For OpenSSL 3.0 a Migration guide has been added, so the CHANGES entries listed here are only a brief description. The migration guide contains more detailed information related to new features, breaking changes, and mappings for the large list of deprecated functions.
Changes between 1.1.1 and 3.0 [xx XXX xxxx]
TLS_MAX_VERSION, DTLS_MAX_VERSION and DTLS_MIN_VERSION constants are now deprecated.
Matt Caswell
The OPENSSL_s390xcap environment variable can be used to set bits in the S390X capability vector to zero. This simplifies testing of different code paths on S390X architecture.
Patrick Steuer
Encrypting more than 2^64 TLS records with AES-GCM is disallowed as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness Requirements from SP 800-38D". The communication will fail at this point.
Paul Dale
The EC_GROUP_clear_free() function is deprecated as there is nothing confidential in EC_GROUP data.
Nicola Tuveri
The byte order mark (BOM) character is ignored if encountered at the beginning of a PEM-formatted file.
Dmitry Belyavskiy
Added CMS support for the Russian GOST algorithms.
Dmitry Belyavskiy
Due to the move of the implementation of cryptographic operations to the providers, validation of various operation parameters can be postponed until the actual operation is executed, where previously it happened immediately when an operation parameter was set.
For example when setting an unsupported curve with EVP_PKEY_CTX_set_ec_paramgen_curve_nid() this function call will not fail but later keygen operations with the EVP_PKEY_CTX will fail.
OpenSSL team members and many third party contributors
The EVP_get_cipherbyname() function will return NULL for algorithms such as "AES-128-SIV", "AES-128-CBC-CTS" and "CAMELLIA-128-CBC-CTS" which were previously only accessible via low level interfaces. Use EVP_CIPHER_fetch() instead to retrieve these algorithms from a provider.
Shane Lontis
On build targets where the multilib postfix is set in the build configuration, the libdir directory was changing based on whether the lib directory with the multilib postfix exists on the system or not. This unpredictable behavior was removed and any configured multilib postfix is now always added to the default libdir. Use --libdir=lib to override the libdir if adding the postfix is undesirable.
Jan Lána
The triple DES key wrap functionality now conforms to RFC 3217 but is no longer interoperable with OpenSSL 1.1.1.
Paul Dale
The ERR_GET_FUNC() function was removed. With the loss of meaningful function codes, this function can only cause problems for calling applications.
Paul Dale
Add a configurable flag to output date formats as ISO 8601. Does not change the default date format.
William Edmisten
Versions of MSVC earlier than 1300 could get link warnings, which could be suppressed if the undocumented -DI_CAN_LIVE_WITH_LNK4049 was set. Support for this flag has been removed.
Rich Salz
Rework and make DEBUG macros consistent. Remove unused -DCONF_DEBUG, -DBN_CTX_DEBUG, and REF_PRINT. Add a new tracing category and use it for printing reference counts. Rename -DDEBUG_UNUSED to -DUNUSED_RESULT_DEBUG. Fix BN_DEBUG_RAND so it compiles and, when set, force DEBUG_RAND to be set also. Rename engine_debug_ref to ENGINE_REF_PRINT, also for consistency.
Rich Salz
The signatures of the functions to get and set options on SSL and SSL_CTX objects changed from "unsigned long" to "uint64_t" type. Some source code changes may be required.
Rich Salz
The public definitions of conf_method_st and conf_st have been deprecated. They will be made opaque in a future release.
Rich Salz and Tomáš Mráz
Client-initiated renegotiation is disabled by default. To allow it, use the -client_renegotiation option, the SSL_OP_ALLOW_CLIENT_RENEGOTIATION flag, or the "ClientRenegotiation" config parameter as appropriate.
Rich Salz
Add "abspath" and "includedir" pragmas to config files, to prevent or modify relative pathname inclusion.
Rich Salz
OpenSSL includes a cryptographic module that is intended to be FIPS 140-2 validated. Please consult the README-FIPS and README-PROVIDERS files, as well as the migration guide.
OpenSSL team members and many third party contributors
For the key types DH and DHX the allowed settable parameters are now different.
Shane Lontis
The openssl commands that read keys, certificates, and CRLs now automatically detect the PEM or DER format of the input files.
David von Oheimb, Richard Levitte, and Tomáš Mráz
Added enhanced PKCS#12 APIs which accept a library context.
Jon Spillett
The default manual page suffix ($MANSUFFIX) has been changed to "ossl".
Matt Caswell
Added support for Kernel TLS (KTLS).
Boris Pismenny, John Baldwin and Andrew Gallatin
Support for RFC 5746 secure renegotiation is now required by default for SSL or TLS connections to succeed.
Benjamin Kaduk
The signature of the copy functional parameter of the EVP_PKEY_meth_set_copy() function has changed so its src argument is now const EVP_PKEY_CTX * instead of EVP_PKEY_CTX *. Similarly the signature of the pub_decode functional parameter of the EVP_PKEY_asn1_set_public() function has changed so its pub argument is now const X509_PUBKEY * instead of X509_PUBKEY *.
David von Oheimb
The error return values from some control calls (ctrl) have changed.
Paul Dale
A public key check is now performed during EVP_PKEY_derive_set_peer().
Shane Lontis
Many functions in the EVP_ namespace that are getters of values from implementations or contexts were renamed to include get or get0 in their names. Old names are provided as macro aliases for compatibility and are not deprecated.
Tomáš Mráz
The EVP_PKEY_CTRL_PKCS7_ENCRYPT, EVP_PKEY_CTRL_PKCS7_DECRYPT, EVP_PKEY_CTRL_PKCS7_SIGN, EVP_PKEY_CTRL_CMS_ENCRYPT, EVP_PKEY_CTRL_CMS_DECRYPT, and EVP_PKEY_CTRL_CMS_SIGN control operations are deprecated.
Tomáš Mráz
The EVP_PKEY_public_check() and EVP_PKEY_param_check() functions now work for more key types.
The output from the command line applications may have minor changes.
Paul Dale
The output from numerous "printing" functions may have minor changes.
David von Oheimb
Windows thread synchronization uses read/write primitives (SRWLock) when supported by the OS, otherwise CriticalSection continues to be used.
Vincent Drake
Add filter BIO BIO_f_readbuffer() that allows BIO_tell() and BIO_seek() to work on read only BIO source/sinks that do not support these functions. This allows piping or redirection of a file BIO using stdin to be buffered into memory. This is used internally in OSSL_DECODER_from_bio().
Shane Lontis
OSSL_STORE_INFO_get_type() may now return an additional value. In 1.1.1 this function would return one of the values OSSL_STORE_INFO_NAME, OSSL_STORE_INFO_PKEY, OSSL_STORE_INFO_PARAMS, OSSL_STORE_INFO_CERT or OSSL_STORE_INFO_CRL. Decoded public keys would previously have been reported as type OSSL_STORE_INFO_PKEY in 1.1.1. In 3.0 decoded public keys are now reported as having the new type OSSL_STORE_INFO_PUBKEY. Applications using this function should be amended to handle the changed return value.
Richard Levitte
Improved adherence to Enhanced Security Services (ESS, RFC 2634 and RFC 5035) for the TSP and CMS Advanced Electronic Signatures (CAdES) implementations. As required by RFC 5035, check both ESSCertID and ESSCertIDv2 if both are present. Correct the semantics of checking the validation chain in case ESSCertID{,v2} contains more than one certificate identifier: this means that all certificates referenced there MUST be part of the validation chain.
David von Oheimb
The implementations of the older EVP ciphers related to CAST, IDEA, SEED, RC2, RC4, RC5, DESX and DES have been moved to the legacy provider.
Matt Caswell
The implementations of the EVP digests MD2, MD4, MDC2, WHIRLPOOL and RIPEMD-160 have been moved to the legacy provider.
Matt Caswell
The deprecated function EVP_PKEY_get0() now returns NULL when called for a provided key.
Dmitry Belyavskiy
The deprecated functions EVP_PKEY_get0_RSA(), EVP_PKEY_get0_DSA(), EVP_PKEY_get0_EC_KEY(), EVP_PKEY_get0_DH(), EVP_PKEY_get0_hmac(), EVP_PKEY_get0_poly1305() and EVP_PKEY_get0_siphash() as well as the similarly named "get1" functions behave differently in OpenSSL 3.0.
Matt Caswell
A number of functions handling low-level keys or engines were deprecated including EVP_PKEY_set1_engine(), EVP_PKEY_get0_engine(), EVP_PKEY_assign(), EVP_PKEY_get0(), EVP_PKEY_get0_hmac(), EVP_PKEY_get0_poly1305() and EVP_PKEY_get0_siphash().
Matt Caswell
PKCS#5 PBKDF1 key derivation has been moved from PKCS5_PBE_keyivgen() into the legacy crypto provider as an EVP_KDF. Applications requiring this KDF will need to load the legacy crypto provider. This includes these PBE algorithms which use this KDF:
NID_pbeWithMD2AndDES_CBC
NID_pbeWithMD5AndDES_CBC
NID_pbeWithSHA1AndRC2_CBC
NID_pbeWithMD2AndRC2_CBC
NID_pbeWithMD5AndRC2_CBC
NID_pbeWithSHA1AndDES_CBC
Jon Spillett
Deprecated obsolete BIO_set_callback(), BIO_get_callback(), and BIO_debug_callback() functions.
Tomáš Mráz
Deprecated obsolete EVP_PKEY_CTX_get0_dh_kdf_ukm() and EVP_PKEY_CTX_get0_ecdh_kdf_ukm() functions.
Tomáš Mráz
The RAND_METHOD APIs have been deprecated.
Paul Dale
The SRP APIs have been deprecated.
Matt Caswell
Add a compile time option to prevent the caching of provider fetched algorithms. This is enabled by including the no-cached-fetch option at configuration time.
Paul Dale
pkcs12 now uses defaults of PBKDF2, AES and SHA-256, with a MAC iteration count of PKCS12_DEFAULT_ITER.
Tomáš Mráz and Sahana Prasad
The openssl speed command does not use low-level API calls anymore.
Tomáš Mráz
Parallel dual-prime 1024-bit modular exponentiation for AVX512_IFMA capable processors.
Ilya Albrekht, Sergey Kirillov, Andrey Matyukov (Intel Corp)
Combining the Configure options no-ec and no-dh no longer disables TLSv1.3.
Matt Caswell
Implemented support for fully "pluggable" TLSv1.3 groups. This means that providers may supply their own group implementations (using either the "key exchange" or the "key encapsulation" methods) which will automatically be detected and used by libssl.
Matt Caswell, Nicola Tuveri
The undocumented function X509_certificate_type() has been deprecated.
Rich Salz
Deprecated the obsolete BN_pseudo_rand() and BN_pseudo_rand_range().
Tomáš Mráz
Removed RSA padding mode for SSLv23 (which was only used for SSLv2). This includes the functions RSA_padding_check_SSLv23() and RSA_padding_add_SSLv23() and the -ssl option in the deprecated rsautl command.
Rich Salz
Deprecated the obsolete X9.31 RSA key generation related functions.
Although a callback function set via SSL_CTX_set_cert_verify_callback() is not allowed to return a value > 1, such a return value is no longer treated as a failure.
Viktor Dukhovni and David von Oheimb
Deprecated the obsolete X9.31 RSA key generation related functions BN_X931_generate_Xpq(), BN_X931_derive_prime_ex(), and BN_X931_generate_prime_ex().
Tomáš Mráz
The default key generation method for the regular 2-prime RSA keys was changed to the FIPS 186-4 B.3.6 method.
Shane Lontis
Deprecated the BN_is_prime_ex() and BN_is_prime_fasttest_ex() functions.
Kurt Roeckx
Deprecated EVP_MD_CTX_set_update_fn() and EVP_MD_CTX_update_fn().
Rich Salz
Deprecated the type OCSP_REQ_CTX and the functions OCSP_REQ_CTX_*() and replaced them with OSSL_HTTP_REQ_CTX and the functions OSSL_HTTP_REQ_CTX_*().
Rich Salz, Richard Levitte, and David von Oheimb
Deprecated X509_http_nbio() and X509_CRL_http_nbio().
David von Oheimb
Deprecated OCSP_parse_url().
David von Oheimb
Validation of SM2 keys has been separated from the validation of regular EC keys.
Nicola Tuveri
The behavior of the pkey app has changed when using the -check or -pubcheck switches: a validation failure triggers an early exit, returning a failure exit status to the parent process.
Nicola Tuveri
Changed behavior of SSL_CTX_set_ciphersuites() and SSL_set_ciphersuites() to ignore unknown ciphers.
Otto Hollmann
The -cipher-commands and -digest-commands options of the command line utility list have been deprecated. Instead use the -cipher-algorithms and -digest-algorithms options.
Dmitry Belyavskiy
Added convenience functions for generating asymmetric key pairs: the 'quick' one-shot (yet somewhat limited) function L<EVP_PKEY_Q_keygen(3)> and macros for the most common cases: L<EVP_RSA_gen(3)> and L<EVP_EC_gen(3)>.
David von Oheimb
All of the low level EC_KEY functions have been deprecated.
Shane Lontis, Paul Dale, Richard Levitte, and Tomáš Mráz
Deprecated all the libcrypto and libssl error string loading functions.
Richard Levitte
The functions SSL_CTX_set_tmp_dh_callback and SSL_set_tmp_dh_callback, as well as the macros SSL_CTX_set_tmp_dh() and SSL_set_tmp_dh() have been deprecated.
Matt Caswell
The -crypt option to the passwd command line tool has been removed.
Paul Dale
The -C option to the x509, dhparam, dsaparam, and ecparam commands has been removed.
Rich Salz
Add support for AES Key Wrap inverse ciphers to the EVP layer.
Shane Lontis
Deprecated EVP_PKEY_set1_tls_encodedpoint() and EVP_PKEY_get1_tls_encodedpoint().
Matt Caswell
The security callback, which can be customised by application code, supports the security operation SSL_SECOP_TMP_DH. One location of the "other" parameter was incorrectly passing a DH object. It now passes an EVP_PKEY in all cases.
Matt Caswell
Add PKCS7_get_octet_string() and PKCS7_type_is_other() to the public interface. Their functionality remains unchanged.
Jordan Montgomery
Added new option for 'openssl list', '-providers', which will display the list of loaded providers, their names, version and status. It optionally displays their gettable parameters.
Paul Dale
Removed EVP_PKEY_set_alias_type().
Richard Levitte
Deprecated EVP_PKEY_CTX_set_rsa_keygen_pubexp() and introduced EVP_PKEY_CTX_set1_rsa_keygen_pubexp(), which is now preferred.
Jeremy Walch
Changed all "STACK" functions to be macros instead of inline functions. Macro parameters are still checked for type safety at compile time via helper inline functions.
Matt Caswell
Remove the RAND_DRBG API.
Paul Dale and Matthias St. Pierre
Allow SSL_set1_host() and SSL_add1_host() to take IP literal addresses as well as actual hostnames.
David Woodhouse
The 'MinProtocol' and 'MaxProtocol' configuration commands now silently ignore TLS protocol version bounds when configuring DTLS-based contexts, and conversely, silently ignore DTLS protocol version bounds when configuring TLS-based contexts. The commands can be repeated to set bounds of both types. The same applies with the corresponding "min_protocol" and "max_protocol" command-line switches, in case some application uses both TLS and DTLS.
SSL_CTX instances that are created for a fixed protocol version (e.g. TLSv1_server_method()) also silently ignore version bounds. Previously, attempts to apply bounds to these protocol versions would result in an error. Now only the "version-flexible" SSL_CTX instances are subject to limits in configuration files and command-line options.
Viktor Dukhovni
Deprecated the ENGINE API. Engines should be replaced with providers going forward.
Paul Dale
Reworked the recorded ERR codes to make better space for system errors. To distinguish them, the macro ERR_SYSTEM_ERROR() indicates if the given code is a system error (true) or an OpenSSL error (false).
Richard Levitte
Reworked the test perl framework to better allow parallel testing.
Nicola Tuveri and David von Oheimb
Added ciphertext stealing algorithms AES-128-CBC-CTS, AES-192-CBC-CTS and AES-256-CBC-CTS to the providers. CS1, CS2 and CS3 variants are supported.
Shane Lontis
'Configure' has been changed to figure out the configuration target if none is given on the command line. Consequently, the 'config' script is now only a mere wrapper. All documentation is changed to only mention 'Configure'.
Rich Salz and Richard Levitte
Added a library context OSSL_LIB_CTX that applications as well as other libraries can use to form a separate context within which libcrypto operations are performed.
Richard Levitte
Added various _ex functions to the OpenSSL API that support using a non-default OSSL_LIB_CTX.
OpenSSL team
Handshake now fails if Extended Master Secret extension is dropped on renegotiation.
Tomáš Mráz
Dropped interactive mode from the openssl program.
Richard Levitte
Deprecated EVP_PKEY_cmp() and EVP_PKEY_cmp_parameters().
David von Oheimb and Shane Lontis
Deprecated EC_METHOD_get_field_type().
Billy Bob Brumley
Deprecated EC_GFp_simple_method(), EC_GFp_mont_method(), EC_GF2m_simple_method(), EC_GFp_nist_method(), EC_GFp_nistp224_method() EC_GFp_nistp256_method(), and EC_GFp_nistp521_method().
Billy Bob Brumley
Deprecated EC_GROUP_new(), EC_GROUP_method_of(), and EC_POINT_method_of().
Billy Bob Brumley
Add CAdES-BES signature verification support, mostly derived from ESSCertIDv2 TS (RFC 5816) contribution by Marek Klein.
Filipe Raimundo da Silva
Add CAdES-BES signature scheme and attributes support (RFC 5126) to CMS API.
Antonio Iacono
Added the AuthEnvelopedData content type structure (RFC 5083) with AES-GCM parameter (RFC 5084) for the Cryptographic Message Syntax (CMS).
Jakub Zelenka
Deprecated EC_POINT_make_affine() and EC_POINTs_make_affine().
Billy Bob Brumley
Deprecated EC_GROUP_precompute_mult(), EC_GROUP_have_precompute_mult(), and EC_KEY_precompute_mult().
Billy Bob Brumley
Deprecated EC_POINTs_mul().
Billy Bob Brumley
Removed FIPS_mode() and FIPS_mode_set().
Shane Lontis
The SSL option SSL_OP_IGNORE_UNEXPECTED_EOF is introduced.
Dmitry Belyavskiy
Deprecated EC_POINT_set_Jprojective_coordinates_GFp() and EC_POINT_get_Jprojective_coordinates_GFp().
Billy Bob Brumley
Added OSSL_PARAM_BLD to the public interface. This allows OSSL_PARAM arrays to be more easily constructed via a series of utility functions. Create a parameter builder using OSSL_PARAM_BLD_new(), add parameters using the various push functions and finally convert to a passable OSSL_PARAM array using OSSL_PARAM_BLD_to_param().
Paul Dale
The security strength of SHA1 and MD5 based signatures in TLS has been reduced.
Kurt Roeckx
Added EVP_PKEY_set_type_by_keymgmt(), to initialise an EVP_PKEY to contain a provider side internal key.
Richard Levitte
ASN1_verify(), ASN1_digest() and ASN1_sign() have been deprecated.
Richard Levitte
Project text documents not yet having a proper file name extension (HACKING, LICENSE, NOTES*, README*, VERSION) have been renamed to *.md as far as reasonable, else *.txt, for better use with file managers.
David von Oheimb
The main project documents (README, NEWS, CHANGES, INSTALL, SUPPORT) have been converted to Markdown with the goal to produce documents which not only look pretty when viewed online in the browser, but remain well readable inside a plain text editor.
To achieve this goal, a 'minimalistic' Markdown style has been applied which avoids formatting elements that interfere too much with the reading flow in the text file. For example, it
avoids ATX headings and uses setext headings instead (which works for <h1> and <h2> headings only).
avoids inline links and uses reference links instead.
avoids fenced code blocks and uses indented code blocks instead.
Matthias St. Pierre
The test suite is changed to preserve results of each test recipe. A new directory test-runs/ with subdirectories named like the test recipes is created in the build tree for this purpose.
Richard Levitte
Added an implementation of CMP and CRMF (RFC 4210, RFC 4211, RFC 6712). This adds crypto/cmp/, crypto/crmf/, apps/cmp.c, and test/cmp_*. See L<openssl-cmp(1)> and L<OSSL_CMP_exec_IR_ses(3)> as starting points.
David von Oheimb, Martin Peylo
Generalized the HTTP client code from crypto/ocsp/ into crypto/http/. It supports arbitrary request and response content types, GET redirection, TLS, connections via HTTP(S) proxies, connections and exchange via user-defined BIOs (allowing implicit connections), persistent connections, and timeout checks. See L<OSSL_HTTP_transfer(3)> etc. for details. The legacy OCSP-focused (and only partly documented) API is retained for backward compatibility, while most of it is deprecated.
David von Oheimb
Added util/check-format.pl, a tool for checking adherence to the OpenSSL coding style (https://www.openssl.org/policies/codingstyle.html). The checks performed are incomplete and yield some false positives. Still the tool should be useful for detecting most typical glitches.
David von Oheimb
BIO_do_connect() and BIO_do_handshake() have been extended: If domain name resolution yields multiple IP addresses all of them are tried after connect() failures.
David von Oheimb
All of the low level RSA functions have been deprecated.
Paul Dale
X509 certificates signed using SHA1 are no longer allowed at security level 1 and above.
Kurt Roeckx
The command line utilities dhparam, dsa, gendsa and dsaparam have been modified to use PKEY APIs. These commands are now in maintenance mode and no new features will be added to them.
Paul Dale
The command line utility rsautl has been deprecated.
Paul Dale
The command line utilities genrsa and rsa have been modified to use PKEY APIs. They now write PKCS#8 keys by default. These commands are now in maintenance mode and no new features will be added to them.
Paul Dale
All of the low level DH functions have been deprecated.
Paul Dale and Matt Caswell
All of the low level DSA functions have been deprecated.
Paul Dale
Reworked the treatment of EC EVP_PKEYs with the SM2 curve to automatically become EVP_PKEY_SM2 rather than EVP_PKEY_EC.
Richard Levitte
Deprecated low level ECDH and ECDSA functions.
Paul Dale
Deprecated EVP_PKEY_decrypt_old() and EVP_PKEY_encrypt_old().
Richard Levitte
Enhanced the documentation of EVP_PKEY_get_size(), EVP_PKEY_get_bits() and EVP_PKEY_get_security_bits(). Especially EVP_PKEY_get_size() needed a new formulation to include all the things it can be used for, as well as words of caution.
Richard Levitte
The SSL_CTX_set_tlsext_ticket_key_cb(3) function has been deprecated.
Paul Dale
All of the low level HMAC functions have been deprecated.
Paul Dale and David von Oheimb
Over two thousand fixes were made to the documentation, including:
Common options (such as -rand/-writerand, TLS version control, etc) were refactored and point to newly-enhanced descriptions in openssl.pod.
Added style conformance for all options (with help from Richard Levitte), documented all reported missing options, added a CI build to check that all options are documented and that no unimplemented options are documented.
Documented some internals, such as all use of environment variables.
Addressed all internal broken L<> references.
Rich Salz
All of the low level CMAC functions have been deprecated.
Paul Dale
The low-level MD2, MD4, MD5, MDC2, RIPEMD160 and Whirlpool digest functions have been deprecated.
Paul Dale and David von Oheimb
Corrected the documentation of the return values from the EVP_DigestSign* set of functions. The documentation mentioned negative values for some errors, but this was never the case, so the mention of negative values was removed.
Code that followed the documentation and thereby checks with something like EVP_DigestSignInit(...) <= 0 will continue to work undisturbed.
Richard Levitte
All of the low level cipher functions have been deprecated.
Matt Caswell and Paul Dale
Removed include/openssl/opensslconf.h.in and replaced it with include/openssl/configuration.h.in, which differs in not including <openssl/macros.h>. A short header include/openssl/opensslconf.h was added to include both.
This allows internal hacks where one might need to modify the set of configured macros, for example when deprecated symbols are still supposed to be available internally:
#include <openssl/configuration.h>
#undef OPENSSL_NO_DEPRECATED
#define OPENSSL_SUPPRESS_DEPRECATED
#include <openssl/macros.h>
This should not be used by applications that use the exported symbols, as that will lead to linking errors.
Richard Levitte
Fixed an overflow bug in the x86_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low-level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. (CVE-2019-1551)
Andy Polyakov
Most memory-debug features have been deprecated, and the functionality replaced with no-ops.
Rich Salz
Added documentation for the STACK API.
Rich Salz
Introduced a new method type and API, OSSL_ENCODER, to represent generic encoders. These do the same sort of job that PEM writers and d2i functions do, but with support for methods supplied by providers, and the possibility for providers to support other formats as well.
Richard Levitte
Introduced a new method type and API, OSSL_DECODER, to represent generic decoders. These do the same sort of job that PEM readers and i2d functions do, but with support for methods supplied by providers, and the possibility for providers to support other formats as well.
Richard Levitte
Added a .pragma directive to the syntax of configuration files, to allow varying behavior in a supported and predictable manner. Currently added pragma:
.pragma dollarid:on
This allows dollar signs to be a keyword character unless followed by an opening brace or parenthesis. This is useful for platforms where dollar signs are commonly used in names, such as volume names and system directory names on VMS.
Richard Levitte
Added functionality to create an EVP_PKEY from user data.
Richard Levitte
Change the interpretation of the '--api' configuration option to mean that this is a desired API compatibility level with no further meaning. The previous interpretation, that this would also mean to remove all deprecated symbols up to and including the given version, now requires that 'no-deprecated' is also used in the configuration.
When building applications, the desired API compatibility level can be set with the OPENSSL_API_COMPAT macro like before. For API compatibility versions below 3.0, the old style numerical value is valid as before, such as -DOPENSSL_API_COMPAT=0x10100000L. For version 3.0 and on, the value is expected to be the decimal value calculated from the major and minor version like this:
MAJOR * 10000 + MINOR * 100
Examples:
-DOPENSSL_API_COMPAT=30000 For 3.0
-DOPENSSL_API_COMPAT=30200 For 3.2
To hide declarations that are deprecated up to and including the given API compatibility level, -DOPENSSL_NO_DEPRECATED must be given when building the application as well.
Richard Levitte
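Because both encodings of OPENSSL_API_COMPAT described above remain valid, build tooling that inspects the value has to handle each form. The following is an added example, not OpenSSL project code, that normalises either encoding to the 3.0-style decimal level. The hex layout it decodes (0xMNNFFPPSL: one major nibble, then minor, fix, patch and status bytes) is the pre-3.0 OpenSSL version-number layout; the threshold separating the two encodings and the helper names are this example's own assumptions, chosen because every decimal level lies far below the smallest hex value that denotes a real release (0x00908000L for 0.9.8).

```c
/*
 * Added example (not OpenSSL project code): normalising OPENSSL_API_COMPAT
 * to the 3.0-style level  MAJOR * 10000 + MINOR * 100 (+ FIX).
 */
#include <stdio.h>

/*
 * Assumption of this example: values below this are already 3.0-style decimal
 * levels (even 99.99 -> 999900 < 0x00908000); values at or above it are the
 * pre-3.0 hex form 0xMNNFFPPSL.
 */
#define API_COMPAT_HEX_THRESHOLD 0x00908000UL

unsigned long api_compat_to_level(unsigned long compat)
{
    unsigned long major, minor, fix;

    if (compat < API_COMPAT_HEX_THRESHOLD)
        return compat;                     /* already a decimal level */

    major = (compat >> 28) & 0xF;          /* M  nibble  */
    minor = (compat >> 20) & 0xFF;         /* NN byte    */
    fix   = (compat >> 12) & 0xFF;         /* FF byte; PP and S are dropped */
    return major * 10000 + minor * 100 + fix;
}

/*
 * A declaration deprecated at decimal level `deprecated_in` is hidden when the
 * requested compatibility level is at or above it (and, per the entry above,
 * only if OPENSSL_NO_DEPRECATED is also defined for the build).
 */
int api_symbol_hidden(unsigned long compat, unsigned long deprecated_in)
{
    return api_compat_to_level(compat) >= deprecated_in;
}

int main(void)
{
    const unsigned long samples[] = { 0x10100000UL, 0x10101000UL, 30000UL, 30200UL };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("OPENSSL_API_COMPAT=0x%lX -> level %lu, 3.0 deprecations hidden: %s\n",
               samples[i], api_compat_to_level(samples[i]),
               api_symbol_hidden(samples[i], 30000UL) ? "yes" : "no");
    return 0;
}
```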
Added the X509_LOOKUP_METHOD called X509_LOOKUP_store, to allow access to certificate and CRL stores via URIs and OSSL_STORE loaders.
This adds the following functions:
X509_LOOKUP_store()
X509_STORE_load_file()
X509_STORE_load_path()
X509_STORE_load_store()
SSL_add_store_cert_subjects_to_stack()
SSL_CTX_set_default_verify_store()
SSL_CTX_load_verify_file()
SSL_CTX_load_verify_dir()
SSL_CTX_load_verify_store()
Richard Levitte
Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY. The presence of this system service is determined at run-time.
Richard Levitte
Added functionality to create an EVP_PKEY context based on data for methods from providers. This takes an algorithm name and a property query string and simply stores them, with the intent that any operation that uses this context will use those strings to fetch the needed methods implicitly, thereby making it easier to port applications written for pre-3.0 OpenSSL.
Richard Levitte
The undocumented function NCONF_WIN32() has been deprecated; for conversion details see the HISTORY section of doc/man5/config.pod
Rich Salz
Introduced the new functions EVP_DigestSignInit_ex() and EVP_DigestVerifyInit_ex(). The macros EVP_DigestSignUpdate() and EVP_DigestVerifyUpdate() have been converted to functions. See the man pages for further details.
Matt Caswell
Over two thousand fixes were made to the documentation, including: adding missing command flags, better style conformance, documentation of internals, etc.
Rich Salz, Richard Levitte
s390x assembly pack: add hardware-support for P-256, P-384, P-521, X25519, X448, Ed25519 and Ed448.
Patrick Steuer
Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just the first value.
Jon Spillett
Deprecated the public definition of ERR_STATE as well as the function ERR_get_state(). This is done in preparation of making ERR_STATE an opaque type.
Richard Levitte
Added ERR functionality to give callers access to the stored function names that have replaced the older function code based functions.
New functions are ERR_peek_error_func(), ERR_peek_last_error_func(), ERR_peek_error_data(), ERR_peek_last_error_data(), ERR_get_error_all(), ERR_peek_error_all() and ERR_peek_last_error_all().
Deprecate ERR functions ERR_get_error_line(), ERR_get_error_line_data(), ERR_peek_error_line_data(), ERR_peek_last_error_line_data() and ERR_func_error_string().
Richard Levitte
Extended testing to be verbose for failing tests only. The make variables VERBOSE_FAILURE or VF can be used to enable this:
$ make VF=1 test # Unix
$ mms /macro=(VF=1) test ! OpenVMS
$ nmake VF=1 test # Windows
Richard Levitte
Added the -copy_extensions option to the x509 command for use with -req and -x509toreq. When given with the copy or copyall argument, all extensions in the request are copied to the certificate or vice versa.
David von Oheimb, Kirill Stefanenkov kirill_stefanenkov@rambler.ru
Added the -copy_extensions option to the req command for use with -x509. When given with the copy or copyall argument, all extensions in the certification request are copied to the certificate.
David von Oheimb
The x509, req, and ca commands now make sure that X.509v3 certificates they generate are by default RFC 5280 compliant in the following sense: There is a subjectKeyIdentifier extension with a hash value of the public key and for not self-signed certs there is an authorityKeyIdentifier extension with a keyIdentifier field or issuer information identifying the signing key. This is done unless some configuration overrides the new default behavior, such as subjectKeyIdentifier = none and authorityKeyIdentifier = none.
David von Oheimb
Added several checks to X509_verify_cert() according to requirements in RFC 5280 in case X509_V_FLAG_X509_STRICT is set (which may be done by using the CLI option -x509_strict):
The basicConstraints of CA certificates must be marked critical.
CA certificates must explicitly include the keyUsage extension.
If a pathlenConstraint is given the key usage keyCertSign must be allowed.
The issuer name of any certificate must not be empty.
The subject name of CA certs, certs with keyUsage crlSign, and certs without subjectAlternativeName must not be empty.
If a subjectAlternativeName extension is given it must not be empty.
The signatureAlgorithm field and the cert signature must be consistent.
Any given authorityKeyIdentifier and any given subjectKeyIdentifier must not be marked critical.
The authorityKeyIdentifier must be given for X.509v3 certs unless they are self-signed.
The subjectKeyIdentifier must be given for all X.509v3 CA certs.
David von Oheimb
Certificate verification using X509_verify_cert() meanwhile rejects EC keys with explicit curve parameters (specifiedCurve) as required by RFC 5480.
Tomáš Mráz
For built-in EC curves, ensure an EC_GROUP built from the curve name is used even when parsing explicit parameters, when loading an encoded key or calling EC_GROUP_new_from_ecpkparameters()/EC_GROUP_new_from_ecparameters(). This prevents bypass of security hardening and performance gains, especially for curves with specialized EC_METHODs. By default, if a key encoded with explicit parameters is loaded and later encoded, the output is still encoded with explicit parameters, even if internally a "named" EC_GROUP is used for computation.
Nicola Tuveri
Compute ECC cofactors if not provided during EC_GROUP construction. Before this change, EC_GROUP_set_generator would accept order and/or cofactor as NULL. After this change, only the cofactor parameter can be NULL. It also does some minimal sanity checks on the passed order. (CVE-2019-1547)
Billy Bob Brumley
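The cofactor recovery mentioned in the entry above rests on Hasse's theorem: the number of curve points lies within 2*sqrt(p) of p + 1, so once the subgroup order n is known the cofactor h = #E / n is pinned down as round((p + 1) / n). The following Python is an added illustration of that argument, written for this page; it is not OpenSSL's EC_GROUP code, and the sanity checks it applies (minimum order size, Hasse consistency) are this example's own. The curve constants are the published parameters of P-256, secp256k1 and Curve25519, used only as test inputs.

```python
"""Cofactor recovery from (p, n) via Hasse's theorem (added example, not OpenSSL code)."""

# Published parameters of well-known curves, used here only as inputs.
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
SECP256K1_P = 2**256 - 2**32 - 977
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
CURVE25519_P = 2**255 - 19
CURVE25519_N = 2**252 + 27742317777372353535851937790883648493


def within_hasse_bound(p: int, num_points: int) -> bool:
    """Hasse: |#E(GF(p)) - (p + 1)| <= 2*sqrt(p), tested with integers only."""
    diff = num_points - (p + 1)
    return diff * diff <= 4 * p


def guess_cofactor(p: int, order: int) -> int:
    """Recover h with #E = h * order from the field prime p and the generator order.

    #E lies in an interval of width 4*sqrt(p) around p + 1, so h = round((p + 1) / n)
    is the only candidate once n is a few bits longer than half of p.  Raises
    ValueError for inputs that cannot describe a curve (this example's own checks).
    """
    if p < 3 or order < 2:
        raise ValueError("field prime must be > 2 and order must be > 1")
    # Uniqueness needs n > 4*sqrt(p); demand a small margin beyond half the bits of p.
    if order.bit_length() <= (p.bit_length() + 1) // 2 + 3:
        raise ValueError("order too small relative to p; cofactor cannot be inferred")
    h = (p + 1 + order // 2) // order        # integer round((p + 1) / n)
    if h < 1 or not within_hasse_bound(p, h * order):
        raise ValueError("order inconsistent with Hasse's theorem; rejecting group")
    return h


def is_plausible_group(p: int, order: int) -> bool:
    """Convenience wrapper: True when guess_cofactor() accepts the pair."""
    try:
        guess_cofactor(p, order)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name, p, n in (("P-256", P256_P, P256_N),
                       ("secp256k1", SECP256K1_P, SECP256K1_N),
                       ("Curve25519", CURVE25519_P, CURVE25519_N)):
        print(f"{name}: cofactor = {guess_cofactor(p, n)}")
```

The Hasse check is what turns a missing cofactor from "trust the caller" into a verifiable property: an order that is off by even a small multiple of 2*sqrt(p) is rejected instead of producing a group with the wrong structure.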
Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey. An attack is simple if the first CMS_recipientInfo is valid but the second CMS_recipientInfo is chosen ciphertext. If the second recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct encryption key will be replaced by garbage, and the message cannot be decoded, but if the RSA decryption fails, the correct encryption key is used and the recipient will not notice the attack. As a workaround for this potential attack the length of the decrypted key must be equal to the cipher default key length, in case the certificate is not given and all recipientInfo are tried out. The old behaviour can be re-enabled in the CMS code by setting the CMS_DEBUG_DECRYPT flag.
Bernd Edlinger
Early start up entropy quality from the DEVRANDOM seed source has been improved for older Linux systems. The RAND subsystem will wait for /dev/random to be producing output before seeding from /dev/urandom. The seeded state is stored for future library initialisations using a system global shared memory segment. The shared memory identifier can be configured by defining OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID to the desired value. The default identifier is 114.
Paul Dale
Revised BN_generate_prime_ex to not avoid factors 2..17863 in p-1 when primes for RSA keys are computed. Since we previously always generated primes == 2 (mod 3) for RSA keys, the 2-prime and 3-prime RSA moduli were easy to distinguish, since N = p*q = 1 (mod 3), but N = p*q*r = 2 (mod 3). Therefore fingerprinting 2-prime vs. 3-prime RSA keys was possible by computing N mod 3. This avoids possible fingerprinting of newly generated RSA moduli.
Bernd Edlinger
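The residue argument in the entry above is easy to reproduce: if every prime factor is 2 (mod 3), a product of two of them is 1 (mod 3) and a product of three is 2 (mod 3), so N mod 3 alone reveals the prime count. The Python below is an added example for this page, not OpenSSL's BN_generate_prime_ex; it uses a toy Miller-Rabin prime generator at 64 bits with a switch that mimics the old "avoid 3 as a factor of p-1" behaviour, and counts the residues so the effect of the change can be checked on generated moduli.

```python
"""Why N mod 3 distinguished 2-prime from 3-prime RSA moduli (added example, not OpenSSL code)."""
import random


def is_probable_prime(n: int, rounds: int = 32, rng=random) -> bool:
    """Miller-Rabin probabilistic primality test; adequate for a demonstration."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int, rng: random.Random, avoid_factor_3: bool) -> int:
    """Random prime of the given size.

    avoid_factor_3=True mimics the old behaviour of rejecting primes with
    3 | (p - 1), which is the same as only accepting p == 2 (mod 3).
    """
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # top and low bit set
        if avoid_factor_3 and p % 3 != 2:
            continue
        if is_probable_prime(p, rng=rng):
            return p


def make_modulus(bits: int, num_primes: int, rng: random.Random, avoid_factor_3: bool) -> int:
    """Product of num_primes primes of `bits` bits each."""
    n = 1
    for _ in range(num_primes):
        n *= gen_prime(bits, rng, avoid_factor_3)
    return n


def residue_mod_3_distribution(num_primes: int, samples: int, avoid_factor_3: bool,
                               seed: int = 1) -> dict:
    """Count N mod 3 over `samples` freshly generated moduli.

    Old-style generation yields a single residue that depends only on the
    number of primes (1 for two primes, 2 for three, since 2^k mod 3 alternates);
    new-style generation yields both residues regardless of the prime count.
    """
    rng = random.Random(seed)
    counts = {1: 0, 2: 0}
    for _ in range(samples):
        counts[make_modulus(64, num_primes, rng, avoid_factor_3) % 3] += 1
    return counts


if __name__ == "__main__":
    for k in (2, 3):
        print(f"{k}-prime, old style:", residue_mod_3_distribution(k, 20, True))
        print(f"{k}-prime, new style:", residue_mod_3_distribution(k, 20, False))
```

The deterministic part (old-style residues) follows from arithmetic alone; the new-style counts are random but, with primes equidistributed between 1 and 2 (mod 3), both residues appear for either prime count, which is exactly what removes the fingerprint.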
Correct the extended master secret constant on EBCDIC systems. Without this fix TLS connections between an EBCDIC system and a non-EBCDIC system that negotiate EMS will fail. Unfortunately this also means that TLS connections between EBCDIC systems with this fix, and EBCDIC systems without this fix will fail if they negotiate EMS.
Matt Caswell
Changed the library initialisation so that the config file is now loaded by default. This was already the case for libssl. It now occurs for both libcrypto and libssl. Use the OPENSSL_INIT_NO_LOAD_CONFIG option to OPENSSL_init_crypto() to suppress automatic loading of a config file.
Matt Caswell
Introduced new error raising macros, ERR_raise() and ERR_raise_data(), where the former acts as a replacement for ERR_put_error(), and the latter replaces the combination ERR_put_error() + ERR_add_error_data(). ERR_raise_data() adds more flexibility by taking a format string and an arbitrary number of arguments following it, to be processed with BIO_snprintf().
Richard Levitte
Introduced a new function, OSSL_PROVIDER_available(), which can be used to check if a named provider is loaded and available. When called, it will also activate all fallback providers if such are still present.
Richard Levitte
Enforce a minimum DH modulus size of 512 bits.
Bernd Edlinger
Changed DH parameters to generate the order q subgroup instead of 2q. Previously generated DH parameters are still accepted by DH_check but DH_generate_key works around that by clearing bit 0 of the private key for those. This avoids leaking bit 0 of the private key.
Bernd Edlinger
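The two DH entries above (the 512-bit minimum and the order-q subgroup) can be checked on a parameter set without any library code. For a safe prime p = 2q + 1, a generator of the full order-2q group is a quadratic non-residue, so the residuosity of y = g^x follows the parity of x; a generator of the order-q subgroup is a residue and y carries no such bit. The Python below is an added example written for this page, not OpenSSL's DH_check or DH_generate_key; the toy safe prime p = 2039, q = 1019 is constructed for readability, and primality of p and q is assumed rather than tested.

```python
"""DH parameter checks: modulus size and order-q vs order-2q generator (added example, not OpenSSL code)."""
import random

# Constructed toy parameters: p = 2q + 1 with q = 1019 (both prime, assumed checked).
TOY_P = 2039
TOY_Q = 1019
TOY_G_ORDER_2Q = 7   # quadratic non-residue mod 2039: generates the full group
TOY_G_ORDER_Q = 2    # quadratic residue mod 2039: generates the order-q subgroup


def is_quadratic_residue(a: int, p: int) -> bool:
    """Euler's criterion for an odd prime p."""
    return pow(a, (p - 1) // 2, p) == 1


def generator_has_order_q(p: int, q: int, g: int) -> bool:
    """For a safe prime p = 2q + 1, an element other than 1 and p - 1 has order q
    exactly when it is a quadratic residue, i.e. g^q == 1 (mod p)."""
    return 1 < g < p - 1 and pow(g, q, p) == 1


def residuosity_reveals_parity(p: int, q: int, g: int) -> bool:
    """True when y = g^x has different residuosity for even and odd x, which is
    the bit-0 leak the entry describes.  It happens exactly when g has order 2q."""
    return is_quadratic_residue(pow(g, 2, p), p) != is_quadratic_residue(pow(g, 3, p), p)


def generate_private_key(p: int, q: int, g: int, rng: random.Random) -> int:
    """Random x in [1, q-1]; for an order-2q generator clear bit 0, as the entry
    says DH_generate_key now does, so y is always a residue and its residuosity
    says nothing about x."""
    x = rng.randrange(1, q)
    if not generator_has_order_q(p, q, g):
        x &= ~1
    return x


def all_private_keys_even(p: int, q: int, g: int, samples: int = 50, seed: int = 1) -> bool:
    """Helper for checking the workaround over many generated keys."""
    rng = random.Random(seed)
    return all(generate_private_key(p, q, g, rng) % 2 == 0 for _ in range(samples))


def check_dh_params(p: int, q: int, g: int, min_bits: int = 512) -> list:
    """Problems with a parameter set in the spirit of the two entries above."""
    issues = []
    if p.bit_length() < min_bits:
        issues.append("modulus shorter than %d bits" % min_bits)
    if p != 2 * q + 1:
        issues.append("p is not 2q + 1")
    if not generator_has_order_q(p, q, g):
        issues.append("generator has order 2q: bit 0 of private keys is observable unless cleared")
    return issues


if __name__ == "__main__":
    print("order-q generator:", check_dh_params(TOY_P, TOY_Q, TOY_G_ORDER_Q, min_bits=8))
    print("order-2q generator:", check_dh_params(TOY_P, TOY_Q, TOY_G_ORDER_2Q, min_bits=8))
```

Generating parameters with an order-q generator removes the issue at the source; clearing bit 0 for legacy parameters closes the leak at the cost of one bit of private-key entropy, which is why the entry treats it as a workaround rather than the fix.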
Significantly reduce secure memory usage by the randomness pools.
Paul Dale
{CRYPTO,OPENSSL}_mem_debug_{push,pop} are now no-ops and have been deprecated.
Rich Salz
A new type, EVP_KEYEXCH, has been introduced to represent key exchange algorithms. An implementation of a key exchange algorithm can be obtained by using the function EVP_KEYEXCH_fetch(). An EVP_KEYEXCH algorithm can be used in a call to EVP_PKEY_derive_init_ex() which works in a similar way to the older EVP_PKEY_derive_init() function. See the man pages for the new functions for further details.
Matt Caswell
The EVP_PKEY_CTX_set_dh_pad() macro has now been converted to a function.
Matt Caswell
Removed the function names from error messages and deprecated the xxx_F_xxx defines.
Richard Levitte
Removed NextStep support and the macro OPENSSL_UNISTD.
Rich Salz
Removed DES_check_key. Also removed OPENSSL_IMPLEMENT_GLOBAL, OPENSSL_GLOBAL_REF, OPENSSL_DECLARE_GLOBAL. Also removed "export var as function" capability; we do not export variables, only functions.
Rich Salz
RC5_32_set_key has been changed to return an int type, with 0 indicating an error and 1 indicating success. In previous versions of OpenSSL this was a void type. If a key was set longer than the maximum possible this would crash.
Matt Caswell
Support SM2 signing and verification schemes with X509 certificate.
Paul Yang
Use SHA256 as the default digest for TS query in the ts app.
Tomáš Mráz
Change PBKDF2 to conform to SP800-132 instead of the older PKCS5 RFC2898.
Shane Lontis
Default cipher lists/suites are now available via a function, the #defines are deprecated.
Todd Short
Added the targets VC-WIN32-UWP, VC-WIN64A-UWP, VC-WIN32-ARM-UWP and VC-WIN64-ARM-UWP to the Windows OneCore target family, to make building libraries for Windows Store apps easier. Also, the "no-uplink" option has been added.
Kenji Mouri
Join the directories crypto/x509 and crypto/x509v3.
Richard Levitte
Added command 'openssl kdf' that uses the EVP_KDF API.
Shane Lontis
Added command 'openssl mac' that uses the EVP_MAC API.
Shane Lontis
Added OPENSSL_info() to get diverse built-in OpenSSL data, such as default directories. Also added the command 'openssl info' for scripting purposes.
Richard Levitte
The functions AES_ige_encrypt() and AES_bi_ige_encrypt() have been deprecated.
Matt Caswell
Add prediction resistance to the DRBG reseeding process.
Paul Dale
Limit the number of blocks in a data unit for AES-XTS to 2^20 as mandated by IEEE Std 1619-2018.
Paul Dale
Added newline escaping functionality to a filename when using openssl dgst. This output format replicates that of the *sum checksum programs. This aims to preserve backward compatibility.
Matt Eaton, Richard Levitte, and Paul Dale
Removed the DTLS heartbeat message feature, as it has very little usage and doesn't seem to fulfill a valuable purpose. The configuration option is now deprecated.
Richard Levitte
Changed the output of 'openssl {digestname} < file' to display the digest name in its output.
Richard Levitte
Added a new generic trace API which provides support for enabling instrumentation through trace output.
Richard Levitte & Matthias St. Pierre
Added build tests for C++. These are generated files that only do one thing, to include one public OpenSSL header file each. This tests that the public header files can be usefully included in a C++ application.
This test isn't enabled by default. It can be enabled with the option 'enable-buildtest-c++'.
Richard Levitte
Added KB KDF (EVP_KDF_KB) to EVP_KDF.
Robbie Harwood
Added SSH KDF (EVP_KDF_SSHKDF) and KRB5 KDF (EVP_KDF_KRB5KDF) to EVP_KDF.
Simo Sorce
Added Single Step KDF (EVP_KDF_SS), X963 KDF, and X942 KDF to EVP_KDF.
Shane Lontis
Added KMAC to EVP_MAC.
Shane Lontis
Added property based algorithm implementation selection framework to the core.
Paul Dale
Added SCA hardening for modular field inversion in EC_GROUP through a new dedicated field_inv() pointer in EC_METHOD. This also addresses a leakage affecting conversions from projective to affine coordinates.
Billy Bob Brumley, Nicola Tuveri
Added EVP_KDF, an EVP layer KDF API, to simplify adding KDF and PRF implementations. This includes an EVP_PKEY to EVP_KDF bridge for those algorithms that were already supported through the EVP_PKEY API (scrypt, TLS1 PRF and HKDF). The low-level KDF functions for PBKDF2 and scrypt are now wrappers that call EVP_KDF.
David Makepeace
Build devcrypto engine as a dynamic engine.
Eneas U de Queiroz
Add keyed BLAKE2 to EVP_MAC.
Antoine Salon
Fix a bug in the computation of the endpoint-pair shared secret used by DTLS over SCTP. This breaks interoperability with older versions of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2. There is a runtime switch SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG (off by default) enabling interoperability with such broken implementations. However, enabling this switch breaks interoperability with correct implementations.
Fix a use after free bug in d2i_X509_PUBKEY when overwriting a re-used X509_PUBKEY object if the second PUBKEY is malformed.
Bernd Edlinger
Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().
Richard Levitte
Changed the license to the Apache License v2.0.
Richard Levitte
Switch to a new version scheme using three numbers MAJOR.MINOR.PATCH.
Major releases (indicated by incrementing the MAJOR release number) may introduce incompatible API/ABI changes.
Minor releases (indicated by incrementing the MINOR release number) may introduce new features but retain API/ABI compatibility.
Patch releases (indicated by incrementing the PATCH number) are intended for bug fixes and other improvements of existing features only (like improving performance or adding documentation) and retain API/ABI compatibility.
Richard Levitte
Add support for RFC5297 SIV mode (siv128), including AES-SIV.
Todd Short
Remove the 'dist' target and add a tarball building script. The 'dist' target has fallen out of use, and it shouldn't be necessary to configure just to create a source distribution.
Richard Levitte
Recreate the OS390-Unix config target. It no longer relies on a special script like it did for OpenSSL pre-1.1.0.
Richard Levitte
Instead of having the source directories listed in Configure, add a 'build.info' keyword SUBDIRS to indicate what sub-directories to look into.
Richard Levitte
Add GMAC to EVP_MAC.
Paul Dale
Ported the HMAC, CMAC and SipHash EVP_PKEY_METHODs to EVP_MAC.
Richard Levitte
Added EVP_MAC, an EVP layer MAC API, to simplify adding MAC implementations. This includes a generic EVP_PKEY to EVP_MAC bridge, to facilitate the continued use of MACs through raw private keys in functionality such as EVP_DigestSign* and EVP_DigestVerify*.
Richard Levitte
Deprecate ECDH_KDF_X9_62().
Antoine Salon
Added EVP_PKEY_ECDH_KDF_X9_63 and ecdh_KDF_X9_63() as replacements for the EVP_PKEY_ECDH_KDF_X9_62 KDF type and ECDH_KDF_X9_62(). The old names are retained for backwards compatibility.
Antoine Salon
AES-XTS mode now enforces that its two keys are different to mitigate the attack described in "Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC" by Phillip Rogaway. Details of this attack can be obtained from:
http://web.cs.ucdavis.edu/%7Erogaway/papers/offsets.pdf
Paul Dale
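The entry above and the earlier entry limiting AES-XTS data units to 2^20 blocks are both constraints an integrator can verify before handing parameters to any XTS implementation. The validator below is an added example written for this page, not OpenSSL's EVP code; it assumes the usual XTS-AES key layout (two equal AES keys concatenated, key1 for the data blocks and key2 for the tweak) and a 16-byte block.

```python
"""Validate AES-XTS parameters: distinct keys and the 2^20-block data-unit limit (added example, not OpenSSL code)."""
import hmac

XTS_BLOCK_BYTES = 16
XTS_MAX_BLOCKS_PER_DATA_UNIT = 1 << 20          # IEEE Std 1619-2018 limit cited in the entry


def split_xts_key(key: bytes):
    """An XTS-AES key is two AES keys of equal length: key1 encrypts the data
    blocks, key2 encrypts the tweak (the data-unit number)."""
    if len(key) not in (32, 64):
        raise ValueError("XTS key must be 32 (AES-128) or 64 (AES-256) bytes")
    half = len(key) // 2
    return key[:half], key[half:]


def validate_xts_parameters(key: bytes, data_unit_len: int) -> list:
    """Return a list of violations; an empty list means the parameters are acceptable."""
    issues = []
    key1, key2 = split_xts_key(key)
    # Compare in constant time so the check itself is not a timing channel on key material.
    if hmac.compare_digest(key1, key2):
        issues.append("key1 equals key2: data and tweak keys must differ")
    if data_unit_len < XTS_BLOCK_BYTES:
        issues.append("data unit shorter than one block")
    # Ceiling division: a partial final block is still a block (ciphertext stealing).
    blocks = (data_unit_len + XTS_BLOCK_BYTES - 1) // XTS_BLOCK_BYTES
    if blocks > XTS_MAX_BLOCKS_PER_DATA_UNIT:
        issues.append("data unit of %d blocks exceeds the 2^20-block limit" % blocks)
    return issues


if __name__ == "__main__":
    # Constructed sample keys: distinct halves, and the degenerate all-equal case.
    distinct = bytes(range(32))
    repeated = bytes(16) * 2
    print("distinct halves, 4 KiB unit:", validate_xts_parameters(distinct, 4096))
    print("repeated halves, 4 KiB unit:", validate_xts_parameters(repeated, 4096))
    print("distinct halves, 16 MiB + 1 unit:", validate_xts_parameters(distinct, (16 << 20) + 1))
```

A 16 MiB data unit is exactly 2^20 blocks and passes; one more byte starts a 2^20 + 1st block and is rejected, matching the boundary the entry describes.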
Rename the object files, i.e. give them other names than in previous versions. Their names now include the name of the final product, as well as its type mnemonic (bin, lib, shlib).
Richard Levitte
Added new option for 'openssl list', '-objects', which will display the list of built-in objects, i.e. OIDs with names.
Richard Levitte
Added the options -crl_lastupdate and -crl_nextupdate to openssl ca, allowing the lastUpdate and nextUpdate fields in the generated CRL to be set explicitly.
Chris Novakovic
Added support for Linux Kernel TLS data-path. The Linux Kernel data-path improves application performance by removing data copies and providing applications with zero-copy system calls such as sendfile and splice.
Boris Pismenny
The SSL option SSL_OP_CLEANSE_PLAINTEXT is introduced.
Martin Elshuber
PKCS12_parse now maintains the order of the parsed certificates when outputting them via *ca (rather than reversing it).
David von Oheimb
Deprecated pthread fork support methods.
Randall S. Becker
Added support for FFDHE key exchange in TLS 1.3.
Raja Ashok
Added a new concept for OpenSSL pluggability: providers. This functionality is designed to replace the ENGINE API and ENGINE implementations, and to be much more dynamic, allowing provider authors to introduce new algorithms among other things, as long as there's an API that supports the algorithm type.
With this concept comes a new core API for interaction between libcrypto and provider implementations. Public libcrypto functions that want to use providers do so through this core API.
The main documentation for this core API is found in doc/man7/provider.pod, doc/man7/provider-base.pod, and they in turn refer to other manuals describing the API specific for supported algorithm types (also called operations).