CHANGES 581.5 KB
Newer Older
1

R
Ralf S. Engelschall 已提交
2
 OpenSSL CHANGES
3 4
 _______________

5 6 7 8 9
 This is a high-level summary of the most important changes.
 For a full list of changes, see the git commit log; for example,
 https://github.com/openssl/openssl/commits/ and pick the appropriate
 release branch.

H
HJ 已提交
10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174
 Changes between 1.1.1j and 1.1.1k [25 Mar 2021]

  *) Fixed a problem with verifying a certificate chain when using the
     X509_V_FLAG_X509_STRICT flag. This flag enables additional security checks
     of the certificates present in a certificate chain. It is not set by
     default.

     Starting from OpenSSL version 1.1.1h a check to disallow certificates in
     the chain that have explicitly encoded elliptic curve parameters was added
     as an additional strict check.

     An error in the implementation of this check meant that the result of a
     previous check to confirm that certificates in the chain are valid CA
     certificates was overwritten. This effectively bypasses the check
     that non-CA certificates must not be able to issue other certificates.

     If a "purpose" has been configured then there is a subsequent opportunity
     for checks that the certificate is a valid CA.  All of the named "purpose"
     values implemented in libcrypto perform this check.  Therefore, where
     a purpose is set the certificate chain will still be rejected even when the
     strict flag has been used. A purpose is set by default in libssl client and
     server certificate verification routines, but it can be overridden or
     removed by an application.

     In order to be affected, an application must explicitly set the
     X509_V_FLAG_X509_STRICT verification flag and either not set a purpose
     for the certificate verification or, in the case of TLS client or server
     applications, override the default purpose.
     (CVE-2021-3450)
     [Tomáš Mráz]

  *) Fixed an issue where an OpenSSL TLS server may crash if sent a maliciously
     crafted renegotiation ClientHello message from a client. If a TLSv1.2
     renegotiation ClientHello omits the signature_algorithms extension (where
     it was present in the initial ClientHello), but includes a
     signature_algorithms_cert extension then a NULL pointer dereference will
     result, leading to a crash and a denial of service attack.

     A server is only vulnerable if it has TLSv1.2 and renegotiation enabled
     (which is the default configuration). OpenSSL TLS clients are not impacted
     by this issue.
     (CVE-2021-3449)
     [Peter Kästle and Samuel Sapalski]

 Changes between 1.1.1i and 1.1.1j [16 Feb 2021]

  *) Fixed the X509_issuer_and_serial_hash() function. It attempts to
     create a unique hash value based on the issuer and serial number data
     contained within an X509 certificate. However it was failing to correctly
     handle any errors that may occur while parsing the issuer field (which might
     occur if the issuer field is maliciously constructed). This may subsequently
     result in a NULL pointer deref and a crash leading to a potential denial of
     service attack.
     (CVE-2021-23841)
     [Matt Caswell]

  *) Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING
     padding mode to correctly check for rollback attacks. This is considered a
     bug in OpenSSL 1.1.1 because it does not support SSLv2. In 1.0.2 this is
     CVE-2021-23839.
     [Matt Caswell]

  *) Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate
     functions. Previously they could overflow the output length argument in some
     cases where the input length is close to the maximum permissable length for
     an integer on the platform. In such cases the return value from the function
     call would be 1 (indicating success), but the output length value would be
     negative. This could cause applications to behave incorrectly or crash.
     (CVE-2021-23840)
     [Matt Caswell]

  *) Fixed SRP_Calc_client_key so that it runs in constant time. The previous
     implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This
     could be exploited in a side channel attack to recover the password. Since
     the attack is local host only this is outside of the current OpenSSL
     threat model and therefore no CVE is assigned.

     Thanks to Mohammed Sabt and Daniel De Almeida Braga for reporting this
     issue.
     [Matt Caswell]

 Changes between 1.1.1h and 1.1.1i [8 Dec 2020]

  *) Fixed NULL pointer deref in the GENERAL_NAME_cmp function
     This function could crash if both GENERAL_NAMEs contain an EDIPARTYNAME.
     If an attacker can control both items being compared  then this could lead
     to a possible denial of service attack. OpenSSL itself uses the
     GENERAL_NAME_cmp function for two purposes:
     1) Comparing CRL distribution point names between an available CRL and a
        CRL distribution point embedded in an X509 certificate
     2) When verifying that a timestamp response token signer matches the
        timestamp authority name (exposed via the API functions
        TS_RESP_verify_response and TS_RESP_verify_token)
     (CVE-2020-1971)
     [Matt Caswell]

  *) Add support for Apple Silicon M1 Macs with the darwin64-arm64-cc target.
     [Stuart Carnie]

  *) The security callback, which can be customised by application code, supports
     the security operation SSL_SECOP_TMP_DH. This is defined to take an EVP_PKEY
     in the "other" parameter. In most places this is what is passed. All these
     places occur server side. However there was one client side call of this
     security operation and it passed a DH object instead. This is incorrect
     according to the definition of SSL_SECOP_TMP_DH, and is inconsistent with all
     of the other locations. Therefore this client side call has been changed to
     pass an EVP_PKEY instead.
     [Matt Caswell]

  *) In 1.1.1h, an expired trusted (root) certificate was not anymore rejected
     when validating a certificate path. This check is restored in 1.1.1i.
     [David von Oheimb]

 Changes between 1.1.1g and 1.1.1h [22 Sep 2020]

  *) Certificates with explicit curve parameters are now disallowed in
     verification chains if the X509_V_FLAG_X509_STRICT flag is used.
     [Tomas Mraz]

  *) The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
     ignore TLS protocol version bounds when configuring DTLS-based contexts, and
     conversely, silently ignore DTLS protocol version bounds when configuring
     TLS-based contexts.  The commands can be repeated to set bounds of both
     types.  The same applies with the corresponding "min_protocol" and
     "max_protocol" command-line switches, in case some application uses both TLS
     and DTLS.
  
     SSL_CTX instances that are created for a fixed protocol version (e.g.
     TLSv1_server_method()) also silently ignore version bounds.  Previously
     attempts to apply bounds to these protocol versions would result in an
     error.  Now only the "version-flexible" SSL_CTX instances are subject to
     limits in configuration files in command-line options.
     [Viktor Dukhovni]

  *) Handshake now fails if Extended Master Secret extension is dropped
     on renegotiation.
     [Tomas Mraz]

  *) Accidentally, an expired trusted (root) certificate is not anymore rejected
     when validating a certificate path.
     [David von Oheimb]

  *) The Oracle Developer Studio compiler will start reporting deprecated APIs

 Changes between 1.1.1f and 1.1.1g [21 Apr 2020]

  *) Fixed segmentation fault in SSL_check_chain()
     Server or client applications that call the SSL_check_chain() function
     during or after a TLS 1.3 handshake may crash due to a NULL pointer
     dereference as a result of incorrect handling of the
     "signature_algorithms_cert" TLS extension. The crash occurs if an invalid
     or unrecognised signature algorithm is received from the peer. This could
     be exploited by a malicious peer in a Denial of Service attack.
     (CVE-2020-1967)
     [Benjamin Kaduk]

  *) Added AES consttime code for no-asm configurations
     an optional constant time support for AES was added
     when building openssl for no-asm.
     Enable with: ./config no-asm -DOPENSSL_AES_CONST_TIME
     Disable with: ./config no-asm -DOPENSSL_NO_AES_CONST_TIME
     At this time this feature is by default disabled.
     It will be enabled by default in 3.0.
     [Bernd Edlinger]

M
Matt Caswell 已提交
175
 Changes between 1.1.1e and 1.1.1f [31 Mar 2020]
M
Matt Caswell 已提交
176

177 178 179 180 181 182 183
  *) Revert the change of EOF detection while reading in libssl to avoid
     regressions in applications depending on the current way of reporting
     the EOF. As the existing method is not fully accurate the change to
     reporting the EOF via SSL_ERROR_SSL is kept on the current development
     branch and will be present in the 3.0 release.
     [Tomas Mraz]

184 185 186 187 188 189 190 191
  *) Revised BN_generate_prime_ex to not avoid factors 3..17863 in p-1
     when primes for RSA keys are computed.
     Since we previously always generated primes == 2 (mod 3) for RSA keys,
     the 2-prime and 3-prime RSA modules were easy to distinguish, since
     N = p*q = 1 (mod 3), but N = p*q*r = 2 (mod 3). Therefore fingerprinting
     2-prime vs. 3-prime RSA keys was possible by computing N mod 3.
     This avoids possible fingerprinting of newly generated RSA modules.
     [Bernd Edlinger]
M
Matt Caswell 已提交
192

M
Matt Caswell 已提交
193
 Changes between 1.1.1d and 1.1.1e [17 Mar 2020]
194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212
  *) Properly detect EOF while reading in libssl. Previously if we hit an EOF
     while reading in libssl then we would report an error back to the
     application (SSL_ERROR_SYSCALL) but errno would be 0. We now add
     an error to the stack (which means we instead return SSL_ERROR_SSL) and
     therefore give a hint as to what went wrong.
     [Matt Caswell]

  *) Check that ed25519 and ed448 are allowed by the security level. Previously
     signature algorithms not using an MD were not being checked that they were
     allowed by the security level.
     [Kurt Roeckx]

  *) Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername()
     was not quite right. The behaviour was not consistent between resumption
     and normal handshakes, and also not quite consistent with historical
     behaviour. The behaviour in various scenarios has been clarified and
     it has been updated to make it match historical behaviour as closely as
     possible.
     [Matt Caswell]
M
Matt Caswell 已提交
213

214 215 216 217 218 219 220 221 222 223 224 225
  *) [VMS only] The header files that the VMS compilers include automatically,
     __DECC_INCLUDE_PROLOGUE.H and __DECC_INCLUDE_EPILOGUE.H, use pragmas that
     the C++ compiler doesn't understand.  This is a shortcoming in the
     compiler, but can be worked around with __cplusplus guards.

     C++ applications that use OpenSSL libraries must be compiled using the
     qualifier '/NAMES=(AS_IS,SHORTENED)' to be able to use all the OpenSSL
     functions.  Otherwise, only functions with symbols of less than 31
     characters can be used, as the linker will not be able to successfully
     resolve symbols with longer names.
     [Richard Levitte]

226 227 228 229 230 231 232 233 234
  *) Corrected the documentation of the return values from the EVP_DigestSign*
     set of functions.  The documentation mentioned negative values for some
     errors, but this was never the case, so the mention of negative values
     was removed.

     Code that followed the documentation and thereby check with something
     like 'EVP_DigestSignInit(...) <= 0' will continue to work undisturbed.
     [Richard Levitte]

235 236 237 238 239 240 241 242 243 244 245 246
  *) Fixed an an overflow bug in the x64_64 Montgomery squaring procedure
     used in exponentiation with 512-bit moduli. No EC algorithms are
     affected. Analysis suggests that attacks against 2-prime RSA1024,
     3-prime RSA1536, and DSA1024 as a result of this defect would be very
     difficult to perform and are not believed likely. Attacks against DH512
     are considered just feasible. However, for an attack the target would
     have to re-use the DH512 private key, which is not recommended anyway.
     Also applications directly using the low level API BN_mod_exp may be
     affected if they use BN_FLG_CONSTTIME.
     (CVE-2019-1551)
     [Andy Polyakov]

247 248 249 250
  *) Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY.
     The presence of this system service is determined at run-time.
     [Richard Levitte]

251 252 253 254 255
  *) Added newline escaping functionality to a filename when using openssl dgst.
     This output format is to replicate the output format found in the '*sum'
     checksum programs. This aims to preserve backward compatibility.
     [Matt Eaton, Richard Levitte, and Paul Dale]

256 257 258
  *) Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just
     the first value.
     [Jon Spillett]
M
Matt Caswell 已提交
259

M
Matt Caswell 已提交
260
 Changes between 1.1.1c and 1.1.1d [10 Sep 2019]
R
Richard Levitte 已提交
261

262 263 264 265 266 267 268 269 270 271 272 273 274 275 276
  *) Fixed a fork protection issue. OpenSSL 1.1.1 introduced a rewritten random
     number generator (RNG). This was intended to include protection in the
     event of a fork() system call in order to ensure that the parent and child
     processes did not share the same RNG state. However this protection was not
     being used in the default case.

     A partial mitigation for this issue is that the output from a high
     precision timer is mixed into the RNG state so the likelihood of a parent
     and child process sharing state is significantly reduced.

     If an application already calls OPENSSL_init_crypto() explicitly using
     OPENSSL_INIT_ATFORK then this problem does not occur at all.
     (CVE-2019-1549)
     [Matthias St. Pierre]

277 278 279 280 281 282 283 284 285 286 287
  *) For built-in EC curves, ensure an EC_GROUP built from the curve name is
     used even when parsing explicit parameters, when loading a serialized key
     or calling `EC_GROUP_new_from_ecpkparameters()`/
     `EC_GROUP_new_from_ecparameters()`.
     This prevents bypass of security hardening and performance gains,
     especially for curves with specialized EC_METHODs.
     By default, if a key encoded with explicit parameters is loaded and later
     serialized, the output is still encoded with explicit parameters, even if
     internally a "named" EC_GROUP is used for computation.
     [Nicola Tuveri]

288 289 290 291
  *) Compute ECC cofactors if not provided during EC_GROUP construction. Before
     this change, EC_GROUP_set_generator would accept order and/or cofactor as
     NULL. After this change, only the cofactor parameter can be NULL. It also
     does some minimal sanity checks on the passed order.
292
     (CVE-2019-1547)
293 294
     [Billy Bob Brumley]

295 296 297 298 299 300 301 302 303 304 305 306
  *) Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
     An attack is simple, if the first CMS_recipientInfo is valid but the
     second CMS_recipientInfo is chosen ciphertext. If the second
     recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
     encryption key will be replaced by garbage, and the message cannot be
     decoded, but if the RSA decryption fails, the correct encryption key is
     used and the recipient will not notice the attack.
     As a work around for this potential attack the length of the decrypted
     key must be equal to the cipher default key length, in case the
     certifiate is not given and all recipientInfo are tried out.
     The old behaviour can be re-enabled in the CMS code by setting the
     CMS_DEBUG_DECRYPT flag.
M
Matt Caswell 已提交
307
     (CVE-2019-1563)
308 309
     [Bernd Edlinger]

310 311 312 313 314 315 316 317 318
  *) Early start up entropy quality from the DEVRANDOM seed source has been
     improved for older Linux systems.  The RAND subsystem will wait for
     /dev/random to be producing output before seeding from /dev/urandom.
     The seeded state is stored for future library initialisations using
     a system global shared memory segment.  The shared memory identifier
     can be configured by defining OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID to
     the desired value.  The default identifier is 114.
     [Paul Dale]

319 320 321 322 323 324 325
  *) Correct the extended master secret constant on EBCDIC systems. Without this
     fix TLS connections between an EBCDIC system and a non-EBCDIC system that
     negotiate EMS will fail. Unfortunately this also means that TLS connections
     between EBCDIC systems with this fix, and EBCDIC systems without this
     fix will fail if they negotiate EMS.
     [Matt Caswell]

326 327 328 329 330 331 332
  *) Use Windows installation paths in the mingw builds

     Mingw isn't a POSIX environment per se, which means that Windows
     paths should be used for installation.
     (CVE-2019-1552)
     [Richard Levitte]

333 334
  *) Changed DH_check to accept parameters with order q and 2q subgroups.
     With order 2q subgroups the bit 0 of the private key is not secret
335 336 337 338
     but DH_generate_key works around that by clearing bit 0 of the
     private key for those. This avoids leaking bit 0 of the private key.
     [Bernd Edlinger]

339 340 341
  *) Significantly reduce secure memory usage by the randomness pools.
     [Paul Dale]

342 343 344 345 346 347 348 349 350 351 352
  *) Revert the DEVRANDOM_WAIT feature for Linux systems

     The DEVRANDOM_WAIT feature added a select() call to wait for the
     /dev/random device to become readable before reading from the
     /dev/urandom device.

     It turned out that this change had negative side effects on
     performance which were not acceptable. After some discussion it
     was decided to revert this feature and leave it up to the OS
     resp. the platform maintainer to ensure a proper initialization
     during early boot time.
353
     [Matthias St. Pierre]
R
Richard Levitte 已提交
354

R
Richard Levitte 已提交
355
 Changes between 1.1.1b and 1.1.1c [28 May 2019]
M
Matt Caswell 已提交
356

357
  *) Add build tests for C++.  These are generated files that only do one
358 359 360 361 362 363 364
     thing, to include one public OpenSSL head file each.  This tests that
     the public header files can be usefully included in a C++ application.

     This test isn't enabled by default.  It can be enabled with the option
     'enable-buildtest-c++'.
     [Richard Levitte]

365 366 367
  *) Enable SHA3 pre-hashing for ECDSA and DSA.
     [Patrick Steuer]

368 369 370 371 372
  *) Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
     This changes the size when using the genpkey app when no size is given. It
     fixes an omission in earlier changes that changed all RSA, DSA and DH
     generation apps to use 2048 bits by default.
     [Kurt Roeckx]
M
Matt Caswell 已提交
373

374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422
  *) Reorganize the manual pages to consistently have RETURN VALUES,
     EXAMPLES, SEE ALSO and HISTORY come in that order, and adjust
     util/fix-doc-nits accordingly.
     [Paul Yang, Joshua Lock]

  *) Add the missing accessor EVP_PKEY_get0_engine()
     [Matt Caswell]

  *) Have apps like 's_client' and 's_server' output the signature scheme
     along with other cipher suite parameters when debugging.
     [Lorinczy Zsigmond]

  *) Make OPENSSL_config() error agnostic again.
     [Richard Levitte]

  *) Do the error handling in RSA decryption constant time.
     [Bernd Edlinger]

  *) Prevent over long nonces in ChaCha20-Poly1305.

     ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
     for every encryption operation. RFC 7539 specifies that the nonce value
     (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length
     and front pads the nonce with 0 bytes if it is less than 12
     bytes. However it also incorrectly allows a nonce to be set of up to 16
     bytes. In this case only the last 12 bytes are significant and any
     additional leading bytes are ignored.

     It is a requirement of using this cipher that nonce values are
     unique. Messages encrypted using a reused nonce value are susceptible to
     serious confidentiality and integrity attacks. If an application changes
     the default nonce length to be longer than 12 bytes and then makes a
     change to the leading bytes of the nonce expecting the new value to be a
     new unique nonce then such an application could inadvertently encrypt
     messages with a reused nonce.

     Additionally the ignored bytes in a long nonce are not covered by the
     integrity guarantee of this cipher. Any application that relies on the
     integrity of these ignored leading bytes of a long nonce may be further
     affected. Any OpenSSL internal use of this cipher, including in SSL/TLS,
     is safe because no such use sets such a long nonce value. However user
     applications that use this cipher directly and set a non-default nonce
     length to be longer than 12 bytes may be vulnerable.

     This issue was reported to OpenSSL on 16th of March 2019 by Joran Dirk
     Greef of Ronomon.
     (CVE-2019-1543)
     [Matt Caswell]

423 424 425 426 427 428 429 430 431 432
  *) Add DEVRANDOM_WAIT feature for Linux systems

     On older Linux systems where the getrandom() system call is not available,
     OpenSSL normally uses the /dev/urandom device for seeding its CSPRNG.
     Contrary to getrandom(), the /dev/urandom device will not block during
     early boot when the kernel CSPRNG has not been seeded yet.

     To mitigate this known weakness, use select() to wait for /dev/random to
     become readable before reading from /dev/urandom.

433 434 435
  *) Ensure that SM2 only uses SM3 as digest algorithm
     [Paul Yang]

M
Matt Caswell 已提交
436
 Changes between 1.1.1a and 1.1.1b [26 Feb 2019]
M
Matt Caswell 已提交
437

438 439 440 441 442 443
  *) Added SCA hardening for modular field inversion in EC_GROUP through
     a new dedicated field_inv() pointer in EC_METHOD.
     This also addresses a leakage affecting conversions from projective
     to affine coordinates.
     [Billy Bob Brumley, Nicola Tuveri]

444 445 446 447 448 449 450 451 452 453 454
  *) Change the info callback signals for the start and end of a post-handshake
     message exchange in TLSv1.3. In 1.1.1/1.1.1a we used SSL_CB_HANDSHAKE_START
     and SSL_CB_HANDSHAKE_DONE. Experience has shown that many applications get
     confused by this and assume that a TLSv1.2 renegotiation has started. This
     can break KeyUpdate handling. Instead we no longer signal the start and end
     of a post handshake message exchange (although the messages themselves are
     still signalled). This could break some applications that were expecting
     the old signals. However without this KeyUpdate is not usable for many
     applications.
     [Matt Caswell]

455 456 457 458 459 460 461
  *) Fix a bug in the computation of the endpoint-pair shared secret used
     by DTLS over SCTP. This breaks interoperability with older versions
     of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2. There is a runtime
     switch SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG (off by default) enabling
     interoperability with such broken implementations. However, enabling
     this switch breaks interoperability with correct implementations.

462 463 464 465
  *) Fix a use after free bug in d2i_X509_PUBKEY when overwriting a
     re-used X509_PUBKEY object if the second PUBKEY is malformed.
     [Bernd Edlinger]

466 467 468
  *) Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().
     [Richard Levitte]

469 470 471 472
  *) Remove the 'dist' target and add a tarball building script.  The
     'dist' target has fallen out of use, and it shouldn't be
     necessary to configure just to create a source distribution.
     [Richard Levitte]
M
Matt Caswell 已提交
473

M
Matt Caswell 已提交
474
 Changes between 1.1.1 and 1.1.1a [20 Nov 2018]
M
Matt Caswell 已提交
475

476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495
  *) Timing vulnerability in DSA signature generation

     The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
     timing side channel attack. An attacker could use variations in the signing
     algorithm to recover the private key.

     This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
     (CVE-2018-0734)
     [Paul Dale]

  *) Timing vulnerability in ECDSA signature generation

     The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a
     timing side channel attack. An attacker could use variations in the signing
     algorithm to recover the private key.

     This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser.
     (CVE-2018-0735)
     [Paul Dale]

A
Antoine Salon 已提交
496 497 498 499
  *) Added EVP_PKEY_ECDH_KDF_X9_63 and ecdh_KDF_X9_63() as replacements for
     the EVP_PKEY_ECDH_KDF_X9_62 KDF type and ECDH_KDF_X9_62(). The old names
     are retained for backwards compatibility.
     [Antoine Salon]
500 501 502 503 504 505 506 507 508 509

  *) Fixed the issue that RAND_add()/RAND_seed() silently discards random input
     if its length exceeds 4096 bytes. The limit has been raised to a buffer size
     of two gigabytes and the error handling improved.

     This issue was reported to OpenSSL by Dr. Falko Strenzke. It has been
     categorized as a normal bug, not a security issue, because the DRBG reseeds
     automatically and is fully functional even without additional randomness
     provided by the application.

M
Matt Caswell 已提交
510
 Changes between 1.1.0i and 1.1.1 [11 Sep 2018]
511

512 513 514 515 516 517 518 519
  *) Add a new ClientHello callback. Provides a callback interface that gives
     the application the ability to adjust the nascent SSL object at the
     earliest stage of ClientHello processing, immediately after extensions have
     been collected but before they have been processed. In particular, this
     callback can adjust the supported TLS versions in response to the contents
     of the ClientHello
     [Benjamin Kaduk]

520 521 522
  *) Add SM2 base algorithm support.
     [Jack Lloyd]

523 524 525 526 527
  *) s390x assembly pack: add (improved) hardware-support for the following
     cryptographic primitives: sha3, shake, aes-gcm, aes-ccm, aes-ctr, aes-ofb,
     aes-cfb/cfb8, aes-ecb.
     [Patrick Steuer]

528 529 530 531 532
  *) Make EVP_PKEY_asn1_new() a bit stricter about its input.  A NULL pem_str
     parameter is no longer accepted, as it leads to a corrupt table.  NULL
     pem_str is reserved for alias entries only.
     [Richard Levitte]

B
Billy Brumley 已提交
533 534 535 536 537 538 539 540 541
  *) Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder
     step for prime curves. The new implementation is based on formulae from
     differential addition-and-doubling in homogeneous projective coordinates
     from Izu-Takagi "A fast parallel elliptic curve multiplication resistant
     against side channel attacks" and Brier-Joye "Weierstrass Elliptic Curves
     and Side-Channel Attacks" Eq. (8) for y-coordinate recovery, modified
     to work in projective coordinates.
     [Billy Bob Brumley, Nicola Tuveri]

542 543 544 545 546 547 548
  *) Change generating and checking of primes so that the error rate of not
     being prime depends on the intended use based on the size of the input.
     For larger primes this will result in more rounds of Miller-Rabin.
     The maximal error rate for primes with more than 1080 bits is lowered
     to 2^-128.
     [Kurt Roeckx, Annie Yousar]

549 550 551
  *) Increase the number of Miller-Rabin rounds for DSA key generating to 64.
     [Kurt Roeckx]

552 553 554 555 556 557
  *) The 'tsget' script is renamed to 'tsget.pl', to avoid confusion when
     moving between systems, and to avoid confusion when a Windows build is
     done with mingw vs with MSVC.  For POSIX installs, there's still a
     symlink or copy named 'tsget' to avoid that confusion as well.
     [Richard Levitte]

558 559 560 561
  *) Revert blinding in ECDSA sign and instead make problematic addition
     length-invariant. Switch even to fixed-length Montgomery multiplication.
     [Andy Polyakov]

562
  *) Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder
B
Billy Brumley 已提交
563
     step for binary curves. The new implementation is based on formulae from
564 565 566 567
     differential addition-and-doubling in mixed Lopez-Dahab projective
     coordinates, modified to independently blind the operands.
     [Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri]

568 569 570 571 572 573 574
  *) Add a scaffold to optionally enhance the Montgomery ladder implementation
     for `ec_scalar_mul_ladder` (formerly `ec_mul_consttime`) allowing
     EC_METHODs to implement their own specialized "ladder step", to take
     advantage of more favorable coordinate systems or more efficient
     differential addition-and-doubling algorithms.
     [Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri]

575 576 577 578 579 580 581
  *) Modified the random device based seed sources to keep the relevant
     file descriptors open rather than reopening them on each access.
     This allows such sources to operate in a chroot() jail without
     the associated device nodes being available. This behaviour can be
     controlled using RAND_keep_random_devices_open().
     [Paul Dale]

582 583 584 585 586 587
  *) Numerous side-channel attack mitigations have been applied. This may have
     performance impacts for some algorithms for the benefit of improved
     security. Specific changes are noted in this change log by their respective
     authors.
     [Matt Caswell]

588 589 590 591 592 593 594 595
  *) AIX shared library support overhaul. Switch to AIX "natural" way of
     handling shared libraries, which means collecting shared objects of
     different versions and bitnesses in one common archive. This allows to
     mitigate conflict between 1.0 and 1.1 side-by-side installations. It
     doesn't affect the way 3rd party applications are linked, only how
     multi-version installation is managed.
     [Andy Polyakov]

N
Nicola Tuveri 已提交
596 597 598 599 600 601 602
  *) Make ec_group_do_inverse_ord() more robust and available to other
     EC cryptosystems, so that irrespective of BN_FLG_CONSTTIME, SCA
     mitigations are applied to the fallback BN_mod_inverse().
     When using this function rather than BN_mod_inverse() directly, new
     EC cryptosystem implementations are then safer-by-default.
     [Billy Bob Brumley]

603 604 605 606 607
  *) Add coordinate blinding for EC_POINT and implement projective
     coordinate blinding for generic prime curves as a countermeasure to
     chosen point SCA attacks.
     [Sohaib ul Hassan, Nicola Tuveri, Billy Bob Brumley]

M
Matt Caswell 已提交
608 609
  *) Add blinding to ECDSA and DSA signatures to protect against side channel
     attacks discovered by Keegan Ryan (NCC Group).
610 611
     [Matt Caswell]

612 613 614 615
  *) Enforce checking in the pkeyutl command line app to ensure that the input
     length does not exceed the maximum supported digest length when performing
     a sign, verify or verifyrecover operation.
     [Matt Caswell]
616

617 618 619 620 621 622 623 624 625 626 627
  *) SSL_MODE_AUTO_RETRY is enabled by default. Applications that use blocking
     I/O in combination with something like select() or poll() will hang. This
     can be turned off again using SSL_CTX_clear_mode().
     Many applications do not properly handle non-application data records, and
     TLS 1.3 sends more of such records. Setting SSL_MODE_AUTO_RETRY works
     around the problems in those applications, but can also break some.
     It's recommended to read the manpages about SSL_read(), SSL_write(),
     SSL_get_error(), SSL_shutdown(), SSL_CTX_set_mode() and
     SSL_CTX_set_read_ahead() again.
     [Kurt Roeckx]

628 629 630 631
  *) When unlocking a pass phrase protected PEM file or PKCS#8 container, we
     now allow empty (zero character) pass phrases.
     [Richard Levitte]

632 633 634 635
  *) Apply blinding to binary field modular inversion and remove patent
     pending (OPENSSL_SUN_GF2M_DIV) BN_GF2m_mod_div implementation.
     [Billy Bob Brumley]

636 637 638 639
  *) Deprecate ec2_mult.c and unify scalar multiplication code paths for
     binary and prime elliptic curves.
     [Billy Bob Brumley]

640 641 642 643
  *) Remove ECDSA nonce padding: EC_POINT_mul is now responsible for
     constant time fixed point multiplication.
     [Billy Bob Brumley]

N
Nicola Tuveri 已提交
644 645 646 647 648 649 650 651
  *) Revise elliptic curve scalar multiplication with timing attack
     defenses: ec_wNAF_mul redirects to a constant time implementation
     when computing fixed point and variable point multiplication (which
     in OpenSSL are mostly used with secret scalars in keygen, sign,
     ECDH derive operations).
     [Billy Bob Brumley, Nicola Tuveri, Cesar Pereida García,
      Sohaib ul Hassan]

652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679
  *) Updated CONTRIBUTING
     [Rich Salz]

  *) Updated DRBG / RAND to request nonce and additional low entropy
     randomness from the system.
     [Matthias St. Pierre]

  *) Updated 'openssl rehash' to use OpenSSL consistent default.
     [Richard Levitte]

  *) Moved the load of the ssl_conf module to libcrypto, which helps
     loading engines that libssl uses before libssl is initialised.
     [Matt Caswell]

  *) Added EVP_PKEY_sign() and EVP_PKEY_verify() for EdDSA
     [Matt Caswell]

  *) Fixed X509_NAME_ENTRY_set to get multi-valued RDNs right in all cases.
     [Ingo Schwarze, Rich Salz]

  *) Added output of accepting IP address and port for 'openssl s_server'
     [Richard Levitte]

  *) Added a new API for TLSv1.3 ciphersuites:
        SSL_CTX_set_ciphersuites()
        SSL_set_ciphersuites()
     [Matt Caswell]

A
Antoine Cœur 已提交
680
  *) Memory allocation failures consistently add an error to the error
681 682 683
     stack.
     [Rich Salz]

684 685 686 687
  *) Don't use OPENSSL_ENGINES and OPENSSL_CONF environment values
     in libcrypto when run as setuid/setgid.
     [Bernd Edlinger]

688 689 690
  *) Load any config file by default when libssl is used.
     [Matt Caswell]

691 692 693 694
  *) Added new public header file <openssl/rand_drbg.h> and documentation
     for the RAND_DRBG API. See manual page RAND_DRBG(7) for an overview.
     [Matthias St. Pierre]

R
Rich Salz 已提交
695 696 697 698
  *) QNX support removed (cannot find contributors to get their approval
     for the license change).
     [Rich Salz]

699 700 701 702
  *) TLSv1.3 replay protection for early data has been implemented. See the
     SSL_read_early_data() man page for further details.
     [Matt Caswell]

703 704 705 706 707
  *) Separated TLSv1.3 ciphersuite configuration out from TLSv1.2 ciphersuite
     configuration. TLSv1.3 ciphersuites are not compatible with TLSv1.2 and
     below. Similarly TLSv1.2 ciphersuites are not compatible with TLSv1.3.
     In order to avoid issues where legacy TLSv1.2 ciphersuite configuration
     would otherwise inadvertently disable all TLSv1.3 ciphersuites the
708
     configuration has been separated out. See the ciphers man page or the
709 710 711
     SSL_CTX_set_ciphersuites() man page for more information.
     [Matt Caswell]

712 713 714 715 716 717 718 719 720 721 722 723 724 725
  *) On POSIX (BSD, Linux, ...) systems the ocsp(1) command running
     in responder mode now supports the new "-multi" option, which
     spawns the specified number of child processes to handle OCSP
     requests.  The "-timeout" option now also limits the OCSP
     responder's patience to wait to receive the full client request
     on a newly accepted connection. Child processes are respawned
     as needed, and the CA index file is automatically reloaded
     when changed.  This makes it possible to run the "ocsp" responder
     as a long-running service, making the OpenSSL CA somewhat more
     feature-complete.  In this mode, most diagnostic messages logged
     after entering the event loop are logged via syslog(3) rather than
     written to stderr.
     [Viktor Dukhovni]

726 727
  *) Added support for X448 and Ed448. Heavily based on original work by
     Mike Hamburg.
M
Matt Caswell 已提交
728 729
     [Matt Caswell]

R
Richard Levitte 已提交
730 731 732 733 734 735
  *) Extend OSSL_STORE with capabilities to search and to narrow the set of
     objects loaded.  This adds the functions OSSL_STORE_expect() and
     OSSL_STORE_find() as well as needed tools to construct searches and
     get the search data out of them.
     [Richard Levitte]

M
Matt Caswell 已提交
736 737
  *) Support for TLSv1.3 added. Note that users upgrading from an earlier
     version of OpenSSL should review their configuration settings to ensure
738
     that they are still appropriate for TLSv1.3. For further information see:
739
     https://wiki.openssl.org/index.php/TLS1.3
M
Matt Caswell 已提交
740 741
     [Matt Caswell]

742 743 744 745 746 747 748 749 750 751 752
  *) Grand redesign of the OpenSSL random generator

     The default RAND method now utilizes an AES-CTR DRBG according to
     NIST standard SP 800-90Ar1. The new random generator is essentially
     a port of the default random generator from the OpenSSL FIPS 2.0
     object module. It is a hybrid deterministic random bit generator
     using an AES-CTR bit stream and which seeds and reseeds itself
     automatically using trusted system entropy sources.

     Some of its new features are:
      o Support for multiple DRBG instances with seed chaining.
K
Kurt Roeckx 已提交
753 754 755
      o The default RAND method makes use of a DRBG.
      o There is a public and private DRBG instance.
      o The DRBG instances are fork-safe.
756
      o Keep all global DRBG instances on the secure heap if it is enabled.
K
Kurt Roeckx 已提交
757 758
      o The public and private DRBG instance are per thread for lock free
        operation
759 760
     [Paul Dale, Benjamin Kaduk, Kurt Roeckx, Rich Salz, Matthias St. Pierre]

761 762 763 764 765
  *) Changed Configure so it only says what it does and doesn't dump
     so much data.  Instead, ./configdata.pm should be used as a script
     to display all sorts of configuration data.
     [Richard Levitte]

766 767 768
  *) Added processing of "make variables" to Configure.
     [Richard Levitte]

P
Pauli 已提交
769 770 771
  *) Added SHA512/224 and SHA512/256 algorithm support.
     [Paul Dale]

R
Rich Salz 已提交
772 773 774 775
  *) The last traces of Netware support, first removed in 1.1.0, have
     now been removed.
     [Rich Salz]

776 777 778 779 780 781
  *) Get rid of Makefile.shared, and in the process, make the processing
     of certain files (rc.obj, or the .def/.map/.opt files produced from
     the ordinal files) more visible and hopefully easier to trace and
     debug (or make silent).
     [Richard Levitte]

782 783 784 785
  *) Make it possible to have environment variable assignments as
     arguments to config / Configure.
     [Richard Levitte]

P
Paul Yang 已提交
786 787 788
  *) Add multi-prime RSA (RFC 8017) support.
     [Paul Yang]

J
Jack Lloyd 已提交
789 790 791 792 793
  *) Add SM3 implemented according to GB/T 32905-2016
     [ Jack Lloyd <jack.lloyd@ribose.com>,
       Ronald Tse <ronald.tse@ribose.com>,
       Erick Borsboom <erick.borsboom@ribose.com> ]

794 795 796 797 798
  *) Add 'Maximum Fragment Length' TLS extension negotiation and support
     as documented in RFC6066.
     Based on a patch from Tomasz Moń
     [Filipe Raimundo da Silva]

R
Ronald Tse 已提交
799 800 801 802 803
  *) Add SM4 implemented according to GB/T 32907-2016.
     [ Jack Lloyd <jack.lloyd@ribose.com>,
       Ronald Tse <ronald.tse@ribose.com>,
       Erick Borsboom <erick.borsboom@ribose.com> ]

R
Rich Salz 已提交
804 805 806 807
  *) Reimplement -newreq-nodes and ERR_error_string_n; the
     original author does not agree with the license change.
     [Rich Salz]

808 809 810
  *) Add ARIA AEAD TLS support.
     [Jon Spillett]

811 812 813 814
  *) Some macro definitions to support VS6 have been removed.  Visual
     Studio 6 has not worked since 1.1.0
     [Rich Salz]

R
Richard Levitte 已提交
815 816 817 818
  *) Add ERR_clear_last_mark(), to allow callers to clear the last mark
     without clearing the errors.
     [Richard Levitte]

R
Rich Salz 已提交
819 820 821 822 823
  *) Add "atfork" functions.  If building on a system that without
     pthreads, see doc/man3/OPENSSL_fork_prepare.pod for application
     requirements.  The RAND facility now uses/requires this.
     [Rich Salz]

A
Andy Polyakov 已提交
824 825 826
  *) Add SHA3.
     [Andy Polyakov]

827 828 829 830 831 832 833 834 835 836 837
  *) The UI API becomes a permanent and integral part of libcrypto, i.e.
     not possible to disable entirely.  However, it's still possible to
     disable the console reading UI method, UI_OpenSSL() (use UI_null()
     as a fallback).

     To disable, configure with 'no-ui-console'.  'no-ui' is still
     possible to use as an alias.  Check at compile time with the
     macro OPENSSL_NO_UI_CONSOLE.  The macro OPENSSL_NO_UI is still
     possible to check and is an alias for OPENSSL_NO_UI_CONSOLE.
     [Richard Levitte]

838 839 840 841 842 843 844 845 846
  *) Add a STORE module, which implements a uniform and URI based reader of
     stores that can contain keys, certificates, CRLs and numerous other
     objects.  The main API is loosely based on a few stdio functions,
     and includes OSSL_STORE_open, OSSL_STORE_load, OSSL_STORE_eof,
     OSSL_STORE_error and OSSL_STORE_close.
     The implementation uses backends called "loaders" to implement arbitrary
     URI schemes.  There is one built in "loader" for the 'file' scheme.
     [Richard Levitte]

847 848 849 850 851 852
  *) Add devcrypto engine.  This has been implemented against cryptodev-linux,
     then adjusted to work on FreeBSD 8.4 as well.
     Enable by configuring with 'enable-devcryptoeng'.  This is done by default
     on BSD implementations, as cryptodev.h is assumed to exist on all of them.
     [Richard Levitte]

853 854 855 856 857 858 859 860 861 862 863
  *) Module names can prefixed with OSSL_ or OPENSSL_.  This affects
     util/mkerr.pl, which is adapted to allow those prefixes, leading to
     error code calls like this:

         OSSL_FOOerr(OSSL_FOO_F_SOMETHING, OSSL_FOO_R_WHATEVER);

     With this change, we claim the namespaces OSSL and OPENSSL in a manner
     that can be encoded in C.  For the foreseeable future, this will only
     affect new modules.
     [Richard Levitte and Tim Hudson]

R
Rich Salz 已提交
864 865 866
  *) Removed BSD cryptodev engine.
     [Rich Salz]

867 868 869 870 871 872
  *) Add a build target 'build_all_generated', to build all generated files
     and only that.  This can be used to prepare everything that requires
     things like perl for a system that lacks perl and then move everything
     to that system and do the rest of the build there.
     [Richard Levitte]

873 874 875 876 877
  *) In the UI interface, make it possible to duplicate the user data.  This
     can be used by engines that need to retain the data for a longer time
     than just the call where this user data is passed.
     [Richard Levitte]

878 879 880 881
  *) Ignore the '-named_curve auto' value for compatibility of applications
     with OpenSSL 1.0.2.
     [Tomas Mraz <tmraz@fedoraproject.org>]

M
Matt Caswell 已提交
882 883 884 885
  *) Fragmented SSL/TLS alerts are no longer accepted. An alert message is 2
     bytes long. In theory it is permissible in SSLv3 - TLSv1.2 to fragment such
     alerts across multiple records (some of which could be empty). In practice
     it make no sense to send an empty alert record, or to fragment one. TLSv1.3
886
     prohibits this altogether and other libraries (BoringSSL, NSS) do not
M
Matt Caswell 已提交
887
     support this at all. Supporting it adds significant complexity to the
888
     record layer, and its removal is unlikely to cause interoperability
M
Matt Caswell 已提交
889 890 891
     issues.
     [Matt Caswell]

R
Richard Levitte 已提交
892 893 894 895 896 897
  *) Add the ASN.1 types INT32, UINT32, INT64, UINT64 and variants prefixed
     with Z.  These are meant to replace LONG and ZLONG and to be size safe.
     The use of LONG and ZLONG is discouraged and scheduled for deprecation
     in OpenSSL 1.2.0.
     [Richard Levitte]

898 899 900
  *) Add the 'z' and 'j' modifiers to BIO_printf() et al formatting string,
     'z' is to be used for [s]size_t, and 'j' - with [u]int64_t.
     [Richard Levitte, Andy Polyakov]
901

R
Richard Levitte 已提交
902 903 904 905
  *) Add EC_KEY_get0_engine(), which does for EC_KEY what RSA_get0_engine()
     does for RSA, etc.
     [Richard Levitte]

906 907 908 909
  *) Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
     platform rather than 'mingw'.
     [Richard Levitte]

R
Rich Salz 已提交
910 911 912 913 914 915
  *) The functions X509_STORE_add_cert and X509_STORE_add_crl return
     success if they are asked to add an object which already exists
     in the store. This change cascades to other functions which load
     certificates and CRLs.
     [Paul Dale]

916 917 918 919
  *) x86_64 assembly pack: annotate code with DWARF CFI directives to
     facilitate stack unwinding even from assembly subroutines.
     [Andy Polyakov]

920 921 922 923
  *) Remove VAX C specific definitions of OPENSSL_EXPORT, OPENSSL_EXTERN.
     Also remove OPENSSL_GLOBAL entirely, as it became a no-op.
     [Richard Levitte]

924 925 926 927 928
  *) Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c.
     VMS C's RTL has a fully up to date gmtime() and gmtime_r() since V7.1,
     which is the minimum version we support.
     [Richard Levitte]

929 930 931 932 933
  *) Certificate time validation (X509_cmp_time) enforces stricter
     compliance with RFC 5280. Fractional seconds and timezone offsets
     are no longer allowed.
     [Emilia Käsper]

934 935 936
  *) Add support for ARIA
     [Paul Dale]

937 938 939 940 941 942
  *) s_client will now send the Server Name Indication (SNI) extension by
     default unless the new "-noservername" option is used. The server name is
     based on the host provided to the "-connect" option unless overridden by
     using "-servername".
     [Matt Caswell]

943 944 945
  *) Add support for SipHash
     [Todd Short]

946 947 948 949 950
  *) OpenSSL now fails if it receives an unrecognised record type in TLS1.0
     or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to
     prevent issues where no progress is being made and the peer continually
     sends unrecognised record types, using up resources processing them.
     [Matt Caswell]
951

952 953 954 955 956
  *) 'openssl passwd' can now produce SHA256 and SHA512 based output,
     using the algorithm defined in
     https://www.akkadia.org/drepper/SHA-crypt.txt
     [Richard Levitte]

R
Richard Levitte 已提交
957 958 959
  *) Heartbeat support has been removed; the ABI is changed for now.
     [Richard Levitte, Rich Salz]

E
Emilia Kasper 已提交
960 961 962
  *) Support for SSL_OP_NO_ENCRYPT_THEN_MAC in SSL_CONF_cmd.
     [Emilia Käsper]

963 964 965 966
  *) The RSA "null" method, which was partially supported to avoid patent
     issues, has been replaced to always returns NULL.
     [Rich Salz]

967 968 969

 Changes between 1.1.0h and 1.1.0i [xx XXX xxxx]

970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991 992 993 994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025
  *) Client DoS due to large DH parameter

     During key agreement in a TLS handshake using a DH(E) based ciphersuite a
     malicious server can send a very large prime value to the client. This will
     cause the client to spend an unreasonably long period of time generating a
     key for this prime resulting in a hang until the client has finished. This
     could be exploited in a Denial Of Service attack.

     This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken
     (CVE-2018-0732)
     [Guido Vranken]

  *) Cache timing vulnerability in RSA Key Generation

     The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to
     a cache timing side channel attack. An attacker with sufficient access to
     mount cache timing attacks during the RSA key generation process could
     recover the private key.

     This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera
     Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
     (CVE-2018-0737)
     [Billy Brumley]

  *) Make EVP_PKEY_asn1_new() a bit stricter about its input.  A NULL pem_str
     parameter is no longer accepted, as it leads to a corrupt table.  NULL
     pem_str is reserved for alias entries only.
     [Richard Levitte]

  *) Revert blinding in ECDSA sign and instead make problematic addition
     length-invariant. Switch even to fixed-length Montgomery multiplication.
     [Andy Polyakov]

  *) Change generating and checking of primes so that the error rate of not
     being prime depends on the intended use based on the size of the input.
     For larger primes this will result in more rounds of Miller-Rabin.
     The maximal error rate for primes with more than 1080 bits is lowered
     to 2^-128.
     [Kurt Roeckx, Annie Yousar]

  *) Increase the number of Miller-Rabin rounds for DSA key generating to 64.
     [Kurt Roeckx]

  *) Add blinding to ECDSA and DSA signatures to protect against side channel
     attacks discovered by Keegan Ryan (NCC Group).
     [Matt Caswell]

  *) When unlocking a pass phrase protected PEM file or PKCS#8 container, we
     now allow empty (zero character) pass phrases.
     [Richard Levitte]

  *) Certificate time validation (X509_cmp_time) enforces stricter
     compliance with RFC 5280. Fractional seconds and timezone offsets
     are no longer allowed.
     [Emilia Käsper]

1026 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043
  *) Fixed a text canonicalisation bug in CMS

     Where a CMS detached signature is used with text content the text goes
     through a canonicalisation process first prior to signing or verifying a
     signature. This process strips trailing space at the end of lines, converts
     line terminators to CRLF and removes additional trailing line terminators
     at the end of a file. A bug in the canonicalisation process meant that
     some characters, such as form-feed, were incorrectly treated as whitespace
     and removed. This is contrary to the specification (RFC5485). This fix
     could mean that detached text data signed with an earlier version of
     OpenSSL 1.1.0 may fail to verify using the fixed version, or text data
     signed with a fixed OpenSSL may fail to verify with an earlier version of
     OpenSSL 1.1.0. A workaround is to only verify the canonicalised text data
     and use the "-binary" flag (for the "cms" command line application) or set
     the SMIME_BINARY/PKCS7_BINARY/CMS_BINARY flags (if using CMS_verify()).
     [Matt Caswell]

 Changes between 1.1.0g and 1.1.0h [27 Mar 2018]
1044

1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090
  *) Constructed ASN.1 types with a recursive definition could exceed the stack

     Constructed ASN.1 types with a recursive definition (such as can be found
     in PKCS7) could eventually exceed the stack given malicious input with
     excessive recursion. This could result in a Denial Of Service attack. There
     are no such structures used within SSL/TLS that come from untrusted sources
     so this is considered safe.

     This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz
     project.
     (CVE-2018-0739)
     [Matt Caswell]

  *) Incorrect CRYPTO_memcmp on HP-UX PA-RISC

     Because of an implementation bug the PA-RISC CRYPTO_memcmp function is
     effectively reduced to only comparing the least significant bit of each
     byte. This allows an attacker to forge messages that would be considered as
     authenticated in an amount of tries lower than that guaranteed by the
     security claims of the scheme. The module can only be compiled by the
     HP-UX assembler, so that only HP-UX PA-RISC targets are affected.

     This issue was reported to OpenSSL on 2nd March 2018 by Peter Waltenberg
     (IBM).
     (CVE-2018-0733)
     [Andy Polyakov]

  *) Add a build target 'build_all_generated', to build all generated files
     and only that.  This can be used to prepare everything that requires
     things like perl for a system that lacks perl and then move everything
     to that system and do the rest of the build there.
     [Richard Levitte]

  *) Backport SSL_OP_NO_RENGOTIATION

     OpenSSL 1.0.2 and below had the ability to disable renegotiation using the
     (undocumented) SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag. Due to the opacity
     changes this is no longer possible in 1.1.0. Therefore the new
     SSL_OP_NO_RENEGOTIATION option from 1.1.1-dev has been backported to
     1.1.0 to provide equivalent functionality.

     Note that if an application built against 1.1.0h headers (or above) is run
     using an older version of 1.1.0 (prior to 1.1.0h) then the option will be
     accepted but nothing will happen, i.e. renegotiation will not be prevented.
     [Matt Caswell]

1091 1092 1093 1094
  *) Removed the OS390-Unix config target.  It relied on a script that doesn't
     exist.
     [Rich Salz]

1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 1114
  *) rsaz_1024_mul_avx2 overflow bug on x86_64

     There is an overflow bug in the AVX2 Montgomery multiplication procedure
     used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
     Analysis suggests that attacks against RSA and DSA as a result of this
     defect would be very difficult to perform and are not believed likely.
     Attacks against DH1024 are considered just feasible, because most of the
     work necessary to deduce information about a private key may be performed
     offline. The amount of resources required for such an attack would be
     significant. However, for an attack on TLS to be meaningful, the server
     would have to share the DH1024 private key among multiple clients, which is
     no longer an option since CVE-2016-0701.

     This only affects processors that support the AVX2 but not ADX extensions
     like Intel Haswell (4th generation).

     This issue was reported to OpenSSL by David Benjamin (Google). The issue
     was originally found via the OSS-Fuzz project.
     (CVE-2017-3738)
     [Andy Polyakov]
1115 1116 1117 1118 1119 1120 1121 1122 1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 1133 1134 1135 1136 1137 1138 1139 1140 1141 1142 1143 1144 1145 1146 1147 1148

 Changes between 1.1.0f and 1.1.0g [2 Nov 2017]

  *) bn_sqrx8x_internal carry bug on x86_64

     There is a carry propagating bug in the x86_64 Montgomery squaring
     procedure. No EC algorithms are affected. Analysis suggests that attacks
     against RSA and DSA as a result of this defect would be very difficult to
     perform and are not believed likely. Attacks against DH are considered just
     feasible (although very difficult) because most of the work necessary to
     deduce information about a private key may be performed offline. The amount
     of resources required for such an attack would be very significant and
     likely only accessible to a limited number of attackers. An attacker would
     additionally need online access to an unpatched system using the target
     private key in a scenario with persistent DH parameters and a private
     key that is shared between multiple clients.

     This only affects processors that support the BMI1, BMI2 and ADX extensions
     like Intel Broadwell (5th generation) and later or AMD Ryzen.

     This issue was reported to OpenSSL by the OSS-Fuzz project.
     (CVE-2017-3736)
     [Andy Polyakov]

  *) Malformed X.509 IPAddressFamily could cause OOB read

     If an X.509 certificate has a malformed IPAddressFamily extension,
     OpenSSL could do a one-byte buffer overread. The most likely result
     would be an erroneous display of the certificate in text format.

     This issue was reported to OpenSSL by the OSS-Fuzz project.
     (CVE-2017-3735)
     [Rich Salz]

1149 1150 1151 1152 1153 1154 1155 1156 1157 1158 1159
 Changes between 1.1.0e and 1.1.0f [25 May 2017]

  *) Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
     platform rather than 'mingw'.
     [Richard Levitte]

  *) Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c.
     VMS C's RTL has a fully up to date gmtime() and gmtime_r() since V7.1,
     which is the minimum version we support.
     [Richard Levitte]

1160 1161 1162 1163 1164 1165 1166 1167 1168 1169 1170 1171 1172
 Changes between 1.1.0d and 1.1.0e [16 Feb 2017]

  *) Encrypt-Then-Mac renegotiation crash

     During a renegotiation handshake if the Encrypt-Then-Mac extension is
     negotiated where it was not in the original handshake (or vice-versa) then
     this can cause OpenSSL to crash (dependant on ciphersuite). Both clients
     and servers are affected.

     This issue was reported to OpenSSL by Joe Orton (Red Hat).
     (CVE-2017-3733)
     [Matt Caswell]

1173 1174 1175 1176 1177 1178 1179 1180 1181 1182 1183 1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194 1195 1196 1197 1198 1199 1200 1201 1202 1203 1204 1205 1206 1207 1208 1209 1210 1211 1212 1213 1214 1215 1216
 Changes between 1.1.0c and 1.1.0d [26 Jan 2017]

  *) Truncated packet could crash via OOB read

     If one side of an SSL/TLS path is running on a 32-bit host and a specific
     cipher is being used, then a truncated packet can cause that host to
     perform an out-of-bounds read, usually resulting in a crash.

     This issue was reported to OpenSSL by Robert Święcki of Google.
     (CVE-2017-3731)
     [Andy Polyakov]

  *) Bad (EC)DHE parameters cause a client crash

     If a malicious server supplies bad parameters for a DHE or ECDHE key
     exchange then this can result in the client attempting to dereference a
     NULL pointer leading to a client crash. This could be exploited in a Denial
     of Service attack.

     This issue was reported to OpenSSL by Guido Vranken.
     (CVE-2017-3730)
     [Matt Caswell]

  *) BN_mod_exp may produce incorrect results on x86_64

     There is a carry propagating bug in the x86_64 Montgomery squaring
     procedure. No EC algorithms are affected. Analysis suggests that attacks
     against RSA and DSA as a result of this defect would be very difficult to
     perform and are not believed likely. Attacks against DH are considered just
     feasible (although very difficult) because most of the work necessary to
     deduce information about a private key may be performed offline. The amount
     of resources required for such an attack would be very significant and
     likely only accessible to a limited number of attackers. An attacker would
     additionally need online access to an unpatched system using the target
     private key in a scenario with persistent DH parameters and a private
     key that is shared between multiple clients. For example this can occur by
     default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very
     similar to CVE-2015-3193 but must be treated as a separate problem.

     This issue was reported to OpenSSL by the OSS-Fuzz project.
     (CVE-2017-3732)
     [Andy Polyakov]

 Changes between 1.1.0b and 1.1.0c [10 Nov 2016]
1217

M
Matt Caswell 已提交
1218 1219 1220 1221 1222 1223 1224 1225 1226 1227 1228 1229 1230 1231 1232 1233 1234 1235 1236 1237 1238 1239 1240 1241 1242 1243 1244 1245 1246 1247 1248 1249 1250 1251 1252 1253 1254 1255 1256 1257 1258 1259 1260 1261 1262 1263
  *) ChaCha20/Poly1305 heap-buffer-overflow

     TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to
     a DoS attack by corrupting larger payloads. This can result in an OpenSSL
     crash. This issue is not considered to be exploitable beyond a DoS.

     This issue was reported to OpenSSL by Robert Święcki (Google Security Team)
     (CVE-2016-7054)
     [Richard Levitte]

  *) CMS Null dereference

     Applications parsing invalid CMS structures can crash with a NULL pointer
     dereference. This is caused by a bug in the handling of the ASN.1 CHOICE
     type in OpenSSL 1.1.0 which can result in a NULL value being passed to the
     structure callback if an attempt is made to free certain invalid encodings.
     Only CHOICE structures using a callback which do not handle NULL value are
     affected.

     This issue was reported to OpenSSL by Tyler Nighswander of ForAllSecure.
     (CVE-2016-7053)
     [Stephen Henson]

  *) Montgomery multiplication may produce incorrect results

     There is a carry propagating bug in the Broadwell-specific Montgomery
     multiplication procedure that handles input lengths divisible by, but
     longer than 256 bits. Analysis suggests that attacks against RSA, DSA
     and DH private keys are impossible. This is because the subroutine in
     question is not used in operations with the private key itself and an input
     of the attacker's direct choice. Otherwise the bug can manifest itself as
     transient authentication and key negotiation failures or reproducible
     erroneous outcome of public-key operations with specially crafted input.
     Among EC algorithms only Brainpool P-512 curves are affected and one
     presumably can attack ECDH key negotiation. Impact was not analyzed in
     detail, because pre-requisites for attack are considered unlikely. Namely
     multiple clients have to choose the curve in question and the server has to
     share the private key among them, neither of which is default behaviour.
     Even then only clients that chose the curve will be affected.

     This issue was publicly reported as transient failures and was not
     initially recognized as a security issue. Thanks to Richard Morgan for
     providing reproducible case.
     (CVE-2016-7055)
     [Andy Polyakov]

1264 1265 1266 1267
  *) Removed automatic addition of RPATH in shared libraries and executables,
     as this was a remainder from OpenSSL 1.0.x and isn't needed any more.
     [Richard Levitte]

1268 1269 1270 1271 1272 1273 1274 1275 1276 1277 1278 1279 1280 1281 1282 1283 1284
 Changes between 1.1.0a and 1.1.0b [26 Sep 2016]

  *) Fix Use After Free for large message sizes

     The patch applied to address CVE-2016-6307 resulted in an issue where if a
     message larger than approx 16k is received then the underlying buffer to
     store the incoming message is reallocated and moved. Unfortunately a
     dangling pointer to the old location is left which results in an attempt to
     write to the previously freed location. This is likely to result in a
     crash, however it could potentially lead to execution of arbitrary code.

     This issue only affects OpenSSL 1.1.0a.

     This issue was reported to OpenSSL by Robert Święcki.
     (CVE-2016-6309)
     [Matt Caswell]

1285 1286 1287 1288 1289 1290 1291 1292 1293 1294 1295 1296 1297 1298 1299 1300 1301 1302 1303 1304 1305 1306 1307 1308 1309 1310 1311 1312 1313 1314 1315 1316 1317 1318 1319 1320 1321 1322 1323 1324
 Changes between 1.1.0 and 1.1.0a [22 Sep 2016]

  *) OCSP Status Request extension unbounded memory growth

     A malicious client can send an excessively large OCSP Status Request
     extension. If that client continually requests renegotiation, sending a
     large OCSP Status Request extension each time, then there will be unbounded
     memory growth on the server. This will eventually lead to a Denial Of
     Service attack through memory exhaustion. Servers with a default
     configuration are vulnerable even if they do not support OCSP. Builds using
     the "no-ocsp" build time option are not affected.

     This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
     (CVE-2016-6304)
     [Matt Caswell]

  *) SSL_peek() hang on empty record

     OpenSSL 1.1.0 SSL/TLS will hang during a call to SSL_peek() if the peer
     sends an empty record. This could be exploited by a malicious peer in a
     Denial Of Service attack.

     This issue was reported to OpenSSL by Alex Gaynor.
     (CVE-2016-6305)
     [Matt Caswell]

  *) Excessive allocation of memory in tls_get_message_header() and
     dtls1_preprocess_fragment()

     A (D)TLS message includes 3 bytes for its length in the header for the
     message. This would allow for messages up to 16Mb in length. Messages of
     this length are excessive and OpenSSL includes a check to ensure that a
     peer is sending reasonably sized messages in order to avoid too much memory
     being consumed to service a connection. A flaw in the logic of version
     1.1.0 means that memory for the message is allocated too early, prior to
     the excessive message length check. Due to way memory is allocated in
     OpenSSL this could mean an attacker could force up to 21Mb to be allocated
     to service a connection. This could lead to a Denial of Service through
     memory exhaustion. However, the excessive message length check still takes
     place, and this would cause the connection to immediately fail. Assuming
F
FdaSilvaYY 已提交
1325
     that the application calls SSL_free() on the failed connection in a timely
1326 1327 1328 1329 1330 1331 1332 1333 1334 1335 1336 1337 1338 1339 1340 1341 1342 1343 1344 1345 1346 1347 1348 1349 1350 1351 1352 1353 1354 1355 1356 1357 1358 1359
     manner then the 21Mb of allocated memory will then be immediately freed
     again. Therefore the excessive memory allocation will be transitory in
     nature. This then means that there is only a security impact if:

     1) The application does not call SSL_free() in a timely manner in the event
     that the connection fails
     or
     2) The application is working in a constrained environment where there is
     very little free memory
     or
     3) The attacker initiates multiple connection attempts such that there are
     multiple connections in a state where memory has been allocated for the
     connection; SSL_free() has not yet been called; and there is insufficient
     memory to service the multiple requests.

     Except in the instance of (1) above any Denial Of Service is likely to be
     transitory because as soon as the connection fails the memory is
     subsequently freed again in the SSL_free() call. However there is an
     increased risk during this period of application crashes due to the lack of
     memory - which would then mean a more serious Denial of Service.

     This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
     (CVE-2016-6307 and CVE-2016-6308)
     [Matt Caswell]

  *) solaris-x86-cc, i.e. 32-bit configuration with vendor compiler,
     had to be removed. Primary reason is that vendor assembler can't
     assemble our modules with -KPIC flag. As result it, assembly
     support, was not even available as option. But its lack means
     lack of side-channel resistant code, which is incompatible with
     security by todays standards. Fortunately gcc is readily available
     prepackaged option, which we firmly point at...
     [Andy Polyakov]

1360
 Changes between 1.0.2h and 1.1.0  [25 Aug 2016]
1361

1362 1363 1364 1365 1366 1367 1368 1369
  *) Windows command-line tool supports UTF-8 opt-in option for arguments
     and console input. Setting OPENSSL_WIN32_UTF8 environment variable
     (to any value) allows Windows user to access PKCS#12 file generated
     with Windows CryptoAPI and protected with non-ASCII password, as well
     as files generated under UTF-8 locale on Linux also protected with
     non-ASCII password.
     [Andy Polyakov]

R
Rich Salz 已提交
1370 1371 1372
  *) To mitigate the SWEET32 attack (CVE-2016-2183), 3DES cipher suites
     have been disabled by default and removed from DEFAULT, just like RC4.
     See the RC4 item below to re-enable both.
1373 1374
     [Rich Salz]

1375 1376
  *) The method for finding the storage location for the Windows RAND seed file
     has changed. First we check %RANDFILE%. If that is not set then we check
1377 1378
     the directories %HOME%, %USERPROFILE% and %SYSTEMROOT% in that order. If
     all else fails we fall back to C:\.
1379 1380
     [Matt Caswell]

1381 1382 1383 1384 1385
  *) The EVP_EncryptUpdate() function has had its return type changed from void
     to int. A return of 0 indicates and error while a return of 1 indicates
     success.
     [Matt Caswell]

1386 1387 1388 1389 1390 1391
  *) The flags RSA_FLAG_NO_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME and
     DH_FLAG_NO_EXP_CONSTTIME which previously provided the ability to switch
     off the constant time implementation for RSA, DSA and DH have been made
     no-ops and deprecated.
     [Matt Caswell]

R
Rich Salz 已提交
1392 1393 1394 1395 1396
  *) Windows RAND implementation was simplified to only get entropy by
     calling CryptGenRandom(). Various other RAND-related tickets
     were also closed.
     [Joseph Wylie Yandle, Rich Salz]

1397 1398 1399 1400 1401
  *) The stack and lhash API's were renamed to start with OPENSSL_SK_
     and OPENSSL_LH_, respectively.  The old names are available
     with API compatibility.  They new names are now completely documented.
     [Rich Salz]

1402 1403 1404 1405 1406 1407 1408
  *) Unify TYPE_up_ref(obj) methods signature.
     SSL_CTX_up_ref(), SSL_up_ref(), X509_up_ref(), EVP_PKEY_up_ref(),
     X509_CRL_up_ref(), X509_OBJECT_up_ref_count() methods are now returning an
     int (instead of void) like all others TYPE_up_ref() methods.
     So now these methods also check the return value of CRYPTO_atomic_add(),
     and the validity of object reference counter.
     [fdasilvayy@gmail.com]
1409

1410 1411 1412 1413 1414 1415
  *) With Windows Visual Studio builds, the .pdb files are installed
     alongside the installed libraries and executables.  For a static
     library installation, ossl_static.pdb is the associate compiler
     generated .pdb file to be used when linking programs.
     [Richard Levitte]

R
Richard Levitte 已提交
1416 1417 1418
  *) Remove openssl.spec.  Packaging files belong with the packagers.
     [Richard Levitte]

1419 1420 1421 1422 1423 1424 1425 1426 1427
  *) Automatic Darwin/OSX configuration has had a refresh, it will now
     recognise x86_64 architectures automatically.  You can still decide
     to build for a different bitness with the environment variable
     KERNEL_BITS (can be 32 or 64), for example:

         KERNEL_BITS=32 ./config

     [Richard Levitte]

D
Dr. Stephen Henson 已提交
1428 1429 1430 1431
  *) Change default algorithms in pkcs8 utility to use PKCS#5 v2.0,
     256 bit AES and HMAC with SHA256.
     [Steve Henson]

A
Andy Polyakov 已提交
1432 1433 1434
  *) Remove support for MIPS o32 ABI on IRIX (and IRIX only).
     [Andy Polyakov]

R
Rich Salz 已提交
1435
  *) Triple-DES ciphers have been moved from HIGH to MEDIUM.
R
Rich Salz 已提交
1436
     [Rich Salz]
R
Rich Salz 已提交
1437

1438 1439 1440 1441 1442 1443 1444
  *) To enable users to have their own config files and build file templates,
     Configure looks in the directory indicated by the environment variable
     OPENSSL_LOCAL_CONFIG_DIR as well as the in-source Configurations/
     directory.  On VMS, OPENSSL_LOCAL_CONFIG_DIR is expected to be a logical
     name and is used as is.
     [Richard Levitte]

R
Rich Salz 已提交
1445 1446 1447 1448 1449
  *) The following datatypes were made opaque: X509_OBJECT, X509_STORE_CTX,
     X509_STORE, X509_LOOKUP, and X509_LOOKUP_METHOD.  The unused type
     X509_CERT_FILE_CTX was removed.
     [Rich Salz]

M
Matt Caswell 已提交
1450 1451 1452 1453
  *) "shared" builds are now the default. To create only static libraries use
     the "no-shared" Configure option.
     [Matt Caswell]

1454 1455 1456 1457 1458
  *) Remove the no-aes, no-hmac, no-rsa, no-sha and no-md5 Configure options.
     All of these option have not worked for some while and are fundamental
     algorithms.
     [Matt Caswell]

1459 1460 1461 1462 1463 1464 1465 1466 1467 1468
  *) Make various cleanup routines no-ops and mark them as deprecated. Most
     global cleanup functions are no longer required because they are handled
     via auto-deinit (see OPENSSL_init_crypto and OPENSSL_init_ssl man pages).
     Explicitly de-initing can cause problems (e.g. where a library that uses
     OpenSSL de-inits, but an application is still using it). The affected
     functions are CONF_modules_free(), ENGINE_cleanup(), OBJ_cleanup(),
     EVP_cleanup(), BIO_sock_cleanup(), CRYPTO_cleanup_all_ex_data(),
     RAND_cleanup(), SSL_COMP_free_compression_methods(), ERR_free_strings() and
     COMP_zlib_cleanup().
     [Matt Caswell]
1469

1470 1471 1472 1473 1474
  *) --strict-warnings no longer enables runtime debugging options
     such as REF_DEBUG. Instead, debug options are automatically
     enabled with '--debug' builds.
     [Andy Polyakov, Emilia Käsper]

1475 1476 1477 1478 1479
  *) Made DH and DH_METHOD opaque. The structures for managing DH objects
     have been moved out of the public header files. New functions for managing
     these have been added.
     [Matt Caswell]

1480 1481 1482 1483 1484
  *) Made RSA and RSA_METHOD opaque. The structures for managing RSA
     objects have been moved out of the public header files. New
     functions for managing these have been added.
     [Richard Levitte]

M
Matt Caswell 已提交
1485 1486 1487 1488 1489
  *) Made DSA and DSA_METHOD opaque. The structures for managing DSA objects
     have been moved out of the public header files. New functions for managing
     these have been added.
     [Matt Caswell]

1490 1491 1492 1493 1494
  *) Made BIO and BIO_METHOD opaque. The structures for managing BIOs have been
     moved out of the public header files. New functions for managing these
     have been added.
     [Matt Caswell]

M
Matt Caswell 已提交
1495
  *) Removed no-rijndael as a config option. Rijndael is an old name for AES.
1496
     [Matt Caswell]
M
Matt Caswell 已提交
1497

1498 1499 1500
  *) Removed the mk1mf build scripts.
     [Richard Levitte]

R
Rich Salz 已提交
1501 1502 1503 1504
  *) Headers are now wrapped, if necessary, with OPENSSL_NO_xxx, so
     it is always safe to #include a header now.
     [Rich Salz]

R
Richard Levitte 已提交
1505 1506 1507
  *) Removed the aged BC-32 config and all its supporting scripts
     [Richard Levitte]

R
Rich Salz 已提交
1508
  *) Removed support for Ultrix, Netware, and OS/2.
R
Rich Salz 已提交
1509 1510
     [Rich Salz]

E
Emilia Kasper 已提交
1511 1512 1513
  *) Add support for HKDF.
     [Alessandro Ghedini]

K
Kurt Roeckx 已提交
1514 1515 1516
  *) Add support for blake2b and blake2s
     [Bill Cox]

M
Matt Caswell 已提交
1517 1518 1519 1520 1521 1522 1523 1524 1525 1526 1527 1528 1529 1530
  *) Added support for "pipelining". Ciphers that have the
     EVP_CIPH_FLAG_PIPELINE flag set have a capability to process multiple
     encryptions/decryptions simultaneously. There are currently no built-in
     ciphers with this property but the expectation is that engines will be able
     to offer it to significantly improve throughput. Support has been extended
     into libssl so that multiple records for a single connection can be
     processed in one go (for >=TLS 1.1).
     [Matt Caswell]

  *) Added the AFALG engine. This is an async capable engine which is able to
     offload work to the Linux kernel. In this initial version it only supports
     AES128-CBC. The kernel must be version 4.1.0 or greater.
     [Catriona Lucey]

1531 1532 1533 1534 1535 1536 1537 1538
  *) OpenSSL now uses a new threading API. It is no longer necessary to
     set locking callbacks to use OpenSSL in a multi-threaded environment. There
     are two supported threading models: pthreads and windows threads. It is
     also possible to configure OpenSSL at compile time for "no-threads". The
     old threading API should no longer be used. The functions have been
     replaced with "no-op" compatibility macros.
     [Alessandro Ghedini, Matt Caswell]

T
Todd Short 已提交
1539 1540 1541 1542
  *) Modify behavior of ALPN to invoke callback after SNI/servername
     callback, such that updates to the SSL_CTX affect ALPN.
     [Todd Short]

T
Todd Short 已提交
1543 1544 1545
  *) Add SSL_CIPHER queries for authentication and key-exchange.
     [Todd Short]

E
Emilia Kasper 已提交
1546 1547 1548 1549 1550 1551 1552 1553 1554
  *) Changes to the DEFAULT cipherlist:
       - Prefer (EC)DHE handshakes over plain RSA.
       - Prefer AEAD ciphers over legacy ciphers.
       - Prefer ECDSA over RSA when both certificates are available.
       - Prefer TLSv1.2 ciphers/PRF.
       - Remove DSS, SEED, IDEA, CAMELLIA, and AES-CCM from the
         default cipherlist.
     [Emilia Käsper]

R
Rich Salz 已提交
1555 1556 1557 1558
  *) Change the ECC default curve list to be this, in order: x25519,
     secp256r1, secp521r1, secp384r1.
     [Rich Salz]

1559 1560 1561 1562 1563
  *) RC4 based libssl ciphersuites are now classed as "weak" ciphers and are
     disabled by default. They can be re-enabled using the
     enable-weak-ssl-ciphers option to Configure.
     [Matt Caswell]

1564 1565 1566 1567 1568 1569
  *) If the server has ALPN configured, but supports no protocols that the
     client advertises, send a fatal "no_application_protocol" alert.
     This behaviour is SHALL in RFC 7301, though it isn't universally
     implemented by other servers.
     [Emilia Käsper]

1570
  *) Add X25519 support.
D
Dr. Stephen Henson 已提交
1571
     Add ASN.1 and EVP_PKEY methods for X25519. This includes support
1572
     for public and private key encoding using the format documented in
F
FdaSilvaYY 已提交
1573
     draft-ietf-curdle-pkix-02. The corresponding EVP_PKEY method supports
D
Dr. Stephen Henson 已提交
1574 1575 1576 1577
     key generation and key derivation.

     TLS support complies with draft-ietf-tls-rfc4492bis-08 and uses
     X25519(29).
1578 1579
     [Steve Henson]

1580 1581 1582 1583 1584 1585 1586 1587 1588 1589 1590 1591 1592 1593 1594
  *) Deprecate SRP_VBASE_get_by_user.
     SRP_VBASE_get_by_user had inconsistent memory management behaviour.
     In order to fix an unavoidable memory leak (CVE-2016-0798),
     SRP_VBASE_get_by_user was changed to ignore the "fake user" SRP
     seed, even if the seed is configured.

     Users should use SRP_VBASE_get1_by_user instead. Note that in
     SRP_VBASE_get1_by_user, caller must free the returned value. Note
     also that even though configuring the SRP seed attempts to hide
     invalid usernames by continuing the handshake with fake
     credentials, this behaviour is not constant time and no strong
     guarantees are made that the handshake is indistinguishable from
     that of a valid user.
     [Emilia Käsper]

1595
  *) Configuration change; it's now possible to build dynamic engines
1596 1597 1598 1599 1600 1601 1602
     without having to build shared libraries and vice versa.  This
     only applies to the engines in engines/, those in crypto/engine/
     will always be built into libcrypto (i.e. "static").

     Building dynamic engines is enabled by default; to disable, use
     the configuration option "disable-dynamic-engine".

R
Richard Levitte 已提交
1603
     The only requirements for building dynamic engines are the
1604 1605
     presence of the DSO module and building with position independent
     code, so they will also automatically be disabled if configuring
R
Richard Levitte 已提交
1606
     with "disable-dso" or "disable-pic".
1607 1608 1609 1610 1611 1612 1613 1614 1615 1616 1617 1618

     The macros OPENSSL_NO_STATIC_ENGINE and OPENSSL_NO_DYNAMIC_ENGINE
     are also taken away from openssl/opensslconf.h, as they are
     irrelevant.
     [Richard Levitte]

  *) Configuration change; if there is a known flag to compile
     position independent code, it will always be applied on the
     libcrypto and libssl object files, and never on the application
     object files.  This means other libraries that use routines from
     libcrypto / libssl can be made into shared libraries regardless
     of how OpenSSL was configured.
1619 1620 1621 1622

     If this isn't desirable, the configuration options "disable-pic"
     or "no-pic" can be used to disable the use of PIC.  This will
     also disable building shared libraries and dynamic engines.
1623 1624
     [Richard Levitte]

R
Rich Salz 已提交
1625 1626 1627
  *) Removed JPAKE code.  It was experimental and has no wide use.
     [Rich Salz]

1628 1629 1630 1631 1632 1633
  *) The INSTALL_PREFIX Makefile variable has been renamed to
     DESTDIR.  That makes for less confusion on what this variable
     is for.  Also, the configuration option --install_prefix is
     removed.
     [Richard Levitte]

1634 1635 1636 1637 1638
  *) Heartbeat for TLS has been removed and is disabled by default
     for DTLS; configure with enable-heartbeats.  Code that uses the
     old #define's might need to be updated.
     [Emilia Käsper, Rich Salz]

R
Rich Salz 已提交
1639 1640 1641
  *) Rename REF_CHECK to REF_DEBUG.
     [Rich Salz]

1642 1643 1644 1645 1646
  *) New "unified" build system

     The "unified" build system is aimed to be a common system for all
     platforms we support.  With it comes new support for VMS.

F
FdaSilvaYY 已提交
1647
     This system builds supports building in a different directory tree
1648 1649 1650 1651 1652 1653 1654 1655 1656
     than the source tree.  It produces one Makefile (for unix family
     or lookalikes), or one descrip.mms (for VMS).

     The source of information to make the Makefile / descrip.mms is
     small files called 'build.info', holding the necessary
     information for each directory with source to compile, and a
     template in Configurations, like unix-Makefile.tmpl or
     descrip.mms.tmpl.

1657 1658 1659 1660 1661 1662
     With this change, the library names were also renamed on Windows
     and on VMS.  They now have names that are closer to the standard
     on Unix, and include the major version number, and in certain
     cases, the architecture they are built for.  See "Notes on shared
     libraries" in INSTALL.

1663 1664 1665
     We rely heavily on the perl module Text::Template.
     [Richard Levitte]

1666 1667
  *) Added support for auto-initialisation and de-initialisation of the library.
     OpenSSL no longer requires explicit init or deinit routines to be called,
1668 1669
     except in certain circumstances. See the OPENSSL_init_crypto() and
     OPENSSL_init_ssl() man pages for further information.
1670
     [Matt Caswell]
D
Dr. Stephen Henson 已提交
1671

1672 1673 1674
  *) The arguments to the DTLSv1_listen function have changed. Specifically the
     "peer" argument is now expected to be a BIO_ADDR object.

1675 1676 1677 1678 1679 1680 1681 1682 1683 1684
  *) Rewrite of BIO networking library. The BIO library lacked consistent
     support of IPv6, and adding it required some more extensive
     modifications.  This introduces the BIO_ADDR and BIO_ADDRINFO types,
     which hold all types of addresses and chains of address information.
     It also introduces a new API, with functions like BIO_socket,
     BIO_connect, BIO_listen, BIO_lookup and a rewrite of BIO_accept.
     The source/sink BIOs BIO_s_connect, BIO_s_accept and BIO_s_datagram
     have been adapted accordingly.
     [Richard Levitte]

E
RT4148  
Emilia Kasper 已提交
1685 1686 1687 1688
  *) RSA_padding_check_PKCS1_type_1 now accepts inputs with and without
     the leading 0-byte.
     [Emilia Käsper]

E
Emilia Kasper 已提交
1689 1690 1691 1692 1693 1694
  *) CRIME protection: disable compression by default, even if OpenSSL is
     compiled with zlib enabled. Applications can still enable compression
     by calling SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION), or by
     using the SSL_CONF library to configure compression.
     [Emilia Käsper]

E
Emilia Kasper 已提交
1695 1696 1697 1698 1699 1700
  *) The signature of the session callback configured with
     SSL_CTX_sess_set_get_cb was changed. The read-only input buffer
     was explicitly marked as 'const unsigned char*' instead of
     'unsigned char*'.
     [Emilia Käsper]

E
Emilia Kasper 已提交
1701 1702 1703 1704
  *) Always DPURIFY. Remove the use of uninitialized memory in the
     RNG, and other conditional uses of DPURIFY. This makes -DPURIFY a no-op.
     [Emilia Käsper]

1705 1706 1707 1708 1709 1710 1711 1712
  *) Removed many obsolete configuration items, including
        DES_PTR, DES_RISC1, DES_RISC2, DES_INT
        MD2_CHAR, MD2_INT, MD2_LONG
        BF_PTR, BF_PTR2
        IDEA_SHORT, IDEA_LONG
        RC2_SHORT, RC2_LONG, RC4_LONG, RC4_CHUNK, RC4_INDEX
     [Rich Salz, with advice from Andy Polyakov]

R
Rich Salz 已提交
1713 1714 1715
  *) Many BN internals have been moved to an internal header file.
     [Rich Salz with help from Andy Polyakov]

1716 1717 1718 1719 1720 1721 1722 1723 1724 1725 1726 1727 1728 1729
  *) Configuration and writing out the results from it has changed.
     Files such as Makefile include/openssl/opensslconf.h and are now
     produced through general templates, such as Makefile.in and
     crypto/opensslconf.h.in and some help from the perl module
     Text::Template.

     Also, the center of configuration information is no longer
     Makefile.  Instead, Configure produces a perl module in
     configdata.pm which holds most of the config data (in the hash
     table %config), the target data that comes from the target
     configuration in one of the Configurations/*.conf files (in
     %target).
     [Richard Levitte]

1730 1731 1732 1733 1734 1735 1736 1737 1738 1739 1740 1741 1742 1743 1744 1745 1746 1747 1748 1749 1750
  *) To clarify their intended purposes, the Configure options
     --prefix and --openssldir change their semantics, and become more
     straightforward and less interdependent.

     --prefix shall be used exclusively to give the location INSTALLTOP
     where programs, scripts, libraries, include files and manuals are
     going to be installed.  The default is now /usr/local.

     --openssldir shall be used exclusively to give the default
     location OPENSSLDIR where certificates, private keys, CRLs are
     managed.  This is also where the default openssl.cnf gets
     installed.
     If the directory given with this option is a relative path, the
     values of both the --prefix value and the --openssldir value will
     be combined to become OPENSSLDIR.
     The default for --openssldir is INSTALLTOP/ssl.

     Anyone who uses --openssldir to specify where OpenSSL is to be
     installed MUST change to use --prefix instead.
     [Richard Levitte]

M
Matt Caswell 已提交
1751 1752 1753 1754 1755 1756 1757
  *) The GOST engine was out of date and therefore it has been removed. An up
     to date GOST engine is now being maintained in an external repository.
     See: https://wiki.openssl.org/index.php/Binaries. Libssl still retains
     support for GOST ciphersuites (these are only activated if a GOST engine
     is present).
     [Matt Caswell]

1758 1759
  *) EGD is no longer supported by default; use enable-egd when
     configuring.
R
Rich Salz 已提交
1760
     [Ben Kaduk and Rich Salz]
1761

R
Rich Salz 已提交
1762 1763 1764 1765 1766
  *) The distribution now has Makefile.in files, which are used to
     create Makefile's when Configure is run.  *Configure must be run
     before trying to build now.*
     [Rich Salz]

1767 1768 1769 1770
  *) The return value for SSL_CIPHER_description() for error conditions
     has changed.
     [Rich Salz]

V
Viktor Dukhovni 已提交
1771 1772 1773 1774 1775 1776 1777 1778 1779 1780 1781 1782 1783 1784
  *) Support for RFC6698/RFC7671 DANE TLSA peer authentication.

     Obtaining and performing DNSSEC validation of TLSA records is
     the application's responsibility.  The application provides
     the TLSA records of its choice to OpenSSL, and these are then
     used to authenticate the peer.

     The TLSA records need not even come from DNS.  They can, for
     example, be used to implement local end-entity certificate or
     trust-anchor "pinning", where the "pin" data takes the form
     of TLSA records, which can augment or replace verification
     based on the usual WebPKI public certification authorities.
     [Viktor Dukhovni]

1785 1786 1787 1788 1789 1790 1791 1792 1793 1794 1795 1796 1797 1798 1799 1800 1801 1802 1803 1804 1805 1806 1807 1808 1809 1810 1811 1812 1813
  *) Revert default OPENSSL_NO_DEPRECATED setting.  Instead OpenSSL
     continues to support deprecated interfaces in default builds.
     However, applications are strongly advised to compile their
     source files with -DOPENSSL_API_COMPAT=0x10100000L, which hides
     the declarations of all interfaces deprecated in 0.9.8, 1.0.0
     or the 1.1.0 releases.

     In environments in which all applications have been ported to
     not use any deprecated interfaces OpenSSL's Configure script
     should be used with the --api=1.1.0 option to entirely remove
     support for the deprecated features from the library and
     unconditionally disable them in the installed headers.
     Essentially the same effect can be achieved with the "no-deprecated"
     argument to Configure, except that this will always restrict
     the build to just the latest API, rather than a fixed API
     version.

     As applications are ported to future revisions of the API,
     they should update their compile-time OPENSSL_API_COMPAT define
     accordingly, but in most cases should be able to continue to
     compile with later releases.

     The OPENSSL_API_COMPAT versions for 1.0.0, and 0.9.8 are
     0x10000000L and 0x00908000L, respectively.  However those
     versions did not support the OPENSSL_API_COMPAT feature, and
     so applications are not typically tested for explicit support
     of just the undeprecated features of either release.
     [Viktor Dukhovni]