diff --git a/CHANGES.md b/CHANGES.md index a4c2185ab0..049c0e7288 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -119,16 +119,19 @@ OpenSSL Releases and `openssl s_server` commands. This makes it possible to specify one or more public keys expected from the remote peer that are then used to authenticate the connection. + *Viktor Dukhovni* * Added `-hmac-env` and `-hmac-stdin` options to `openssl dgst` command. + *Igor Ustinov* * Added LMS support for signature verification to `openssl pkeyutl` command. To enable this, LMS `SubjectPublicKeyInfo` encoder and decoders were added, and the LMS keymanager and signature code were updated. + *Shane Lontis* @@ -150,6 +153,8 @@ OpenSSL Releases Signature Algorithms: mldsa65:mldsa87:mldsa44:ecdsa_secp256r1_sha256:ecdsa_secp384r1_sha384:ecdsa_secp521r1_sha512:ed25519:ed448:ecdsa_brainpoolP256r1tls13_sha256:ecdsa_brainpoolP384r1tls13_sha384:ecdsa_brainpoolP512r1tls13_sha512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:rsa_pkcs1_sha256:rsa_pkcs1_sha384:rsa_pkcs1_sha512:ecdsa_sha224:rsa_pkcs1_sha224:dsa_sha224:dsa_sha256:dsa_sha384:dsa_sha512 + + *Viktor Dukhovni* * Implemented client-side predicted keyshare floating. When a tuple loses 
@@ -159,9 +164,20 @@ OpenSSL Releases because it is removed by configuration (e.g. `DEFAULT:-`), if the tuple remains non-empty, the keyshare is inherited by the first (i.e. most preferred) remaining element of the tuple. + *Viktor Dukhovni* + * Implemented `OSSL_STORE` support for `EVP_SKEY` objects, that includes + addition of new `-skeyuri` and `-storepass` options to `openssl enc` + command, addition of a new `-skeys` option to `openssl storeutl` command, + addition of `OSSL_STORE_INFO_SKEY` `OSS_STORE` object type and the relevant + `OSSL_STORE_INFO_get0_SKEY()`, `OSSL_STORE_INFO_get1_SKEY()`, + and `OSSL_STORE_INFO_new_SKEY()` APIs. + + + *Dmitry Belyavskiy* + * Added support for [RFC 8998], signature algorithm `sm2sig_sm3`, key exchange group `curveSM2`, and [tls-hybrid-sm2-mlkem] post-quantum group `curveSM2MLKEM768`. @@ -174,32 +190,39 @@ OpenSSL Releases value can be specified with the use of either the **-pkeyopt** (`openssl-pkeyutl(1)`) or **-sigopt** (`openssl-dgst(1)`) option with a value of "distid:". + *Viktor Dukhovni* * Added support for TLS 1.3 SM cipher suites `TLS_SM4_GCM_SM3` and `TLS_SM4_CCM_SM3` from [RFC 8998]. + *Milan Brož* * Added cSHAKE function support as per [SP 800-185]. + *Shane Lontis* * Added "ML-DSA-MU" digest algorithm support. + *Shane Lontis* * Added SNMP KDF (`EVP_KDF_SNMPKDF`) to `EVP_KDF`. + *Barry Fussell and Helen Zhang* - * Added SRTP KDF (`EVP_KDF_SRTPKDF`) to `EVP_KDF` + * Added SRTP KDF (`EVP_KDF_SRTPKDF`) to `EVP_KDF`. + *Barry Fussell and Helen Zhang* * Implemented [RFC 7919], adding support for negotiated FFDHE key exchange in TLS 1.2. + *Joachim Vandersmissen* (with additional support from *Viktor Dukhovni*) 
@@ -208,47 +231,97 @@ OpenSSL Releases Raise `X509_V_ERR_EMPTY_AUTHORITY_KEY_IDENTIFIER` when AKID has no attributes. Raise `X509_V_ERR_AKID_ISSUER_SERIAL_NOT_PAIRED` when `authorityCertIssuer` and `authorityCertSerialNumber` fields are not paired. + *Daniel Kubec* * Implemented [RFC 9849], adding support for Encrypted Client Hello (ECH). See `doc/design/ech-api.md` for details. + + + + + + + + + *Stephen Farrell* (with much support from *Matt Caswell* and *Tomáš Mráz*) - * Added the `OSSL_ESS_check_signing_certs_ex()` call. + * Implemented display of CPU capabilities in `openssl version -c` output + on POWER and SPARC platforms, added `OPENSSL_ppccap(3)` manual page. + + + + + *Bernd Edlinger, Nia Alarie, and George Wilson* + + * Added `OSSL_ESS_check_signing_certs_ex()` function. This API call is an extension to `OSSL_ESS_check_signing_certs()` that adds the ability to specify a library context and property query when fetching algorithms to validate a given certificate. + *Neil Horman* - * Added `OPENSSL_sk_set_cmp_thunks()` API to allow for proper typecasting + * Added `OPENSSL_sk_set_cmp_thunks()` function to allow for proper typecasting during comparison of elements in a `STACK_OF` structure. + *Neil Horman* + * Added `OSSL_PARAM_clear_free` function that allows cleansing `PARAM`s that + contain sensitive information, and switched to its use where it is suitable. + + + *Simo Source* + + * Added `ASN1_BIT_STRING_get_length()` function, that returns the number + of octets and the number of unused bits in an `ASN1_BIT_STRING` object. + + + *Bob Beck* + * Added `ASN1_BIT_STRING_set1()` function to set a bit string to a value, including the length in bytes and the number of unused bits. Internally, `ASN1_BIT_STRING_set_bit()` has also been modified to keep the number of unused bits correct when changing an `ASN1_BIT_STRING`. + *Bob Beck* + * Added `PACKET_msg_start()` function, that allows obtaining start + of a `PACKET` buffer. 
+ + + *Matt Caswell* + * Added `SSL_add1_dnsname()`, `SSL_set1_dnsname()`, `SSL_add1_ipaddr()`, and `SSL_set1_ipaddr()` functions as a replacement for `SSL_add1_host()` and `SSL_set1_host()` that are deprecated now. The new replacement API functions was added to support checking multiple names against a certificate with `X509_VERIFY_PARAM`. See `X509_VERIFY_PARAM_set_flags(3)` for full details. + *Bob Beck* + * Added `SSL_listen_ex()` function, that, together with added ability to create + "blank" SSL objects using `OSSL_QUIC_method()`, allows implementing polling + of inbound connections in QUIC in a fashion similar to DTLS. + + + *Neil Horman* + * Added `SSL_CTX_get0_alpn_protos()` and `SSL_get0_alpn_protos()` functions. + *Daniel Kubec* - * Added `SSL_CTX_is_server()`. + * Added `SSL_CTX_is_server()` function, that is similar to `SSL_is_server()`, + but takes `SSL_CTX` object as an argument. + *Igor Ustinov* @@ -257,6 +330,7 @@ OpenSSL Releases it later to continue a computation from a specific checkpoint. Only SHA-2 and the SHA-3 family (Keccak, SHAKE, SHA-3) of functions currently support this functionality. + *Simo Sorce* 
@@ -264,12 +338,33 @@ OpenSSL Releases `send()`, `sendto()`, and `sendmsg()`. The main intention is to allow setting the `MSG_NOSIGNAL` flag to avoid a crash on receiving the `SIGPIPE` signal. + + + *Igor Ustinov* + + * Added `X509v3_delete_extension()` function, that extends + `X509v3_delete_ext()` by deallocating the extension stack if it becomes + empty, as a convenience wrapper useful for optional X.509 extensions. + + + *Viktor Dukhovni* + + * Added ability to specify ML-KEM and ML-DSA encoding formats on a per-key + basis, by setting `output-formats` `EVP_PKEY` encoding parameter + appropriately via `OSSL_ENCODER_CTX_set_params(3)`. + + + *Viktor Dukhovni* + + * Added documentation for `BIO` flags and related functions. + *Igor Ustinov* * FIPS self tests can now be deferred and run as needed when installing the FIPS module with the `-defer_tests` option of the `openssl fipsinstall` command. + *Simo Sorce* @@ -287,6 +382,7 @@ OpenSSL Releases previous OpenSSL version or the default provider, and then re-encrypt them with the newer OpenSSL (using the FIPS provider), thus upgrading to longer password, salt length and AES-256 CBC. + *Dimitri John Ledkov* @@ -295,18 +391,21 @@ OpenSSL Releases OpenSSL can now be configured to use the static or dynamic `vcruntime.dll` linkage. The multithreaded or single threaded static VC runtime is selected based on the `enable-threads` option. + *Neil Horman* * Added configure options to disable KDF algorithms for `hmac-drbg-kdf`, `kbkdf`, `krb5kdf`, `pvkkdf`, `snmpkdf`, `sskdf`, `sshkdf`, `x942kdf`, and `x963kdf`. + *Shane Lontis* * Removed configure options can now only be disabled. You may continue to use `disable-` syntax, which will remain supported. Using `enable-` for a removed feature is no longer permitted. + *Andrew Dinh* 
@@ -315,6 +414,7 @@ OpenSSL Releases of supported `group`s (128) and `sig_alg`s (128). Any sent beyond these limits are ignored, in order to avoid clients sending excessively long lists in these extensions. + *Matt Caswell* @@ -336,11 +436,13 @@ OpenSSL Releases The settings in the stock OpenSSL 4.0 configuration file arrange for addition of the requisite SKID and AKID extensions. Other configuration files may need to be adjusted if desired. + *Viktor Dukhovni* * Enabled Server verification by default in `s_server` when the `-verify_return_error` option is enabled. + *Ryan Hooper* @@ -348,11 +450,13 @@ OpenSSL Releases in hexadecimal format where the first (most significant) byte is >= 0x80. This had been added artificially to resemble ASN.1 DER encoding internals. Fixing this also makes sure that key output always has the expected length. + *David von Oheimb* * Standardized the width of hexadecimal dumps to 24 bytes for signatures (to stay within the 80 characters limit) and 16 bytes for everything else. + *Beat Bolli* @@ -360,21 +464,25 @@ OpenSSL Releases `curveSM2MLKEM768` to the first tuple in that order after `*X25519MLKEM768`. Also inserted a penultimate tuple with `curveSM2` (just before the `FFDHE` groups). + *Viktor Dukhovni* * Consolidated processing of SM2 and EdDSA signatures with essentially identical code for ECDSA in the `openssl speed` command. The output format has changed slightly to report the EC curve name rather than its bit size. + *Viktor Dukhovni* * CRLs with a malformed Issuing Distribution Point extensions are now rejected. + *Daniel Kubec* * CRLs with malformed `CRL Number` or `Delta CRL Indicator` extensions are now rejected. + *Daniel Kubec* 
@@ -383,18 +491,21 @@ OpenSSL Releases of `ASN1_TIME` validation results so that any CRL containing invalid time fields is rejected immediately, preventing the error from propagating to verification. + *Daniel Kubec* * CRLs with a `Certificate Issuer` extension in a certificate revocation entry are now rejected, unless the `Indirect` flag is set to `TRUE` in the `Issuing Distribution Point` extension of the CRL. + *Daniel Kubec* * `SSL_get_error()` no longer depends on the state of the error stack, so it is no longer necessary to empty the error queue before the TLS/SSL I/O operations. + *Igor Ustinov* 
@@ -403,81 +514,133 @@ OpenSSL Releases Access to values from `ASN1_STRING` and related types should be done with the appropriate accessor functions. The various `ASN1_STRING_FLAG` values have been made private. + *Bob Beck* - * `OPENSSL_cleanup()` now runs in a global destructor, or not at all by default. - - `OpenSSL_cleanup()` will no longer by default free global objects when run from - an application. Instead it sets a flag for a global destructor to do this after - the process exits, and after subordinate libraries using OpenSSL have run their - destructors. If destructor support is not available, `OpenSSL_cleanup()` will do - nothing, leaving the global objects to be cleaned up by the Operating System. + * `OPENSSL_cleanup()` now runs in a global destructor, or not at all + by default: `OPENSSL_cleanup()` will no longer by default free global + objects when run from an application. Instead it sets a flag for a global + destructor to do this after the process exits, and after subordinate + libraries using OpenSSL have run their destructors. If destructor support + is not available, `OPENSSL_cleanup()` will do nothing, leaving the global + objects to be cleaned up by the operating system. + *Bob Beck* * `X509_ALGOR_set_md()` function now returns a value indicating success or failure. + *David von Oheimb* - * Added documentation for `X509_cmp_time()`, `X509_cmp_current_time()`, - and `X509_cmp_timeframe()`, and deprecated them. - Added a new function, `X509_check_certificate_times()`, as well as - the `` interface from BoringSSL/LibreSSL. - For details of these functions and non-deprecated replacement - strategies, see `X509_check_certificate_times(3)`. + * Changed `BIO_snprintf()` implementation to use `snprintf()` provided + by system's libc (instead of relying on internal implementation), + making it bug-for-bug compatible with it. 
+ + + *Alexandr Nedvedicky* + + * Added `X509_check_certificate_times()` function, as well as + the `` interface from BoringSSL/LibreSSL, that replace + now deprecated `X509_cmp_time()`, `X509_cmp_current_time()`, + and `X509_cmp_timeframe()`. See `X509_check_certificate_times(3)` + for details. + + + *Bob Beck* - * Const-corrected `time_t` arguments for `X509_cmp_time()`, `X509_time_adj()`, - and `X509_time_adj_ex()`. + * `const`-corrected `time_t` arguments for `X509_cmp_time()`, + `X509_time_adj()`, and `X509_time_adj_ex()`. + *Frederik Wedel-Heinen* - * Made `X509_ATTRIBUTE` accessor functions const-correct. The functions + * Made `X509_ATTRIBUTE` accessor functions `const`-correct. The functions `X509_ATTRIBUTE_get0_object()`, `X509_ATTRIBUTE_get0_type()`, and `X509_ATTRIBUTE_get0_data()` now accept `const X509_ATTRIBUTE *` and - return const pointers. Related PKCS12 functions `PKCS12_get_attr_gen()`, + return `const` pointers. Related PKCS#12 functions `PKCS12_get_attr_gen()`, `PKCS12_get_attr()`, and `PKCS8_get_attr()` have also been updated to return `const ASN1_TYPE *`. + *kovan* - * Constified various function return values, particularly in X509 and related - areas, and when functions were returning non-const objects owned by a const - parameter. + * Made `X509_PUBKEY` accessor functions `const`-correct. + + + *Bob Beck* + + * `const`-corrected various function return values, particularly in `X509` + and related areas, and when functions were returning non-`const` objects + owned by a `const` parameter. + + *Bob Beck* * Many functions accepting `X509 *` arguments, or returning values - from a const `X509 *` have been changed to take/return const + from a `const` `X509 *` have been changed to take/return `const` arguments. The most visible changes are places where pointer values - are returned from a const `X509 *` object. In many places where - these were non const values being returned from a const object, - these pointer values have now been made const. 
The goal of this + are returned from a `const` `X509 *` object. In many places where + these were non `const` values being returned from a `const` object, + these pointer values have now been made `const`. The goal of this change is to enable future improvements in X.509 certificate handling. For full details see the relevant section in - ossl-migration-guide(7). + `ossl-migration-guide(7)`. + + + + + + + + + + + + + + + + + + + + + + + + + + + + *Bob Beck* - * Constified various function parameters, in particular for X509-related - functions. + * `const`-corrected various function parameters, in particular + for `X509`-related functions. + *David von Oheimb* - * Constified various X509-related functions: `X509_get_pathlen()`, + * `const`-corrected various `X509`-related functions: `X509_get_pathlen()`, `X509_check_ca()`, `X509_check_purpose()`, `X509_get_proxy_pathlen()`, `X509_get_extension_flags()`, `X509_get_key_usage()`, `X509_get_extended_key_usage()`, `X509_get0_subject_key_id()`, `X509_get0_authority_key_id()`, `X509_get0_authority_issuer()`, `X509_get0_authority_serial()`, `X509_get0_distinguishing_id()`. + *Bob Beck* * Removed needless `const` qualifiers from scalar type arguments in the public APIs, mostly for AES and Camellia. + *David von Oheimb* 
@@ -485,64 +648,76 @@ OpenSSL Releases `ciphersuites` list, and for that list to contain duplicates. Cipher configuration strings for both TLS 1.2 and 1.3 are now case-insensitive. + *Viktor Dukhovni* * Deprecated `ASN1_OBJECT_new()` function. Refer to `ossl-migration-guide(7)` for more info. + *Frederik Wedel-Heinen* * Deprecated `X509_NAME_get_text_by_NID()` and `X509_NAME_get_text_by_OBJ()` functions, and documented them as such. + *Bob Beck* * Removed the `SSL_TXT_FIPS` option. This was a remnant of the old FIPS canister and wasn't used anymore. + *Dr Paul Dale* * Removed `OPENSSL_atexit()` function. + *Bob Beck* - * Critical extension enforcement for `EXFLAG_BCONS_CRITICAL`, - `EXFLAG_AKID_CRITICAL`, `EXFLAG_SKID_CRITICAL`, and `EXFLAG_SAN_CRITICAL` is - incorrect. These checks were intended as CA requirements to prevent - misinterpretation by verifiers that don't support certain extensions - However, since we do support these extensions, there is no requirement for - them to be marked as critical. Enforcing that on `X509_V_FLAG_X509_STRICT` was a mistake. + * Removed critical extension enforcement for `EXFLAG_BCONS_CRITICAL`, + `EXFLAG_AKID_CRITICAL`, `EXFLAG_SKID_CRITICAL`, and `EXFLAG_SAN_CRITICAL`, + as it was incorrect. These checks were intended as CA requirements + to prevent misinterpretation by verifiers that don't support certain + extensions. However, since we do support these extensions, + there is no requirement for them to be marked as critical. Enforcing + that on `X509_V_FLAG_X509_STRICT` was a mistake. + *Daniel Kubec* - * Support of deprecated elliptic curves in TLS according to [RFC 8422] was - disabled at compile-time by default. To enable it, use the - `enable-tls-deprecated-ec` configuration option. - - *Dmitry Belyavskiy* - * Removed support for an SSLv2 Client Hello. When a client wanted to support both SSLv2 and higher versions like SSLv3 or even TLSv1, it needed to send an SSLv2 Client Hello. 
SSLv2 support itself was removed in OpenSSL 1.1.0, but there was still compatibility code for clients sending an SSLv2 Client Hello. Since we no longer support SSLv2 Client Hello, `SSL_client_hello_isv2()` is now deprecated and always returns 0. + *Kurt Roeckx* * Removed support for SSLv3. SSLv3 has been deprecated since 2015, and OpenSSL had it disabled by default since version 1.1.0 (2016). + *Kurt Roeckx* + * Support of deprecated elliptic curves in TLS according to [RFC 8422] was + disabled at compile-time by default. To enable it, use the + `enable-tls-deprecated-ec` configuration option. + + + *Dmitry Belyavskiy* + * Support of explicit EC curves was disabled by default, an error will occur if an explicit EC curve doesn't match any known one. A new configuration option, `enable-ec_explicit_curves`, is added. + *Dmitry Belyavskiy* * Removed `c_rehash` script tool. Use `openssl rehash` instead. + *Norbert Pócs* @@ -551,24 +726,30 @@ OpenSSL Releases may report spurious allocated and reachable memory at application exit. To avoid such spurious leak detection reports the application may call `OPENSSL_cleanup()` before the process exits. + *Alexandr Nedvedicky* * Removed the `crypto-mdebug-backtrace` configuration option entirely. The option has been a no-op since OpenSSL 1.0.2. + *Neil Horman* * Removed the deprecated function `ASN1_STRING_data()`. + *Bob Beck* * Removed the `ASN1_STRING_FLAG_X509_TIME` define. + *Bob Beck* * Dropped `darwin-i386{,-cc}` and `darwin-ppc{,64}{,-cc}` targets from Configurations. + + *Daniel Kubec and Eugene Syromiatnikov* 
@@ -578,20 +759,43 @@ OpenSSL Releases by defining a macro `OPENSSL_ENGINE_STUBS`; however, all these functions will return error when called. Provider API should be used to replace engine functionality. + *Milan Brož*, *Neil Horman*, *Norbert Pócs* + * Removed deprecated support for custom `EVP_CIPHER`, `EVP_MD`, `EVP_PKEY`, + and `EVP_PKEY_ASN1` methods (`EVP_CIPHER_meth_*`, `EVP_MD_meth_*`, + `EVP_PKEY_meth_*`, and `EVP_PKEY_asn1_*` function families, respectively). + + + + + + + *Matt Caswell* + + * Removed deprecated fixed SSL/TLS version methods + (`{SSLv3,{D,}TLSv1{,_1,_2}}{,_client,_server}_method()` functions), + the migrating application should use `TLS_method()`, `TLS_client_method()`, + and `TLS_server_method()` functions instead. + + + *Frederik Wedel-Heinen* + * Removed `BIO_f_reliable()` implementation without replacement. It was broken since 3.0 release without any complaints. + *Tomáš Mráz* * Removed deprecated functions `ERR_get_state()`, `ERR_remove_state()` and `ERR_remove_thread_state()`. The `ERR_STATE` object is now always opaque. + *Tomáš Mráz* * Removed the deprecated `msie-hack` option from the `openssl ca` command. + *Bob Beck* diff --git a/NEWS.md b/NEWS.md index 494ca0fe67..674c1a64e0 100644 --- a/NEWS.md +++ b/NEWS.md @@ -57,6 +57,9 @@ changes: * `libcrypto` no longer cleans up globally allocated data via `atexit()`. + * `BIO_snprintf()` now uses `snprintf()` provided by libc instead of internal + implementation. + * `OPENSSL_cleanup()` now runs in a global destructor, or not at all by default. 
@@ -91,8 +94,14 @@ changes: * Removed `BIO_f_reliable()` implementation without replacement. It was broken since 3.0 release without any complaints. + * Removed deprecated support for custom `EVP_CIPHER`, `EVP_MD`, `EVP_PKEY`, + and `EVP_PKEY_ASN1` methods. + + * Removed deprecated fixed SSL/TLS version method functions. + * Removed deprecated functions `ERR_get_state()`, `ERR_remove_state()` - and `ERR_remove_thread_state()`. The `ERR_STATE` object is now always opaque. + and `ERR_remove_thread_state()`. The `ERR_STATE` object is now always + opaque. * Dropped `darwin-i386{,-cc}` and `darwin-ppc{,64}{,-cc}` targets from Configurations.
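Review bot: in hunk `@@ -159,9 +164,20 @@`, the new `EVP_SKEY` store entry refers to an "`OSS_STORE` object type", which looks like a typo for `OSSL_STORE` (the entry is about `OSSL_STORE` support and the constant it names is `OSSL_STORE_INFO_SKEY`). While fixing that, the single sentence chaining "that includes addition of ... addition of ... addition of" would read better split in two: "Implemented `OSSL_STORE` support for `EVP_SKEY` objects. This adds the `-skeyuri` and `-storepass` options to `openssl enc`, the `-skeys` option to `openssl storeutl`, the `OSSL_STORE_INFO_SKEY` object type, and the `OSSL_STORE_INFO_get0_SKEY()`, `OSSL_STORE_INFO_get1_SKEY()` and `OSSL_STORE_INFO_new_SKEY()` APIs."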
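Review bot: in hunk `@@ -208,47 +231,97 @@`, the attribution `*Simo Source*` on the `OSSL_PARAM_clear_free` entry disagrees with `*Simo Sorce*` used for the same author in the `@@ -257,6 +330,7 @@` and `@@ -264,12 +338,33 @@` hunks; one spelling should be used throughout. In the same entry, `OSSL_PARAM_clear_free` is the only function in this hunk written without the `()` suffix, and "`PARAM`s" is presumably meant to be "`OSSL_PARAM`s". Two smaller points in this hunk: "The new replacement API functions was added" should read "were added", and the new `SSL_listen_ex()` entry reads more naturally as "together with the added ability to create ...".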
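Review bot: the new entries in hunk `@@ -264,12 +338,33 @@` put a comma before a restrictive "that" ("Added `X509v3_delete_extension()` function, that extends ..."), which should be dropped; the same pattern appears in the other newly added entries of this patch ("function, that returns", "function, that allows", "function, that is similar to") and could be fixed in one pass. The ML-KEM/ML-DSA encoding entry is also missing an article: "by setting the `output-formats` `EVP_PKEY` encoding parameter".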
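Review bot: in hunk `@@ -403,81 +514,133 @@`, the rewritten `X509_check_certificate_times()` entry still contains an empty inline code span ("as well as the `` interface from BoringSSL/LibreSSL"), carried over unchanged from the removed lines; the name of the interface is missing and should be filled in before this merges, or the clause dropped. Also in this hunk, the long run of empty `+` lines between "`ossl-migration-guide(7)`." and `*Bob Beck*` adds a large block of blank lines to CHANGES.md; please confirm that is intentional rather than leftover from an editing pass.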
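Review bot: in hunk `@@ -578,20 +759,43 @@`, the fixed-version method entry joins two sentences with a comma ("... `_method()` functions), the migrating application should use ..."); make it "; migrating applications should use `TLS_method()`, `TLS_client_method()`, and `TLS_server_method()` instead." The brace pattern `{SSLv3,{D,}TLSv1{,_1,_2}}{,_client,_server}_method()` also expands to `DTLSv1_1_method()` and its client/server variants, which never existed (there is no DTLS 1.1), so either spell out the removed functions or say that the pattern is approximate. The run of empty `+` lines between the `EVP_*_meth_*` removal entry and `*Matt Caswell*` is also longer than the two blank lines the surrounding entries use.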
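Review bot: the NEWS.md entry added in hunk `@@ -57,6 +57,9 @@` ("`BIO_snprintf()` now uses `snprintf()` provided by libc instead of internal implementation") is the only place most users will see this behaviour change, and it does not say what can differ. Since the matching CHANGES.md entry in `@@ -403,81 +514,133 @@` describes the result as "bug-for-bug compatible" with the system libc, the NEWS entry should state that `BIO_snprintf()` formatting and edge-case handling now follow the platform's `snprintf()` rather than OpenSSL's former internal implementation, so callers relying on uniform output across platforms know to check. Also insert "the" before "internal implementation".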