You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

18919 lines
699 KiB

This is a high-level summary of the most important changes.
For a full list of changes, see the [git commit log][log] and
pick the appropriate release branch.
OpenSSL Releases
- [OpenSSL 3.0](#openssl-30)
- [OpenSSL 1.1.1](#openssl-111)
- [OpenSSL 1.1.0](#openssl-110)
- [OpenSSL 1.0.2](#openssl-102)
- [OpenSSL 1.0.1](#openssl-101)
- [OpenSSL 1.0.0](#openssl-100)
- [OpenSSL 0.9.x](#openssl-09x)
OpenSSL 3.0
### Changes between 1.1.1 and 3.0 [xx XXX xxxx]
* Deprecated the obsolete X9.31 RSA key generation related functions
BN_X931_generate_Xpq(), BN_X931_derive_prime_ex(), and
*Tomas Mraz*
* Deprecated the type OCSP_REQ_CTX and the functions OCSP_REQ_CTX_new(),
OCSP_REQ_CTX_free(), OCSP_REQ_CTX_http(), OCSP_REQ_CTX_add1_header(),
OCSP_REQ_CTX_i2d(), OCSP_REQ_CTX_nbio(), OCSP_REQ_CTX_nbio_d2i(),
OCSP_REQ_CTX_get0_mem_bio() and OCSP_set_max_response_length(). These
were used to collect all necessary data to form a HTTP request, and to
perform the HTTP transfer with that request. With OpenSSL 3.0, the
type is OSSL_HTTP_REQ_CTX, and the deprecated functions are replaced
OSSL_HTTP_REQ_CTX_set_request_line(), OSSL_HTTP_REQ_CTX_add1_header(),
OSSL_HTTP_REQ_CTX_sendreq_d2i(), OSSL_HTTP_REQ_CTX_get0_mem_bio() and
*Rich Salz and Richard Levitte*
* Validation of SM2 keys has been separated from the validation of regular EC
keys, allowing to improve the SM2 validation process to reject loaded private
keys that are not conforming to the SM2 ISO standard.
In particular, a private scalar `k` outside the range `1 <= k < n-1` is now
correctly rejected.
*Nicola Tuveri*
* Behavior of the `pkey` app is changed, when using the `-check` or `-pubcheck`
switches: a validation failure triggers an early exit, returning a failure
exit status to the parent process.
*Nicola Tuveri*
* Changed behavior of SSL_CTX_set_ciphersuites() and SSL_set_ciphersuites()
to ignore unknown ciphers.
*Otto Hollmann*
* The `-cipher-commands` and `-digest-commands` options
of the command line utility `list` have been deprecated.
Instead use the `-cipher-algorithms` and `-digest-algorithms` options.
*Dmitry Belyavskiy*
* Deprecated all the libcrypto and libssl error string loading
functions: ERR_load_ASN1_strings(), ERR_load_ASYNC_strings(),
ERR_load_BIO_strings(), ERR_load_BN_strings(), ERR_load_BUF_strings(),
ERR_load_CMS_strings(), ERR_load_COMP_strings(), ERR_load_CONF_strings(),
ERR_load_CRYPTO_strings(), ERR_load_CT_strings(), ERR_load_DH_strings(),
ERR_load_DSA_strings(), ERR_load_EC_strings(), ERR_load_ENGINE_strings(),
ERR_load_ERR_strings(), ERR_load_EVP_strings(), ERR_load_KDF_strings(),
ERR_load_OBJ_strings(), ERR_load_OCSP_strings(), ERR_load_PEM_strings(),
ERR_load_PKCS12_strings(), ERR_load_PKCS7_strings(), ERR_load_RAND_strings(),
ERR_load_RSA_strings(), ERR_load_OSSL_STORE_strings(), ERR_load_TS_strings(),
ERR_load_UI_strings(), ERR_load_X509_strings(), ERR_load_X509V3_strings().
Calling these functions is not necessary since OpenSSL 1.1.0, as OpenSSL
now loads error strings automatically.
*Richard Levitte*
* The functions SSL_CTX_set_tmp_dh_callback and SSL_set_tmp_dh_callback, as
well as the macros SSL_CTX_set_tmp_dh() and SSL_set_tmp_dh() have been
deprecated. These are used to set the Diffie-Hellman (DH) parameters that
are to be used by servers requiring ephemeral DH keys. Instead applications
should consider using the built-in DH parameters that are available by
calling SSL_CTX_set_dh_auto() or SSL_set_dh_auto(). If custom parameters are
necessary then applications can use the alternative functions
SSL_CTX_set0_tmp_dh_pkey() and SSL_set0_tmp_dh_pkey(). There is no direct
replacement for the "callback" functions. The callback was originally useful
in order to have different parameters for export and non-export ciphersuites.
Export ciphersuites are no longer supported by OpenSSL. Use of the callback
functions should be replaced by one of the other methods described above.
*Matt Caswell*
* The `-crypt` option to the `passwd` command line tool has been removed.
*Paul Dale*
* The -C option to the `x509`, `dhparam`, `dsaparam`, and `ecparam` commands
were removed.
*Rich Salz*
* Add support for AES Key Wrap inverse ciphers to the EVP layer.
The algorithms are:
The inverse ciphers use AES decryption for wrapping, and
AES encryption for unwrapping.
*Shane Lontis*
* Deprecated EVP_PKEY_set1_tls_encodedpoint() and
EVP_PKEY_get1_tls_encodedpoint(). These functions were previously used by
libssl to set or get an encoded public key in/from an EVP_PKEY object. With
OpenSSL 3.0 these are replaced by the more generic functions
EVP_PKEY_set1_encoded_public_key() and EVP_PKEY_get1_encoded_public_key().
The old versions have been converted to deprecated macros that just call the
new functions.
*Matt Caswell*
* The security callback, which can be customised by application code, supports
the security operation SSL_SECOP_TMP_DH. This is defined to take an EVP_PKEY
in the "other" parameter. In most places this is what is passed. All these
places occur server side. However there was one client side call of this
security operation and it passed a DH object instead. This is incorrect
according to the definition of SSL_SECOP_TMP_DH, and is inconsistent with all
of the other locations. Therefore this client side call has been changed to
pass an EVP_PKEY instead.
*Matt Caswell*
* Add PKCS7_get_octet_string() and PKCS7_type_is_other() to the public
interface. Their functionality remains unchanged.
*Jordan Montgomery*
* Added new option for 'openssl list', '-providers', which will display the
list of loaded providers, their names, version and status. It optionally
displays their gettable parameters.
*Paul Dale*
* Deprecated EVP_PKEY_set_alias_type(). This function was previously
needed as a workaround to recognise SM2 keys. With OpenSSL 3.0, this key
type is internally recognised so the workaround is no longer needed.
Functionality is still retained as it is, but will only work with
EVP_PKEYs with a legacy internal key.
*Richard Levitte*
* Deprecated `EVP_PKEY_CTX_set_rsa_keygen_pubexp()` and introduced
`EVP_PKEY_CTX_set1_rsa_keygen_pubexp()`, which is now preferred.
*Jeremy Walch*
* Changed all "STACK" functions to be macros instead of inline functions. Macro
parameters are still checked for type safety at compile time via helper
inline functions.
*Matt Caswell*
* Remove the RAND_DRBG API
The RAND_DRBG API did not fit well into the new provider concept as
implemented by EVP_RAND and EVP_RAND_CTX. The main reason is that the
RAND_DRBG API is a mixture of 'front end' and 'back end' API calls
and some of its API calls are rather low-level. This holds in particular
for the callback mechanism (`RAND_DRBG_set_callbacks()`).
Adding a compatibility layer to continue supporting the RAND_DRBG API as
a legacy API for a regular deprecation period turned out to come at the
price of complicating the new provider API unnecessarily. Since the
RAND_DRBG API exists only since version 1.1.1, it was decided by the OMC
to drop it entirely.
*Paul Dale and Matthias St. Pierre*
* Allow `SSL_set1_host()` and `SSL_add1_host()` to take IP literal addresses
as well as actual hostnames.
*David Woodhouse*
* The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
ignore TLS protocol version bounds when configuring DTLS-based contexts, and
conversely, silently ignore DTLS protocol version bounds when configuring
TLS-based contexts. The commands can be repeated to set bounds of both
types. The same applies with the corresponding "min_protocol" and
"max_protocol" command-line switches, in case some application uses both TLS
and DTLS.
SSL_CTX instances that are created for a fixed protocol version (e.g.
`TLSv1_server_method()`) also silently ignore version bounds. Previously
attempts to apply bounds to these protocol versions would result in an
error. Now only the "version-flexible" SSL_CTX instances are subject to
limits in configuration files in command-line options.
*Viktor Dukhovni*
* Deprecated the `ENGINE` API. Engines should be replaced with providers
going forward.
*Paul Dale*
* Reworked the recorded ERR codes to make better space for system errors.
To distinguish them, the macro `ERR_SYSTEM_ERROR()` indicates if the
given code is a system error (true) or an OpenSSL error (false).
*Richard Levitte*
* Reworked the test perl framework to better allow parallel testing.
*Nicola Tuveri and David von Oheimb*
* Added ciphertext stealing algorithms AES-128-CBC-CTS, AES-192-CBC-CTS and
AES-256-CBC-CTS to the providers. CS1, CS2 and CS3 variants are supported.
*Shane Lontis*
* 'Configure' has been changed to figure out the configuration target if
none is given on the command line. Consequently, the 'config' script is
now only a mere wrapper. All documentation is changed to only mention
*Rich Salz and Richard Levitte*
* Added a library context `OSSL_LIB_CTX` that applications as well as
other libraries can use to form a separate context within which
libcrypto operations are performed.
There are two ways this can be used:
- Directly, by passing a library context to functions that take
such an argument, such as `EVP_CIPHER_fetch` and similar algorithm
fetching functions.
- Indirectly, by creating a new library context and then assigning
it as the new default, with `OSSL_LIB_CTX_set0_default`.
All public OpenSSL functions that take an `OSSL_LIB_CTX` pointer,
apart from the functions directly related to `OSSL_LIB_CTX`, accept
NULL to indicate that the default library context should be used.
Library code that changes the default library context using
`OSSL_LIB_CTX_set0_default` should take care to restore it with a
second call before returning to the caller.
_(Note: the library context was initially called `OPENSSL_CTX` and
renamed to `OSSL_LIB_CTX` in version 3.0.0 alpha7.)_
*Richard Levitte*
* Handshake now fails if Extended Master Secret extension is dropped
on renegotiation.
*Tomas Mraz*
* Dropped interactive mode from the `openssl` program. From now on,
running it without arguments is equivalent to `openssl help`.
*Richard Levitte*
* Renamed `EVP_PKEY_cmp()` to `EVP_PKEY_eq()` and
`EVP_PKEY_cmp_parameters()` to `EVP_PKEY_parameters_eq()`.
While the old function names have been retained for backward compatibility
they should not be used in new developments
because their return values are confusing: Unlike other `_cmp()` functions
they do not return 0 in case their arguments are equal.
*David von Oheimb*
* Deprecated `EC_METHOD_get_field_type()`. Applications should switch to
*Billy Bob Brumley*
* Deprecated EC_GFp_simple_method(), EC_GFp_mont_method(),
EC_GF2m_simple_method(), EC_GFp_nist_method(), EC_GFp_nistp224_method()
EC_GFp_nistp256_method(), and EC_GFp_nistp521_method().
Applications should rely on the library automatically assigning a suitable
EC_METHOD internally upon EC_GROUP construction.
*Billy Bob Brumley*
* Deprecated EC_GROUP_new(), EC_GROUP_method_of(), and EC_POINT_method_of().
EC_METHOD is now an internal-only concept and a suitable EC_METHOD is
assigned internally without application intervention.
Users of EC_GROUP_new() should switch to a different suitable constructor.
*Billy Bob Brumley*
* Add CAdES-BES signature verification support, mostly derived
from ESSCertIDv2 TS (RFC 5816) contribution by Marek Klein.
*Filipe Raimundo da Silva*
* Add CAdES-BES signature scheme and attributes support (RFC 5126) to CMS API.
*Antonio Iacono*
* Deprecated EC_POINT_make_affine() and EC_POINTs_make_affine(). These
functions are not widely used and now OpenSSL automatically perform this
conversion when needed.
*Billy Bob Brumley*
* Deprecated EC_GROUP_precompute_mult(), EC_GROUP_have_precompute_mult(), and
EC_KEY_precompute_mult(). These functions are not widely used and
applications should instead switch to named curves which OpenSSL has
hardcoded lookup tables for.
*Billy Bob Brumley*
* Deprecated EC_POINTs_mul(). This function is not widely used and applications
should instead use the L<EC_POINT_mul(3)> function.
*Billy Bob Brumley*
* Removed FIPS_mode() and FIPS_mode_set(). These functions are legacy API's
that are not applicable to the new provider model. Applications should
instead use EVP_default_properties_is_fips_enabled() and
*Shane Lontis*
* The SSL option SSL_OP_IGNORE_UNEXPECTED_EOF is introduced. If that option
is set, an unexpected EOF is ignored, it pretends a close notify was received
instead and so the returned error becomes SSL_ERROR_ZERO_RETURN.
*Dmitry Belyavskiy*
* Deprecated EC_POINT_set_Jprojective_coordinates_GFp() and
EC_POINT_get_Jprojective_coordinates_GFp(). These functions are not widely
used and applications should instead use the
L<EC_POINT_set_affine_coordinates(3)> and
L<EC_POINT_get_affine_coordinates(3)> functions.
*Billy Bob Brumley*
* Added OSSL_PARAM_BLD to the public interface. This allows OSSL_PARAM
arrays to be more easily constructed via a series of utility functions.
Create a parameter builder using OSSL_PARAM_BLD_new(), add parameters using
the various push functions and finally convert to a passable OSSL_PARAM
array using OSSL_PARAM_BLD_to_param().
*Paul Dale*
* The security strength of SHA1 and MD5 based signatures in TLS has been
reduced. This results in SSL 3, TLS 1.0, TLS 1.1 and DTLS 1.0 no longer
working at the default security level of 1 and instead requires security
level 0. The security level can be changed either using the cipher string
with `@SECLEVEL`, or calling `SSL_CTX_set_security_level()`.
*Kurt Roeckx*
* EVP_PKEY_get0_RSA(), EVP_PKEY_get0_DSA(), EVP_PKEY_get0_DH(), and
EVP_PKEY_get0_EC_KEY() can now handle EVP_PKEYs with provider side
internal keys, if they correspond to one of those built in types.
*Richard Levitte*
* Added EVP_PKEY_set_type_by_keymgmt(), to initialise an EVP_PKEY to
contain a provider side internal key.
*Richard Levitte*
* ASN1_verify(), ASN1_digest() and ASN1_sign() have been deprecated.
They are old functions that we don't use, and that you could disable with
the macro NO_ASN1_OLD. This goes all the way back to OpenSSL 0.9.7.
*Richard Levitte*
* Project text documents not yet having a proper file name extension
(`HACKING`, `LICENSE`, `NOTES*`, `README*`, `VERSION`) have been renamed to
`*.md` as far as reasonable, else `*.txt`, for better use with file managers.
*David von Oheimb*
* The main project documents (README, NEWS, CHANGES, INSTALL, SUPPORT)
have been converted to Markdown with the goal to produce documents
which not only look pretty when viewed online in the browser, but
remain well readable inside a plain text editor.
To achieve this goal, a 'minimalistic' Markdown style has been applied
which avoids formatting elements that interfere too much with the
reading flow in the text file. For example, it
* avoids [ATX headings][] and uses [setext headings][] instead
(which works for `<h1>` and `<h2>` headings only).
* avoids [inline links][] and uses [reference links][] instead.
* avoids [fenced code blocks][] and uses [indented code blocks][] instead.
[ATX headings]:
[setext headings]:
[inline links]:
[reference links]:
[fenced code blocks]:
[indented code blocks]:
*Matthias St. Pierre*
* The test suite is changed to preserve results of each test recipe.
A new directory test-runs/ with subdirectories named like the
test recipes are created in the build tree for this purpose.
*Richard Levitte*
* Added an implementation of CMP and CRMF (RFC 4210, RFC 4211 RFC 6712).
This adds `crypto/cmp/`, `crpyto/crmf/`, `apps/cmp.c`, and `test/cmp_*`.
See L<openssl-cmp(1)> and L<OSSL_CMP_exec_IR_ses(3)> as starting points.
*David von Oheimb, Martin Peylo*
* Generalized the HTTP client code from `crypto/ocsp/` into `crpyto/http/`.
The legacy OCSP-focused and only partly documented API is retained for
backward compatibility. See L<OSSL_CMP_MSG_http_perform(3)> etc. for details.
*David von Oheimb*
* Added `util/`, a tool for checking adherence to the
OpenSSL coding style <>.
The checks performed are incomplete and yield some false positives.
Still the tool should be useful for detecting most typical glitches.
*David von Oheimb*
* `BIO_do_connect()` and `BIO_do_handshake()` have been extended:
If domain name resolution yields multiple IP addresses all of them are tried
after `connect()` failures.
*David von Oheimb*
* All of the low level RSA functions have been deprecated including:
RSA_new_method, RSA_size, RSA_security_bits, RSA_get0_pss_params,
RSA_get_version, RSA_get0_engine, RSA_generate_key_ex,
RSA_generate_multi_prime_key, RSA_X931_derive_ex, RSA_X931_generate_key_ex,
RSA_check_key, RSA_check_key_ex, RSA_public_encrypt, RSA_private_encrypt,
RSA_public_decrypt, RSA_private_decrypt, RSA_set_default_method,
RSA_get_default_method, RSA_null_method, RSA_get_method, RSA_set_method,
RSA_PKCS1_OpenSSL, RSA_print_fp, RSA_print, RSA_sign, RSA_verify,
RSA_sign_ASN1_OCTET_STRING, RSA_verify_ASN1_OCTET_STRING, RSA_blinding_on,
RSA_blinding_off, RSA_setup_blinding, RSA_padding_add_PKCS1_type_1,
RSA_padding_check_PKCS1_type_1, RSA_padding_add_PKCS1_type_2,
RSA_padding_check_PKCS1_type_2, PKCS1_MGF1, RSA_padding_add_PKCS1_OAEP,
RSA_padding_check_PKCS1_OAEP, RSA_padding_add_PKCS1_OAEP_mgf1,
RSA_padding_check_PKCS1_OAEP_mgf1, RSA_padding_add_SSLv23,
RSA_padding_check_SSLv23, RSA_padding_add_none, RSA_padding_check_none,
RSA_padding_add_X931, RSA_padding_check_X931, RSA_X931_hash_id,
RSA_verify_PKCS1_PSS, RSA_padding_add_PKCS1_PSS, RSA_verify_PKCS1_PSS_mgf1,
RSA_padding_add_PKCS1_PSS_mgf1, RSA_set_ex_data, RSA_get_ex_data,
RSA_meth_new, RSA_meth_free, RSA_meth_dup, RSA_meth_get0_name,
RSA_meth_set1_name, RSA_meth_get_flags, RSA_meth_set_flags,
RSA_meth_get0_app_data, RSA_meth_set0_app_data, RSA_meth_get_pub_enc,
RSA_meth_set_pub_enc, RSA_meth_get_pub_dec, RSA_meth_set_pub_dec,
RSA_meth_get_priv_enc, RSA_meth_set_priv_enc, RSA_meth_get_priv_dec,
RSA_meth_set_priv_dec, RSA_meth_get_mod_exp, RSA_meth_set_mod_exp,
RSA_meth_get_bn_mod_exp, RSA_meth_set_bn_mod_exp, RSA_meth_get_init,
RSA_meth_set_init, RSA_meth_get_finish, RSA_meth_set_finish,
RSA_meth_get_sign, RSA_meth_set_sign, RSA_meth_get_verify,
RSA_meth_set_verify, RSA_meth_get_keygen, RSA_meth_set_keygen,
RSA_meth_get_multi_prime_keygen and RSA_meth_set_multi_prime_keygen.
Use of these low level functions has been informally discouraged for a long
time. Instead applications should use L<EVP_PKEY_encrypt_init(3)>,
L<EVP_PKEY_encrypt(3)>, L<EVP_PKEY_decrypt_init(3)> and
*Paul Dale*
* X509 certificates signed using SHA1 are no longer allowed at security
level 1 and above.
In TLS/SSL the default security level is 1. It can be set either
using the cipher string with `@SECLEVEL`, or calling
`SSL_CTX_set_security_level()`. If the leaf certificate is signed with SHA-1,
a call to `SSL_CTX_use_certificate()` will fail if the security level is not
lowered first.
Outside TLS/SSL, the default security level is -1 (effectively 0). It can
be set using `X509_VERIFY_PARAM_set_auth_level()` or using the `-auth_level`
options of the commands.
*Kurt Roeckx*
* The command line utilities dhparam, dsa, gendsa and dsaparam have been
modified to use PKEY APIs. These commands are now in maintenance mode
and no new features will be added to them.
*Paul Dale*
* The command line utility rsautl has been deprecated.
Instead use the pkeyutl program.
*Paul Dale*
* The command line utilities genrsa and rsa have been modified to use PKEY
APIs. They now write PKCS#8 keys by default. These commands are now in
maintenance mode and no new features will be added to them.
*Paul Dale*
* All of the low level DH functions have been deprecated including:
DH_OpenSSL, DH_set_default_method, DH_get_default_method, DH_set_method,
DH_new_method, DH_new, DH_free, DH_up_ref, DH_bits, DH_set0_pqg, DH_size,
DH_security_bits, DH_get_ex_new_index, DH_set_ex_data, DH_get_ex_data,
DH_generate_parameters_ex, DH_check_params_ex, DH_check_ex, DH_check_pub_key_ex,
DH_check, DH_check_pub_key, DH_generate_key, DH_compute_key,
DH_compute_key_padded, DHparams_print_fp, DHparams_print, DH_get_nid,
DH_KDF_X9_42, DH_get0_engine, DH_meth_new, DH_meth_free, DH_meth_dup,
DH_meth_get0_name, DH_meth_set1_name, DH_meth_get_flags, DH_meth_set_flags,
DH_meth_get0_app_data, DH_meth_set0_app_data, DH_meth_get_generate_key,
DH_meth_set_generate_key, DH_meth_get_compute_key, DH_meth_set_compute_key,
DH_meth_get_bn_mod_exp, DH_meth_set_bn_mod_exp, DH_meth_get_init,
DH_meth_set_init, DH_meth_get_finish, DH_meth_set_finish,
DH_meth_get_generate_params and DH_meth_set_generate_params.
Use of these low level functions has been informally discouraged for a long
time. Instead applications should use L<EVP_PKEY_derive_init(3)>
and L<EVP_PKEY_derive(3)>.
Additionally functions that read and write DH objects such as d2i_DHparams,
i2d_DHparams, PEM_read_DHparam, PEM_write_DHparams and other similar
functions have also been deprecated. Applications should instead use the
OSSL_DECODER and OSSL_ENCODER APIs to read and write DH files.
Finaly functions that assign or obtain DH objects from an EVP_PKEY such as
`EVP_PKEY_assign_DH()`, `EVP_PKEY_get0_DH()`, `EVP_PKEY_get1_DH()`, and
`EVP_PKEY_set1_DH()` are also deprecated.
Applications should instead either read or write an
Or load an EVP_PKEY directly from DH data using `EVP_PKEY_fromdata()`.
*Paul Dale and Matt Caswell*
* All of the low level DSA functions have been deprecated including:
DSA_new, DSA_free, DSA_up_ref, DSA_bits, DSA_get0_pqg, DSA_set0_pqg,
DSA_get0_key, DSA_set0_key, DSA_get0_p, DSA_get0_q, DSA_get0_g,
DSA_get0_pub_key, DSA_get0_priv_key, DSA_clear_flags, DSA_test_flags,
DSA_set_flags, DSA_do_sign, DSA_do_verify, DSA_OpenSSL,
DSA_set_default_method, DSA_get_default_method, DSA_set_method,
DSA_get_method, DSA_new_method, DSA_size, DSA_security_bits,
DSA_sign_setup, DSA_sign, DSA_verify, DSA_get_ex_new_index,
DSA_set_ex_data, DSA_get_ex_data, DSA_generate_parameters_ex,
DSA_generate_key, DSA_meth_new, DSA_get0_engine, DSA_meth_free,
DSA_meth_dup, DSA_meth_get0_name, DSA_meth_set1_name, DSA_meth_get_flags,
DSA_meth_set_flags, DSA_meth_get0_app_data, DSA_meth_set0_app_data,
DSA_meth_get_sign, DSA_meth_set_sign, DSA_meth_get_sign_setup,
DSA_meth_set_sign_setup, DSA_meth_get_verify, DSA_meth_set_verify,
DSA_meth_get_mod_exp, DSA_meth_set_mod_exp, DSA_meth_get_bn_mod_exp,
DSA_meth_set_bn_mod_exp, DSA_meth_get_init, DSA_meth_set_init,
DSA_meth_get_finish, DSA_meth_set_finish, DSA_meth_get_paramgen,
DSA_meth_set_paramgen, DSA_meth_get_keygen and DSA_meth_set_keygen.
Use of these low level functions has been informally discouraged for a long
time. Instead applications should use L<EVP_DigestSignInit_ex(3)>,
L<EVP_DigestSignUpdate(3)> and L<EVP_DigestSignFinal(3)>.
*Paul Dale*
* Reworked the treatment of EC EVP_PKEYs with the SM2 curve to
automatically become EVP_PKEY_SM2 rather than EVP_PKEY_EC.
This means that applications don't have to look at the curve NID and
`EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2)` to get SM2 computations.
However, they still can, that `EVP_PKEY_set_alias_type()` call acts as
a no-op when the EVP_PKEY is already of the given type.
Parameter and key generation is also reworked to make it possible
to generate EVP_PKEY_SM2 parameters and keys without having to go
through EVP_PKEY_EC generation and then change the EVP_PKEY type.
However, code that does the latter will still work as before.
*Richard Levitte*
* Deprecated low level ECDH and ECDSA functions. These include:
ECDH_compute_key, ECDSA_do_sign, ECDSA_do_sign_ex, ECDSA_do_verify,
ECDSA_sign_setup, ECDSA_sign, ECDSA_sign_ex, ECDSA_verify and
Use of these low level functions has been informally discouraged for a long
time. Instead applications should use the EVP_PKEY_derive(3),
EVP_DigestSign(3) and EVP_DigestVerify(3) functions.
*Paul Dale*
* Deprecated the EC_KEY_METHOD functions. These include:
EC_KEY_METHOD_set_keygen, EC_KEY_METHOD_set_compute_key,
EC_KEY_METHOD_set_sign, EC_KEY_METHOD_set_verify,
EC_KEY_METHOD_get_init, EC_KEY_METHOD_get_keygen,
EC_KEY_METHOD_get_compute_key, EC_KEY_METHOD_get_sign and
Instead applications and extension writers should use the OSSL_PROVIDER APIs.
*Paul Dale*
* Deprecated EVP_PKEY_decrypt_old(), please use EVP_PKEY_decrypt_init()
and EVP_PKEY_decrypt() instead.
Deprecated EVP_PKEY_encrypt_old(), please use EVP_PKEY_encrypt_init()
and EVP_PKEY_encrypt() instead.
*Richard Levitte*
* Enhanced the documentation of EVP_PKEY_size(), EVP_PKEY_bits()
and EVP_PKEY_security_bits(). Especially EVP_PKEY_size() needed
a new formulation to include all the things it can be used for,
as well as words of caution.
*Richard Levitte*
* The SSL_CTX_set_tlsext_ticket_key_cb(3) function has been deprecated.
Instead used the new SSL_CTX_set_tlsext_ticket_key_evp_cb(3) function.
*Paul Dale*
* All of the low level HMAC functions have been deprecated including:
HMAC, HMAC_size, HMAC_CTX_new, HMAC_CTX_reset, HMAC_CTX_free,
HMAC_Init_ex, HMAC_Update, HMAC_Final, HMAC_CTX_copy, HMAC_CTX_set_flags
and HMAC_CTX_get_md.
Use of these low level functions has been informally discouraged for a long
time. Instead applications should use L<EVP_MAC_CTX_new(3)>,
L<EVP_MAC_CTX_free(3)>, L<EVP_MAC_init(3)>, L<EVP_MAC_update(3)>
and L<EVP_MAC_final(3)>.
*Paul Dale*
* Over two thousand fixes were made to the documentation, including:
- Common options (such as -rand/-writerand, TLS version control, etc)
were refactored and point to newly-enhanced descriptions in openssl.pod.
- Added style conformance for all options (with help from Richard Levitte),
documented all reported missing options, added a CI build to check
that all options are documented and that no unimplemented options
are documented.
- Documented some internals, such as all use of environment variables.
- Addressed all internal broken L<> references.
*Rich Salz*
* All of the low level CMAC functions have been deprecated including:
CMAC_CTX_new, CMAC_CTX_cleanup, CMAC_CTX_free, CMAC_CTX_get0_cipher_ctx,
CMAC_CTX_copy, CMAC_Init, CMAC_Update, CMAC_Final and CMAC_resume.
Use of these low level functions has been informally discouraged for a long
time. Instead applications should use L<EVP_MAC_CTX_new(3)>,
L<EVP_MAC_CTX_free(3)>, L<EVP_MAC_init(3)>, L<EVP_MAC_update(3)>
and L<EVP_MAC_final(3)>.
*Paul Dale*
* All of the low level MD2, MD4, MD5, MDC2, RIPEMD160, SHA1, SHA224, SHA256,
SHA384, SHA512 and Whirlpool digest functions have been deprecated.
These include:
MD2, MD2_options, MD2_Init, MD2_Update, MD2_Final, MD4, MD4_Init,
MD4_Update, MD4_Final, MD4_Transform, MD5, MD5_Init, MD5_Update,
MD5_Final, MD5_Transform, MDC2, MDC2_Init, MDC2_Update, MDC2_Final,
RIPEMD160, RIPEMD160_Init, RIPEMD160_Update, RIPEMD160_Final,
RIPEMD160_Transform, SHA1_Init, SHA1_Update, SHA1_Final, SHA1_Transform,
SHA224_Init, SHA224_Update, SHA224_Final, SHA224_Transform, SHA256_Init,
SHA256_Update, SHA256_Final, SHA256_Transform, SHA384, SHA384_Init,
SHA384_Update, SHA384_Final, SHA512, SHA512_Init, SHA512_Update,
SHA512_Final, SHA512_Transform, WHIRLPOOL, WHIRLPOOL_Init,
Use of these low level functions has been informally discouraged
for a long time. Applications should use the EVP_DigestInit_ex(3),
EVP_DigestUpdate(3) and EVP_DigestFinal_ex(3) functions instead.
*Paul Dale*
* Corrected the documentation of the return values from the `EVP_DigestSign*`
set of functions. The documentation mentioned negative values for some
errors, but this was never the case, so the mention of negative values
was removed.
Code that followed the documentation and thereby check with something
like `EVP_DigestSignInit(...) <= 0` will continue to work undisturbed.
*Richard Levitte*
* All of the low level cipher functions have been deprecated including:
AES_options, AES_set_encrypt_key, AES_set_decrypt_key, AES_encrypt,
AES_decrypt, AES_ecb_encrypt, AES_cbc_encrypt, AES_cfb128_encrypt,
AES_cfb1_encrypt, AES_cfb8_encrypt, AES_ofb128_encrypt,
AES_wrap_key, AES_unwrap_key, BF_set_key, BF_encrypt, BF_decrypt,
BF_ecb_encrypt, BF_cbc_encrypt, BF_cfb64_encrypt, BF_ofb64_encrypt,
BF_options, Camellia_set_key, Camellia_encrypt, Camellia_decrypt,
Camellia_ecb_encrypt, Camellia_cbc_encrypt, Camellia_cfb128_encrypt,
Camellia_cfb1_encrypt, Camellia_cfb8_encrypt, Camellia_ofb128_encrypt,
Camellia_ctr128_encrypt, CAST_set_key, CAST_encrypt, CAST_decrypt,
CAST_ecb_encrypt, CAST_cbc_encrypt, CAST_cfb64_encrypt,
CAST_ofb64_encrypt, DES_options, DES_encrypt1, DES_encrypt2,
DES_encrypt3, DES_decrypt3, DES_cbc_encrypt, DES_ncbc_encrypt,
DES_pcbc_encrypt, DES_xcbc_encrypt, DES_cfb_encrypt, DES_cfb64_encrypt,
DES_ecb_encrypt, DES_ofb_encrypt, DES_ofb64_encrypt, DES_random_key,
DES_set_odd_parity, DES_check_key_parity, DES_is_weak_key, DES_set_key,
DES_key_sched, DES_set_key_checked, DES_set_key_unchecked,
DES_string_to_key, DES_string_to_2keys, DES_fixup_key_parity,
DES_ecb2_encrypt, DES_ede2_cbc_encrypt, DES_ede2_cfb64_encrypt,
DES_ede2_ofb64_encrypt, DES_ecb3_encrypt, DES_ede3_cbc_encrypt,
DES_ede3_cfb64_encrypt, DES_ede3_cfb_encrypt, DES_ede3_ofb64_encrypt,
DES_cbc_cksum, DES_quad_cksum, IDEA_encrypt, IDEA_options,
IDEA_ecb_encrypt, IDEA_set_encrypt_key, IDEA_set_decrypt_key,
IDEA_cbc_encrypt, IDEA_cfb64_encrypt, IDEA_ofb64_encrypt, RC2_set_key,
RC2_encrypt, RC2_decrypt, RC2_ecb_encrypt, RC2_cbc_encrypt,
RC2_cfb64_encrypt, RC2_ofb64_encrypt, RC4, RC4_options, RC4_set_key,
RC5_32_set_key, RC5_32_encrypt, RC5_32_decrypt, RC5_32_ecb_encrypt,
RC5_32_cbc_encrypt, RC5_32_cfb64_encrypt, RC5_32_ofb64_encrypt,
SEED_set_key, SEED_encrypt, SEED_decrypt, SEED_ecb_encrypt,
SEED_cbc_encrypt, SEED_cfb128_encrypt and SEED_ofb128_encrypt.
Use of these low level functions has been informally discouraged for
a long time. Applications should use the high level EVP APIs, e.g.
EVP_EncryptInit_ex, EVP_EncryptUpdate, EVP_EncryptFinal_ex, and the
equivalently named decrypt functions instead.
*Matt Caswell and Paul Dale*
* Removed include/openssl/ and replaced it with
include/openssl/, which differs in not including
<openssl/macros.h>. A short header include/openssl/opensslconf.h
was added to include both.
This allows internal hacks where one might need to modify the set
of configured macros, for example this if deprecated symbols are
still supposed to be available internally:
#include <openssl/configuration.h>
#include <openssl/macros.h>
This should not be used by applications that use the exported
symbols, as that will lead to linking errors.
*Richard Levitte*
* Fixed an overflow bug in the x64_64 Montgomery squaring procedure
used in exponentiation with 512-bit moduli. No EC algorithms are
affected. Analysis suggests that attacks against 2-prime RSA1024,
3-prime RSA1536, and DSA1024 as a result of this defect would be very
difficult to perform and are not believed likely. Attacks against DH512
are considered just feasible. However, for an attack the target would
have to re-use the DH512 private key, which is not recommended anyway.
Also applications directly using the low level API BN_mod_exp may be
affected if they use BN_FLG_CONSTTIME.
*Andy Polyakov*
* Most memory-debug features have been deprecated, and the functionality
replaced with no-ops.
*Rich Salz*
* Added documentation for the STACK API.
*Rich Salz*
* Introduced a new method type and API, OSSL_ENCODER, to
represent generic encoders. An implementation is expected to
be able to encode an object associated with a given name (such
as an algorithm name for an asymmetric key) into forms given by
implementation properties.
Encoders are primarily used from inside libcrypto, through
calls to functions like EVP_PKEY_print_private(),
PEM_write_bio_PrivateKey() and similar.
Encoders are specified in such a way that they can be made to
directly handle the provider side portion of an object, if this
provider side part comes from the same provider as the encoder
itself, but can also be made to handle objects in parametrized
form (as an OSSL_PARAM array of data). This allows a provider to
offer generic encoders as a service for any other provider.
*Richard Levitte*
* Added a .pragma directive to the syntax of configuration files, to
allow varying behavior in a supported and predictable manner.
Currently added pragma:
.pragma dollarid:on
This allows dollar signs to be a keyword character unless it's
followed by a opening brace or parenthesis. This is useful for
platforms where dollar signs are commonly used in names, such as
volume names and system directory names on VMS.
*Richard Levitte*
* Added functionality to create an EVP_PKEY from user data. This
is effectively the same as creating a RSA, DH or DSA object and
then assigning them to an EVP_PKEY, but directly using algorithm
agnostic EVP functions. A benefit is that this should be future
proof for public key algorithms to come.
*Richard Levitte*
* Change the interpretation of the '--api' configuration option to
mean that this is a desired API compatibility level with no
further meaning. The previous interpretation, that this would
also mean to remove all deprecated symbols up to and including
the given version, no requires that 'no-deprecated' is also used
in the configuration.
When building applications, the desired API compatibility level
can be set with the OPENSSL_API_COMPAT macro like before. For
API compatibility version below 3.0, the old style numerical
value is valid as before, such as -DOPENSSL_API_COMPAT=0x10100000L.
For version 3.0 and on, the value is expected to be the decimal
value calculated from the major and minor version like this:
MAJOR * 10000 + MINOR * 100