+ * The OBJ_ calls are now thread safe using a global lock.
+
+ *Paul Dale*
+
+ * New parameter `-digest` for openssl cms command allowing signing
+ pre-computed digests and new CMS API functions supporting that
+ functionality.
+
+ *Viktor Söderqvist*
+
+ * OPENSSL_malloc() and other allocation functions now raise errors on
+ allocation failures. The callers do not need to explicitly raise errors
+ unless they want to for tracing purposes.
+
+ *David von Oheimb*
+
+ * Added and enabled by default implicit rejection in RSA PKCS#1 v1.5
+ decryption as a protection against Bleichenbacher-like attacks.
+ The RSA decryption API will now return a randomly generated deterministic
+ message instead of an error in case it detects an error when checking
+ padding during PKCS#1 v1.5 decryption. This is a general protection against
+ issues like CVE-2020-25659 and CVE-2020-25657. This protection can be
+ disabled by calling
+ `EVP_PKEY_CTX_ctrl_str(ctx, "rsa_pkcs1_implicit_rejection". "0")`
+ on the RSA decryption context.
+
+ *Hubert Kario*
+
+ * Added support for Brainpool curves in TLS-1.3.
+
+ *Bernd Edlinger and Matt Caswell*
+
+ * Added OpenBSD specific build targets.
+
+ *David Carlier*
+
+ * Support for Argon2d, Argon2i, Argon2id KDFs has been added along with
+ a basic thread pool implementation for select platforms.
+
+ *Čestmír Kalina*
+
+OpenSSL 3.1
+-----------
+
+### Changes between 3.1.2 and 3.1.3 [xx XXX xxxx]
+
+ * Fix POLY1305 MAC implementation corrupting XMM registers on Windows.
+
+ The POLY1305 MAC (message authentication code) implementation in OpenSSL
+ does not save the contents of non-volatile XMM registers on Windows 64
+ platform when calculating the MAC of data larger than 64 bytes. Before
+ returning to the caller all the XMM registers are set to zero rather than
+ restoring their previous content. The vulnerable code is used only on newer
+ x86_64 processors supporting the AVX512-IFMA instructions.
+
+ The consequences of this kind of internal application state corruption can
+ be various - from no consequences, if the calling application does not
+ depend on the contents of non-volatile XMM registers at all, to the worst
+ consequences, where the attacker could get complete control of the
+ application process. However given the contents of the registers are just
+ zeroized so the attacker cannot put arbitrary values inside, the most likely
+ consequence, if any, would be an incorrect result of some application
+ dependent calculations or a crash leading to a denial of service.
+
+ ([CVE-2023-4807])
+
+ *Bernd Edlinger*
+
+### Changes between 3.1.1 and 3.1.2 [1 Aug 2023]
+
+ * Fix excessive time spent checking DH q parameter value.
+
+ The function DH_check() performs various checks on DH parameters. After
+ fixing CVE-2023-3446 it was discovered that a large q parameter value can
+ also trigger an overly long computation during some of these checks.
+ A correct q value, if present, cannot be larger than the modulus p
+ parameter, thus it is unnecessary to perform these checks if q is larger
+ than p.
+
+ If DH_check() is called with such q parameter value,
+ DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally
+ intensive checks are skipped.
+
+ ([CVE-2023-3817])
+
+ *Tomáš Mráz*
+
+ * Fix DH_check() excessive time with over sized modulus.
+
+ The function DH_check() performs various checks on DH parameters. One of
+ those checks confirms that the modulus ("p" parameter) is not too large.
+ Trying to use a very large modulus is slow and OpenSSL will not normally use
+ a modulus which is over 10,000 bits in length.
+
+ However the DH_check() function checks numerous aspects of the key or
+ parameters that have been supplied. Some of those checks use the supplied
+ modulus value even if it has already been found to be too large.
+
+ A new limit has been added to DH_check of 32,768 bits. Supplying a
+ key/parameters with a modulus over this size will simply cause DH_check() to
+ fail.
+
+ ([CVE-2023-3446])
+
+ *Matt Caswell*
+
+ * Do not ignore empty associated data entries with AES-SIV.
+
+ The AES-SIV algorithm allows for authentication of multiple associated
+ data entries along with the encryption. To authenticate empty data the
+ application has to call `EVP_EncryptUpdate()` (or `EVP_CipherUpdate()`)
+ with NULL pointer as the output buffer and 0 as the input buffer length.
+ The AES-SIV implementation in OpenSSL just returns success for such call
+ instead of performing the associated data authentication operation.
+ The empty data thus will not be authenticated. ([CVE-2023-2975])
+
+ Thanks to Juerg Wullschleger (Google) for discovering the issue.
+
+ The fix changes the authentication tag value and the ciphertext for
+ applications that use empty associated data entries with AES-SIV.
+ To decrypt data encrypted with previous versions of OpenSSL the application
+ has to skip calls to `EVP_DecryptUpdate()` for empty associated data
+ entries.
+
+ *Tomáš Mráz*
+
+ * When building with the `enable-fips` option and using the resulting
+ FIPS provider, TLS 1.2 will, by default, mandate the use of an extended
+ master secret (FIPS 140-3 IG G.Q) and the Hash and HMAC DRBGs will
+ not operate with truncated digests (FIPS 140-3 IG G.R).
+
+ *Paul Dale*
+
+### Changes between 3.1.0 and 3.1.1 [30 May 2023]
+
+ * Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic
+ OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.
+
+ OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical
+ numeric text form. For gigantic sub-identifiers, this would take a very
+ long time, the time complexity being O(n^2) where n is the size of that
+ sub-identifier. ([CVE-2023-2650])
+
+ To mitigitate this, `OBJ_obj2txt()` will only translate an OBJECT
+ IDENTIFIER to canonical numeric text form if the size of that OBJECT
+ IDENTIFIER is 586 bytes or less, and fail otherwise.
+
+ The basis for this restriction is [RFC 2578 (STD 58), section 3.5]. OBJECT
+ IDENTIFIER values, which stipulates that OBJECT IDENTIFIERS may have at
+ most 128 sub-identifiers, and that the maximum value that each sub-
+ identifier may have is 2^32-1 (4294967295 decimal).
+
+ For each byte of every sub-identifier, only the 7 lower bits are part of
+ the value, so the maximum amount of bytes that an OBJECT IDENTIFIER with
+ these restrictions may occupy is 32 * 128 / 7, which is approximately 586
+ bytes.
+
+ *Richard Levitte*
+
+ * Multiple algorithm implementation fixes for ARM BE platforms.
+
+ *Liu-ErMeng*
+
+ * Added a -pedantic option to fipsinstall that adjusts the various
+ settings to ensure strict FIPS compliance rather than backwards
+ compatibility.
+
+ *Paul Dale*
+
+ * Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms which
+ happens if the buffer size is 4 mod 5 in 16 byte AES blocks. This can
+ trigger a crash of an application using AES-XTS decryption if the memory
+ just after the buffer being decrypted is not mapped.
+ Thanks to Anton Romanov (Amazon) for discovering the issue.
+ ([CVE-2023-1255])
+
+ *Nevine Ebeid*
+
+ * Reworked the Fix for the Timing Oracle in RSA Decryption ([CVE-2022-4304]).
+ The previous fix for this timing side channel turned out to cause
+ a severe 2-3x performance regression in the typical use case
+ compared to 3.0.7. The new fix uses existing constant time
+ code paths, and restores the previous performance level while
+ fully eliminating all existing timing side channels.
+ The fix was developed by Bernd Edlinger with testing support
+ by Hubert Kario.
+
+ *Bernd Edlinger*
+
+ * Add FIPS provider configuration option to disallow the use of
+ truncated digests with Hash and HMAC DRBGs (q.v. FIPS 140-3 IG D.R.).
+ The option '-no_drbg_truncated_digests' can optionally be
+ supplied to 'openssl fipsinstall'.
+
+ *Paul Dale*
+
+ * Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
+ that it does not enable policy checking. Thanks to David Benjamin for
+ discovering this issue.
+ ([CVE-2023-0466])
+
+ *Tomáš Mráz*
+
+ * Fixed an issue where invalid certificate policies in leaf certificates are
+ silently ignored by OpenSSL and other certificate policy checks are skipped
+ for that certificate. A malicious CA could use this to deliberately assert
+ invalid certificate policies in order to circumvent policy checking on the
+ certificate altogether.
+ ([CVE-2023-0465])
+
+ *Matt Caswell*
+
+ * Limited the number of nodes created in a policy tree to mitigate
+ against CVE-2023-0464. The default limit is set to 1000 nodes, which
+ should be sufficient for most installations. If required, the limit
+ can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build
+ time define to a desired maximum number of nodes or zero to allow
+ unlimited growth.
+ ([CVE-2023-0464])
+
+ *Paul Dale*
+
+### Changes between 3.0 and 3.1.0 [14 Mar 2023]
+
+ * Add FIPS provider configuration option to enforce the
+ Extended Master Secret (EMS) check during the TLS1_PRF KDF.
+ The option '-ems-check' can optionally be supplied to
+ 'openssl fipsinstall'.
+
+ *Shane Lontis*
+
+ * The FIPS provider includes a few non-approved algorithms for
+ backward compatibility purposes and the "fips=yes" property query
+ must be used for all algorithm fetches to ensure FIPS compliance.
+
+ The algorithms that are included but not approved are Triple DES ECB,
+ Triple DES CBC and EdDSA.
+
+ *Paul Dale*
+
+ * Added support for KMAC in KBKDF.
+
+ *Shane Lontis*
+
+ * RNDR and RNDRRS support in provider functions to provide
+ random number generation for Arm CPUs (aarch64).
+
+ *Orr Toledano*
+
+ * s_client and s_server apps now explicitly say when the TLS version
+ does not include the renegotiation mechanism. This avoids confusion
+ between that scenario versus when the TLS version includes secure
+ renegotiation but the peer lacks support for it.
+
+ *Felipe Gasper*
+
+ * AES-GCM enabled with AVX512 vAES and vPCLMULQDQ.
+
+ *Tomasz Kantecki, Andrey Matyukov*
+
+ * The various OBJ_* functions have been made thread safe.
+
+ *Paul Dale*
+
+ * Parallel dual-prime 1536/2048-bit modular exponentiation for
+ AVX512_IFMA capable processors.
+
+ *Sergey Kirillov, Andrey Matyukov (Intel Corp)*
+
+ * The functions `OPENSSL_LH_stats`, `OPENSSL_LH_node_stats`,
+ `OPENSSL_LH_node_usage_stats`, `OPENSSL_LH_stats_bio`,
+ `OPENSSL_LH_node_stats_bio` and `OPENSSL_LH_node_usage_stats_bio` are now
+ marked deprecated from OpenSSL 3.1 onwards and can be disabled by defining
+ `OPENSSL_NO_DEPRECATED_3_1`.
+
+ The macro `DEFINE_LHASH_OF` is now deprecated in favour of the macro
+ `DEFINE_LHASH_OF_EX`, which omits the corresponding type-specific function
+ definitions for these functions regardless of whether
+ `OPENSSL_NO_DEPRECATED_3_1` is defined.
+
+ Users of `DEFINE_LHASH_OF` may start receiving deprecation warnings for these
+ functions regardless of whether they are using them. It is recommended that
+ users transition to the new macro, `DEFINE_LHASH_OF_EX`.
+
+ *Hugo Landau*
+
+ * When generating safe-prime DH parameters set the recommended private key
+ length equivalent to minimum key lengths as in RFC 7919.
+
+ *Tomáš Mráz*
+
+ * Change the default salt length for PKCS#1 RSASSA-PSS signatures to the
+ maximum size that is smaller or equal to the digest length to comply with
+ FIPS 186-4 section 5. This is implemented by a new option
+ `OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX` ("auto-digestmax") for the
+ `rsa_pss_saltlen` parameter, which is now the default. Signature
+ verification is not affected by this change and continues to work as before.
+
+ *Clemens Lang*
+
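Review bot: the call shown in the RSA implicit-rejection entry, `EVP_PKEY_CTX_ctrl_str(ctx, "rsa_pkcs1_implicit_rejection". "0")`, has a `.` between the two string arguments where a `,` is needed, so a reader who pastes it gets a compile error; it should read `EVP_PKEY_CTX_ctrl_str(ctx, "rsa_pkcs1_implicit_rejection", "0")`. In the same entry, "a randomly generated deterministic message" reads as a contradiction; "a deterministically derived, pseudo-random message" (the same ciphertext and key always produce the same output, which is what stops an attacker distinguishing a padding failure by repeating the query) says what the protection actually does. Smaller points in the 3.1 section: "mitigitate" in the OBJ_obj2txt entry should be "mitigate", and "Mitigate for the time it takes" should be "Mitigate the time it takes"; the sentence "The basis for this restriction is [RFC 2578 (STD 58), section 3.5]. OBJECT IDENTIFIER values, which stipulates ..." is broken by the period after the link, since "OBJECT IDENTIFIER values" is the section title and the relative clause belongs to the RFC reference, so move the period or fold the title into the link text; the same DRBG truncated-digest requirement is cited as "FIPS 140-3 IG G.R" in the 3.1.2 entry and "FIPS 140-3 IG D.R." in the 3.1.1 entry, and the EMS requirement as "IG G.Q", so the section letters need reconciling (I believe the Implementation Guidance numbers these D.Q and D.R; please verify); the 3.1.1 entry quotes its option as `'-no_drbg_truncated_digests'` with single quotes while the rest of the file uses backticks for options; and the 3.1.0 entry "The various OBJ_* functions have been made thread safe" overlaps the 3.2 entry "The OBJ_ calls are now thread safe using a global lock", so the 3.2 entry should state what changed relative to 3.1 rather than restating the earlier one.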