summaryrefslogtreecommitdiffstats
path: root/CHANGES.md
AgeCommit message (Collapse)Author
2021-03-01Remove RSA SSLv23 padding modeRich Salz
Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14248)
2021-03-01OSSL_HTTP_parse_url(): Handle any userinfo, query, and fragment componentsDr. David von Oheimb
Now handle [http[s]://][userinfo@]host[:port][/path][?query][#frag] by optionally providing any userinfo, query, and frag components. All usages of this function, which are client-only, silently ignore userinfo and frag components, while the query component is taken as part of the path. Update and extend the unit tests and all affected documentation. Document and deprecat OCSP_parse_url(). Fixes an issue that came up when discussing FR #14001. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14009)
2021-02-24speed: Use EVP for ciphers, cmac, ghash, rsa, dsa, and ecdsaTomas Mraz
Fixes #13909 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14228)
2021-02-24Deprecated EVP_PKEY_CTX_get0_dh_kdf_ukm() and EVP_PKEY_CTX_get0_ecdh_kdf_ukm()Tomas Mraz
The functions are not needed and require returning octet ptr parameters from providers that would like to support them which complicates provider implementations. Fixes #12985 Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14279)
2021-02-23changes: note the deprecation of RAND_METHOD APIsPauli
Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13652)
2021-02-18Prepare for 3.0 alpha 13Matt Caswell
Reviewed-by: Tomas Mraz <tomas@openssl.org>
2021-02-18Prepare for release of 3.0 alpha 12openssl-3.0.0-alpha12Matt Caswell
Reviewed-by: Tomas Mraz <tomas@openssl.org>
2021-02-16Update CHANGES and NEWS for new releaseMatt Caswell
Reviewed-by: Richard Levitte <levitte@openssl.org>
2021-02-12Update documentation following deprecation of SRPMatt Caswell
Ensure all the man pages correctly reflect the deprecated status of SRP. Fixes #13917 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14132)
2021-02-12changes: add a CHANGES.md entry for the OSSL_FORCE_NO_CACHE_FETCH option.Pauli
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14126)
2021-02-09CHANGES.md: Mention RSA key generation slowdown related changesTomas Mraz
Fixes #14068 Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14073)
2021-02-09Deprecate BN_pseudo_rand() and BN_pseudo_rand_range()Tomas Mraz
The functions are obsolete aliases for BN_rand() and BN_rand_range() since 1.1.0. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14080)
2021-02-05Stop disabling TLSv1.3 if ec and dh are disabledMatt Caswell
Even if EC and DH are disabled then we may still be able to use TLSv1.3 if we have groups that have been plugged in by an external provider. Fixes #13767 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13916)
2021-02-03Deprecate EVP_MD_CTX_{set_}update_fn()Rich Salz
They are still used internally in legacy code. Also fixed up some minor things in EVP_DigestInit.pod Fixes: #14003 Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14008)
2021-02-03Add diacritics to my name in CHANGES.mdTomas Mraz
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14044)
2021-02-02Deprecate X509_certificate_typeRich Salz
Fixes: #13997 Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14002)
2021-01-28Prepare for 3.0 alpha 12Richard Levitte
Reviewed-by: Tomas Mraz <tomas@openssl.org>
2021-01-28Prepare for release of 3.0 alpha 11openssl-3.0.0-alpha11Richard Levitte
Reviewed-by: Tomas Mraz <tomas@openssl.org>
2021-01-26Deprecate EC_KEY + Update ec apps to use EVP_PKEYShane Lontis
Co-author: Richard Levitte <levitte@openssl.org> Co-author: Tomas Mraz <tmraz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13139)
2021-01-25bn: Deprecate the X9.31 RSA key generation related functionsTomas Mraz
This key generation method is obsolete. Fixes #10111 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13921)
2021-01-23rename OSSL_HTTP_REQ_CTX_header to OSSL_HTTP_REQ_CTX_set_request_lineDr. David von Oheimb
Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13898)
2021-01-20Ensure SRP BN_mod_exp follows the constant time pathMatt Caswell
SRP_Calc_client_key calls BN_mod_exp with private data. However it was not setting BN_FLG_CONSTTIME and therefore not using the constant time implementation. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. Thanks to Mohammed Sabt and Daniel De Almeida Braga for reporting this issue. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13888)
2021-01-20apps/x509.c: Add -copy_extensions option, used when transforming x509 <-> reqDr. David von Oheimb
Fixes #3638 Fixes #6481 Fixes #10458 Partly fixes #13708 Supersedes #9449 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13711)
2021-01-19Deprecate OCSP_xxx API for OSSL_HTTP_xxxRich Salz
Deprecations made: OCSP_REQ_CTX typedef->OSSL_HTTP_REQ_CTX OCSP_REQ_CTX_new->OSSL_HTTP_REQ_CTX_new OCSP_REQ_CTX_free->OSSL_HTTP_REQ_CTX_free OCSP_REQ_CTX_http-> OSSL_HTTP_REQ_CTX_header OCSP_REQ_CTX_add1_header->OSSL_HTTP_REQ_CTX_add1_header OCSP_REQ_CTX_i2d->OSSL_HTTP_REQ_CTX_i2d OCSP_REQ_CTX_get0_mem_bio->OSSL_HTTP_REQ_CTX_get0_mem_bio OCSP_set_max_response_length->OSSL_HTTP_REQ_CTX_set_max_response_length OCSP_REQ_CTX_nbio_d2i->OSSL_HTTP_REQ_CTX_sendreq_d2i OCSP_REQ_CTX_nbio->OSSL_HTTP_REQ_CTX_nbio Made some editorial changes to man3/OCSP_sendreq.pod; move the NOTES text inline. Some of the original functions had no documentation: OCSP_REQ_CTX_new, OCSP_REQ_CTX_http, OCSP_REQ_CTX_get0_mem_bio, OCSP_REQ_CTX_nbio_d2i, and OCSP_REQ_CTX_nbio. Their new counterparts are now documented in doc/man3/OSSL_HTTP_REQ_CTX.pod Fixes #12234 Co-authored-by: Richard Levitte <levitte@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13742)
2021-01-13apps/req.c: Add -copy_extensions option for use with -x509; default: noneDr. David von Oheimb
Fixes #13708 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13658)
2021-01-13apps/{req,x509,ca}.c Make sure certs have SKID and AKID X.509 extensions by ↵Dr. David von Oheimb
default Fixes #13603 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13658)
2021-01-08Add SM2 private key range validationNicola Tuveri
According to the relevant standards, the valid range for SM2 private keys is [1, n-1), where n is the order of the curve generator. For this reason we cannot reuse the EC validation function as it is, and we introduce a new internal function `sm2_key_private_check()`. Partially fixes https://github.com/openssl/openssl/issues/8435 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13359)
2021-01-08[apps/pkey] Return error on failed `-[pub]check`Nicola Tuveri
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13359)
2021-01-07Add a CHANGES entry for ignore unknown ciphers in set_ciphersuites.Otto Hollmann
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12100)
2021-01-07Prepare for 3.0 alpha 11Matt Caswell
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
2021-01-07Prepare for release of 3.0 alpha 10openssl-3.0.0-alpha10Matt Caswell
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
2020-12-17dsa: add additional deprecated functions to CHANGES entry.Pauli
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13638)
2020-12-15Documenting the options deprecating in CHANGES.mdDmitry Belyavskiy
Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/13669)
2020-12-08Update CHANGES and NEWS for new releaseMatt Caswell
Reviewed-by: Richard Levitte <levitte@openssl.org>
2020-11-28ERR: Drop or deprecate dangerous or overly confusing functionsRichard Levitte
ERR_get_error_line() is deprecated, and ERR_get_error_func() and ERR_get_error_data() are removed in favor of ERR_get_error_all(), since they pop the error record, leaving the caller with only partial error record data and no way to get the rest if the wish. If it's desirable to retrieve data piecemeal, the caller should consider using the diverse ERR_peek functions and finish off with ERR_get_error(). Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/13466)
2020-11-27Updates the CHANGES.md entry regarding DH deprecationMatt Caswell
Extend the existing CHANGES.md entry with information about the additional functions that have also been deprecated. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13138)
2020-11-26Prepare for 3.0 alpha 10Matt Caswell
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
2020-11-26Prepare for release of 3.0 alpha 9openssl-3.0.0-alpha9Matt Caswell
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
2020-11-24Modify the ERR init functions to use the internal ERR string loadersRichard Levitte
This deprecates all the ERR_load_ functions, and moves their definition to separate C source files that can easily be removed when those functions are finally removed. This also reduces include/openssl/kdferr.h to include cryptoerr_legacy.h, moves the declaration of ERR_load_ERR_strings() from include/openssl/err.h to include/openssl/cryptoerr_legacy.h, and finally removes the declaration of ERR_load_DSO_strings(), which was entirely internal anyway. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13390)
2020-11-18Add a CHANGES.md entry for the "tmp_dh" functions/macrosMatt Caswell
Describe the tmp_dh deprecations, and what applications should do instead. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13368)
2020-11-13Remove -C option from x509 commandRich Salz
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13384)
2020-11-13Remove -C from dhparam,dsaparam,ecparamRich Salz
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13384)
2020-11-12apps/passwd: remove the -crypt option.Pauli
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13313)
2020-11-06CHANGES.md: Mention (strict) checks recently added to X509_verify_cert()David von Oheimb
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13312)
2020-11-05Prepare for 3.0 alpha 9Matt Caswell
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
2020-11-05Prepare for release of 3.0 alpha 8openssl-3.0.0-alpha8Matt Caswell
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
2020-11-04Moved OPENSSL_fork_prepare,_parent,_child from init.c to threads_pthread.c.Randall S. Becker
These methods should ultimately be deprecated. The move is to insulate non-UNIX platforms from these undefined symbols. CLA: Permission is granted by the author to the OpenSSL team to use these modifications. Fixes #13273 Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13276)
2020-11-02Add AES KW inverse ciphers to the EVP layerShane Lontis
Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13272)
2020-10-20Deprecate EVP_PKEY_set1_tls_encodedpoint()Matt Caswell
Also deprecate EVP_PKEY_get1_tls_encodedpoint(). The preferred alternative is EVP_PKEY_set1_encoded_public_key() and EVP_PKEY_get1_encoded_public_key(). Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13105)
2020-10-16Add a CHANGES entry for the SSL_SECOP_TMP_DH changeMatt Caswell
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/13136)
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-07 05:45:09 +0000