Changes between 1.1.1 and 3.0.0 [xx XXX xxxx]
+ *) Added functionality to create an EVP_PKEY context based on data
+ for methods from providers. This takes an algorithm name and a
+ property query string and simply stores them, with the intent
+ that any operation that uses this context will use those strings
+ to fetch the needed methods implicitly, thereby making the port
+ of application written for pre-3.0 OpenSSL easier.
+ [Richard Levitte]
+
+ *) The undocumented function NCONF_WIN32() has been deprecated; for
+ conversion details see the HISTORY section of doc/man5/config.pod
+ [Rich Salz]
+
+ *) Introduced the new functions EVP_DigestSignInit_ex() and
+ EVP_DigestVerifyInit_ex(). The macros EVP_DigestSignUpdate() and
+ EVP_DigestVerifyUpdate() have been converted to functions. See the man
+ pages for further details.
+ [Matt Caswell]
+
+ *) Over two thousand fixes were made to the documentation, including:
+ adding missing command flags, better style conformance, documentation
+ of internals, etc.
+ [Rich Salz, Richard Levitte]
+
+ *) s390x assembly pack: add hardware-support for P-256, P-384, P-521,
+ X25519, X448, Ed25519 and Ed448.
+ [Patrick Steuer]
+
+ *) Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just
+ the first value.
+ [Jon Spillett]
+
+ *) Deprecated the public definition of ERR_STATE as well as the function
+ ERR_get_state(). This is done in preparation of making ERR_STATE an
+ opaque type.
+ [Richard Levitte]
+
+ *) Added ERR functionality to give callers access to the stored function
+ names that have replaced the older function code based functions.
+
+ New functions are ERR_get_error_func(), ERR_peek_error_func(),
+ ERR_peek_last_error_func(), ERR_get_error_data(), ERR_peek_error_data(),
+ ERR_peek_last_error_data(), ERR_get_error_all(), ERR_peek_error_all()
+ and ERR_peek_last_error_all().
+
+ These functions have become deprecated: ERR_get_error_line_data(),
+ ERR_peek_error_line_data(), ERR_peek_last_error_line_data() and
+ ERR_func_error_string().
+ [Richard Levitte]
+
+ *) Extended testing to be verbose for failing tests only. The make variables
+ VERBOSE_FAILURE or VF can be used to enable this:
+
+ $ make VF=1 test # Unix
+ $ mms /macro=(VF=1) test ! OpenVMS
+ $ nmake VF=1 test # Windows
+
+ [Richard Levitte]
+
+ *) For built-in EC curves, ensure an EC_GROUP built from the curve name is
+ used even when parsing explicit parameters, when loading a serialized key
+ or calling `EC_GROUP_new_from_ecpkparameters()`/
+ `EC_GROUP_new_from_ecparameters()`.
+ This prevents bypass of security hardening and performance gains,
+ especially for curves with specialized EC_METHODs.
+ By default, if a key encoded with explicit parameters is loaded and later
+ serialized, the output is still encoded with explicit parameters, even if
+ internally a "named" EC_GROUP is used for computation.
+ [Nicola Tuveri]
+
+ *) Compute ECC cofactors if not provided during EC_GROUP construction. Before
+ this change, EC_GROUP_set_generator would accept order and/or cofactor as
+ NULL. After this change, only the cofactor parameter can be NULL. It also
+ does some minimal sanity checks on the passed order.
+ (CVE-2019-1547)
+ [Billy Bob Brumley]
+
+ *) Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
+ An attack is simple, if the first CMS_recipientInfo is valid but the
+ second CMS_recipientInfo is chosen ciphertext. If the second
+ recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
+ encryption key will be replaced by garbage, and the message cannot be
+ decoded, but if the RSA decryption fails, the correct encryption key is
+ used and the recipient will not notice the attack.
+ As a work around for this potential attack the length of the decrypted
+ key must be equal to the cipher default key length, in case the
+ certifiate is not given and all recipientInfo are tried out.
+ The old behaviour can be re-enabled in the CMS code by setting the
+ CMS_DEBUG_DECRYPT flag.
+ [Bernd Edlinger]
+
*) Early start up entropy quality from the DEVRANDOM seed source has been
improved for older Linux systems. The RAND subsystem will wait for
/dev/random to be producing output before seeding from /dev/urandom.