### Changes between 1.1.1 and 3.0 [xx XXX xxxx]
+ * Add ".pragma abspath:true" to prevent relative file inclusion in
+ config files.
+
+ * Rich Salz *
+
+ * OpenSSL includes a cryptographic module that is intended to be FIPS 140-2
+ validated. The module is implemented as an OpenSSL provider, the so-called
+ FIPS provider. A list of all changes related to the FIPS provider would go
+ beyond the scope of this CHANGES file, please consult the README-FIPS and
+ README-PROVIDERS files, as well as the migration guide.
+
+ The FIPS provider is disabled by default and needs to be enabled explicitly
+ at configuration time using the `enable-fips` option. If it is enabled,
+ the FIPS provider gets built and installed in addition to the default and
+ the legacy provider. No separate installation procedure is necessary.
+ There is however a dedicated `install_fips` make target, which serves the
+ special purpose of installing only the FIPS provider into an existing
+ OpenSSL installation.
+
+ *OpenSSL team members and many third party contributors*
+
+ * For the key types DH and DHX the allowed settable parameters are now different.
+ Previously (in 1.1.1) these conflicting parameters were allowed, but will now
+ result in errors. See EVP_PKEY-DH(7) for further details. This affects the
+ behaviour of openssl-genpkey(1) for DH parameter generation.
+
+ *Shane Lontis*
+
+ * Added enhanced PKCS#12 APIs which accept a library context `OSSL_LIB_CTX`
+ and (where relevant) a property query. Other APIs which handle PKCS#7 and
+ PKCS#8 objects have also been enhanced where required. This includes:
+
+ PKCS12_add_key_ex(), PKCS12_add_safe_ex(), PKCS12_add_safes_ex(),
+ PKCS12_create_ex(), PKCS12_decrypt_skey_ex(), PKCS12_init_ex(),
+ PKCS12_item_decrypt_d2i_ex(), PKCS12_item_i2d_encrypt_ex(),
+ PKCS12_key_gen_asc_ex(), PKCS12_key_gen_uni_ex(), PKCS12_key_gen_utf8_ex(),
+ PKCS12_pack_p7encdata_ex(), PKCS12_pbe_crypt_ex(), PKCS12_PBE_keyivgen_ex(),
+ PKCS12_SAFEBAG_create_pkcs8_encrypt_ex(), PKCS5_pbe2_set_iv_ex(),
+ PKCS5_pbe_set0_algor_ex(), PKCS5_pbe_set_ex(), PKCS5_pbkdf2_set_ex(),
+ PKCS5_v2_PBE_keyivgen_ex(), PKCS5_v2_scrypt_keyivgen_ex(),
+ PKCS8_decrypt_ex(), PKCS8_encrypt_ex(), PKCS8_set0_pbe_ex().
+
+ As part of this change the EVP_PBE_xxx APIs can also accept a library
+ context and property query and will call an extended version of the key/IV
+ derivation function which supports these parameters. This includes
+ EVP_PBE_CipherInit_ex(), EVP_PBE_find_ex() and EVP_PBE_scrypt_ex().
+
+ *Jon Spillett*
+
+ * The default manual page suffix ($MANSUFFIX) has been changed to "ossl"
+
+ *Matt Caswell*
+
+ * Added support for Kernel TLS (KTLS). In order to use KTLS, support for it
+ must be compiled in using the "enable-ktls" compile time option. It must
+ also be enabled at run time using the SSL_OP_ENABLE_KTLS option.
+
+ *Boris Pismenny, John Baldwin and Andrew Gallatin*
+
+ * The signature of the `copy` functional parameter of the
+ EVP_PKEY_meth_set_copy() function has changed so its `src` argument is
+ now `const EVP_PKEY_CTX *` instead of `EVP_PKEY_CTX *`. Similarly
+ the signature of the `pub_decode` functional parameter of the
+ EVP_PKEY_asn1_set_public() function has changed so its `pub` argument is
+ now `const X509_PUBKEY *` instead of `X509_PUBKEY *`.
+
+ *David von Oheimb*
+
+ * The error return values from some control calls (ctrl) have changed.
+ One significant change is that controls which used to return -2 for
+ invalid inputs, now return -1 indicating a generic error condition instead.
+
+ *Paul Dale*
+
+ * A public key check is now performed during EVP_PKEY_derive_set_peer().
+ Previously DH was internally doing this during EVP_PKEY_derive().
+ To disable this check use EVP_PKEY_derive_set_peer_ex(dh, peer, 0). This
+ may mean that an error can occur in EVP_PKEY_derive_set_peer() rather than
+ during EVP_PKEY_derive().
+
+ *Shane Lontis*
+
+ * The EVP_PKEY_CTRL_PKCS7_ENCRYPT, EVP_PKEY_CTRL_PKCS7_DECRYPT,
+ EVP_PKEY_CTRL_PKCS7_SIGN, EVP_PKEY_CTRL_CMS_ENCRYPT,
+ EVP_PKEY_CTRL_CMS_DECRYPT, and EVP_PKEY_CTRL_CMS_SIGN control operations
+ are deprecated. They are not invoked by the OpenSSL library anymore and
+ are replaced by direct checks of the key operation against the key type
+ when the operation is initialized.
+
+ *Tomáš Mráz*
+
* The EVP_PKEY_public_check() and EVP_PKEY_param_check() functions now work for
more key types including RSA, DSA, ED25519, X25519, ED448 and X448.
Previously (in 1.1.1) they would return -2. For key types that do not have
* Deprecated the type OCSP_REQ_CTX and the functions OCSP_REQ_CTX_new(),
OCSP_REQ_CTX_free(), OCSP_REQ_CTX_http(), OCSP_REQ_CTX_add1_header(),
- OCSP_REQ_CTX_i2d(), OCSP_REQ_CTX_nbio(), OCSP_REQ_CTX_nbio_d2i(),
+ OCSP_REQ_CTX_i2d() and its special form OCSP_REQ_CTX_set1_req(),
+ OCSP_REQ_CTX_nbio(), OCSP_REQ_CTX_nbio_d2i(),
OCSP_REQ_CTX_get0_mem_bio() and OCSP_set_max_response_length(). These
were used to collect all necessary data to form a HTTP request, and to
perform the HTTP transfer with that request. With OpenSSL 3.0, the
*Paul Dale*
- * Deprecated EVP_PKEY_set_alias_type(). This function was previously
+ * Removed EVP_PKEY_set_alias_type(). This function was previously
needed as a workaround to recognise SM2 keys. With OpenSSL 3.0, this key
type is internally recognised so the workaround is no longer needed.
- Functionality is still retained as it is, but will only work with
- EVP_PKEYs with a legacy internal key.
+ This is a breaking change from previous OpenSSL versions.
*Richard Levitte*
*Richard Levitte*
- * Renamed `EVP_PKEY_cmp()` to `EVP_PKEY_eq()` and
- `EVP_PKEY_cmp_parameters()` to `EVP_PKEY_parameters_eq()`.
- While the old function names have been retained for backward compatibility
- they should not be used in new developments
- because their return values are confusing: Unlike other `_cmp()` functions
- they do not return 0 in case their arguments are equal.
+ * Deprecated `EVP_PKEY_cmp()` and `EVP_PKEY_cmp_parameters()` since their
+ return values were confusing: Unlike other `_cmp()` functions
+ they do not return 0 when their arguments are equal.
+ The new replacement functions `EVP_PKEY_eq()` and `EVP_PKEY_parameters_eq()`
+ should be used.
- *David von Oheimb*
+ *David von Oheimb and Shane Lontis*
* Deprecated `EC_METHOD_get_field_type()`. Applications should switch to
`EC_GROUP_get_field_type()`.
L<EVP_PKEY_encrypt(3)>, L<EVP_PKEY_decrypt_init(3)> and
L<EVP_PKEY_decrypt(3)>.
+ All of these low level RSA functions have been deprecated without
+ replacement:
+
+ RSA_blinding_off, RSA_blinding_on, RSA_clear_flags, RSA_get_version,
+ RSAPrivateKey_dup, RSAPublicKey_dup, RSA_set_flags, RSA_setup_blinding and
+ RSA_test_flags.
+
+ All of these RSA flags have been deprecated without replacement:
+
+ RSA_FLAG_BLINDING, RSA_FLAG_CACHE_PRIVATE, RSA_FLAG_CACHE_PUBLIC,
+ RSA_FLAG_EXT_PKEY, RSA_FLAG_NO_BLINDING, RSA_FLAG_THREAD_SAFE and
+ RSA_METHOD_FLAG_NO_CHECK.
+
*Paul Dale*
* X509 certificates signed using SHA1 are no longer allowed at security
time. Instead applications should use L<EVP_PKEY_derive_init(3)>
and L<EVP_PKEY_derive(3)>.
+ These low level DH functions have been deprecated without replacement:
+
+ DH_clear_flags, DH_get_1024_160, DH_get_2048_224, DH_get_2048_256,
+ DH_set_flags and DH_test_flags.
+
+ The DH_FLAG_CACHE_MONT_P flag has been deprecated without replacement.
+ The DH_FLAG_TYPE_DH and DH_FLAG_TYPE_DHX have been deprecated. Use
+ EVP_PKEY_is_a() to determine the type of a key. There is no replacement for
+ setting these flags.
+
Additionally functions that read and write DH objects such as d2i_DHparams,
i2d_DHparams, PEM_read_DHparam, PEM_write_DHparams and other similar
functions have also been deprecated. Applications should instead use the
OSSL_DECODER and OSSL_ENCODER APIs to read and write DH files.
- Finaly functions that assign or obtain DH objects from an EVP_PKEY such as
+ Finally functions that assign or obtain DH objects from an EVP_PKEY such as
`EVP_PKEY_assign_DH()`, `EVP_PKEY_get0_DH()`, `EVP_PKEY_get1_DH()`, and
`EVP_PKEY_set1_DH()` are also deprecated.
Applications should instead either read or write an
time. Instead applications should use L<EVP_DigestSignInit_ex(3)>,
L<EVP_DigestSignUpdate(3)> and L<EVP_DigestSignFinal(3)>.
- Finaly functions that assign or obtain DSA objects from an EVP_PKEY such as
+ These low level DSA functions have been deprecated without replacement:
+
+ DSA_clear_flags, DSA_dup_DH, DSAparams_dup, DSA_set_flags and
+ DSA_test_flags.
+
+ The DSA_FLAG_CACHE_MONT_P flag has been deprecated without replacement.
+
+ Finally functions that assign or obtain DSA objects from an EVP_PKEY such as
`EVP_PKEY_assign_DSA()`, `EVP_PKEY_get0_DSA()`, `EVP_PKEY_get1_DSA()`, and
`EVP_PKEY_set1_DSA()` are also deprecated.
Applications should instead either read or write an
*Paul Dale*
* Reworked the treatment of EC EVP_PKEYs with the SM2 curve to
- automatically become EVP_PKEY_SM2 rather than EVP_PKEY_EC.
- This means that applications don't have to look at the curve NID and
- `EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2)` to get SM2 computations.
- However, they still can, that `EVP_PKEY_set_alias_type()` call acts as
- a no-op when the EVP_PKEY is already of the given type.
+ automatically become EVP_PKEY_SM2 rather than EVP_PKEY_EC. This is a breaking
+ change from previous OpenSSL versions.
+
+ Unlike in previous OpenSSL versions, this means that applications must not
+ call `EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2)` to get SM2 computations.
+ The `EVP_PKEY_set_alias_type` function has now been removed.
Parameter and key generation is also reworked to make it possible
- to generate EVP_PKEY_SM2 parameters and keys without having to go
- through EVP_PKEY_EC generation and then change the EVP_PKEY type.
- However, code that does the latter will still work as before.
+ to generate EVP_PKEY_SM2 parameters and keys. Applications must now generate
+ SM2 keys directly and must not create an EVP_PKEY_EC key first.
*Richard Levitte*
*Randall S. Becker*
+ * Added support for FFDHE key exchange in TLS 1.3.
+
+ *Raja Ashok*
+
OpenSSL 1.1.1
-------------
### Changes between 1.1.1j and 1.1.1k [xx XXX xxxx]
+ * Fixed a problem with verifying a certificate chain when using the
+ X509_V_FLAG_X509_STRICT flag. This flag enables additional security checks of
+ the certificates present in a certificate chain. It is not set by default.
+
+ Starting from OpenSSL version 1.1.1h a check to disallow certificates in
+ the chain that have explicitly encoded elliptic curve parameters was added
+ as an additional strict check.
+
+ An error in the implementation of this check meant that the result of a
+ previous check to confirm that certificates in the chain are valid CA
+ certificates was overwritten. This effectively bypasses the check
+ that non-CA certificates must not be able to issue other certificates.
+
+ If a "purpose" has been configured then there is a subsequent opportunity
+ for checks that the certificate is a valid CA. All of the named "purpose"
+ values implemented in libcrypto perform this check. Therefore, where
+ a purpose is set the certificate chain will still be rejected even when the
+ strict flag has been used. A purpose is set by default in libssl client and
+ server certificate verification routines, but it can be overridden or
+ removed by an application.
+
+ In order to be affected, an application must explicitly set the
+ X509_V_FLAG_X509_STRICT verification flag and either not set a purpose
+ for the certificate verification or, in the case of TLS client or server
+ applications, override the default purpose.
+ ([CVE-2021-3450])
+
+ *Tomáš Mráz*
+
+ * Fixed an issue where an OpenSSL TLS server may crash if sent a maliciously
+ crafted renegotiation ClientHello message from a client. If a TLSv1.2
+ renegotiation ClientHello omits the signature_algorithms extension (where it
+ was present in the initial ClientHello), but includes a
+ signature_algorithms_cert extension then a NULL pointer dereference will
+ result, leading to a crash and a denial of service attack.
+
+ A server is only vulnerable if it has TLSv1.2 and renegotiation enabled
+ (which is the default configuration). OpenSSL TLS clients are not impacted by
+ this issue.
+ ([CVE-2021-3449])
+
+ *Peter Kästle and Samuel Sapalski*
+
### Changes between 1.1.1i and 1.1.1j [16 Feb 2021]
* Fixed the X509_issuer_and_serial_hash() function. It attempts to