openssl/CHANGES

 OpenSSL CHANGES
 _______________

 This is a high-level summary of the most important changes.
 For a full list of changes, see the git commit log; for example,
 https://github.com/openssl/openssl/commits/ and pick the appropriate
 release branch.

 Changes between 1.1.1 and 3.0.0 [xx XXX xxxx]

  *) X509 certificates signed using SHA1 are no longer allowed at security
     level 1 and above.
     In TLS/SSL the default security level is 1. It can be set either
     using the cipher string with @SECLEVEL, or calling
     SSL_CTX_set_security_level(). If the leaf certificate is signed with SHA-1,
     a call to SSL_CTX_use_certificate() will fail if the security level is not
     lowered first.
     Outside TLS/SSL, the default security level is -1 (effectively 0). It can
     be set using X509_VERIFY_PARAM_set_auth_level() or using the -auth_level
     options of the apps.
     [Kurt Roeckx]

  *) The command line utilities dhparam, dsa, gendsa and dsaparam have been
     deprecated.  Instead use the pkeyparam, pkey, genpkey and pkeyparam
     programs respectively.
     [Paul Dale]

  *) All of the low level DSA functions have been deprecated including:

     DSA_do_sign, DSA_do_verify, DSA_OpenSSL, DSA_set_default_method,
     DSA_get_default_method, DSA_set_method, DSA_get_method, DSA_new_method,
     DSA_sign_setup, DSA_sign, DSA_verify, DSA_get_ex_new_index,
     DSA_set_ex_data, DSA_get_ex_data, DSA_generate_parameters_ex,
     DSA_generate_key, DSA_meth_new, DSA_get0_engine, DSA_meth_free,
     DSA_meth_dup, DSA_meth_get0_name, DSA_meth_set1_name, DSA_meth_get_flags,
     DSA_meth_set_flags, DSA_meth_get0_app_data, DSA_meth_set0_app_data,
     DSA_meth_get_sign, DSA_meth_set_sign, DSA_meth_get_sign_setup,
     DSA_meth_set_sign_setup, DSA_meth_get_verify, DSA_meth_set_verify,
     DSA_meth_get_mod_exp, DSA_meth_set_mod_exp, DSA_meth_get_bn_mod_exp,
     DSA_meth_set_bn_mod_exp, DSA_meth_get_init, DSA_meth_set_init,
     DSA_meth_get_finish, DSA_meth_set_finish, DSA_meth_get_paramgen,
     DSA_meth_set_paramgen, DSA_meth_get_keygen and DSA_meth_set_keygen.

     Use of these low level functions has been informally discouraged for a long
     time.  Instead applications should use L<EVP_DigestSignInit_ex(3)>,
     L<EVP_DigestSignUpdate(3)> and L<EVP_DigestSignFinal(3)>.
     [Paul Dale]

  *) Reworked the treatment of EC EVP_PKEYs with the SM2 curve to
     automatically become EVP_PKEY_SM2 rather than EVP_PKEY_EC.
     This means that applications don't have to look at the curve NID and
     'EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2)' to get SM2 computations.
     However, they still can, that EVP_PKEY_set_alias_type() call acts as
     a no-op when the EVP_PKEY is already of the given type.

     Parameter and key generation is also reworked to make it possible
     to generate EVP_PKEY_SM2 parameters and keys without having to go
     through EVP_PKEY_EC generation and then change the EVP_PKEY type.
     However, code that does the latter will still work as before.
     [Richard Levitte]

  *) Deprecated low level ECDH and ECDSA functions.  These include:

     ECDH_compute_key, ECDSA_do_sign, ECDSA_do_sign_ex, ECDSA_do_verify,
     ECDSA_sign_setup, ECDSA_sign, ECDSA_sign_ex, ECDSA_verify and
     ECDSA_size.

     Use of these low level functions has been informally discouraged for a long
     time.  Instead applications should use the EVP_PKEY_derive(3),
     EVP_DigestSign(3) and EVP_DigestVerify(3) functions.
     [Paul Dale]

  *) Deprecated the EC_KEY_METHOD functions.  These include:

     EC_KEY_METHOD_new, EC_KEY_METHOD_free, EC_KEY_METHOD_set_init,
     EC_KEY_METHOD_set_keygen, EC_KEY_METHOD_set_compute_key,
     EC_KEY_METHOD_set_sign, EC_KEY_METHOD_set_verify,
     EC_KEY_METHOD_get_init, EC_KEY_METHOD_get_keygen,
     EC_KEY_METHOD_get_compute_key, EC_KEY_METHOD_get_sign and
     EC_KEY_METHOD_get_verify.

     Instead applications and extension writers should use the OSSL_PROVIDER
     APIs.
     [Paul Dale]

  *) Deprecated EVP_PKEY_decrypt_old(), please use EVP_PKEY_decrypt_init()
     and EVP_PKEY_decrypt() instead.
     Deprecated EVP_PKEY_encrypt_old(), please use EVP_PKEY_encrypt_init()
     and EVP_PKEY_encrypt() instead.
     [Richard Levitte]

  *) Enhanced the documentation of EVP_PKEY_size(), EVP_PKEY_bits()
     and EVP_PKEY_security_bits().  Especially EVP_PKEY_size() needed
     a new formulation to include all the things it can be used for,
     as well as words of caution.
     [Richard Levitte]

  *) The SSL_CTX_set_tlsext_ticket_key_cb(3) function has been deprecated.
     Instead used the new SSL_CTX_set_tlsext_ticket_key_evp_cb(3) function.
     [Paul Dale]

  *) All of the low level HMAC functions have been deprecated including:
     HMAC, HMAC_size, HMAC_CTX_new, HMAC_CTX_reset, HMAC_CTX_free,
     HMAC_Init_ex, HMAC_Update, HMAC_Final, HMAC_CTX_copy, HMAC_CTX_set_flags
     and HMAC_CTX_get_md.
     Use of these low level functions has been informally discouraged for a long
     time.  Instead applications should use L<EVP_MAC_CTX_new(3)>,
     L<EVP_MAC_CTX_free(3)>, L<EVP_MAC_init(3)>, L<EVP_MAC_update(3)>
     and L<EVP_MAC_final(3)>.
     [Paul Dale]

  *) All of the low level CMAC functions have been deprecated including:
     CMAC_CTX_new, CMAC_CTX_cleanup, CMAC_CTX_free, CMAC_CTX_get0_cipher_ctx,
     CMAC_CTX_copy, CMAC_Init, CMAC_Update, CMAC_Final and CMAC_resume.
     Use of these low level functions has been informally discouraged for a long
     time.  Instead applications should use L<EVP_MAC_CTX_new(3)>,
     L<EVP_MAC_CTX_free(3)>, L<EVP_MAC_init(3)>, L<EVP_MAC_update(3)>
     and L<EVP_MAC_final(3)>.
     [Paul Dale]

  *) Over two thousand fixes were made to the documentation, including:
     - Common options (such as -rand/-writerand, TLS version control, etc)
       were refactored and point to newly-enhanced descriptions in openssl.pod.
     - Added style conformance for all options (with help from Richard Levitte),
       documented all reported missing options, added a CI build to check
       that all options are documented and that no unimplemented options
       are documented.
     - Documented some internals, such as all use of environment variables.
     - Addressed all internal broken L<> references.
     [Rich Salz]

  *) All of the low level MD2, MD4, MD5, MDC2, RIPEMD160, SHA1, SHA224, SHA256,
     SHA384, SHA512 and Whirlpool digest functions have been deprecated.
     These include:

     MD2, MD2_options, MD2_Init, MD2_Update, MD2_Final, MD4, MD4_Init,
     MD4_Update, MD4_Final, MD4_Transform, MD5, MD5_Init, MD5_Update,
     MD5_Final, MD5_Transform, MDC2, MDC2_Init, MDC2_Update, MDC2_Final,
     RIPEMD160, RIPEMD160_Init, RIPEMD160_Update, RIPEMD160_Final,
     RIPEMD160_Transform, SHA1_Init, SHA1_Update, SHA1_Final, SHA1_Transform,
     SHA224_Init, SHA224_Update, SHA224_Final, SHA224_Transform, SHA256_Init,
     SHA256_Update, SHA256_Final, SHA256_Transform, SHA384, SHA384_Init,
     SHA384_Update, SHA384_Final, SHA512, SHA512_Init, SHA512_Update,
     SHA512_Final, SHA512_Transform, WHIRLPOOL, WHIRLPOOL_Init,
     WHIRLPOOL_Update, WHIRLPOOL_BitUpdate and WHIRLPOOL_Final.

     Use of these low level functions has been informally discouraged
     for a long time.  Applications should use the EVP_DigestInit_ex(3),
     EVP_DigestUpdate(3) and EVP_DigestFinal_ex(3) functions instead.
     [Paul Dale]

  *) Corrected the documentation of the return values from the EVP_DigestSign*
     set of functions.  The documentation mentioned negative values for some
     errors, but this was never the case, so the mention of negative values
     was removed.

     Code that followed the documentation and thereby check with something
     like 'EVP_DigestSignInit(...) <= 0' will continue to work undisturbed.
     [Richard Levitte]

  *) All of the low level cipher functions have been deprecated including:

     AES_options, AES_set_encrypt_key, AES_set_decrypt_key, AES_encrypt,
     AES_decrypt, AES_ecb_encrypt, AES_cbc_encrypt, AES_cfb128_encrypt,
     AES_cfb1_encrypt, AES_cfb8_encrypt, AES_ofb128_encrypt,
     AES_wrap_key, AES_unwrap_key, BF_set_key, BF_encrypt, BF_decrypt,
     BF_ecb_encrypt, BF_cbc_encrypt, BF_cfb64_encrypt, BF_ofb64_encrypt,
     BF_options, Camellia_set_key, Camellia_encrypt, Camellia_decrypt,
     Camellia_ecb_encrypt, Camellia_cbc_encrypt, Camellia_cfb128_encrypt,
     Camellia_cfb1_encrypt, Camellia_cfb8_encrypt, Camellia_ofb128_encrypt,
     Camellia_ctr128_encrypt, CAST_set_key, CAST_encrypt, CAST_decrypt,
     CAST_ecb_encrypt, CAST_cbc_encrypt, CAST_cfb64_encrypt,
     CAST_ofb64_encrypt, DES_options, DES_encrypt1, DES_encrypt2,
     DES_encrypt3, DES_decrypt3, DES_cbc_encrypt, DES_ncbc_encrypt,
     DES_pcbc_encrypt, DES_xcbc_encrypt, DES_cfb_encrypt, DES_cfb64_encrypt,
     DES_ecb_encrypt, DES_ofb_encrypt, DES_ofb64_encrypt, DES_random_key,
     DES_set_odd_parity, DES_check_key_parity, DES_is_weak_key, DES_set_key,
     DES_key_sched, DES_set_key_checked, DES_set_key_unchecked,
     DES_string_to_key, DES_string_to_2keys, DES_fixup_key_parity,
     DES_ecb2_encrypt, DES_ede2_cbc_encrypt, DES_ede2_cfb64_encrypt,
     DES_ede2_ofb64_encrypt, DES_ecb3_encrypt, DES_ede3_cbc_encrypt,
     DES_ede3_cfb64_encrypt, DES_ede3_cfb_encrypt, DES_ede3_ofb64_encrypt,
     DES_cbc_cksum, DES_quad_cksum, IDEA_encrypt, IDEA_options,
     IDEA_ecb_encrypt, IDEA_set_encrypt_key, IDEA_set_decrypt_key,
     IDEA_cbc_encrypt, IDEA_cfb64_encrypt, IDEA_ofb64_encrypt, RC2_set_key,
     RC2_encrypt, RC2_decrypt, RC2_ecb_encrypt, RC2_cbc_encrypt,
     RC2_cfb64_encrypt, RC2_ofb64_encrypt, RC4, RC4_options, RC4_set_key,
     RC5_32_set_key, RC5_32_encrypt, RC5_32_decrypt, RC5_32_ecb_encrypt,
     RC5_32_cbc_encrypt, RC5_32_cfb64_encrypt, RC5_32_ofb64_encrypt,
     SEED_set_key, SEED_encrypt, SEED_decrypt, SEED_ecb_encrypt,
     SEED_cbc_encrypt, SEED_cfb128_encrypt and SEED_ofb128_encrypt.

     Use of these low level functions has been informally discouraged for
     a long time. Applications should use the high level EVP APIs, e.g.
     EVP_EncryptInit_ex, EVP_EncryptUpdate, EVP_EncryptFinal_ex, and the
     equivalently named decrypt functions instead.
     [Matt Caswell and Paul Dale]

  *) Removed include/openssl/opensslconf.h.in and replaced it with
     include/openssl/configuration.h.in, which differs in not including
     <openssl/macros.h>.  A short header include/openssl/opensslconf.h
     was added to include both.

     This allows internal hacks where one might need to modify the set
     of configured macros, for example this if deprecated symbols are
     still supposed to be available internally:

         #include <openssl/configuration.h>

         #undef OPENSSL_NO_DEPRECATED
         #define OPENSSL_SUPPRESS_DEPRECATED

         #include <openssl/macros.h>

     This should not be used by applications that use the exported
     symbols, as that will lead to linking errors.
     [Richard Levitte]

  *) Fixed an an overflow bug in the x64_64 Montgomery squaring procedure
     used in exponentiation with 512-bit moduli. No EC algorithms are
     affected. Analysis suggests that attacks against 2-prime RSA1024,
     3-prime RSA1536, and DSA1024 as a result of this defect would be very
     difficult to perform and are not believed likely. Attacks against DH512
     are considered just feasible. However, for an attack the target would
     have to re-use the DH512 private key, which is not recommended anyway.
     Also applications directly using the low level API BN_mod_exp may be
     affected if they use BN_FLG_CONSTTIME.
     (CVE-2019-1551)
     [Andy Polyakov]

  *) Most memory-debug features have been deprecated, and the functionality
     replaced with no-ops.
     [Rich Salz]

  *) Introduced a new method type and API, OSSL_SERIALIZER, to
     represent generic serializers.  An implementation is expected to
     be able to serialize an object associated with a given name (such
     as an algorithm name for an asymmetric key) into forms given by
     implementation properties.

     Serializers are primarily used from inside libcrypto, through
     calls to functions like EVP_PKEY_print_private(),
     PEM_write_bio_PrivateKey() and similar.

     Serializers are specified in such a way that they can be made to
     directly handle the provider side portion of an object, if this
     provider side part comes from the same provider as the serializer
     itself, but can also be made to handle objects in parametrized
     form (as an OSSL_PARAM array of data).  This allows a provider to
     offer generic serializers as a service for any other provider.
     [Richard Levitte]

  *) Added a .pragma directive to the syntax of configuration files, to
     allow varying behavior in a supported and predictable manner.
     Currently added pragma:

     .pragma dollarid:on

     This allows dollar signs to be a keyword character unless it's
     followed by a opening brace or parenthesis.  This is useful for
     platforms where dollar signs are commonly used in names, such as
     volume names and system directory names on VMS.
     [Richard Levitte]

  *) Added functionality to create an EVP_PKEY from user data.  This
     is effectively the same as creating a RSA, DH or DSA object and
     then assigning them to an EVP_PKEY, but directly using algorithm
     agnostic EVP functions.  A benefit is that this should be future
     proof for public key algorithms to come.
     [Richard Levitte]

  *) Change the interpretation of the '--api' configuration option to
     mean that this is a desired API compatibility level with no
     further meaning.  The previous interpretation, that this would
     also mean to remove all deprecated symbols up to and including
     the given version, no requires that 'no-deprecated' is also used
     in the configuration.

     When building applications, the desired API compatibility level
     can be set with the OPENSSL_API_COMPAT macro like before.  For
     API compatibility version below 3.0, the old style numerical
     value is valid as before, such as -DOPENSSL_API_COMPAT=0x10100000L.
     For version 3.0 and on, the value is expected to be the decimal
     value calculated from the major and minor version like this:

         MAJOR * 10000 + MINOR * 100

     Examples:

         -DOPENSSL_API_COMPAT=30000             For 3.0
         -DOPENSSL_API_COMPAT=30200             For 3.2

     To hide declarations that are deprecated up to and including the
     given API compatibility level, -DOPENSSL_NO_DEPRECATED must be
     given when building the application as well.
     [Richard Levitte]

  *) Added the X509_LOOKUP_METHOD called X509_LOOKUP_store, to allow
     access to certificate and CRL stores via URIs and OSSL_STORE
     loaders.

     This adds the following functions:

     X509_LOOKUP_store()
     X509_STORE_load_file()
     X509_STORE_load_path()
     X509_STORE_load_store()
     SSL_add_store_cert_subjects_to_stack()
     SSL_CTX_set_default_verify_store()
     SSL_CTX_load_verify_file()
     SSL_CTX_load_verify_dir()
     SSL_CTX_load_verify_store()

     Also, the following functions are now deprecated:

     - X509_STORE_load_locations() (use X509_STORE_load_file(),
       X509_STORE_load_path() or X509_STORE_load_store() instead)
     - SSL_CTX_load_verify_locations() (use SSL_CTX_load_verify_file(),
       SSL_CTX_load_verify_dir() or SSL_CTX_load_verify_store() instead)
     [Richard Levitte]

  *) Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY.
     The presence of this system service is determined at run-time.
     [Richard Levitte]

  *) Added functionality to create an EVP_PKEY context based on data
     for methods from providers.  This takes an algorithm name and a
     property query string and simply stores them, with the intent
     that any operation that uses this context will use those strings
     to fetch the needed methods implicitly, thereby making the port
     of application written for pre-3.0 OpenSSL easier.
     [Richard Levitte]

  *) The undocumented function NCONF_WIN32() has been deprecated; for
     conversion details see the HISTORY section of doc/man5/config.pod
     [Rich Salz]

  *) Introduced the new functions EVP_DigestSignInit_ex() and
     EVP_DigestVerifyInit_ex(). The macros EVP_DigestSignUpdate() and
     EVP_DigestVerifyUpdate() have been converted to functions. See the man
     pages for further details.
     [Matt Caswell]

  *) s390x assembly pack: add hardware-support for P-256, P-384, P-521,
     X25519, X448, Ed25519 and Ed448.
     [Patrick Steuer]

  *) Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just
     the first value.
     [Jon Spillett]

  *) Deprecated the public definition of ERR_STATE as well as the function
     ERR_get_state().  This is done in preparation of making ERR_STATE an
     opaque type.
     [Richard Levitte]

  *) Added ERR functionality to give callers access to the stored function
     names that have replaced the older function code based functions.

     New functions are ERR_get_error_func(), ERR_peek_error_func(),
     ERR_peek_last_error_func(), ERR_get_error_data(), ERR_peek_error_data(),
     ERR_peek_last_error_data(), ERR_get_error_all(), ERR_peek_error_all()
     and ERR_peek_last_error_all().

     These functions have become deprecated: ERR_get_error_line_data(),
     ERR_peek_error_line_data(), ERR_peek_last_error_line_data() and
     ERR_func_error_string().
     [Richard Levitte]

  *) Extended testing to be verbose for failing tests only.  The make variables
     VERBOSE_FAILURE or VF can be used to enable this:

     $ make VF=1 test                                   # Unix
     $ mms /macro=(VF=1) test                           ! OpenVMS
     $ nmake VF=1 test                                  # Windows

     [Richard Levitte]

  *) For built-in EC curves, ensure an EC_GROUP built from the curve name is
     used even when parsing explicit parameters, when loading a serialized key
     or calling `EC_GROUP_new_from_ecpkparameters()`/
     `EC_GROUP_new_from_ecparameters()`.
     This prevents bypass of security hardening and performance gains,
     especially for curves with specialized EC_METHODs.
     By default, if a key encoded with explicit parameters is loaded and later
     serialized, the output is still encoded with explicit parameters, even if
     internally a "named" EC_GROUP is used for computation.
     [Nicola Tuveri]

  *) Compute ECC cofactors if not provided during EC_GROUP construction. Before
     this change, EC_GROUP_set_generator would accept order and/or cofactor as
     NULL. After this change, only the cofactor parameter can be NULL. It also
     does some minimal sanity checks on the passed order.
     (CVE-2019-1547)
     [Billy Bob Brumley]

  *) Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
     An attack is simple, if the first CMS_recipientInfo is valid but the
     second CMS_recipientInfo is chosen ciphertext. If the second
     recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
     encryption key will be replaced by garbage, and the message cannot be
     decoded, but if the RSA decryption fails, the correct encryption key is
     used and the recipient will not notice the attack.
     As a work around for this potential attack the length of the decrypted
     key must be equal to the cipher default key length, in case the
     certifiate is not given and all recipientInfo are tried out.
     The old behaviour can be re-enabled in the CMS code by setting the
     CMS_DEBUG_DECRYPT flag.
     [Bernd Edlinger]

  *) Early start up entropy quality from the DEVRANDOM seed source has been
     improved for older Linux systems.  The RAND subsystem will wait for
     /dev/random to be producing output before seeding from /dev/urandom.
     The seeded state is stored for future library initialisations using
     a system global shared memory segment.  The shared memory identifier
     can be configured by defining OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID to
     the desired value.  The default identifier is 114.
     [Paul Dale]

  *) Revised BN_generate_prime_ex to not avoid factors 2..17863 in p-1
     when primes for RSA keys are computed.
     Since we previously always generated primes == 2 (mod 3) for RSA keys,
     the 2-prime and 3-prime RSA modules were easy to distinguish, since
     N = p*q = 1 (mod 3), but N = p*q*r = 2 (mod 3). Therefore fingerprinting
     2-prime vs. 3-prime RSA keys was possible by computing N mod 3.
     This avoids possible fingerprinting of newly generated RSA modules.
     [Bernd Edlinger]

  *) Correct the extended master secret constant on EBCDIC systems. Without this
     fix TLS connections between an EBCDIC system and a non-EBCDIC system that
     negotiate EMS will fail. Unfortunately this also means that TLS connections
     between EBCDIC systems with this fix, and EBCDIC systems without this
     fix will fail if they negotiate EMS.
     [Matt Caswell]

  *) Changed the library initialisation so that the config file is now loaded
     by default. This was already the case for libssl. It now occurs for both
     libcrypto and libssl. Use the OPENSSL_INIT_NO_LOAD_CONFIG option to
     OPENSSL_init_crypto() to suppress automatic loading of a config file.
     [Matt Caswell]

  *) Introduced new error raising macros, ERR_raise() and ERR_raise_data(),
     where the former acts as a replacement for ERR_put_error(), and the
     latter replaces the combination ERR_put_error()+ERR_add_error_data().
     ERR_raise_data() adds more flexibility by taking a format string and
     an arbitrary number of arguments following it, to be processed with
     BIO_snprintf().
     [Richard Levitte]

  *) Introduced a new function, OSSL_PROVIDER_available(), which can be used
     to check if a named provider is loaded and available.  When called, it
     will also activate all fallback providers if such are still present.
     [Richard Levitte]

  *) Enforce a minimum DH modulus size of 512 bits.
     [Bernd Edlinger]

  *) Changed DH parameters to generate the order q subgroup instead of 2q.
     Previously generated DH parameters are still accepted by DH_check
     but DH_generate_key works around that by clearing bit 0 of the
     private key for those. This avoids leaking bit 0 of the private key.
     [Bernd Edlinger]

  *) Significantly reduce secure memory usage by the randomness pools.
     [Paul Dale]

  *) {CRYPTO,OPENSSL}_mem_debug_{push,pop} are now no-ops and have been
     deprecated.
     [Rich Salz]

  *) A new type, EVP_KEYEXCH, has been introduced to represent key exchange
     algorithms. An implementation of a key exchange algorithm can be obtained
     by using the function EVP_KEYEXCH_fetch(). An EVP_KEYEXCH algorithm can be
     used in a call to EVP_PKEY_derive_init_ex() which works in a similar way to
     the older EVP_PKEY_derive_init() function. See the man pages for the new
     functions for further details.
     [Matt Caswell]

  *) The EVP_PKEY_CTX_set_dh_pad() macro has now been converted to a function.
     [Matt Caswell]

  *) Removed the function names from error messages and deprecated the
     xxx_F_xxx define's.

  *) Removed NextStep support and the macro OPENSSL_UNISTD
     [Rich Salz]

  *) Removed DES_check_key.  Also removed OPENSSL_IMPLEMENT_GLOBAL,
     OPENSSL_GLOBAL_REF, OPENSSL_DECLARE_GLOBAL.
     Also removed "export var as function" capability; we do not export
     variables, only functions.
     [Rich Salz]

  *) RC5_32_set_key has been changed to return an int type, with 0 indicating
     an error and 1 indicating success. In previous versions of OpenSSL this
     was a void type. If a key was set longer than the maximum possible this
     would crash.
     [Matt Caswell]

  *) Support SM2 signing and verification schemes with X509 certificate.
     [Paul Yang]

  *) Use SHA256 as the default digest for TS query in the ts app.
     [Tomas Mraz]

  *) Change PBKDF2 to conform to SP800-132 instead of the older PKCS5 RFC2898.
     This checks that the salt length is at least 128 bits, the derived key
     length is at least 112 bits, and that the iteration count is at least 1000.
     For backwards compatibility these checks are disabled by default in the
     default provider, but are enabled by default in the fips provider.
     To enable or disable these checks use the control
     EVP_KDF_CTRL_SET_PBKDF2_PKCS5_MODE.
     [Shane Lontis]

  *) Default cipher lists/suites are now available via a function, the
     #defines are deprecated.
     [Todd Short]

  *) Add target VC-WIN32-UWP, VC-WIN64A-UWP, VC-WIN32-ARM-UWP and
     VC-WIN64-ARM-UWP in Windows OneCore target for making building libraries
     for Windows Store apps easier. Also, the "no-uplink" option has been added.
     [Kenji Mouri]

  *) Join the directories crypto/x509 and crypto/x509v3
     [Richard Levitte]

  *) Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
     This changes the size when using the genpkey app when no size is given. It
     fixes an omission in earlier changes that changed all RSA, DSA and DH
     generation apps to use 2048 bits by default.
     [Kurt Roeckx]

  *) Added command 'openssl kdf' that uses the EVP_KDF API.
     [Shane Lontis]

  *) Added command 'openssl mac' that uses the EVP_MAC API.
     [Shane Lontis]

  *) Added OPENSSL_info() to get diverse built-in OpenSSL data, such
     as default directories.  Also added the command 'openssl info'
     for scripting purposes.
     [Richard Levitte]

  *) The functions AES_ige_encrypt() and AES_bi_ige_encrypt() have been
     deprecated. These undocumented functions were never integrated into the EVP
     layer and implement the AES Infinite Garble Extension (IGE) mode and AES
     Bi-directional IGE mode. These modes were never formally standardised and
     usage of these functions is believed to be very small. In particular
     AES_bi_ige_encrypt() has a known bug. It accepts 2 AES keys, but only one
     is ever used. The security implications are believed to be minimal, but
     this issue was never fixed for backwards compatibility reasons. New code
     should not use these modes.
     [Matt Caswell]

  *) Add prediction resistance to the DRBG reseeding process.
     [Paul Dale]

  *) Limit the number of blocks in a data unit for AES-XTS to 2^20 as
     mandated by IEEE Std 1619-2018.
     [Paul Dale]

  *) Added newline escaping functionality to a filename when using openssl dgst.
     This output format is to replicate the output format found in the '*sum'
     checksum programs. This aims to preserve backward compatibility.
     [Matt Eaton, Richard Levitte, and Paul Dale]

  *) Removed the heartbeat message in DTLS feature, as it has very
     little usage and doesn't seem to fulfill a valuable purpose.
     The configuration option is now deprecated.
     [Richard Levitte]

  *) Changed the output of 'openssl {digestname} < file' to display the
     digest name in its output.
     [Richard Levitte]

  *) Added a new generic trace API which provides support for enabling
     instrumentation through trace output. This feature is mainly intended
     as an aid for developers and is disabled by default. To utilize it,
     OpenSSL needs to be configured with the `enable-trace` option.

     If the tracing API is enabled, the application can activate trace output
     by registering BIOs as trace channels for a number of tracing and debugging
     categories.

     The 'openssl' application has been expanded to enable any of the types
     available via environment variables defined by the user, and serves as
     one possible example on how to use this functionality.
     [Richard Levitte & Matthias St. Pierre]

  *) Added build tests for C++.  These are generated files that only do one
     thing, to include one public OpenSSL head file each.  This tests that
     the public header files can be usefully included in a C++ application.

     This test isn't enabled by default.  It can be enabled with the option
     'enable-buildtest-c++'.
     [Richard Levitte]

  *) Add Single Step KDF (EVP_KDF_SS) to EVP_KDF.
     [Shane Lontis]

  *) Add KMAC to EVP_MAC.
     [Shane Lontis]

  *) Added property based algorithm implementation selection framework to
     the core.
     [Paul Dale]

  *) Added SCA hardening for modular field inversion in EC_GROUP through
     a new dedicated field_inv() pointer in EC_METHOD.
     This also addresses a leakage affecting conversions from projective
     to affine coordinates.
     [Billy Bob Brumley, Nicola Tuveri]

  *) Added EVP_KDF, an EVP layer KDF API, to simplify adding KDF and PRF
     implementations.  This includes an EVP_PKEY to EVP_KDF bridge for
     those algorithms that were already supported through the EVP_PKEY API
     (scrypt, TLS1 PRF and HKDF).  The low-level KDF functions for PBKDF2
     and scrypt are now wrappers that call EVP_KDF.
     [David Makepeace]

  *) Build devcrypto engine as a dynamic engine.
     [Eneas U de Queiroz]

  *) Add keyed BLAKE2 to EVP_MAC.
     [Antoine Salon]

  *) Fix a bug in the computation of the endpoint-pair shared secret used
     by DTLS over SCTP. This breaks interoperability with older versions
     of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2. There is a runtime
     switch SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG (off by default) enabling
     interoperability with such broken implementations. However, enabling
     this switch breaks interoperability with correct implementations.

  *) Fix a use after free bug in d2i_X509_PUBKEY when overwriting a
     re-used X509_PUBKEY object if the second PUBKEY is malformed.
     [Bernd Edlinger]

  *) Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().
     [Richard Levitte]

  *) Change the license to the Apache License v2.0.
     [Richard Levitte]

  *) Switch to a new version scheme using three numbers MAJOR.MINOR.PATCH.

     o Major releases (indicated by incrementing the MAJOR release number)
       may introduce incompatible API/ABI changes.
     o Minor releases (indicated by incrementing the MINOR release number)
       may introduce new features but retain API/ABI compatibility.
     o Patch releases (indicated by incrementing the PATCH number)
       are intended for bug fixes and other improvements of existing
       features only (like improving performance or adding documentation)
       and retain API/ABI compatibility.
     [Richard Levitte]

  *) Add support for RFC5297 SIV mode (siv128), including AES-SIV.
     [Todd Short]

  *) Remove the 'dist' target and add a tarball building script.  The
     'dist' target has fallen out of use, and it shouldn't be
     necessary to configure just to create a source distribution.
     [Richard Levitte]

  *) Recreate the OS390-Unix config target.  It no longer relies on a
     special script like it did for OpenSSL pre-1.1.0.
     [Richard Levitte]

  *) Instead of having the source directories listed in Configure, add
     a 'build.info' keyword SUBDIRS to indicate what sub-directories to
     look into.
     [Richard Levitte]

  *) Add GMAC to EVP_MAC.
     [Paul Dale]

  *) Ported the HMAC, CMAC and SipHash EVP_PKEY_METHODs to EVP_MAC.
     [Richard Levitte]

  *) Added EVP_MAC, an EVP layer MAC API, to simplify adding MAC
     implementations.  This includes a generic EVP_PKEY to EVP_MAC bridge,
     to facilitate the continued use of MACs through raw private keys in
     functionality such as EVP_DigestSign* and EVP_DigestVerify*.
     [Richard Levitte]

  *) Deprecate ECDH_KDF_X9_62() and mark its replacement as internal. Users
     should use the EVP interface instead (EVP_PKEY_CTX_set_ecdh_kdf_type).
     [Antoine Salon]

  *) Added EVP_PKEY_ECDH_KDF_X9_63 and ecdh_KDF_X9_63() as replacements for
     the EVP_PKEY_ECDH_KDF_X9_62 KDF type and ECDH_KDF_X9_62(). The old names
     are retained for backwards compatibility.
     [Antoine Salon]

  *) AES-XTS mode now enforces that its two keys are different to mitigate
     the attacked described in "Efficient Instantiations of Tweakable
     Blockciphers and Refinements to Modes OCB and PMAC" by Phillip Rogaway.
     Details of this attack can be obtained from:
     http://web.cs.ucdavis.edu/%7Erogaway/papers/offsets.pdf
     [Paul Dale]

  *) Rename the object files, i.e. give them other names than in previous
     versions.  Their names now include the name of the final product, as
     well as its type mnemonic (bin, lib, shlib).
     [Richard Levitte]

  *) Added new option for 'openssl list', '-objects', which will display the
     list of built in objects, i.e. OIDs with names.
     [Richard Levitte]

  *) Added support for Linux Kernel TLS data-path. The Linux Kernel data-path
     improves application performance by removing data copies and providing
     applications with zero-copy system calls such as sendfile and splice.
     [Boris Pismenny]

 Changes between 1.1.1a and 1.1.1b [xx XXX xxxx]

  *) Change the info callback signals for the start and end of a post-handshake
     message exchange in TLSv1.3. In 1.1.1/1.1.1a we used SSL_CB_HANDSHAKE_START
     and SSL_CB_HANDSHAKE_DONE. Experience has shown that many applications get
     confused by this and assume that a TLSv1.2 renegotiation has started. This
     can break KeyUpdate handling. Instead we no longer signal the start and end
     of a post handshake message exchange (although the messages themselves are
     still signalled). This could break some applications that were expecting
     the old signals. However without this KeyUpdate is not usable for many
     applications.
     [Matt Caswell]

 Changes between 1.1.1 and 1.1.1a [20 Nov 2018]

  *) Timing vulnerability in DSA signature generation

     The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
     timing side channel attack. An attacker could use variations in the signing
     algorithm to recover the private key.

     This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
     (CVE-2018-0734)
     [Paul Dale]

  *) Timing vulnerability in ECDSA signature generation

     The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a
     timing side channel attack. An attacker could use variations in the signing
     algorithm to recover the private key.

     This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser.
     (CVE-2018-0735)
     [Paul Dale]

  *) Fixed the issue that RAND_add()/RAND_seed() silently discards random input
     if its length exceeds 4096 bytes. The limit has been raised to a buffer size
     of two gigabytes and the error handling improved.

     This issue was reported to OpenSSL by Dr. Falko Strenzke. It has been
     categorized as a normal bug, not a security issue, because the DRBG reseeds
     automatically and is fully functional even without additional randomness
     provided by the application.

 Changes between 1.1.0i and 1.1.1 [11 Sep 2018]

  *) Add a new ClientHello callback. Provides a callback interface that gives
     the application the ability to adjust the nascent SSL object at the
     earliest stage of ClientHello processing, immediately after extensions have
     been collected but before they have been processed. In particular, this
     callback can adjust the supported TLS versions in response to the contents
     of the ClientHello
     [Benjamin Kaduk]

  *) Add SM2 base algorithm support.
     [Jack Lloyd]

  *) s390x assembly pack: add (improved) hardware-support for the following
     cryptographic primitives: sha3, shake, aes-gcm, aes-ccm, aes-ctr, aes-ofb,
     aes-cfb/cfb8, aes-ecb.
     [Patrick Steuer]

  *) Make EVP_PKEY_asn1_new() a bit stricter about its input.  A NULL pem_str
     parameter is no longer accepted, as it leads to a corrupt table.  NULL
     pem_str is reserved for alias entries only.
     [Richard Levitte]

  *) Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder
     step for prime curves. The new implementation is based on formulae from
     differential addition-and-doubling in homogeneous projective coordinates
     from Izu-Takagi "A fast parallel elliptic curve multiplication resistant
     against side channel attacks" and Brier-Joye "Weierstrass Elliptic Curves
     and Side-Channel Attacks" Eq. (8) for y-coordinate recovery, modified
     to work in projective coordinates.
     [Billy Bob Brumley, Nicola Tuveri]

  *) Change generating and checking of primes so that the error rate of not
     being prime depends on the intended use based on the size of the input.
     For larger primes this will result in more rounds of Miller-Rabin.
     The maximal error rate for primes with more than 1080 bits is lowered
     to 2^-128.
     [Kurt Roeckx, Annie Yousar]

  *) Increase the number of Miller-Rabin rounds for DSA key generating to 64.
     [Kurt Roeckx]

  *) The 'tsget' script is renamed to 'tsget.pl', to avoid confusion when
     moving between systems, and to avoid confusion when a Windows build is
     done with mingw vs with MSVC.  For POSIX installs, there's still a
     symlink or copy named 'tsget' to avoid that confusion as well.
     [Richard Levitte]

  *) Revert blinding in ECDSA sign and instead make problematic addition
     length-invariant. Switch even to fixed-length Montgomery multiplication.
     [Andy Polyakov]

  *) Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder
     step for binary curves. The new implementation is based on formulae from
     differential addition-and-doubling in mixed Lopez-Dahab projective
     coordinates, modified to independently blind the operands.
     [Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri]

  *) Add a scaffold to optionally enhance the Montgomery ladder implementation
     for `ec_scalar_mul_ladder` (formerly `ec_mul_consttime`) allowing
     EC_METHODs to implement their own specialized "ladder step", to take
     advantage of more favorable coordinate systems or more efficient
     differential addition-and-doubling algorithms.
     [Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri]

  *) Modified the random device based seed sources to keep the relevant
     file descriptors open rather than reopening them on each access.
     This allows such sources to operate in a chroot() jail without
     the associated device nodes being available. This behaviour can be
     controlled using RAND_keep_random_devices_open().
     [Paul Dale]

  *) Numerous side-channel attack mitigations have been applied. This may have
     performance impacts for some algorithms for the benefit of improved
     security. Specific changes are noted in this change log by their respective
     authors.
     [Matt Caswell]

  *) AIX shared library support overhaul. Switch to AIX "natural" way of
     handling shared libraries, which means collecting shared objects of
     different versions and bitnesses in one common archive. This allows to
     mitigate conflict between 1.0 and 1.1 side-by-side installations. It
     doesn't affect the way 3rd party applications are linked, only how
     multi-version installation is managed.
     [Andy Polyakov]

  *) Make ec_group_do_inverse_ord() more robust and available to other
     EC cryptosystems, so that irrespective of BN_FLG_CONSTTIME, SCA
     mitigations are applied to the fallback BN_mod_inverse().
     When using this function rather than BN_mod_inverse() directly, new
     EC cryptosystem implementations are then safer-by-default.
     [Billy Bob Brumley]

  *) Add coordinate blinding for EC_POINT and implement projective
     coordinate blinding for generic prime curves as a countermeasure to
     chosen point SCA attacks.
     [Sohaib ul Hassan, Nicola Tuveri, Billy Bob Brumley]

  *) Add blinding to ECDSA and DSA signatures to protect against side channel
     attacks discovered by Keegan Ryan (NCC Group).
     [Matt Caswell]

  *) Enforce checking in the pkeyutl command line app to ensure that the input
     length does not exceed the maximum supported digest length when performing
     a sign, verify or verifyrecover operation.
     [Matt Caswell]

  *) SSL_MODE_AUTO_RETRY is enabled by default. Applications that use blocking
     I/O in combination with something like select() or poll() will hang. This
     can be turned off again using SSL_CTX_clear_mode().
     Many applications do not properly handle non-application data records, and
     TLS 1.3 sends more of such records. Setting SSL_MODE_AUTO_RETRY works
     around the problems in those applications, but can also break some.
     It's recommended to read the manpages about SSL_read(), SSL_write(),
     SSL_get_error(), SSL_shutdown(), SSL_CTX_set_mode() and
     SSL_CTX_set_read_ahead() again.
     [Kurt Roeckx]

  *) When unlocking a pass phrase protected PEM file or PKCS#8 container, we
     now allow empty (zero character) pass phrases.
     [Richard Levitte]

  *) Apply blinding to binary field modular inversion and remove patent
     pending (OPENSSL_SUN_GF2M_DIV) BN_GF2m_mod_div implementation.
     [Billy Bob Brumley]

  *) Deprecate ec2_mult.c and unify scalar multiplication code paths for
     binary and prime elliptic curves.
     [Billy Bob Brumley]

  *) Remove ECDSA nonce padding: EC_POINT_mul is now responsible for
     constant time fixed point multiplication.
     [Billy Bob Brumley]

  *) Revise elliptic curve scalar multiplication with timing attack
     defenses: ec_wNAF_mul redirects to a constant time implementation
     when computing fixed point and variable point multiplication (which
     in OpenSSL are mostly used with secret scalars in keygen, sign,