#
66bae5e7 |
| 07-May-2023 |
christos <christos@NetBSD.org> |
Import OpenSSL 3.0.8, last import was 1.1.1t
### Major changes between OpenSSL 3.0.7 and OpenSSL 3.0.8 [7 Feb 2023]
* Fixed NULL dereference during PKCS7 data verification ([CVE-2023-0401]) * F
Import OpenSSL 3.0.8, last import was 1.1.1t
### Major changes between OpenSSL 3.0.7 and OpenSSL 3.0.8 [7 Feb 2023]
* Fixed NULL dereference during PKCS7 data verification ([CVE-2023-0401]) * Fixed X.400 address type confusion in X.509 GeneralName ([CVE-2023-0286]) * Fixed NULL dereference validating DSA public key ([CVE-2023-0217]) * Fixed Invalid pointer dereference in d2i_PKCS7 functions ([CVE-2023-0216]) * Fixed Use-after-free following BIO_new_NDEF ([CVE-2023-0215]) * Fixed Double free after calling PEM_read_bio_ex ([CVE-2022-4450]) * Fixed Timing Oracle in RSA Decryption ([CVE-2022-4304]) * Fixed X.509 Name Constraints Read Buffer Overflow ([CVE-2022-4203]) * Fixed X.509 Policy Constraints Double Locking ([CVE-2022-3996])
### Major changes between OpenSSL 3.0.6 and OpenSSL 3.0.7 [1 Nov 2022]
* Added RIPEMD160 to the default provider. * Fixed regressions introduced in 3.0.6 version. * Fixed two buffer overflows in punycode decoding functions. ([CVE-2022-3786]) and ([CVE-2022-3602])
### Major changes between OpenSSL 3.0.5 and OpenSSL 3.0.6 [11 Oct 2022]
* Fix for custom ciphers to prevent accidental use of NULL encryption ([CVE-2022-3358])
### Major changes between OpenSSL 3.0.4 and OpenSSL 3.0.5 [5 Jul 2022]
* Fixed heap memory corruption with RSA private key operation ([CVE-2022-2274]) * Fixed AES OCB failure to encrypt some bytes on 32-bit x86 platforms ([CVE-2022-2097])
### Major changes between OpenSSL 3.0.3 and OpenSSL 3.0.4 [21 Jun 2022]
* Fixed additional bugs in the c_rehash script which was not properly sanitising shell metacharacters to prevent command injection ([CVE-2022-2068])
### Major changes between OpenSSL 3.0.2 and OpenSSL 3.0.3 [3 May 2022]
* Fixed a bug in the c_rehash script which was not properly sanitising shell metacharacters to prevent command injection ([CVE-2022-1292]) * Fixed a bug in the function `OCSP_basic_verify` that verifies the signer certificate on an OCSP response ([CVE-2022-1343]) * Fixed a bug where the RC4-MD5 ciphersuite incorrectly used the AAD data as the MAC key ([CVE-2022-1434]) * Fix a bug in the OPENSSL_LH_flush() function that breaks reuse of the memory occuppied by the removed hash table entries ([CVE-2022-1473])
### Major changes between OpenSSL 3.0.1 and OpenSSL 3.0.2 [15 Mar 2022]
* Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever for non-prime moduli ([CVE-2022-0778])
### Major changes between OpenSSL 3.0.0 and OpenSSL 3.0.1 [14 Dec 2021]
* Fixed invalid handling of X509_verify_cert() internal errors in libssl ([CVE-2021-4044]) * Allow fetching an operation from the provider that owns an unexportable key as a fallback if that is still allowed by the property query.
### Major changes between OpenSSL 1.1.1 and OpenSSL 3.0.0 [7 sep 2021]
* Enhanced 'openssl list' with many new options. * Added migration guide to man7. * Implemented support for fully "pluggable" TLSv1.3 groups. * Added suport for Kernel TLS (KTLS). * Changed the license to the Apache License v2.0. * Moved all variations of the EVP ciphers CAST5, BF, IDEA, SEED, RC2, RC4, RC5, and DES to the legacy provider. * Moved the EVP digests MD2, MD4, MDC2, WHIRLPOOL and RIPEMD-160 to the legacy provider. * Added convenience functions for generating asymmetric key pairs. * Deprecated the `OCSP_REQ_CTX` type and functions. * Deprecated the `EC_KEY` and `EC_KEY_METHOD` types and functions. * Deprecated the `RSA` and `RSA_METHOD` types and functions. * Deprecated the `DSA` and `DSA_METHOD` types and functions. * Deprecated the `DH` and `DH_METHOD` types and functions. * Deprecated the `ERR_load_` functions. * Remove the `RAND_DRBG` API. * Deprecated the `ENGINE` API. * Added `OSSL_LIB_CTX`, a libcrypto library context. * Added various `_ex` functions to the OpenSSL API that support using a non-default `OSSL_LIB_CTX`. * Interactive mode is removed from the 'openssl' program. * The X25519, X448, Ed25519, Ed448, SHAKE128 and SHAKE256 algorithms are included in the FIPS provider. * X509 certificates signed using SHA1 are no longer allowed at security level 1 or higher. The default security level for TLS is 1, so certificates signed using SHA1 are by default no longer trusted to authenticate servers or clients. * enable-crypto-mdebug and enable-crypto-mdebug-backtrace were mostly disabled; the project uses address sanitize/leak-detect instead. * Added a Certificate Management Protocol (CMP, RFC 4210) implementation also covering CRMF (RFC 4211) and HTTP transfer (RFC 6712). It is part of the crypto lib and adds a 'cmp' app with a demo configuration. All widely used CMP features are supported for both clients and servers. * Added a proper HTTP client supporting GET with optional redirection, POST, arbitrary request and response content types, TLS, persistent connections, connections via HTTP(s) proxies, connections and exchange via user-defined BIOs (allowing implicit connections), and timeout checks. * Added util/check-format.pl for checking adherence to the coding guidelines. * Added OSSL_ENCODER, a generic encoder API. * Added OSSL_DECODER, a generic decoder API. * Added OSSL_PARAM_BLD, an easier to use API to OSSL_PARAM. * Added error raising macros, ERR_raise() and ERR_raise_data(). * Deprecated ERR_put_error(), ERR_get_error_line(), ERR_get_error_line_data(), ERR_peek_error_line_data(), ERR_peek_last_error_line_data() and ERR_func_error_string(). * Added OSSL_PROVIDER_available(), to check provider availibility. * Added 'openssl mac' that uses the EVP_MAC API. * Added 'openssl kdf' that uses the EVP_KDF API. * Add OPENSSL_info() and 'openssl info' to get built-in data. * Add support for enabling instrumentation through trace and debug output. * Changed our version number scheme and set the next major release to 3.0.0 * Added EVP_MAC, an EVP layer MAC API, and a generic EVP_PKEY to EVP_MAC bridge. Supported MACs are: BLAKE2, CMAC, GMAC, HMAC, KMAC, POLY1305 and SIPHASH. * Removed the heartbeat message in DTLS feature. * Added EVP_KDF, an EVP layer KDF and PRF API, and a generic EVP_PKEY to EVP_KDF bridge. Supported KDFs are: HKDF, KBKDF, KRB5 KDF, PBKDF2, PKCS12 KDF, SCRYPT, SSH KDF, SSKDF, TLS1 PRF, X9.42 KDF and X9.63 KDF. * All of the low-level MD2, MD4, MD5, MDC2, RIPEMD160, SHA1, SHA224, SHA256, SHA384, SHA512 and Whirlpool digest functions have been deprecated. * All of the low-level AES, Blowfish, Camellia, CAST, DES, IDEA, RC2, RC4, RC5 and SEED cipher functions have been deprecated. * All of the low-level DH, DSA, ECDH, ECDSA and RSA public key functions have been deprecated. * SSL 3, TLS 1.0, TLS 1.1, and DTLS 1.0 only work at security level 0, except when RSA key exchange without SHA1 is used. * Added providers, a new pluggability concept that will replace the ENGINE API and ENGINE implementations.
OpenSSL 1.1.1 -------------
### Major changes between OpenSSL 1.1.1k and OpenSSL 1.1.1l [24 Aug 2021]
* Fixed an SM2 Decryption Buffer Overflow ([CVE-2021-3711]) * Fixed various read buffer overruns processing ASN.1 strings ([CVE-2021-3712])
### Major changes between OpenSSL 1.1.1j and OpenSSL 1.1.1k [25 Mar 2021]
* Fixed a problem with verifying a certificate chain when using the X509_V_FLAG_X509_STRICT flag ([CVE-2021-3450]) * Fixed an issue where an OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client ([CVE-2021-3449])
### Major changes between OpenSSL 1.1.1i and OpenSSL 1.1.1j [16 Feb 2021]
* Fixed a NULL pointer deref in the X509_issuer_and_serial_hash() function ([CVE-2021-23841]) * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks * Fixed an overflow in the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions ([CVE-2021-23840]) * Fixed SRP_Calc_client_key so that it runs in constant time
### Major changes between OpenSSL 1.1.1h and OpenSSL 1.1.1i [8 Dec 2020]
* Fixed NULL pointer deref in GENERAL_NAME_cmp ([CVE-2020-1971])
### Major changes between OpenSSL 1.1.1g and OpenSSL 1.1.1h [22 Sep 2020]
* Disallow explicit curve parameters in verifications chains when X509_V_FLAG_X509_STRICT is used * Enable 'MinProtocol' and 'MaxProtocol' to configure both TLS and DTLS contexts * Oracle Developer Studio will start reporting deprecation warnings
### Major changes between OpenSSL 1.1.1f and OpenSSL 1.1.1g [21 Apr 2020]
* Fixed segmentation fault in SSL_check_chain() ([CVE-2020-1967])
### Major changes between OpenSSL 1.1.1e and OpenSSL 1.1.1f [31 Mar 2020]
* Revert the unexpected EOF reporting via SSL_ERROR_SSL
### Major changes between OpenSSL 1.1.1d and OpenSSL 1.1.1e [17 Mar 2020]
* Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli ([CVE-2019-1551])
### Major changes between OpenSSL 1.1.1c and OpenSSL 1.1.1d [10 Sep 2019]
* Fixed a fork protection issue ([CVE-2019-1549]) * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey ([CVE-2019-1563]) * For built-in EC curves, ensure an EC_GROUP built from the curve name is used even when parsing explicit parameters * Compute ECC cofactors if not provided during EC_GROUP construction ([CVE-2019-1547]) * Early start up entropy quality from the DEVRANDOM seed source has been improved for older Linux systems * Correct the extended master secret constant on EBCDIC systems * Use Windows installation paths in the mingw builds ([CVE-2019-1552]) * Changed DH_check to accept parameters with order q and 2q subgroups * Significantly reduce secure memory usage by the randomness pools * Revert the DEVRANDOM_WAIT feature for Linux systems
### Major changes between OpenSSL 1.1.1b and OpenSSL 1.1.1c [28 May 2019]
* Prevent over long nonces in ChaCha20-Poly1305 ([CVE-2019-1543])
### Major changes between OpenSSL 1.1.1a and OpenSSL 1.1.1b [26 Feb 2019]
* Change the info callback signals for the start and end of a post-handshake message exchange in TLSv1.3. * Fix a bug in DTLS over SCTP. This breaks interoperability with older versions of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2.
### Major changes between OpenSSL 1.1.1 and OpenSSL 1.1.1a [20 Nov 2018]
* Timing vulnerability in DSA signature generation ([CVE-2018-0734]) * Timing vulnerability in ECDSA signature generation ([CVE-2018-0735])
### Major changes between OpenSSL 1.1.0i and OpenSSL 1.1.1 [11 Sep 2018]
* Support for TLSv1.3 added. The TLSv1.3 implementation includes: * Fully compliant implementation of RFC8446 (TLSv1.3) on by default * Early data (0-RTT) * Post-handshake authentication and key update * Middlebox Compatibility Mode * TLSv1.3 PSKs * Support for all five RFC8446 ciphersuites * RSA-PSS signature algorithms (backported to TLSv1.2) * Configurable session ticket support * Stateless server support * Rewrite of the packet construction code for "safer" packet handling * Rewrite of the extension handling code For further important information, see the [TLS1.3 page]( https://wiki.openssl.org/index.php/TLS1.3) in the OpenSSL Wiki.
* Complete rewrite of the OpenSSL random number generator to introduce the following capabilities * The default RAND method now utilizes an AES-CTR DRBG according to NIST standard SP 800-90Ar1. * Support for multiple DRBG instances with seed chaining. * There is a public and private DRBG instance. * The DRBG instances are fork-safe. * Keep all global DRBG instances on the secure heap if it is enabled. * The public and private DRBG instance are per thread for lock free operation * Support for various new cryptographic algorithms including: * SHA3 * SHA512/224 and SHA512/256 * EdDSA (both Ed25519 and Ed448) including X509 and TLS support * X448 (adding to the existing X25519 support in 1.1.0) * Multi-prime RSA * SM2 * SM3 * SM4 * SipHash * ARIA (including TLS support) * Significant Side-Channel attack security improvements * Add a new ClientHello callback to provide the ability to adjust the SSL object at an early stage. * Add 'Maximum Fragment Length' TLS extension negotiation and support * A new STORE module, which implements a uniform and URI based reader of stores that can contain keys, certificates, CRLs and numerous other objects. * Move the display of configuration data to configdata.pm. * Allow GNU style "make variables" to be used with Configure. * Claim the namespaces OSSL and OPENSSL, represented as symbol prefixes * Rewrite of devcrypto engine
show more ...
|
#
033a4089 |
| 23-Jan-2020 |
christos <christos@NetBSD.org> |
Changes between 1.1.1c and 1.1.1d [10 Sep 2019]
*) Fixed a fork protection issue. OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection i
Changes between 1.1.1c and 1.1.1d [10 Sep 2019]
*) Fixed a fork protection issue. OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case.
A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced.
If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. (CVE-2019-1549) [Matthias St. Pierre]
*) For built-in EC curves, ensure an EC_GROUP built from the curve name is used even when parsing explicit parameters, when loading a serialized key or calling `EC_GROUP_new_from_ecpkparameters()`/ `EC_GROUP_new_from_ecparameters()`. This prevents bypass of security hardening and performance gains, especially for curves with specialized EC_METHODs. By default, if a key encoded with explicit parameters is loaded and later serialized, the output is still encoded with explicit parameters, even if internally a "named" EC_GROUP is used for computation. [Nicola Tuveri]
*) Compute ECC cofactors if not provided during EC_GROUP construction. Before this change, EC_GROUP_set_generator would accept order and/or cofactor as NULL. After this change, only the cofactor parameter can be NULL. It also does some minimal sanity checks on the passed order. (CVE-2019-1547) [Billy Bob Brumley]
*) Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey. An attack is simple, if the first CMS_recipientInfo is valid but the second CMS_recipientInfo is chosen ciphertext. If the second recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct encryption key will be replaced by garbage, and the message cannot be decoded, but if the RSA decryption fails, the correct encryption key is used and the recipient will not notice the attack. As a work around for this potential attack the length of the decrypted key must be equal to the cipher default key length, in case the certifiate is not given and all recipientInfo are tried out. The old behaviour can be re-enabled in the CMS code by setting the CMS_DEBUG_DECRYPT flag. (CVE-2019-1563) [Bernd Edlinger]
*) Early start up entropy quality from the DEVRANDOM seed source has been improved for older Linux systems. The RAND subsystem will wait for /dev/random to be producing output before seeding from /dev/urandom. The seeded state is stored for future library initialisations using a system global shared memory segment. The shared memory identifier can be configured by defining OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID to the desired value. The default identifier is 114. [Paul Dale]
*) Correct the extended master secret constant on EBCDIC systems. Without this fix TLS connections between an EBCDIC system and a non-EBCDIC system that negotiate EMS will fail. Unfortunately this also means that TLS connections between EBCDIC systems with this fix, and EBCDIC systems without this fix will fail if they negotiate EMS. [Matt Caswell]
*) Use Windows installation paths in the mingw builds
Mingw isn't a POSIX environment per se, which means that Windows paths should be used for installation. (CVE-2019-1552) [Richard Levitte]
*) Changed DH_check to accept parameters with order q and 2q subgroups. With order 2q subgroups the bit 0 of the private key is not secret but DH_generate_key works around that by clearing bit 0 of the private key for those. This avoids leaking bit 0 of the private key. [Bernd Edlinger]
*) Significantly reduce secure memory usage by the randomness pools. [Paul Dale]
*) Revert the DEVRANDOM_WAIT feature for Linux systems
The DEVRANDOM_WAIT feature added a select() call to wait for the /dev/random device to become readable before reading from the /dev/urandom device.
It turned out that this change had negative side effects on performance which were not acceptable. After some discussion it was decided to revert this feature and leave it up to the OS resp. the platform maintainer to ensure a proper initialization during early boot time. [Matthias St. Pierre]
show more ...
|
#
05901b04 |
| 23-Sep-2018 |
christos <christos@NetBSD.org> |
OpenSSL CHANGES _______________
This is a high-level summary of the most important changes. For a full list of changes, see the git commit log; for example, https://github.com/openssl/openssl/co
OpenSSL CHANGES _______________
This is a high-level summary of the most important changes. For a full list of changes, see the git commit log; for example, https://github.com/openssl/openssl/commits/ and pick the appropriate release branch.
Changes between 1.1.0i and 1.1.1 [11 Sep 2018]
*) Add a new ClientHello callback. Provides a callback interface that gives the application the ability to adjust the nascent SSL object at the earliest stage of ClientHello processing, immediately after extensions have been collected but before they have been processed. In particular, this callback can adjust the supported TLS versions in response to the contents of the ClientHello [Benjamin Kaduk]
*) Add SM2 base algorithm support. [Jack Lloyd]
*) s390x assembly pack: add (improved) hardware-support for the following cryptographic primitives: sha3, shake, aes-gcm, aes-ccm, aes-ctr, aes-ofb, aes-cfb/cfb8, aes-ecb. [Patrick Steuer]
*) Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str parameter is no longer accepted, as it leads to a corrupt table. NULL pem_str is reserved for alias entries only. [Richard Levitte]
*) Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder step for prime curves. The new implementation is based on formulae from differential addition-and-doubling in homogeneous projective coordinates from Izu-Takagi "A fast parallel elliptic curve multiplication resistant against side channel attacks" and Brier-Joye "Weierstrass Elliptic Curves and Side-Channel Attacks" Eq. (8) for y-coordinate recovery, modified to work in projective coordinates. [Billy Bob Brumley, Nicola Tuveri]
*) Change generating and checking of primes so that the error rate of not being prime depends on the intended use based on the size of the input. For larger primes this will result in more rounds of Miller-Rabin. The maximal error rate for primes with more than 1080 bits is lowered to 2^-128. [Kurt Roeckx, Annie Yousar]
*) Increase the number of Miller-Rabin rounds for DSA key generating to 64. [Kurt Roeckx]
*) The 'tsget' script is renamed to 'tsget.pl', to avoid confusion when moving between systems, and to avoid confusion when a Windows build is done with mingw vs with MSVC. For POSIX installs, there's still a symlink or copy named 'tsget' to avoid that confusion as well. [Richard Levitte]
*) Revert blinding in ECDSA sign and instead make problematic addition length-invariant. Switch even to fixed-length Montgomery multiplication. [Andy Polyakov]
*) Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder step for binary curves. The new implementation is based on formulae from differential addition-and-doubling in mixed Lopez-Dahab projective coordinates, modified to independently blind the operands. [Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri]
*) Add a scaffold to optionally enhance the Montgomery ladder implementation for `ec_scalar_mul_ladder` (formerly `ec_mul_consttime`) allowing EC_METHODs to implement their own specialized "ladder step", to take advantage of more favorable coordinate systems or more efficient differential addition-and-doubling algorithms. [Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri]
*) Modified the random device based seed sources to keep the relevant file descriptors open rather than reopening them on each access. This allows such sources to operate in a chroot() jail without the associated device nodes being available. This behaviour can be controlled using RAND_keep_random_devices_open(). [Paul Dale]
*) Numerous side-channel attack mitigations have been applied. This may have performance impacts for some algorithms for the benefit of improved security. Specific changes are noted in this change log by their respective authors. [Matt Caswell]
*) AIX shared library support overhaul. Switch to AIX "natural" way of handling shared libraries, which means collecting shared objects of different versions and bitnesses in one common archive. This allows to mitigate conflict between 1.0 and 1.1 side-by-side installations. It doesn't affect the way 3rd party applications are linked, only how multi-version installation is managed. [Andy Polyakov]
*) Make ec_group_do_inverse_ord() more robust and available to other EC cryptosystems, so that irrespective of BN_FLG_CONSTTIME, SCA mitigations are applied to the fallback BN_mod_inverse(). When using this function rather than BN_mod_inverse() directly, new EC cryptosystem implementations are then safer-by-default. [Billy Bob Brumley]
*) Add coordinate blinding for EC_POINT and implement projective coordinate blinding for generic prime curves as a countermeasure to chosen point SCA attacks. [Sohaib ul Hassan, Nicola Tuveri, Billy Bob Brumley]
*) Add blinding to ECDSA and DSA signatures to protect against side channel attacks discovered by Keegan Ryan (NCC Group). [Matt Caswell]
*) Enforce checking in the pkeyutl command line app to ensure that the input length does not exceed the maximum supported digest length when performing a sign, verify or verifyrecover operation. [Matt Caswell]
*) SSL_MODE_AUTO_RETRY is enabled by default. Applications that use blocking I/O in combination with something like select() or poll() will hang. This can be turned off again using SSL_CTX_clear_mode(). Many applications do not properly handle non-application data records, and TLS 1.3 sends more of such records. Setting SSL_MODE_AUTO_RETRY works around the problems in those applications, but can also break some. It's recommended to read the manpages about SSL_read(), SSL_write(), SSL_get_error(), SSL_shutdown(), SSL_CTX_set_mode() and SSL_CTX_set_read_ahead() again. [Kurt Roeckx]
*) When unlocking a pass phrase protected PEM file or PKCS#8 container, we now allow empty (zero character) pass phrases. [Richard Levitte]
*) Apply blinding to binary field modular inversion and remove patent pending (OPENSSL_SUN_GF2M_DIV) BN_GF2m_mod_div implementation. [Billy Bob Brumley]
*) Deprecate ec2_mult.c and unify scalar multiplication code paths for binary and prime elliptic curves. [Billy Bob Brumley]
*) Remove ECDSA nonce padding: EC_POINT_mul is now responsible for constant time fixed point multiplication. [Billy Bob Brumley]
*) Revise elliptic curve scalar multiplication with timing attack defenses: ec_wNAF_mul redirects to a constant time implementation when computing fixed point and variable point multiplication (which in OpenSSL are mostly used with secret scalars in keygen, sign, ECDH derive operations). [Billy Bob Brumley, Nicola Tuveri, Cesar Pereida García, Sohaib ul Hassan]
*) Updated CONTRIBUTING [Rich Salz]
*) Updated DRBG / RAND to request nonce and additional low entropy randomness from the system. [Matthias St. Pierre]
*) Updated 'openssl rehash' to use OpenSSL consistent default. [Richard Levitte]
*) Moved the load of the ssl_conf module to libcrypto, which helps loading engines that libssl uses before libssl is initialised. [Matt Caswell]
*) Added EVP_PKEY_sign() and EVP_PKEY_verify() for EdDSA [Matt Caswell]
*) Fixed X509_NAME_ENTRY_set to get multi-valued RDNs right in all cases. [Ingo Schwarze, Rich Salz]
*) Added output of accepting IP address and port for 'openssl s_server' [Richard Levitte]
*) Added a new API for TLSv1.3 ciphersuites: SSL_CTX_set_ciphersuites() SSL_set_ciphersuites() [Matt Caswell]
*) Memory allocation failures consistenly add an error to the error stack. [Rich Salz]
*) Don't use OPENSSL_ENGINES and OPENSSL_CONF environment values in libcrypto when run as setuid/setgid. [Bernd Edlinger]
*) Load any config file by default when libssl is used. [Matt Caswell]
*) Added new public header file <openssl/rand_drbg.h> and documentation for the RAND_DRBG API. See manual page RAND_DRBG(7) for an overview. [Matthias St. Pierre]
*) QNX support removed (cannot find contributors to get their approval for the license change). [Rich Salz]
*) TLSv1.3 replay protection for early data has been implemented. See the SSL_read_early_data() man page for further details. [Matt Caswell]
*) Separated TLSv1.3 ciphersuite configuration out from TLSv1.2 ciphersuite configuration. TLSv1.3 ciphersuites are not compatible with TLSv1.2 and below. Similarly TLSv1.2 ciphersuites are not compatible with TLSv1.3. In order to avoid issues where legacy TLSv1.2 ciphersuite configuration would otherwise inadvertently disable all TLSv1.3 ciphersuites the configuration has been separated out. See the ciphers man page or the SSL_CTX_set_ciphersuites() man page for more information. [Matt Caswell]
*) On POSIX (BSD, Linux, ...) systems the ocsp(1) command running in responder mode now supports the new "-multi" option, which spawns the specified number of child processes to handle OCSP requests. The "-timeout" option now also limits the OCSP responder's patience to wait to receive the full client request on a newly accepted connection. Child processes are respawned as needed, and the CA index file is automatically reloaded when changed. This makes it possible to run the "ocsp" responder as a long-running service, making the OpenSSL CA somewhat more feature-complete. In this mode, most diagnostic messages logged after entering the event loop are logged via syslog(3) rather than written to stderr. [Viktor Dukhovni]
*) Added support for X448 and Ed448. Heavily based on original work by Mike Hamburg. [Matt Caswell]
*) Extend OSSL_STORE with capabilities to search and to narrow the set of objects loaded. This adds the functions OSSL_STORE_expect() and OSSL_STORE_find() as well as needed tools to construct searches and get the search data out of them. [Richard Levitte]
*) Support for TLSv1.3 added. Note that users upgrading from an earlier version of OpenSSL should review their configuration settings to ensure that they are still appropriate for TLSv1.3. For further information see: https://wiki.openssl.org/index.php/TLS1.3 [Matt Caswell]
*) Grand redesign of the OpenSSL random generator
The default RAND method now utilizes an AES-CTR DRBG according to NIST standard SP 800-90Ar1. The new random generator is essentially a port of the default random generator from the OpenSSL FIPS 2.0 object module. It is a hybrid deterministic random bit generator using an AES-CTR bit stream and which seeds and reseeds itself automatically using trusted system entropy sources.
Some of its new features are: o Support for multiple DRBG instances with seed chaining. o The default RAND method makes use of a DRBG. o There is a public and private DRBG instance. o The DRBG instances are fork-safe. o Keep all global DRBG instances on the secure heap if it is enabled. o The public and private DRBG instance are per thread for lock free operation [Paul Dale, Benjamin Kaduk, Kurt Roeckx, Rich Salz, Matthias St. Pierre]
*) Changed Configure so it only says what it does and doesn't dump so much data. Instead, ./configdata.pm should be used as a script to display all sorts of configuration data. [Richard Levitte]
*) Added processing of "make variables" to Configure. [Richard Levitte]
*) Added SHA512/224 and SHA512/256 algorithm support. [Paul Dale]
*) The last traces of Netware support, first removed in 1.1.0, have now been removed. [Rich Salz]
*) Get rid of Makefile.shared, and in the process, make the processing of certain files (rc.obj, or the .def/.map/.opt files produced from the ordinal files) more visible and hopefully easier to trace and debug (or make silent). [Richard Levitte]
*) Make it possible to have environment variable assignments as arguments to config / Configure. [Richard Levitte]
*) Add multi-prime RSA (RFC 8017) support. [Paul Yang]
*) Add SM3 implemented according to GB/T 32905-2016 [ Jack Lloyd <jack.lloyd@ribose.com>, Ronald Tse <ronald.tse@ribose.com>, Erick Borsboom <erick.borsboom@ribose.com> ]
*) Add 'Maximum Fragment Length' TLS extension negotiation and support as documented in RFC6066. Based on a patch from Tomasz Moń [Filipe Raimundo da Silva]
*) Add SM4 implemented according to GB/T 32907-2016. [ Jack Lloyd <jack.lloyd@ribose.com>, Ronald Tse <ronald.tse@ribose.com>, Erick Borsboom <erick.borsboom@ribose.com> ]
*) Reimplement -newreq-nodes and ERR_error_string_n; the original author does not agree with the license change. [Rich Salz]
*) Add ARIA AEAD TLS support. [Jon Spillett]
*) Some macro definitions to support VS6 have been removed. Visual Studio 6 has not worked since 1.1.0 [Rich Salz]
*) Add ERR_clear_last_mark(), to allow callers to clear the last mark without clearing the errors. [Richard Levitte]
*) Add "atfork" functions. If building on a system that without pthreads, see doc/man3/OPENSSL_fork_prepare.pod for application requirements. The RAND facility now uses/requires this. [Rich Salz]
*) Add SHA3. [Andy Polyakov]
*) The UI API becomes a permanent and integral part of libcrypto, i.e. not possible to disable entirely. However, it's still possible to disable the console reading UI method, UI_OpenSSL() (use UI_null() as a fallback).
To disable, configure with 'no-ui-console'. 'no-ui' is still possible to use as an alias. Check at compile time with the macro OPENSSL_NO_UI_CONSOLE. The macro OPENSSL_NO_UI is still possible to check and is an alias for OPENSSL_NO_UI_CONSOLE. [Richard Levitte]
*) Add a STORE module, which implements a uniform and URI based reader of stores that can contain keys, certificates, CRLs and numerous other objects. The main API is loosely based on a few stdio functions, and includes OSSL_STORE_open, OSSL_STORE_load, OSSL_STORE_eof, OSSL_STORE_error and OSSL_STORE_close. The implementation uses backends called "loaders" to implement arbitrary URI schemes. There is one built in "loader" for the 'file' scheme. [Richard Levitte]
*) Add devcrypto engine. This has been implemented against cryptodev-linux, then adjusted to work on FreeBSD 8.4 as well. Enable by configuring with 'enable-devcryptoeng'. This is done by default on BSD implementations, as cryptodev.h is assumed to exist on all of them. [Richard Levitte]
*) Module names can prefixed with OSSL_ or OPENSSL_. This affects util/mkerr.pl, which is adapted to allow those prefixes, leading to error code calls like this:
OSSL_FOOerr(OSSL_FOO_F_SOMETHING, OSSL_FOO_R_WHATEVER);
With this change, we claim the namespaces OSSL and OPENSSL in a manner that can be encoded in C. For the foreseeable future, this will only affect new modules. [Richard Levitte and Tim Hudson]
*) Removed BSD cryptodev engine. [Rich Salz]
*) Add a build target 'build_all_generated', to build all generated files and only that. This can be used to prepare everything that requires things like perl for a system that lacks perl and then move everything to that system and do the rest of the build there. [Richard Levitte]
*) In the UI interface, make it possible to duplicate the user data. This can be used by engines that need to retain the data for a longer time than just the call where this user data is passed. [Richard Levitte]
*) Ignore the '-named_curve auto' value for compatibility of applications with OpenSSL 1.0.2. [Tomas Mraz <tmraz@fedoraproject.org>]
*) Fragmented SSL/TLS alerts are no longer accepted. An alert message is 2 bytes long. In theory it is permissible in SSLv3 - TLSv1.2 to fragment such alerts across multiple records (some of which could be empty). In practice it make no sense to send an empty alert record, or to fragment one. TLSv1.3 prohibts this altogether and other libraries (BoringSSL, NSS) do not support this at all. Supporting it adds significant complexity to the record layer, and its removal is unlikely to cause inter-operability issues. [Matt Caswell]
*) Add the ASN.1 types INT32, UINT32, INT64, UINT64 and variants prefixed with Z. These are meant to replace LONG and ZLONG and to be size safe. The use of LONG and ZLONG is discouraged and scheduled for deprecation in OpenSSL 1.2.0. [Richard Levitte]
*) Add the 'z' and 'j' modifiers to BIO_printf() et al formatting string, 'z' is to be used for [s]size_t, and 'j' - with [u]int64_t. [Richard Levitte, Andy Polyakov]
*) Add EC_KEY_get0_engine(), which does for EC_KEY what RSA_get0_engine() does for RSA, etc. [Richard Levitte]
*) Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target platform rather than 'mingw'. [Richard Levitte]
*) The functions X509_STORE_add_cert and X509_STORE_add_crl return success if they are asked to add an object which already exists in the store. This change cascades to other functions which load certificates and CRLs. [Paul Dale]
*) x86_64 assembly pack: annotate code with DWARF CFI directives to facilitate stack unwinding even from assembly subroutines. [Andy Polyakov]
*) Remove VAX C specific definitions of OPENSSL_EXPORT, OPENSSL_EXTERN. Also remove OPENSSL_GLOBAL entirely, as it became a no-op. [Richard Levitte]
*) Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c. VMS C's RTL has a fully up to date gmtime() and gmtime_r() since V7.1, which is the minimum version we support. [Richard Levitte]
*) Certificate time validation (X509_cmp_time) enforces stricter compliance with RFC 5280. Fractional seconds and timezone offsets are no longer allowed. [Emilia Käsper]
*) Add support for ARIA [Paul Dale]
*) s_client will now send the Server Name Indication (SNI) extension by default unless the new "-noservername" option is used. The server name is based on the host provided to the "-connect" option unless overridden by using "-servername". [Matt Caswell]
*) Add support for SipHash [Todd Short]
*) OpenSSL now fails if it receives an unrecognised record type in TLS1.0 or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to prevent issues where no progress is being made and the peer continually sends unrecognised record types, using up resources processing them. [Matt Caswell]
*) 'openssl passwd' can now produce SHA256 and SHA512 based output, using the algorithm defined in https://www.akkadia.org/drepper/SHA-crypt.txt [Richard Levitte]
*) Heartbeat support has been removed; the ABI is changed for now. [Richard Levitte, Rich Salz]
*) Support for SSL_OP_NO_ENCRYPT_THEN_MAC in SSL_CONF_cmd. [Emilia Käsper]
*) The RSA "null" method, which was partially supported to avoid patent issues, has been replaced to always returns NULL. [Rich Salz]
show more ...
|