
+ RSA_meth_get0_app_data, RSA_meth_set0_app_data, RSA_meth_get_pub_enc,
+ RSA_meth_set_pub_enc, RSA_meth_get_pub_dec, RSA_meth_set_pub_dec,
+ RSA_meth_get_priv_enc, RSA_meth_set_priv_enc, RSA_meth_get_priv_dec,
+ RSA_meth_set_priv_dec, RSA_meth_get_mod_exp, RSA_meth_set_mod_exp,
+ RSA_meth_get_bn_mod_exp, RSA_meth_set_bn_mod_exp, RSA_meth_get_init,
+ RSA_meth_set_init, RSA_meth_get_finish, RSA_meth_set_finish,
+ RSA_meth_get_sign, RSA_meth_set_sign, RSA_meth_get_verify,
+ RSA_meth_set_verify, RSA_meth_get_keygen, RSA_meth_set_keygen,
+ RSA_meth_get_multi_prime_keygen and RSA_meth_set_multi_prime_keygen.
+
+ Use of these low level functions has been informally discouraged for a long
+ time. Instead applications should use L<EVP_PKEY_encrypt_init(3)>,
+ L<EVP_PKEY_encrypt(3)>, L<EVP_PKEY_decrypt_init(3)> and
+ L<EVP_PKEY_decrypt(3)>.
+
+ *Paul Dale*
+
+ * X509 certificates signed using SHA1 are no longer allowed at security
+ level 1 and above.
+ In TLS/SSL the default security level is 1. It can be set either
+ using the cipher string with @SECLEVEL, or calling
+ SSL_CTX_set_security_level(). If the leaf certificate is signed with SHA-1,
+ a call to SSL_CTX_use_certificate() will fail if the security level is not
+ lowered first.
+ Outside TLS/SSL, the default security level is -1 (effectively 0). It can
+ be set using X509_VERIFY_PARAM_set_auth_level() or using the -auth_level
+ options of the apps.
+
+ *Kurt Roeckx*
+
+ * The command line utilities dhparam, dsa, gendsa and dsaparam have been
+ deprecated. Instead use the pkeyparam, pkey, genpkey and pkeyparam
+ programs respectively.
+
+ *Paul Dale*
+
+ * All of the low level DH functions have been deprecated including:
+
+ DH_OpenSSL, DH_set_default_method, DH_get_default_method, DH_set_method,
+ DH_new_method, DH_bits, DH_size, DH_security_bits, DH_get_ex_new_index,
+ DH_set_ex_data, DH_get_ex_data, DH_generate_parameters_ex,
+ DH_check_params_ex, DH_check_ex, DH_check_pub_key_ex,
+ DH_check, DH_check_pub_key, DH_generate_key, DH_compute_key,
+ DH_compute_key_padded, DHparams_print_fp, DHparams_print, DH_get_nid,
+ DH_KDF_X9_42, DH_get0_engine, DH_get_length, DH_set_length, DH_meth_new,
+ DH_meth_free, DH_meth_dup, DH_meth_get0_name, DH_meth_set1_name,
+ DH_meth_get_flags, DH_meth_set_flags, DH_meth_get0_app_data,
+ DH_meth_set0_app_data, DH_meth_get_generate_key,
+ DH_meth_set_generate_key, DH_meth_get_compute_key,
+ DH_meth_set_compute_key, DH_meth_get_bn_mod_exp,
+ DH_meth_set_bn_mod_exp, DH_meth_get_init, DH_meth_set_init,
+ DH_meth_get_finish, DH_meth_set_finish, DH_meth_get_generate_params
+ and DH_meth_set_generate_params.
+
+ Use of these low level functions has been informally discouraged for a long
+ time. Instead applications should use L<EVP_PKEY_derive_init(3)>
+ and L<EVP_PKEY_derive(3)>.
+
+ *Paul Dale*
+
+ * All of the low level DSA functions have been deprecated including:
+
+ DSA_do_sign, DSA_do_verify, DSA_OpenSSL, DSA_set_default_method,
+ DSA_get_default_method, DSA_set_method, DSA_get_method, DSA_new_method,
+ DSA_sign_setup, DSA_sign, DSA_verify, DSA_get_ex_new_index,
+ DSA_set_ex_data, DSA_get_ex_data, DSA_generate_parameters_ex,
+ DSA_generate_key, DSA_meth_new, DSA_get0_engine, DSA_meth_free,
+ DSA_meth_dup, DSA_meth_get0_name, DSA_meth_set1_name, DSA_meth_get_flags,
+ DSA_meth_set_flags, DSA_meth_get0_app_data, DSA_meth_set0_app_data,
+ DSA_meth_get_sign, DSA_meth_set_sign, DSA_meth_get_sign_setup,
+ DSA_meth_set_sign_setup, DSA_meth_get_verify, DSA_meth_set_verify,
+ DSA_meth_get_mod_exp, DSA_meth_set_mod_exp, DSA_meth_get_bn_mod_exp,
+ DSA_meth_set_bn_mod_exp, DSA_meth_get_init, DSA_meth_set_init,
+ DSA_meth_get_finish, DSA_meth_set_finish, DSA_meth_get_paramgen,
+ DSA_meth_set_paramgen, DSA_meth_get_keygen and DSA_meth_set_keygen.
+
+ Use of these low level functions has been informally discouraged for a long
+ time. Instead applications should use L<EVP_DigestSignInit_ex(3)>,
+ L<EVP_DigestSignUpdate(3)> and L<EVP_DigestSignFinal(3)>.
+
+ *Paul Dale*
+
+ * Reworked the treatment of EC EVP_PKEYs with the SM2 curve to
+ automatically become EVP_PKEY_SM2 rather than EVP_PKEY_EC.
+ This means that applications don't have to look at the curve NID and
+ `EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2)` to get SM2 computations.
+ However, they still can, that EVP_PKEY_set_alias_type() call acts as
+ a no-op when the EVP_PKEY is already of the given type.
+
+ Parameter and key generation is also reworked to make it possible
+ to generate EVP_PKEY_SM2 parameters and keys without having to go
+ through EVP_PKEY_EC generation and then change the EVP_PKEY type.
+ However, code that does the latter will still work as before.
+
+ *Richard Levitte*
+
+ * Deprecated low level ECDH and ECDSA functions. These include:
+
+ ECDH_compute_key, ECDSA_do_sign, ECDSA_do_sign_ex, ECDSA_do_verify,
+ ECDSA_sign_setup, ECDSA_sign, ECDSA_sign_ex, ECDSA_verify and
+ ECDSA_size.
+
+ Use of these low level functions has been informally discouraged for a long
+ time. Instead applications should use the EVP_PKEY_derive(3),
+ EVP_DigestSign(3) and EVP_DigestVerify(3) functions.
+
+ *Paul Dale*
+
+ * Deprecated the EC_KEY_METHOD functions. These include:
+
+ EC_KEY_METHOD_new, EC_KEY_METHOD_free, EC_KEY_METHOD_set_init,
+ EC_KEY_METHOD_set_keygen, EC_KEY_METHOD_set_compute_key,
+ EC_KEY_METHOD_set_sign, EC_KEY_METHOD_set_verify,
+ EC_KEY_METHOD_get_init, EC_KEY_METHOD_get_keygen,
+ EC_KEY_METHOD_get_compute_key, EC_KEY_METHOD_get_sign and
+ EC_KEY_METHOD_get_verify.
+
+ Instead applications and extension writers should use the OSSL_PROVIDER APIs.
+
+ *Paul Dale*
+
+ * Deprecated EVP_PKEY_decrypt_old(), please use EVP_PKEY_decrypt_init()
+ and EVP_PKEY_decrypt() instead.
+ Deprecated EVP_PKEY_encrypt_old(), please use EVP_PKEY_encrypt_init()
+ and EVP_PKEY_encrypt() instead.
+
+ *Richard Levitte*
+
+ * Enhanced the documentation of EVP_PKEY_size(), EVP_PKEY_bits()
+ and EVP_PKEY_security_bits(). Especially EVP_PKEY_size() needed
+ a new formulation to include all the things it can be used for,
+ as well as words of caution.
+
+ *Richard Levitte*
+
+ * The SSL_CTX_set_tlsext_ticket_key_cb(3) function has been deprecated.
+ Instead used the new SSL_CTX_set_tlsext_ticket_key_evp_cb(3) function.
+
+ *Paul Dale*
+
+ * All of the low level HMAC functions have been deprecated including:
+
+ HMAC, HMAC_size, HMAC_CTX_new, HMAC_CTX_reset, HMAC_CTX_free,
+ HMAC_Init_ex, HMAC_Update, HMAC_Final, HMAC_CTX_copy, HMAC_CTX_set_flags
+ and HMAC_CTX_get_md.
+
+ Use of these low level functions has been informally discouraged for a long
+ time. Instead applications should use L<EVP_MAC_CTX_new(3)>,
+ L<EVP_MAC_CTX_free(3)>, L<EVP_MAC_init(3)>, L<EVP_MAC_update(3)>
+ and L<EVP_MAC_final(3)>.
+
+ *Paul Dale*
+
+ * Over two thousand fixes were made to the documentation, including:
+ - Common options (such as -rand/-writerand, TLS version control, etc)
+ were refactored and point to newly-enhanced descriptions in openssl.pod.
+ - Added style conformance for all options (with help from Richard Levitte),
+ documented all reported missing options, added a CI build to check
+ that all options are documented and that no unimplemented options
+ are documented.
+ - Documented some internals, such as all use of environment variables.
+ - Addressed all internal broken L<> references.
+
+ *Rich Salz*
+
+ * All of the low level CMAC functions have been deprecated including:
+
+ CMAC_CTX_new, CMAC_CTX_cleanup, CMAC_CTX_free, CMAC_CTX_get0_cipher_ctx,
+ CMAC_CTX_copy, CMAC_Init, CMAC_Update, CMAC_Final and CMAC_resume.
+
+ Use of these low level functions has been informally discouraged for a long
+ time. Instead applications should use L<EVP_MAC_CTX_new(3)>,
+ L<EVP_MAC_CTX_free(3)>, L<EVP_MAC_init(3)>, L<EVP_MAC_update(3)>
+ and L<EVP_MAC_final(3)>.
+
+ *Paul Dale*
+
+ * All of the low level MD2, MD4, MD5, MDC2, RIPEMD160, SHA1, SHA224, SHA256,
+ SHA384, SHA512 and Whirlpool digest functions have been deprecated.
+ These include:
+
+ MD2, MD2_options, MD2_Init, MD2_Update, MD2_Final, MD4, MD4_Init,
+ MD4_Update, MD4_Final, MD4_Transform, MD5, MD5_Init, MD5_Update,
+ MD5_Final, MD5_Transform, MDC2, MDC2_Init, MDC2_Update, MDC2_Final,
+ RIPEMD160, RIPEMD160_Init, RIPEMD160_Update, RIPEMD160_Final,
+ RIPEMD160_Transform, SHA1_Init, SHA1_Update, SHA1_Final, SHA1_Transform,
+ SHA224_Init, SHA224_Update, SHA224_Final, SHA224_Transform, SHA256_Init,
+ SHA256_Update, SHA256_Final, SHA256_Transform, SHA384, SHA384_Init,
+ SHA384_Update, SHA384_Final, SHA512, SHA512_Init, SHA512_Update,
+ SHA512_Final, SHA512_Transform, WHIRLPOOL, WHIRLPOOL_Init,
+ WHIRLPOOL_Update, WHIRLPOOL_BitUpdate and WHIRLPOOL_Final.
+
+ Use of these low level functions has been informally discouraged
+ for a long time. Applications should use the EVP_DigestInit_ex(3),
+ EVP_DigestUpdate(3) and EVP_DigestFinal_ex(3) functions instead.
+
+ *Paul Dale*
+
+ * Corrected the documentation of the return values from the EVP_DigestSign*
+ set of functions. The documentation mentioned negative values for some
+ errors, but this was never the case, so the mention of negative values
+ was removed.
+
+ Code that followed the documentation and thereby check with something
+ like `EVP_DigestSignInit(...) <= 0` will continue to work undisturbed.
+
+ *Richard Levitte*
+
+ * All of the low level cipher functions have been deprecated including:
+
+ AES_options, AES_set_encrypt_key, AES_set_decrypt_key, AES_encrypt,
+ AES_decrypt, AES_ecb_encrypt, AES_cbc_encrypt, AES_cfb128_encrypt,
+ AES_cfb1_encrypt, AES_cfb8_encrypt, AES_ofb128_encrypt,
+ AES_wrap_key, AES_unwrap_key, BF_set_key, BF_encrypt, BF_decrypt,
+ BF_ecb_encrypt, BF_cbc_encrypt, BF_cfb64_encrypt, BF_ofb64_encrypt,
+ BF_options, Camellia_set_key, Camellia_encrypt, Camellia_decrypt,
+ Camellia_ecb_encrypt, Camellia_cbc_encrypt, Camellia_cfb128_encrypt,
+ Camellia_cfb1_encrypt, Camellia_cfb8_encrypt, Camellia_ofb128_encrypt,
+ Camellia_ctr128_encrypt, CAST_set_key, CAST_encrypt, CAST_decrypt,
+ CAST_ecb_encrypt, CAST_cbc_encrypt, CAST_cfb64_encrypt,
+ CAST_ofb64_encrypt, DES_options, DES_encrypt1, DES_encrypt2,
+ DES_encrypt3, DES_decrypt3, DES_cbc_encrypt, DES_ncbc_encrypt,
+ DES_pcbc_encrypt, DES_xcbc_encrypt, DES_cfb_encrypt, DES_cfb64_encrypt,
+ DES_ecb_encrypt, DES_ofb_encrypt, DES_ofb64_encrypt, DES_random_key,
+ DES_set_odd_parity, DES_check_key_parity, DES_is_weak_key, DES_set_key,
+ DES_key_sched, DES_set_key_checked, DES_set_key_unchecked,
+ DES_string_to_key, DES_string_to_2keys, DES_fixup_key_parity,
+ DES_ecb2_encrypt, DES_ede2_cbc_encrypt, DES_ede2_cfb64_encrypt,
+ DES_ede2_ofb64_encrypt, DES_ecb3_encrypt, DES_ede3_cbc_encrypt,
+ DES_ede3_cfb64_encrypt, DES_ede3_cfb_encrypt, DES_ede3_ofb64_encrypt,
+ DES_cbc_cksum, DES_quad_cksum, IDEA_encrypt, IDEA_options,
+ IDEA_ecb_encrypt, IDEA_set_encrypt_key, IDEA_set_decrypt_key,
+ IDEA_cbc_encrypt, IDEA_cfb64_encrypt, IDEA_ofb64_encrypt, RC2_set_key,
+ RC2_encrypt, RC2_decrypt, RC2_ecb_encrypt, RC2_cbc_encrypt,
+ RC2_cfb64_encrypt, RC2_ofb64_encrypt, RC4, RC4_options, RC4_set_key,
+ RC5_32_set_key, RC5_32_encrypt, RC5_32_decrypt, RC5_32_ecb_encrypt,
+ RC5_32_cbc_encrypt, RC5_32_cfb64_encrypt, RC5_32_ofb64_encrypt,
+ SEED_set_key, SEED_encrypt, SEED_decrypt, SEED_ecb_encrypt,
+ SEED_cbc_encrypt, SEED_cfb128_encrypt and SEED_ofb128_encrypt.
+
+ Use of these low level functions has been informally discouraged for
+ a long time. Applications should use the high level EVP APIs, e.g.
+ EVP_EncryptInit_ex, EVP_EncryptUpdate, EVP_EncryptFinal_ex, and the
+ equivalently named decrypt functions instead.
+
+ *Matt Caswell and Paul Dale*
* Removed include/openssl/opensslconf.h.in and replaced it with
include/openssl/configuration.h.in, which differs in not including
<openssl/macros.h>. A short header include/openssl/opensslconf.h
was added to include both.
-
+
This allows internal hacks where one might need to modify the set
of configured macros, for example this if deprecated symbols are
still supposed to be available internally:
-
+
#include <openssl/configuration.h>
-
+
#undef OPENSSL_NO_DEPRECATED
#define OPENSSL_SUPPRESS_DEPRECATED
-
+
#include <openssl/macros.h>
-
+
This should not be used by applications that use the exported
symbols, as that will lead to linking errors.
+
*Richard Levitte*
-* Fixed an an overflow bug in the x64_64 Montgomery squaring procedure
- used in exponentiation with 512-bit moduli. No EC algorithms are
- affected. Analysis suggests that attacks against 2-prime RSA1024,
- 3-prime RSA1536, and DSA1024 as a result of this defect would be very
- difficult to perform and are not believed likely. Attacks against DH512
- are considered just feasible. However, for an attack the target would
- have to re-use the DH512 private key, which is not recommended anyway.
- Also applications directly using the low level API BN_mod_exp may be
- affected if they use BN_FLG_CONSTTIME.
- (CVE-2019-1551)
- *Andy Polyakov*
+ * Fixed an overflow bug in the x64_64 Montgomery squaring procedure
+ used in exponentiation with 512-bit moduli. No EC algorithms are
+ affected. Analysis suggests that attacks against 2-prime RSA1024,
+ 3-prime RSA1536, and DSA1024 as a result of this defect would be very
+ difficult to perform and are not believed likely. Attacks against DH512
+ are considered just feasible. However, for an attack the target would
+ have to re-use the DH512 private key, which is not recommended anyway.
+ Also applications directly using the low level API BN_mod_exp may be
+ affected if they use BN_FLG_CONSTTIME.
+ [CVE-2019-1551][]
+
+ *Andy Polyakov*
-* Most memory-debug features have been deprecated, and the functionality
- replaced with no-ops.
- *Rich Salz*
+ * Most memory-debug features have been deprecated, and the functionality
+ replaced with no-ops.
-* Most common options (such as -rand/-writerand, TLS version control, etc)
- were refactored and point to newly-enhanced descriptions in openssl.pod
- *Rich Salz*
+ *Rich Salz*
-* Introduced a new method type and API, OSSL_SERIALIZER, to
+ * Introduced a new method type and API, OSSL_SERIALIZER, to
represent generic serializers. An implementation is expected to
be able to serialize an object associated with a given name (such
as an algorithm name for an asymmetric key) into forms given by
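Review bot: Two typos in the added text. In the ticket-key entry, "Instead used the new SSL_CTX_set_tlsext_ticket_key_evp_cb(3) function" should read "Instead use the new ...". In the CVE-2019-1551 entry, "x64_64 Montgomery squaring procedure" is carried over unchanged from the removed lines and presumably means "x86_64"; since this hunk already rewrites that entry, it is a good moment to correct it. Also, the new entries are separated by blank lines, but the added `*Matt Caswell and Paul Dale*` line runs directly into the existing `* Removed include/openssl/opensslconf.h.in ...` entry; a blank `+` line before it would keep the spacing consistent.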
@@ -230,7 +524,7 @@ pick the appropriate release branch.
this change, EC_GROUP_set_generator would accept order and/or cofactor as
NULL. After this change, only the cofactor parameter can be NULL. It also
does some minimal sanity checks on the passed order.
- (CVE-2019-1547)
+ [CVE-2019-1547][]
*Billy Bob Brumley*
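Review bot: The switch from `(CVE-2019-1547)` to the reference-style link `[CVE-2019-1547][]` (the same pattern is applied to CVE-2019-1551, CVE-2019-1549, CVE-2019-1563, CVE-2019-1552, CVE-2019-1543, CVE-2018-0734 and CVE-2018-0735 elsewhere in this patch) only renders as a link if a matching `[CVE-2019-1547]: <url>` definition exists in the file; no such definitions are added here, so either they already exist at the end of CHANGES.md or the bracketed text will be shown literally. Worth confirming before merge.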
@@ -610,7 +904,225 @@ pick the appropriate release branch.
*Boris Pismenny*
-### Changes between 1.1.1a and 1.1.1b [xx XXX xxxx] ###
+
+OpenSSL 1.1.1
+-------------
+
+### Changes between 1.1.1d and 1.1.1e [xx XXX xxxx] ###
+
+ * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY.
+ The presence of this system service is determined at run-time.
+
+ *Richard Levitte*
+
+ * Added newline escaping functionality to a filename when using openssl dgst.
+ This output format is to replicate the output format found in the '*sum'
+ checksum programs. This aims to preserve backward compatibility.
+
+ *Matt Eaton, Richard Levitte, and Paul Dale*
+
+ * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just
+ the first value.
+
+ *Jon Spillett*
+
+### Changes between 1.1.1c and 1.1.1d [10 Sep 2019] ###
+
+ * Fixed a fork protection issue. OpenSSL 1.1.1 introduced a rewritten random
+ number generator (RNG). This was intended to include protection in the
+ event of a fork() system call in order to ensure that the parent and child
+ processes did not share the same RNG state. However this protection was not
+ being used in the default case.
+
+ A partial mitigation for this issue is that the output from a high
+ precision timer is mixed into the RNG state so the likelihood of a parent
+ and child process sharing state is significantly reduced.
+
+ If an application already calls OPENSSL_init_crypto() explicitly using
+ OPENSSL_INIT_ATFORK then this problem does not occur at all.
+ [CVE-2019-1549][]
+
+ *Matthias St. Pierre*
+
+ * For built-in EC curves, ensure an EC_GROUP built from the curve name is
+ used even when parsing explicit parameters, when loading a serialized key
+ or calling `EC_GROUP_new_from_ecpkparameters()`/
+ `EC_GROUP_new_from_ecparameters()`.
+ This prevents bypass of security hardening and performance gains,
+ especially for curves with specialized EC_METHODs.
+ By default, if a key encoded with explicit parameters is loaded and later
+ serialized, the output is still encoded with explicit parameters, even if
+ internally a "named" EC_GROUP is used for computation.
+
+ *Nicola Tuveri*
+
+ * Compute ECC cofactors if not provided during EC_GROUP construction. Before
+ this change, EC_GROUP_set_generator would accept order and/or cofactor as
+ NULL. After this change, only the cofactor parameter can be NULL. It also
+ does some minimal sanity checks on the passed order.
+ [CVE-2019-1547][]
+
+ *Billy Bob Brumley*
+
+ * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
+ An attack is simple, if the first CMS_recipientInfo is valid but the
+ second CMS_recipientInfo is chosen ciphertext. If the second
+ recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
+ encryption key will be replaced by garbage, and the message cannot be
+ decoded, but if the RSA decryption fails, the correct encryption key is
+ used and the recipient will not notice the attack.
+ As a work around for this potential attack the length of the decrypted
+ key must be equal to the cipher default key length, in case the
+ certifiate is not given and all recipientInfo are tried out.
+ The old behaviour can be re-enabled in the CMS code by setting the
+ CMS_DEBUG_DECRYPT flag.
+ [CVE-2019-1563][]
+
+ *Bernd Edlinger*
+
+ * Early start up entropy quality from the DEVRANDOM seed source has been
+ improved for older Linux systems. The RAND subsystem will wait for
+ /dev/random to be producing output before seeding from /dev/urandom.
+ The seeded state is stored for future library initialisations using
+ a system global shared memory segment. The shared memory identifier
+ can be configured by defining OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID to
+ the desired value. The default identifier is 114.
+
+ *Paul Dale*
+
+ * Correct the extended master secret constant on EBCDIC systems. Without this
+ fix TLS connections between an EBCDIC system and a non-EBCDIC system that
+ negotiate EMS will fail. Unfortunately this also means that TLS connections
+ between EBCDIC systems with this fix, and EBCDIC systems without this
+ fix will fail if they negotiate EMS.
+
+ *Matt Caswell*
+
+ * Use Windows installation paths in the mingw builds
+
+ Mingw isn't a POSIX environment per se, which means that Windows
+ paths should be used for installation.
+ [CVE-2019-1552][]
+
+ *Richard Levitte*
+
+ * Changed DH_check to accept parameters with order q and 2q subgroups.
+ With order 2q subgroups the bit 0 of the private key is not secret
+ but DH_generate_key works around that by clearing bit 0 of the
+ private key for those. This avoids leaking bit 0 of the private key.
+
+ *Bernd Edlinger*
+
+ * Significantly reduce secure memory usage by the randomness pools.
+
+ *Paul Dale*
+
+ * Revert the DEVRANDOM_WAIT feature for Linux systems
+
+ The DEVRANDOM_WAIT feature added a select() call to wait for the
+ /dev/random device to become readable before reading from the
+ /dev/urandom device.
+
+ It turned out that this change had negative side effects on
+ performance which were not acceptable. After some discussion it
+ was decided to revert this feature and leave it up to the OS
+ resp. the platform maintainer to ensure a proper initialization
+ during early boot time.
+
+ *Matthias St. Pierre*
+
+### Changes between 1.1.1b and 1.1.1c [28 May 2019] ###
+
+ * Add build tests for C++. These are generated files that only do one
+ thing, to include one public OpenSSL head file each. This tests that
+ the public header files can be usefully included in a C++ application.
+
+ This test isn't enabled by default. It can be enabled with the option
+ 'enable-buildtest-c++'.
+
+ *Richard Levitte*
+
+ * Enable SHA3 pre-hashing for ECDSA and DSA.
+
+ *Patrick Steuer*
+
+ * Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
+ This changes the size when using the genpkey app when no size is given. It
+ fixes an omission in earlier changes that changed all RSA, DSA and DH
+ generation apps to use 2048 bits by default.
+
+ *Kurt Roeckx*
+
+ * Reorganize the manual pages to consistently have RETURN VALUES,
+ EXAMPLES, SEE ALSO and HISTORY come in that order, and adjust
+ util/fix-doc-nits accordingly.
+
+ *Paul Yang, Joshua Lock*
+
+ * Add the missing accessor EVP_PKEY_get0_engine()
+
+ *Matt Caswell*
+
+ * Have apps like 's_client' and 's_server' output the signature scheme
+ along with other cipher suite parameters when debugging.
+
+ *Lorinczy Zsigmond*
+
+ * Make OPENSSL_config() error agnostic again.
+
+ *Richard Levitte*
+
+ * Do the error handling in RSA decryption constant time.
+
+ *Bernd Edlinger*
+
+ * Prevent over long nonces in ChaCha20-Poly1305.
+
+ ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
+ for every encryption operation. RFC 7539 specifies that the nonce value
+ (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length
+ and front pads the nonce with 0 bytes if it is less than 12
+ bytes. However it also incorrectly allows a nonce to be set of up to 16
+ bytes. In this case only the last 12 bytes are significant and any
+ additional leading bytes are ignored.
+
+ It is a requirement of using this cipher that nonce values are
+ unique. Messages encrypted using a reused nonce value are susceptible to
+ serious confidentiality and integrity attacks. If an application changes
+ the default nonce length to be longer than 12 bytes and then makes a
+ change to the leading bytes of the nonce expecting the new value to be a
+ new unique nonce then such an application could inadvertently encrypt
+ messages with a reused nonce.
+
+ Additionally the ignored bytes in a long nonce are not covered by the
+ integrity guarantee of this cipher. Any application that relies on the
+ integrity of these ignored leading bytes of a long nonce may be further
+ affected. Any OpenSSL internal use of this cipher, including in SSL/TLS,
+ is safe because no such use sets such a long nonce value. However user
+ applications that use this cipher directly and set a non-default nonce
+ length to be longer than 12 bytes may be vulnerable.
+
+ This issue was reported to OpenSSL on 16th of March 2019 by Joran Dirk
+ Greef of Ronomon.
+ [CVE-2019-1543][]
+
+ *Matt Caswell*
+
+ * Add DEVRANDOM_WAIT feature for Linux systems
+
+ On older Linux systems where the getrandom() system call is not available,
+ OpenSSL normally uses the /dev/urandom device for seeding its CSPRNG.
+ Contrary to getrandom(), the /dev/urandom device will not block during
+ early boot when the kernel CSPRNG has not been seeded yet.
+
+ To mitigate this known weakness, use select() to wait for /dev/random to
+ become readable before reading from /dev/urandom.
+
+ * Ensure that SM2 only uses SM3 as digest algorithm
+
+ *Paul Yang*
+
+### Changes between 1.1.1a and 1.1.1b [26 Feb 2019] ###
* Change the info callback signals for the start and end of a post-handshake
message exchange in TLSv1.3. In 1.1.1/1.1.1a we used SSL_CB_HANDSHAKE_START
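Review bot: "certifiate" in the CVE-2019-1563 entry ("in case the certifiate is not given") should be "certificate". The "Add DEVRANDOM_WAIT feature for Linux systems" entry ends without an author line, unlike every other entry in this section, and the restored heading `### Changes between 1.1.1a and 1.1.1b [26 Feb 2019] ###` runs straight into the following `* Change the info callback ...` entry with no blank line, while the other headings in this hunk are followed by one.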
@@ -633,7 +1145,7 @@ pick the appropriate release branch.
algorithm to recover the private key.
This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
- (CVE-2018-0734)
+ [CVE-2018-0734][]
*Paul Dale*
@@ -644,7 +1156,7 @@ pick the appropriate release branch.
algorithm to recover the private key.
This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser.
- (CVE-2018-0735)
+ [CVE-2018-0735][]
*Paul Dale*
@@ -1098,9 +1610,9 @@ pick the appropriate release branch.
bytes long. In theory it is permissible in SSLv3 - TLSv1.2 to fragment such
alerts across multiple records (some of which could be empty). In practice
it make no sense to send an empty alert record, or to fragment one. TLSv1.3
- prohibts this altogether and other libraries (BoringSSL, NSS) do not
+ prohibits this altogether and other libraries (BoringSSL, NSS) do not
support this at all. Supporting it adds significant complexity to the
- record layer, and its removal is unlikely to cause inter-operability
+ record layer, and its removal is unlikely to cause interoperability
issues.
*Matt Caswell*
@@ -1197,8 +1709,150 @@ pick the appropriate release branch.
*Rich Salz*
+OpenSSL 1.1.0
+-------------
+
+
+### Changes between 1.1.0k and 1.1.0l [10 Sep 2019] ###
+
+ * For built-in EC curves, ensure an EC_GROUP built from the curve name is
+ used even when parsing explicit parameters, when loading a serialized key
+ or calling `EC_GROUP_new_from_ecpkparameters()`/
+ `EC_GROUP_new_from_ecparameters()`.
+ This prevents bypass of security hardening and performance gains,
+ especially for curves with specialized EC_METHODs.
+ By default, if a key encoded with explicit parameters is loaded and later
+ serialized, the output is still encoded with explicit parameters, even if
+ internally a "named" EC_GROUP is used for computation.
+
+ *Nicola Tuveri*
+
+ * Compute ECC cofactors if not provided during EC_GROUP construction. Before
+ this change, EC_GROUP_set_generator would accept order and/or cofactor as
+ NULL. After this change, only the cofactor parameter can be NULL. It also
+ does some minimal sanity checks on the passed order.
+ [CVE-2019-1547][]
+
+ *Billy Bob Brumley*
+
+ * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
+ An attack is simple, if the first CMS_recipientInfo is valid but the
+ second CMS_recipientInfo is chosen ciphertext. If the second
+ recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
+ encryption key will be replaced by garbage, and the message cannot be
+ decoded, but if the RSA decryption fails, the correct encryption key is
+ used and the recipient will not notice the attack.
+ As a work around for this potential attack the length of the decrypted
+ key must be equal to the cipher default key length, in case the
+ certifiate is not given and all recipientInfo are tried out.
+ The old behaviour can be re-enabled in the CMS code by setting the
+ CMS_DEBUG_DECRYPT flag.
+ [CVE-2019-1563][]
+
+ *Bernd Edlinger*
-### Changes between 1.1.0h and 1.1.0i [xx XXX xxxx] ###
+ * Use Windows installation paths in the mingw builds
+
+ Mingw isn't a POSIX environment per se, which means that Windows
+ paths should be used for installation.
+ [CVE-2019-1552][]
+
+ *Richard Levitte*
+
+### Changes between 1.1.0j and 1.1.0k [28 May 2019] ###
+
+ * Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
+ This changes the size when using the genpkey app when no size is given. It
+ fixes an omission in earlier changes that changed all RSA, DSA and DH
+ generation apps to use 2048 bits by default.
+
+ *Kurt Roeckx*
+
+ * Prevent over long nonces in ChaCha20-Poly1305.
+
+ ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
+ for every encryption operation. RFC 7539 specifies that the nonce value
+ (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length
+ and front pads the nonce with 0 bytes if it is less than 12
+ bytes. However it also incorrectly allows a nonce to be set of up to 16
+ bytes. In this case only the last 12 bytes are significant and any
+ additional leading bytes are ignored.
+
+ It is a requirement of using this cipher that nonce values are
+ unique. Messages encrypted using a reused nonce value are susceptible to
+ serious confidentiality and integrity attacks. If an application changes
+ the default nonce length to be longer than 12 bytes and then makes a
+ change to the leading bytes of the nonce expecting the new value to be a
+ new unique nonce then such an application could inadvertently encrypt
+ messages with a reused nonce.
+
+ Additionally the ignored bytes in a long nonce are not covered by the
+ integrity guarantee of this cipher. Any application that relies on the
+ integrity of these ignored leading bytes of a long nonce may be further
+ affected. Any OpenSSL internal use of this cipher, including in SSL/TLS,
+ is safe because no such use sets such a long nonce value. However user
+ applications that use this cipher directly and set a non-default nonce
+ length to be longer than 12 bytes may be vulnerable.
+
+ This issue was reported to OpenSSL on 16th of March 2019 by Joran Dirk
+ Greef of Ronomon.
+ [CVE-2019-1543][]
+
+ *Matt Caswell*
+
+ * Added SCA hardening for modular field inversion in EC_GROUP through
+ a new dedicated field_inv() pointer in EC_METHOD.
+ This also addresses a leakage affecting conversions from projective
+ to affine coordinates.
+
+ *Billy Bob Brumley, Nicola Tuveri*
+
+ * Fix a use after free bug in d2i_X509_PUBKEY when overwriting a
+ re-used X509_PUBKEY object if the second PUBKEY is malformed.
+
+ *Bernd Edlinger*
+
+ * Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().
+
+ *Richard Levitte*
+
+ * Remove the 'dist' target and add a tarball building script. The
+ 'dist' target has fallen out of use, and it shouldn't be
+ necessary to configure just to create a source distribution.
+
+ *Richard Levitte*
+
+### Changes between 1.1.0i and 1.1.0j [20 Nov 2018] ###
+
+ * Timing vulnerability in DSA signature generation
+
+ The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
+ timing side channel attack. An attacker could use variations in the signing
+ algorithm to recover the private key.
+
+ This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
+ [CVE-2018-0734][]
+
+ *Paul Dale*
+
+ * Timing vulnerability in ECDSA signature generation
+
+ The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a
+ timing side channel attack. An attacker could use variations in the signing
+ algorithm to recover the private key.
+
+ This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser.
+ [CVE-2018-0735][]
+
+ *Paul Dale*
+
+ * Add coordinate blinding for EC_POINT and implement projective
+ coordinate blinding for generic prime curves as a countermeasure to
+ chosen point SCA attacks.
+
+ *Sohaib ul Hassan, Nicola Tuveri, Billy Bob Brumley*
+
+### Changes between 1.1.0h and 1.1.0i [14 Aug 2018] ###
* Client DoS due to large DH parameter
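Review bot: the first entry added by this hunk (Windows installation paths in the mingw builds, CVE-2019-1552) comes with no release heading of its own, so it inherits whatever `### Changes between ... ###` heading precedes the hunk; the only heading this hunk removes is the undated 1.1.0i one at its top, and the dated replacement is re-added at the bottom, so please confirm the entry ends up under the 1.1.0l heading rather than under 1.1.0i's old position. The four CVE references introduced here (CVE-2019-1552, CVE-2019-1543, CVE-2018-0734, CVE-2018-0735) use the reference-link form `[CVE-2019-1543][]`, which only renders as a link if a matching `[CVE-2019-1543]: <url>` definition exists in the file; none of those definitions appear in this diff.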
@@ -1209,7 +1863,7 @@ pick the appropriate release branch.
could be exploited in a Denial Of Service attack.
This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken
- (CVE-2018-0732)
+ [CVE-2018-0732][]
*Guido Vranken*
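Review bot: `[CVE-2018-0732][]` is a Markdown reference-style link and needs a matching `[CVE-2018-0732]: <url>` definition somewhere in CHANGES.md; the definition is not part of this diff, so confirm the link list at the end of the file gained an entry for this reference and for each of the `(CVE-...)` to `[CVE-...][]` conversions in the hunks that follow, otherwise the rendered text shows literal brackets instead of a link.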
@@ -1222,7 +1876,7 @@ pick the appropriate release branch.
This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera
Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
- (CVE-2018-0737)
+ [CVE-2018-0737][]
*Billy Brumley*
@@ -1295,7 +1949,7 @@ pick the appropriate release branch.
This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz
project.
- (CVE-2018-0739)
+ [CVE-2018-0739][]
*Matt Caswell*
@@ -1310,7 +1964,7 @@ pick the appropriate release branch.
This issue was reported to OpenSSL on 2nd March 2018 by Peter Waltenberg
(IBM).
- (CVE-2018-0733)
+ [CVE-2018-0733][]
*Andy Polyakov*
@@ -1358,7 +2012,7 @@ pick the appropriate release branch.
This issue was reported to OpenSSL by David Benjamin (Google). The issue
was originally found via the OSS-Fuzz project.
- (CVE-2017-3738)
+ [CVE-2017-3738][]
*Andy Polyakov*
@@ -1382,7 +2036,7 @@ pick the appropriate release branch.
like Intel Broadwell (5th generation) and later or AMD Ryzen.
This issue was reported to OpenSSL by the OSS-Fuzz project.
- (CVE-2017-3736)
+ [CVE-2017-3736][]
*Andy Polyakov*
@@ -1393,7 +2047,7 @@ pick the appropriate release branch.
would be an erroneous display of the certificate in text format.
This issue was reported to OpenSSL by the OSS-Fuzz project.
- (CVE-2017-3735)
+ [CVE-2017-3735][]
*Rich Salz*
@@ -1420,7 +2074,7 @@ pick the appropriate release branch.
and servers are affected.
This issue was reported to OpenSSL by Joe Orton (Red Hat).
- (CVE-2017-3733)
+ [CVE-2017-3733][]
*Matt Caswell*
@@ -1433,7 +2087,7 @@ pick the appropriate release branch.
perform an out-of-bounds read, usually resulting in a crash.
This issue was reported to OpenSSL by Robert Święcki of Google.
- (CVE-2017-3731)
+ [CVE-2017-3731][]
*Andy Polyakov*
@@ -1445,7 +2099,7 @@ pick the appropriate release branch.
of Service attack.
This issue was reported to OpenSSL by Guido Vranken.
- (CVE-2017-3730)
+ [CVE-2017-3730][]
*Matt Caswell*
@@ -1466,7 +2120,7 @@ pick the appropriate release branch.
similar to CVE-2015-3193 but must be treated as a separate problem.
This issue was reported to OpenSSL by the OSS-Fuzz project.
- (CVE-2017-3732)
+ [CVE-2017-3732][]
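Review bot: this hunk converts `(CVE-2017-3732)` to the `[CVE-2017-3732][]` link form but leaves the `CVE-2015-3193` mention two lines above ("similar to CVE-2015-3193 but must be treated as a separate problem") as plain text; for consistency with the rest of the patch, consider linking it the same way, provided a `[CVE-2015-3193]: <url>` definition exists or is added alongside the others.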