1.1.1.1 | 17-Jul-2025 | christos | Import openssl-3.5.1 (previous was 3.0.16). Changes:
Changes between 3.5.0 and 3.5.1 [xx XXX xxxx]
Fix x509 application adds trusted use instead of rejected use.
Issue summary: Use of -addreject option with the openssl x509 application adds a trusted use instead of a rejected use for a certificate.
Impact summary: If a user intends to make a trusted certificate rejected for a particular use it will be instead marked as trusted for that use.
(CVE-2025-4575)
Tomas Mraz
Aligned the behaviour of TLS and DTLS in the event of a no_renegotiation alert being received. Older versions of OpenSSL failed with DTLS if a no_renegotiation alert was received. All versions of OpenSSL do this for TLS. From 3.2 a bug was exposed that meant that DTLS ignored no_renegotiation. We have now restored the original behaviour and brought DTLS back into line with TLS.
Matt Caswell
Changes between 3.4 and 3.5.0 [8 Apr 2025]
Added server side support for QUIC
Hugo Landau, Matt Caswell, Tomáš Mráz, Neil Horman, Sasha Nedvedicky, Andrew Dinh
Tolerate PKCS#8 version 2 with optional public keys. The public key data is currently ignored.
Viktor Dukhovni
Signature schemes without an explicit signing digest in CMS are now supported. Examples of such schemes are ED25519 or ML-DSA.
Michael Schroeder
The TLS Signature algorithms defaults now include all three ML-DSA variants as first algorithms.
Viktor Dukhovni
Added a no-tls-deprecated-ec configuration option.
The no-tls-deprecated-ec option disables support for TLS elliptic curve groups deprecated in RFC8422 at compile time. This does not affect use of the associated curves outside TLS. By default support for these groups is compiled in, but, as before, they are not included in the default run-time list of supported groups.
With the enable-tls-deprecated-ec option these TLS groups remain enabled at compile time even if the default configuration is changed, provided the underlying EC curves remain implemented.
Viktor Dukhovni
Added new API to enable 0-RTT for 3rd party QUIC stacks.
Cheng Zhang
Added support for a new callback registration SSL_CTX_set_new_pending_conn_cb, which allows for application notification of new connection SSL object creation, which occurs independently of calls to SSL_accept_connection(). Note: QUIC objects passed through SSL callbacks should not have their state mutated via calls back into the SSL api until such time as they have been received via a call to SSL_accept_connection().
Neil Horman
Add SLH-DSA as specified in FIPS 205.
Shane Lontis and Dr Paul Dale
ML-KEM as specified in FIPS 203.
Based on the original implementation in BoringSSL, ported from C++ to C, refactored, and integrated into the OpenSSL default and FIPS providers. Including also the X25519MLKEM768, SecP256r1MLKEM768, SecP384r1MLKEM1024 TLS hybrid key post-quantum/classical key agreement schemes.
Michael Baentsch, Viktor Dukhovni, Shane Lontis and Paul Dale
Add ML-DSA as specified in FIPS 204.
The base code was derived from BoringSSL C++ code.
Shane Lontis, Viktor Dukhovni and Paul Dale
Added new API calls to enable 3rd party QUIC stacks to use the OpenSSL TLS implementation.
Matt Caswell
The default DRBG implementations have been changed to prefer to fetch algorithm implementations from the default provider (the provider the DRBG implementation is built in) regardless of the default properties set in the configuration file. The code will still fallback to find an implementation, as done previously, if needed.
Simo Sorce
Initial support for opaque symmetric keys objects (EVP_SKEY). These replace the ad-hoc byte arrays that are pervasive throughout the library.
Dmitry Belyavskiy and Simo Sorce
The default TLS group list setting is now set to: ?*X25519MLKEM768 / ?*X25519:?secp256r1 / ?X448:?secp384r1:?secp521r1 / ?ffdhe2048:?ffdhe3072
This means two key shares (X25519MLKEM768 and X25519) will be sent by default by the TLS client. GOST groups and FFDHE groups larger than 3072 bits are no longer enabled by default.
The group names in the group list setting are now also case insensitive.
Viktor Dukhovni
For TLSv1.3: Add capability for a client to send multiple key shares. Extend the scope of SSL_OP_CIPHER_SERVER_PREFERENCE to cover server-side key exchange group selection.
Extend the server-side key exchange group selection algorithm and related group list syntax to support multiple group priorities, e.g. to prioritize (hybrid-)KEMs.
David Kelsey, Martin Schmatz
A new random generation API has been introduced which modifies all of the RAND_bytes(3) family of calls so they are routed through a specific named provider instead of being resolved via the normal DRBG chaining. In a future OpenSSL release, this will obsolete RAND_METHOD.
Dr Paul Dale
New inline functions were added to support loads and stores of unsigned 16-bit, 32-bit and 64-bit integers in either little-endian or big-endian form, regardless of the host byte-order. See the OPENSSL_load_u16_le(3) manpage for details.
Viktor Dukhovni
All the BIO_meth_get_*() functions allowing reuse of the internal OpenSSL BIO method implementations were deprecated. The reuse is unsafe due to dependency on the code of the internal methods not changing.
Tomáš Mráz
Support DEFAULT keyword and '-' prefix in SSL_CTX_set1_groups_list(). SSL_CTX_set1_groups_list() now supports the DEFAULT keyword which sets the available groups to the default selection. The '-' prefix allows the calling application to remove a group from the selection.
Frederik Wedel-Heinen
Updated the default encryption cipher for the req, cms, and smime applications from des-ede3-cbc to aes-256-cbc.
AES-256 provides a stronger 256-bit key encryption than legacy 3DES.
Aditya
Enhanced PKCS#7 inner contents verification. In the PKCS7_verify() function, the BIO *indata parameter refers to the signed data if the content is detached from p7. Otherwise, indata should be NULL, and then the signed data must be in p7.
The previous OpenSSL implementation only supported MIME inner content [RFC 5652, section 5.2].
The added functionality now enables support for PKCS#7 inner content [RFC 2315, section 7].
Małgorzata Olszówka
The -rawin option of the pkeyutl command is now implied (and thus no longer required) when using -digest or when signing or verifying with an Ed25519 or Ed448 key. The -digest and -rawin option may only be given with -sign or -verify.
David von Oheimb
X509_PURPOSE_add() has been modified to take sname instead of id as the primary purpose identifier. For its convenient use, X509_PURPOSE_get_unused_id() has been added.
This work was sponsored by Siemens AG.
David von Oheimb
Added support for central key generation in CMP.
This work was sponsored by Siemens AG.
Rajeev Ranjan
Optionally allow the FIPS provider to use the JITTER entropy source. Note that using this option will require the resulting FIPS provider to undergo entropy source validation ESV by the CMVP, without this the FIPS provider will not be FIPS compliant. Enable this using the configuration option enable-fips-jitter.
Paul Dale
Extended OPENSSL_ia32cap support to accommodate additional CPUID feature/capability bits in leaf 0x7 (Extended Feature Flags) as well as leaf 0x24 (Converged Vector ISA).
Dan Zimmerman, Alina Elizarova
Cipher pipelining support for provided ciphers with new API functions EVP_CIPHER_can_pipeline(), EVP_CipherPipelineEncryptInit(), EVP_CipherPipelineDecryptInit(), EVP_CipherPipelineUpdate(), and EVP_CipherPipelineFinal(). Cipher pipelining support allows application to submit multiple chunks of data in one cipher update call, thereby allowing the provided implementation to take advantage of parallel computing. There are currently no built-in ciphers that support pipelining. This new API replaces the legacy pipeline API SSL_CTX_set_max_pipelines used with Engines.
Ramkumar
Add CMS_NO_SIGNING_TIME flag to CMS_sign(), CMS_add1_signer()
Previously there was no way to create a CMS SignedData signature without a signing time attribute, because CMS_SignerInfo_sign added it unconditionally. However, there is a use case (PAdES signatures, ETSI EN 319 142-1) where this attribute is not allowed, so a new flag was added to the CMS API that causes this attribute to be omitted at signing time.
The new -no_signing_time option of the cms command enables this flag.
Juhász Péter
Parallel dual-prime 1024/1536/2048-bit modular exponentiation for AVX_IFMA capable processors (Intel Sierra Forest and its successor).
This optimization brings performance enhancement, ranging from 1.8 to 2.2 times, for the sign/decryption operations of rsaz-2k/3k/4k (openssl speed rsa) on the Intel Sierra Forest.
Zhiguo Zhou, Wangyang Guo (Intel Corp)
VAES/AVX-512 support for AES-XTS.
For capable processors (>= Intel Icelake), this provides a vectorized implementation of AES-XTS with a throughput improvement between 1.3x to 2x, depending on the block size.
Pablo De Lara Guarch, Dan Pittman
Fixed EVP_DecodeUpdate() to not write padding zeros to the decoded output.
According to the documentation, for every 4 valid base64 bytes processed (ignoring whitespace, carriage returns and line feeds), EVP_DecodeUpdate() produces 3 bytes of binary output data (except at the end of data terminated with one or two padding characters). However, the function behaved like an EVP_DecodeBlock(). It produced exactly 3 output bytes for every 4 input bytes. Such behaviour could cause writes to a non-allocated output buffer if a user allocates its size based on the documentation and knowing the padding size.
The fix makes EVP_DecodeUpdate() produce exactly as many output bytes as in the initial non-encoded message.
Valerii Krygin
Added support for aAissuingDistributionPoint, allowedAttributeAssignments, timeSpecification, attributeDescriptor, roleSpecCertIdentifier, authorityAttributeIdentifier and attributeMappings X.509v3 extensions.
Jonathan M. Wilbur
Added a new CLI option -provparam and API functions for setting of provider configuration parameters.
Viktor Dukhovni
Added a new trace category for PROVIDER calls and added new tracing calls in provider and algorithm fetching API functions.
Neil Horman
Fixed benchmarking for AEAD ciphers in the openssl speed utility.
Mohammed Alhabib
Added a build configuration option enable-sslkeylog for enabling support for SSLKEYLOGFILE environment variable to log TLS connection secrets.
Neil Horman
Added EVP_get_default_properties() function to retrieve the current default property query string.
Dmitry Belyavskiy
OpenSSL 3.4
Changes between 3.4.1 and 3.4.2 [xx XXX xxxx]
When displaying distinguished names in the openssl application escape control characters by default.
Tomáš Mráz
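A certificate subject or issuer is attacker-chosen text, so printing it raw lets a terminal escape sequence or an embedded newline corrupt a console or forge log lines. The following added Python illustration (not OpenSSL's code) shows the escaping the change describes: C0 control characters and DEL in each attribute value are replaced by \XX hex escapes before display. The sample DN is constructed.

```python
def escape_dn_value(value):
    """Escape control characters in one attribute value for display.

    C0 controls (0x00-0x1F) and DEL (0x7F) become \\XX hex escapes, and a
    literal backslash is doubled so the escaped form stays unambiguous.
    The \\XX form is the hex-escape style used by the openssl name printer;
    this function is an illustration, not OpenSSL's implementation.
    """
    out = []
    for ch in value:
        code = ord(ch)
        if ch == "\\":
            out.append("\\\\")
        elif code < 0x20 or code == 0x7F:
            out.append("\\%02X" % code)
        else:
            out.append(ch)
    return "".join(out)


def format_dn(rdns):
    """Render a list of (attribute, value) pairs as 'CN=..., O=...' with
    every value escaped, so the result is a single, printable line."""
    return ", ".join("%s=%s" % (attr, escape_dn_value(value)) for attr, value in rdns)


# Constructed sample: an ANSI "clear screen" sequence in the CN and a CRLF
# plus a fake second attribute in the O, as an attacker might embed them.
SAMPLE_DN = [("CN", "www.example.test\x1b[2J"),
             ("O", "Example Corp\r\nOU=forged")]


if __name__ == "__main__":
    print(format_dn(SAMPLE_DN))
```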
Changes between 3.4.0 and 3.4.1 [11 Feb 2025]
Fixed RFC7250 handshakes with unauthenticated servers don't abort as expected.
Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the server was not authenticated, because handshakes don't abort as expected when the SSL_VERIFY_PEER verification mode is set.
(CVE-2024-12797)
Viktor Dukhovni
Fixed timing side-channel in ECDSA signature computation.
There is a timing signal of around 300 nanoseconds when the top word of the inverted ECDSA nonce value is zero. This can happen with significant probability only for some of the supported elliptic curves. In particular the NIST P-521 curve is affected. To be able to measure this leak, the attacker process must either be located in the same physical computer or must have a very fast network connection with low latency.
(CVE-2024-13176)
Tomáš Mráz
Reverted the behavior change of CMS_get1_certs() and CMS_get1_crls() that happened in the 3.4.0 release. These functions now return NULL again if there are no certs or crls in the CMS object.
Tomáš Mráz
Changes between 3.3 and 3.4.0 [22 Oct 2024]
For the FIPS provider only, replaced the primary DRBG with a continuous health check module. This also removes the now forbidden DRBG chaining.
Paul Dale
Improved base64 BIO correctness and error reporting.
Viktor Dukhovni
Added support for directly fetched composite signature algorithms such as RSA-SHA2-256 including new API functions in the EVP_PKEY_sign, EVP_PKEY_verify and EVP_PKEY_verify_recover groups.
Richard Levitte
XOF Digest API improvements
EVP_MD_CTX_get_size() and EVP_MD_CTX_size are macros that were aliased to EVP_MD_get_size which returns a constant value. XOF Digests such as SHAKE have an output size that is not fixed, so calling EVP_MD_get_size() is not sufficient. The existing macros now point to the new function EVP_MD_CTX_get_size_ex() which will retrieve the "size" for a XOF digest, otherwise it falls back to calling EVP_MD_get_size(). Note that the SHAKE implementation did not have a context getter previously, so the "size" will only be able to be retrieved with new providers.
Also added a EVP_xof() helper.
Shane Lontis
Added FIPS indicators to the FIPS provider.
FIPS 140-3 requires indicators to be used if the FIPS provider allows non-approved algorithms. An algorithm is approved if it passes all required checks such as minimum key size. By default an error will occur if any check fails. For backwards compatibility individual algorithms may override the checks by using either an option in the FIPS configuration OR in code using an algorithm context setter. Overriding the check means that the algorithm is not FIPS compliant. OSSL_INDICATOR_set_callback() can be called to register a callback to log unapproved algorithms. At the end of any algorithm operation the approved status can be queried using an algorithm context getter. FIPS provider configuration options are set using 'openssl fipsinstall'.
Note that new FIPS 140-3 restrictions have been enforced; for example, RSA encryption using PKCS1 padding is no longer approved. Documentation related to the changes can be found on the [fips_module(7)] manual page.
[fips_module(7)]: https://docs.openssl.org/master/man7/fips_module/#FIPS indicators
Shane Lontis, Paul Dale, Po-Hsing Wu and Dimitri John Ledkov
Added support for hardware acceleration for HMAC on S390x architecture.
Ingo Franzki
Added debuginfo Makefile target for unix platforms to produce a separate DWARF info file from the corresponding shared libs.
Neil Horman
Added support for encapsulation and decapsulation operations in the pkeyutl command.
Dmitry Belyavskiy
Added implementation of RFC 9579 (PBMAC1) in PKCS#12.
Dmitry Belyavskiy
Add a new random seed source RNG JITTER using a statically linked jitterentropy library.
Dimitri John Ledkov
Added a feature to retrieve configured TLS signature algorithms, e.g., via the openssl list command.
Michael Baentsch
Deprecated TS_VERIFY_CTX_set_* functions and added replacement TS_VERIFY_CTX_set0_* functions with improved semantics.
Tobias Erbsland
Redesigned Windows use of OPENSSLDIR/ENGINESDIR/MODULESDIR such that what were formerly build time locations can now be defined at run time with registry keys. See NOTES-WINDOWS.md.
Neil Horman
Added options -not_before and -not_after for explicit setting start and end dates of certificates created with the req and x509 commands. Added the same options also to ca command as alias for -startdate and -enddate options.
Stephan Wurm
The X25519 and X448 key exchange implementation in the FIPS provider is unapproved and has fips=no property.
Tomáš Mráz
SHAKE-128 and SHAKE-256 implementations have no default digest length anymore. That means these algorithms cannot be used with EVP_DigestFinal/_ex() unless the xoflen param is set before.
This change was necessary because the preexisting default lengths were half the size necessary for full collision resistance supported by these algorithms.
Tomáš Mráz
Setting config_diagnostics=1 in the config file will cause errors to be returned from SSL_CTX_new() and SSL_CTX_new_ex() if there is an error in the ssl module configuration.
Tomáš Mráz
An empty renegotiate extension will be used in TLS client hellos instead of the empty renegotiation SCSV, for all connections with a minimum TLS version > 1.0.
Tim Perry
Added support for integrity-only cipher suites TLS_SHA256_SHA256 and TLS_SHA384_SHA384 in TLS 1.3, as defined in RFC 9150.
This work was sponsored by Siemens AG.
Rajeev Ranjan
Added support for retrieving certificate request templates and CRLs in CMP, with the respective CLI options -template, -crlcert, -oldcrl, -crlout, -crlform, and -rsp_crl.
This work was sponsored by Siemens AG.
Rajeev Ranjan
Added support for issuedOnBehalfOf, auditIdentity, basicAttConstraints, userNotice, acceptablePrivilegePolicies, acceptableCertPolicies, subjectDirectoryAttributes, associatedInformation, delegatedNameConstraints, holderNameConstraints and targetingInformation X.509v3 extensions.
Jonathan M. Wilbur
Added Attribute Certificate (RFC 5755) support. Attribute Certificates can be created, parsed, modified and printed via the public API. There is no command-line tool support at this time.
Damian Hobson-Garcia
Added support to build Position Independent Executables (PIE). The configuration option enable-pie configures the cflag '-fPIE' and ldflag '-pie' to support Address Space Layout Randomization (ASLR) in the openssl executable, and removes reliance on external toolchain configurations.
Craig Lorentzen
SSL_SESSION_get_time()/SSL_SESSION_set_time()/SSL_CTX_flush_sessions() have been deprecated in favour of their respective ..._ex() replacement functions which are Y2038-safe.
Alexander Kanavin
ECC groups may now customize their initialization to save CPU by using precomputed values. This is used by the P-256 implementation.
Watson Ladd
OpenSSL 3.3
Changes between 3.3.2 and 3.3.3 [xx XXX xxxx]
Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic curve parameters.
Use of the low-level GF(2^m) elliptic curve APIs with untrusted explicit values for the field polynomial can lead to out-of-bounds memory reads or writes. Applications working with "exotic" explicit binary (GF(2^m)) curve parameters, that make it possible to represent invalid field polynomials with a zero constant term, via the above or similar APIs, may terminate abruptly as a result of reading or writing outside of array bounds. Remote code execution cannot easily be ruled out.
(CVE-2024-9143)
Viktor Dukhovni
Changes between 3.3.1 and 3.3.2 [3 Sep 2024]
Fixed possible denial of service in X.509 name checks.
Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address when comparing the expected name with an otherName subject alternative name of an X.509 certificate. This may result in an exception that terminates the application program.
(CVE-2024-6119)
Viktor Dukhovni
Fixed possible buffer overread in SSL_select_next_proto().
Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer.
(CVE-2024-5535)
Matt Caswell
Changes between 3.3.0 and 3.3.1 [4 Jun 2024]
Fixed potential use after free after SSL_free_buffers() is called.
The SSL_free_buffers function is used to free the internal OpenSSL buffer used when processing an incoming record from the network. The call is only expected to succeed if the buffer is not currently in use. However, two scenarios have been identified where the buffer is freed even when still in use.
The first scenario occurs where a record header has been received from the network and processed by OpenSSL, but the full record body has not yet arrived. In this case calling SSL_free_buffers will succeed even though a record has only been partially processed and the buffer is still in use.
The second scenario occurs where a full record containing application data has been received and processed by OpenSSL but the application has only read part of this data. Again a call to SSL_free_buffers will succeed even though the buffer is still in use.
(CVE-2024-4741)
Matt Caswell
Fixed an issue where checking excessively long DSA keys or parameters may be very slow.
Applications that use the functions EVP_PKEY_param_check() or EVP_PKEY_public_check() to check a DSA public key or DSA parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service.
To resolve this issue DSA keys larger than OPENSSL_DSA_MAX_MODULUS_BITS will now fail the check immediately with a DSA_R_MODULUS_TOO_LARGE error reason.
(CVE-2024-4603)
Tomáš Mráz
Improved EC/DSA nonce generation routines to avoid bias and timing side channel leaks.
Thanks to Florian Sieck from Universität zu Lübeck and George Pantelakis and Hubert Kario from Red Hat for reporting the issues.
Tomáš Mráz and Paul Dale
Changes between 3.2 and 3.3.0 [9 Apr 2024]
The -verify option to the openssl crl and openssl req will make the program exit with 1 on failure.
Vladimír Kotal
The BIO_get_new_index() function can only be called 127 times before it reaches its upper bound of BIO_TYPE_MASK. It will now correctly return an error of -1 once it is exhausted. Users may need to reserve using this function for cases where BIO_find_type() is required. Either BIO_TYPE_NONE or BIO_get_new_index() can be used to supply a type to BIO_meth_new().
Shane Lontis
Added API functions SSL_SESSION_get_time_ex(), SSL_SESSION_set_time_ex() using time_t which is Y2038 safe on 32 bit systems when 64 bit time is enabled (e.g via setting glibc macro _TIME_BITS=64).
Ijtaba Hussain
The d2i_ASN1_GENERALIZEDTIME(), d2i_ASN1_UTCTIME(), ASN1_TIME_check(), and related functions have been augmented to check for a minimum length of the input string, in accordance with ITU-T X.690 section 11.7 and 11.8.
Job Snijders
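The minimum-length check in this entry exists because the DER rules in X.690 make seconds and the trailing "Z" mandatory: a UTCTime is at least 13 characters (YYMMDDHHMMSSZ) and a GeneralizedTime at least 15 (YYYYMMDDHHMMSSZ), so anything shorter cannot be a valid DER time and should be rejected rather than parsed leniently. The following added Python validator (not OpenSSL's code) applies those length checks and the remaining DER constraints from X.690 11.7 and 11.8, and also enforces the RFC 5280 century rule for two-digit UTCTime years, which is an addition beyond this entry.

```python
import re
from datetime import datetime, timezone

UTCTIME_MIN_LEN = 13          # YYMMDDHHMMSSZ   (X.690 11.8: seconds and 'Z' mandatory)
GENERALIZEDTIME_MIN_LEN = 15  # YYYYMMDDHHMMSSZ (X.690 11.7: seconds and 'Z' mandatory)

_UTCTIME = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")
# An optional fraction must use '.', have at least one digit and no trailing
# zeros (X.690 11.7.3); a zero fraction is omitted entirely.
_GENERALIZEDTIME = re.compile(
    r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(?:\.(\d*[1-9]))?Z$")


class Asn1TimeError(ValueError):
    """Raised for a time string that is not valid DER."""


def _build(year, month, day, hour, minute, second, microsecond):
    # datetime() rejects impossible calendar values such as 31 February.
    try:
        return datetime(year, month, day, hour, minute, second, microsecond,
                        tzinfo=timezone.utc)
    except ValueError as exc:
        raise Asn1TimeError("calendar field out of range: %s" % exc)


def check_utctime(text):
    """Validate a DER UTCTime and return it as an aware datetime."""
    if len(text) < UTCTIME_MIN_LEN:
        raise Asn1TimeError("UTCTime shorter than %d characters" % UTCTIME_MIN_LEN)
    m = _UTCTIME.match(text)
    if m is None:
        raise Asn1TimeError("UTCTime is not of the DER form YYMMDDHHMMSSZ")
    yy, month, day, hour, minute, second = (int(g) for g in m.groups())
    year = 2000 + yy if yy < 50 else 1900 + yy   # RFC 5280 4.1.2.5.1 century rule
    return _build(year, month, day, hour, minute, second, 0)


def check_generalizedtime(text):
    """Validate a DER GeneralizedTime and return it as an aware datetime."""
    if len(text) < GENERALIZEDTIME_MIN_LEN:
        raise Asn1TimeError("GeneralizedTime shorter than %d characters"
                            % GENERALIZEDTIME_MIN_LEN)
    m = _GENERALIZEDTIME.match(text)
    if m is None:
        raise Asn1TimeError("GeneralizedTime is not of the DER form YYYYMMDDHHMMSS[.f]Z")
    year, month, day, hour, minute, second = (int(g) for g in m.groups()[:6])
    fraction = m.group(7) or ""
    microsecond = int((fraction + "000000")[:6])   # keep at most 6 fractional digits
    return _build(year, month, day, hour, minute, second, microsecond)


if __name__ == "__main__":
    print(check_utctime("240101120000Z"))
    print(check_generalizedtime("20240101120000.5Z"))
    for bad in ("2401011200Z", "202401011200Z", "20240101120000.50Z"):
        try:
            check_utctime(bad) if len(bad) < 15 else check_generalizedtime(bad)
        except Asn1TimeError as exc:
            print("rejected", bad, "->", exc)
```

Note that RFC 5280 additionally forbids fractional seconds in certificate validity fields; the validator follows X.690 here and accepts them, so a certificate-specific caller would add that check on top.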
Unknown entries in TLS SignatureAlgorithms, ClientSignatureAlgorithms config options and the respective calls to SSL[_CTX]_set1_sigalgs() and SSL[_CTX]_set1_client_sigalgs() that start with ? character are ignored and the configuration will still be used.
Similarly unknown entries that start with ? character in a TLS Groups config option or set with SSL[_CTX]_set1_groups_list() are ignored and the configuration will still be used.
In both cases if the resulting list is empty, an error is returned.
Tomáš Mráz
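The group-list syntax described here and in the 3.5.0 entries above (the "?*X25519MLKEM768 / ..." default, the "/"-separated priorities, and the DEFAULT keyword and "-" prefix for SSL_CTX_set1_groups_list()) is worth seeing as a parser. The following added Python parser is an illustration, not OpenSSL's implementation. It takes from the entries that ":" separates names, "/" separates priority tiers, "?" makes an unknown name harmless, "-" removes a group, DEFAULT selects the default list, names are case-insensitive, and an empty result is an error. Two points are the example's own assumptions, marked in the code: "*" marks a group for which the client sends a key share (inferred from the default list, whose two "*" entries are exactly the two default key shares), and DEFAULT replaces whatever was selected so far. The table of known groups is a constructed subset.

```python
from dataclasses import dataclass

# Constructed subset of group names, keyed by lower-case for case-insensitive lookup.
KNOWN_GROUPS = {
    "x25519mlkem768": "X25519MLKEM768", "x25519": "X25519",
    "secp256r1": "secp256r1", "x448": "X448", "secp384r1": "secp384r1",
    "secp521r1": "secp521r1", "ffdhe2048": "ffdhe2048",
    "ffdhe3072": "ffdhe3072", "ffdhe4096": "ffdhe4096",
}

# The 3.5.0 default group list, quoted from the change notes.
DEFAULT_GROUP_LIST = ("?*X25519MLKEM768 / ?*X25519:?secp256r1 / "
                      "?X448:?secp384r1:?secp521r1 / ?ffdhe2048:?ffdhe3072")


@dataclass(frozen=True)
class GroupEntry:
    name: str        # canonical group name
    tier: int        # 0 = highest priority; tiers are separated by '/'
    key_share: bool  # assumption: '*' marks a group the client sends a key share for


class GroupListError(ValueError):
    """Raised when the list is unusable (unknown required name, or empty result)."""


def parse_group_list(spec, known=KNOWN_GROUPS):
    entries = []
    tier = 0
    for tier_text in spec.split("/"):
        for raw in tier_text.split(":"):
            token = raw.strip()
            if not token:
                continue
            if token.upper() == "DEFAULT":
                # Assumption for this example: DEFAULT replaces the selection so
                # far with the default list; later names join its last tier.
                entries = parse_group_list(DEFAULT_GROUP_LIST, known)
                tier = entries[-1].tier
                continue
            optional = key_share = remove = False
            while token and token[0] in "?*-":      # prefixes may be combined, e.g. "?*"
                optional = optional or token[0] == "?"
                key_share = key_share or token[0] == "*"
                remove = remove or token[0] == "-"
                token = token[1:]
            canonical = known.get(token.lower())    # case-insensitive name match
            if canonical is None:
                if optional:
                    continue                        # '?' : unknown name is ignored
                raise GroupListError("unknown group %r" % token)
            if remove:
                entries = [e for e in entries if e.name != canonical]
                continue
            if any(e.name == canonical for e in entries):
                continue                            # assumption: duplicates are dropped
            entries.append(GroupEntry(canonical, tier, key_share))
        tier += 1
    if not entries:
        raise GroupListError("no usable groups in %r" % spec)
    return entries


def key_share_groups(entries):
    """Names of the groups the client would send key shares for."""
    return [e.name for e in entries if e.key_share]


if __name__ == "__main__":
    for e in parse_group_list(DEFAULT_GROUP_LIST):
        print(e)
    print("key shares:", key_share_groups(parse_group_list(DEFAULT_GROUP_LIST)))
    print(parse_group_list("DEFAULT:-X25519:ffdhe4096"))
```

Parsing the default list yields four tiers and, as the 3.5.0 entry says, key shares for X25519MLKEM768 and X25519 only; "?NotAGroup:secp256r1" parses to just secp256r1, while "NotAGroup:secp256r1" and "?NotAGroup" are both errors, the latter because nothing is left.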
The EVP_PKEY_fromdata function has been augmented to allow for the derivation of CRT (Chinese Remainder Theorem) parameters when requested. See the OSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ param in the EVP_PKEY-RSA documentation.
Neil Horman
The activate and soft_load configuration settings for providers in openssl.cnf have been updated to require a value of [1|yes|true|on] (in lower or UPPER case) to enable the setting. Conversely a value of [0|no|false|off] will disable the setting. All other values, or the omission of a value for these settings will result in an error.
Neil Horman
Added -set_issuer and -set_subject options to openssl x509 to override the Issuer and Subject when creating a certificate. The -subj option now is an alias for -set_subject.
Job Snijders, George Michaelson
OPENSSL_sk_push() and sk_<TYPE>_push() functions now return 0 instead of -1 if called with a NULL stack argument.
Tomáš Mráz
In openssl speed, changed the default hash function used with hmac from md5 to sha256.
James Muir
Added several new features of CMPv3 defined in RFC 9480 and RFC 9483:
certProfile request message header and respective -profile CLI option
support for delayed delivery of all types of response messages
This work was sponsored by Siemens AG.
David von Oheimb
The build of exporters (such as .pc files for pkg-config) cleaned up to be less hard coded in the build file templates, and to allow easier addition of more exporters. With that, an exporter for CMake is also added.
Richard Levitte
The BLAKE2s hash algorithm matches BLAKE2b's support for configurable output length.
Ahelenia Ziemiańska
New option SSL_OP_PREFER_NO_DHE_KEX, which allows configuring a TLS1.3 server to prefer session resumption using PSK-only key exchange over PSK with DHE, if both are available.
Markus Minichmayr, Tapkey GmbH
New API SSL_write_ex2, which can be used to send an end-of-stream (FIN) condition in an optimised way when using QUIC.
Hugo Landau
New atexit configuration switch, which controls whether the OPENSSL_cleanup is registered when libcrypto is unloaded. This is turned off on NonStop configurations because of loader differences on that platform compared to Linux.
Randall S. Becker
Support for qlog for tracing QUIC connections has been added.
The qlog output from OpenSSL currently uses a pre-standard draft version of qlog. The output from OpenSSL will change in incompatible ways in future releases, and is not subject to any format stability or compatibility guarantees at this time. This functionality can be disabled with the build-time option no-unstable-qlog. See the openssl-qlog(7) manpage for details.
Hugo Landau
Added APIs to allow configuring the negotiated idle timeout for QUIC connections, and to allow determining the number of additional streams that can currently be created for a QUIC connection.
Hugo Landau
Added APIs to allow disabling implicit QUIC event processing for QUIC SSL objects, allowing applications to control when event handling occurs. Refer to the SSL_get_value_uint(3) manpage for details.
Hugo Landau
Limited support for polling of QUIC connection and stream objects in a non-blocking manner. Refer to the SSL_poll(3) manpage for details.
Hugo Landau
Added APIs to allow querying the size and utilisation of a QUIC stream's write buffer. Refer to the SSL_get_value_uint(3) manpage for details.
Hugo Landau
New limit on HTTP response headers is introduced to HTTP client. The default limit is set to 256 header lines. If limit is exceeded the response processing stops with error HTTP_R_RESPONSE_TOO_MANY_HDRLINES. Application may call OSSL_HTTP_REQ_CTX_set_max_response_hdr_lines(3) to change the default. Setting the value to 0 disables the limit.
Alexandr Nedvedicky
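The limit described here bounds how much header data a server can make the client buffer. The following added Python reader (not OpenSSL's code) shows the shape of such a check: header lines are counted as they are read from the stream, the read aborts as soon as the count exceeds the limit, and a limit of 0 disables the check. The default of 256 and the 0-disables rule come from the entry; that the status line is not counted is this example's assumption, and the responses are constructed.

```python
import io

DEFAULT_MAX_HDR_LINES = 256   # default limit stated in the change notes


class TooManyHeaderLines(ValueError):
    """Stands in for the HTTP_R_RESPONSE_TOO_MANY_HDRLINES error."""


def read_response_head(stream, max_hdr_lines=DEFAULT_MAX_HDR_LINES):
    """Read the status line and header block from a byte stream.

    Lines are counted as they arrive; once the count exceeds max_hdr_lines
    the reader stops and raises, so a peer cannot make the client buffer an
    unbounded header block.  max_hdr_lines == 0 disables the limit.
    Assumption: the status line itself is not counted.
    """
    status = stream.readline()
    if not status.startswith(b"HTTP/"):
        raise ValueError("missing HTTP status line")
    headers = {}
    count = 0
    while True:
        line = stream.readline()
        if not line:
            raise ValueError("stream ended inside the header block")
        if line in (b"\r\n", b"\n"):
            break                                   # blank line ends the headers
        count += 1
        if max_hdr_lines and count > max_hdr_lines:
            raise TooManyHeaderLines("more than %d header lines" % max_hdr_lines)
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status.rstrip(b"\r\n"), headers


def parse_response_bytes(raw, max_hdr_lines=DEFAULT_MAX_HDR_LINES):
    """Convenience wrapper for an in-memory response."""
    return read_response_head(io.BytesIO(raw), max_hdr_lines)


def build_response(n_headers, body=b"ok"):
    """Constructed sample response carrying Content-Length plus n_headers filler lines."""
    lines = [b"HTTP/1.1 200 OK", b"Content-Length: %d" % len(body)]
    lines += [b"X-Filler-%d: %d" % (i, i) for i in range(n_headers)]
    lines += [b"", body]
    return b"\r\n".join(lines)


if __name__ == "__main__":
    print(parse_response_bytes(build_response(3)))
    try:
        parse_response_bytes(build_response(300))
    except TooManyHeaderLines as exc:
        print("rejected:", exc)
    print(len(parse_response_bytes(build_response(300), max_hdr_lines=0)[1]), "headers with limit disabled")
```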
Applied AES-GCM unroll8 optimisation to Microsoft Azure Cobalt 100
Tom Cosgrove
Added X509_STORE_get1_objects to avoid issues with the existing X509_STORE_get0_objects API in multi-threaded applications. Refer to the documentation for details.
David Benjamin
Added assembly implementation for md5 on loongarch64
Min Zhou
Optimized AES-CTR for ARM Neoverse V1 and V2
Fisher Yu
Enable AES and SHA3 optimisations on Apple Silicon M3-based MacOS systems similar to M1/M2.
Tom Cosgrove
Added a new EVP_DigestSqueeze() API. This allows SHAKE to squeeze multiple times with different output sizes.
Shane Lontis, Holger Dengler
Various optimizations for cryptographic routines using RISC-V vector crypto extensions
Christoph Müllner, Charalampos Mitrodimas, Ard Biesheuvel, Phoebe Chen, Jerry Shih
Accept longer context for TLS 1.2 exporters
While RFC 5705 implies that the maximum length of a context for exporters is 65535 bytes as the length is embedded in uint16, the previous implementation enforced a much smaller limit, which is less than 1024 bytes. This restriction has been removed.
Daiki Ueno
OpenSSL 3.2
Changes between 3.2.1 and 3.2.2 [xx XXX xxxx]
Fixed an issue where some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions. An attacker may exploit certain server configurations to trigger unbounded memory growth that would lead to a Denial of Service.
This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is being used (but not if early_data is also configured and the default anti-replay protection is in use). In this case, under certain conditions, the session cache can get into an incorrect state and it will fail to flush properly as it fills. The session cache will continue to grow in an unbounded manner. A malicious client could deliberately create the scenario for this failure to force a Denial of Service. It may also happen by accident in normal operation.
(CVE-2024-2511)
Matt Caswell
Fixed bug where SSL_export_keying_material() could not be used with QUIC connections. (#23560)
Hugo Landau
Changes between 3.2.0 and 3.2.1 [30 Jan 2024]
A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL did not correctly check for this case. A fix has been applied to prevent a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs then that application will be vulnerable to this issue prior to this fix.
OpenSSL APIs that were vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass().
We have also fixed a similar issue in SMIME_write_PKCS7(). However since this function is related to writing data we do not consider it security significant.
(CVE-2024-0727)
Matt Caswell
When function EVP_PKEY_public_check() is called on RSA public keys, a computation is done to confirm that the RSA modulus, n, is composite. For valid RSA keys, n is a product of two or more large primes and this computation completes quickly. However, if n is an overly large prime, then this computation would take a long time.
An application that calls EVP_PKEY_public_check() and supplies an RSA key obtained from an untrusted source could be vulnerable to a Denial of Service attack.
The function EVP_PKEY_public_check() is not called from other OpenSSL functions however it is called from the OpenSSL pkey command line application. For that reason that application is also vulnerable if used with the "-pubin" and "-check" options on untrusted data.
To resolve this issue RSA keys larger than OPENSSL_RSA_MAX_MODULUS_BITS will now fail the check immediately with an RSA_R_MODULUS_TOO_LARGE error reason.
(CVE-2023-6237)
Tomáš Mráz
Restore the encoding of SM2 PrivateKeyInfo and SubjectPublicKeyInfo to have the contained AlgorithmIdentifier.algorithm set to id-ecPublicKey rather than SM2.
Richard Levitte
The POLY1305 MAC (message authentication code) implementation in OpenSSL for PowerPC CPUs saves the contents of vector registers in different order than they are restored. Thus the contents of some of these vector registers is corrupted when returning to the caller. The vulnerable code is used only on newer PowerPC processors supporting the PowerISA 2.07 instructions.
The consequences of this kind of internal application state corruption can be various - from no consequences, if the calling application does not depend on the contents of non-volatile XMM registers at all, to the worst consequences, where the attacker could get complete control of the application process. However unless the compiler uses the vector registers for storing pointers, the most likely consequence, if any, would be an incorrect result of some application dependent calculations or a crash leading to a denial of service.
(CVE-2023-6129)
Rohan McLure
Disable building QUIC server utility when OpenSSL is configured with no-apps.
Vitalii Koshura
Changes between 3.1 and 3.2.0 [23 Nov 2023]
Fix excessive time spent in DH check / generation with large Q parameter value.
Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service.
(CVE-2023-5678)
Richard Levitte
The BLAKE2b hash algorithm supports a configurable output length by setting the "size" parameter.
Čestmír Kalina and Tomáš Mráz
Enable extra Arm64 optimization on Windows for GHASH, RAND and AES.
Evgeny Karpov
Added a function to delete objects from store by URI - OSSL_STORE_delete() and the corresponding provider-storemgmt API function OSSL_FUNC_store_delete().
Dmitry Belyavskiy
Added OSSL_FUNC_store_open_ex() provider-storemgmt API function to pass a passphrase callback when opening a store.
Simo Sorce
Changed the default salt length used by PBES2 KDFs (PBKDF2 and scrypt) from 8 bytes to 16 bytes. The PKCS5 (RFC 8018) standard uses a 64 bit salt length for PBE, and recommends a minimum of 64 bits for PBES2. For FIPS compliance PBKDF2 requires a salt length of 128 bits. This affects OpenSSL command line applications such as "genrsa" and "pkcs8" and APIs such as PEM_write_bio_PrivateKey() that are reliant on the default value. The additional command line option 'saltlen' has been added to the OpenSSL command line applications for "pkcs8" and "enc" to allow the salt length to be set to a non-default value.
Shane Lontis
Changed the default value of the ess_cert_id_alg configuration option which is used to calculate the TSA's public key certificate identifier. The default algorithm is updated to be sha256 instead of sha1.
Małgorzata Olszówka
Added optimization for SM2 algorithm on aarch64. It uses a huge precomputed table for point multiplication of the base point, which increases the size of libcrypto from 4.4 MB to 4.9 MB. A new configure option no-sm2-precomp has been added to disable the precomputed table.
Xu Yizhou
Added client side support for QUIC
Hugo Landau, Matt Caswell, Paul Dale, Tomáš Mráz, Richard Levitte
Added multiple tutorials on the OpenSSL library and in particular on writing various clients (using TLS and QUIC protocols) with libssl.
Matt Caswell
Added secp384r1 implementation using Solinas' reduction to improve speed of the NIST P-384 elliptic curve. To enable the implementation the build option enable-ec_nistp_64_gcc_128 must be used.
Rohan McLure
Improved RFC7468 compliance of the asn1parse command.
Matthias St. Pierre
Added SHA256/192 algorithm support.
Fergus Dall
Improved contention on global write locks by using more read locks where appropriate.
Matt Caswell
Improved performance of OSSL_PARAM lookups in performance critical provider functions.
Paul Dale
Added the SSL_get0_group_name() function to provide access to the name of the group used for the TLS key exchange.
Alex Bozarth
Provide a new configure option no-http that can be used to disable the HTTP support. Provide new configure options no-apps and no-docs to disable building the openssl command line application and the documentation.
Vladimír Kotal
Provide a new configure option no-ecx that can be used to disable the X25519, X448, and EdDSA support.
Yi Li
When multiple OSSL_KDF_PARAM_INFO parameters are passed to the EVP_KDF_CTX_set_params() function they are now concatenated not just for the HKDF algorithm but also for SSKDF and X9.63 KDF algorithms.
Paul Dale
Added OSSL_FUNC_keymgmt_im/export_types_ex() provider functions that get the provider context as a parameter.
Ingo Franzki
TLS round-trip time calculation was added by a Brigham Young University Capstone team partnering with Sandia National Laboratories. A new function in ssl_lib titled SSL_get_handshake_rtt will calculate and retrieve this value.
Jairus Christensen
Added the "-quic" option to s_client to enable connectivity to QUIC servers. QUIC requires the use of ALPN, so this must be specified via the "-alpn" option. Use of the "advanced" s_client command mode via the "-adv" option is recommended.
Matt Caswell
Added an "advanced" command mode to s_client. Use this with the "-adv" option. The old "basic" command mode recognises certain letters that must always appear at the start of a line and cannot be escaped. The advanced command mode enables commands to be entered anywhere and there is an escaping mechanism. After starting s_client with "-adv" type "{help}" to show a list of available commands.
Matt Caswell
Add Raw Public Key (RFC7250) support. Authentication is supported by matching keys against either local policy (TLSA records synthesised from the expected keys) or DANE (TLSA records obtained by the application from DNS). TLSA records will also match the same key in the server certificate, should RPK use not happen to be negotiated.
Todd Short
Added support for modular exponentiation and CRT offloading for the S390x architecture.
Juergen Christ
Added further assembler code for the RISC-V architecture.
Christoph Müllner
Added EC_GROUP_to_params() which creates an OSSL_PARAM array from a given EC_GROUP.
Oliver Mihatsch
Improved support for non-default library contexts and property queries when parsing PKCS#12 files.
Shane Lontis
Implemented support for all five instances of EdDSA from RFC8032: Ed25519, Ed25519ctx, Ed25519ph, Ed448, and Ed448ph. Streaming is not yet supported for the HashEdDSA variants (Ed25519ph and Ed448ph).
James Muir
Added SM4 optimization for ARM processors using ASIMD and AES HW instructions.
Xu Yizhou
Implemented SM4-XTS support.
Xu Yizhou
Added platform-agnostic OSSL_sleep() function.
Richard Levitte
Implemented deterministic ECDSA signatures (RFC6979) support.
Shane Lontis
Implemented AES-GCM-SIV (RFC8452) support.
Todd Short
Added support for pluggable (provider-based) TLS signature algorithms. This enables TLS 1.3 authentication operations with algorithms embedded in providers not included by default in OpenSSL. In combination with the already available pluggable KEM and X.509 support, this enables for example suitable providers to deliver post-quantum or quantum-safe cryptography to OpenSSL users.
Michael Baentsch
Added support for pluggable (provider-based) CMS signature algorithms. This enables CMS sign and verify operations with algorithms embedded in providers not included by default in OpenSSL.
Michael Baentsch
Added support for Hybrid Public Key Encryption (HPKE) as defined in RFC9180. HPKE is required for TLS Encrypted ClientHello (ECH), Message Layer Security (MLS) and other IETF specifications. HPKE can also be used by other applications that require encrypting "to" an ECDH public key. External APIs are defined in include/openssl/hpke.h and documented in doc/man3/OSSL_HPKE_CTX_new.pod.
Stephen Farrell
Implemented HPKE DHKEM support in providers used by HPKE (RFC9180) API.
Shane Lontis
Add support for certificate compression (RFC8879), including library support for Brotli and Zstandard compression.
Todd Short
Add the ability to add custom attributes to PKCS12 files. Add a new API PKCS12_create_ex2, identical to the existing PKCS12_create_ex but allows for a user specified callback and optional argument. Added a new PKCS12_SAFEBAG_set0_attr, which allows for a new attr to be added to the existing STACK_OF attrs.
Graham Woodward
Major refactor of the libssl record layer.
Matt Caswell
Add a mac salt length option for the pkcs12 command.
Xinping Chen
Add more SRTP protection profiles from RFC8723 and RFC8269.
Kijin Kim
Extended Kernel TLS (KTLS) to support TLS 1.3 receive offload.
Daiki Ueno, John Baldwin and Dmitry Podgorny
Add support for TCP Fast Open (RFC7413) to macOS, Linux, and FreeBSD where supported and enabled.
Todd Short
Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489) to the list of ciphersuites providing Perfect Forward Secrecy as required by SECLEVEL >= 3.
Dmitry Belyavskiy, Nicola Tuveri
Add new SSL APIs to aid in efficiently implementing TLS/SSL fingerprinting. The SSL_CTRL_GET_IANA_GROUPS control code, exposed as the SSL_get0_iana_groups() function-like macro, retrieves the list of supported groups sent by the peer. The function SSL_client_hello_get_extension_order() populates a caller-supplied array with the list of extension types present in the ClientHello, in order of appearance.
Phus Lu
Fixed PEM_write_bio_PKCS8PrivateKey() and PEM_write_bio_PKCS8PrivateKey_nid() to make it possible to use empty passphrase strings.
Darshan Sen
The PKCS12_parse() function now supports MAC-less PKCS12 files.
Daniel Fiala
Added ASYNC_set_mem_functions() and ASYNC_get_mem_functions() calls to be able to change functions used for allocating the memory of asynchronous call stack.
Arran Cudbard-Bell
Added support for signed BIGNUMs in the OSSL_PARAM APIs.
Richard Levitte
A failure exit code is returned when using the openssl x509 command to check certificate attributes and the checks fail.
Rami Khaldi
The default SSL/TLS security level has been changed from 1 to 2. RSA, DSA and DH keys of 1024 bits and above and less than 2048 bits and ECC keys of 160 bits and above and less than 224 bits were previously accepted by default but are now no longer allowed. By default TLS compression was already disabled in previous OpenSSL versions. At security level 2 it cannot be enabled.
Matt Caswell
The SSL_CTX_set_cipher_list family functions now accept ciphers using their IANA standard names.
Erik Lax
The PVK key derivation function has been moved from b2i_PVK_bio_ex() into the legacy crypto provider as an EVP_KDF. Applications requiring this KDF will need to load the legacy crypto provider.
Paul Dale
CCM8 cipher suites in TLS have been downgraded to security level zero because they use a short authentication tag which lowers their strength.
Paul Dale
Subject or issuer names in X.509 objects are now displayed as UTF-8 strings by default. Also spaces surrounding = in DN output are removed.
Dmitry Belyavskiy
Add X.509 certificate codeSigning purpose and related checks on key usage and extended key usage of the leaf certificate according to the CA/Browser Forum.
Lutz Jänicke
The x509, ca, and req commands now produce X.509 v3 certificates. The -x509v1 option of req prefers generation of X.509 v1 certificates. X509_sign() and X509_sign_ctx() make sure that the certificate has X.509 version 3 if the certificate information includes X.509 extensions.
David von Oheimb
Fix and extend certificate handling and the commands x509, verify etc. such as adding a trace facility for debugging certificate chain building.
David von Oheimb
Various fixes and extensions to the CMP+CRMF implementation and the cmp app in particular supporting various types of genm/genp exchanges such as getting CA certificates and root CA cert updates defined in CMP Updates [RFC 9480], as well as the -srvcertout and -serial CLI options.
This work was sponsored by Siemens AG.
David von Oheimb
Fixes and extensions to the HTTP client and to the HTTP server in apps/ like correcting the TLS and proxy support and adding tracing for debugging.
David von Oheimb
Extended the CMS API for handling CMS_SignedData and CMS_EnvelopedData.
David von Oheimb
CMS_add0_cert() and CMS_add1_cert() no longer throw an error if a certificate to be added is already present. CMS_sign_ex() and CMS_sign() now ignore any duplicate certificates in their certs argument and no longer throw an error for them.
David von Oheimb
Fixed and extended util/check-format.pl for checking adherence to the coding style https://www.openssl.org/policies/technical/coding-style.html. The checks are meanwhile more complete and yield fewer false positives.
David von Oheimb
Added BIO_s_dgram_pair() and BIO_s_dgram_mem() that provide memory-based BIOs with datagram semantics and support for BIO_sendmmsg() and BIO_recvmmsg() calls. They can be used as the transport BIOs for QUIC.
Hugo Landau, Matt Caswell and Tomáš Mráz
Add new BIO_sendmmsg() and BIO_recvmmsg() BIO methods which allow sending and receiving multiple messages in a single call. An implementation is provided for BIO_dgram. For further details, see BIO_sendmmsg(3).
Hugo Landau
Support for loading root certificates from the Windows certificate store has been added. The support is in the form of a store which recognises the URI string of org.openssl.winstore://. This URI scheme currently takes no arguments. This store is built by default and can be disabled using the new compile-time option no-winstore. This store is not currently used by default and must be loaded explicitly using the above store URI. It is expected to be loaded by default in the future.
Hugo Landau
Enable KTLS with the TLS 1.3 CCM mode ciphersuites. Note that some Linux kernel versions that support KTLS have a known bug in CCM processing. That has been fixed in stable releases starting from 5.4.164, 5.10.84, 5.15.7, and all releases since 5.16. KTLS with CCM ciphersuites should only be used on these releases.
Tianjia Zhang
Added -ktls option to s_server and s_client commands to enable the KTLS support.
Tianjia Zhang
Zerocopy KTLS sendfile() support on Linux.
Maxim Mikityanskiy
The OBJ_ calls are now thread safe using a global lock.
Paul Dale
New parameter -digest for openssl cms command allowing signing pre-computed digests and new CMS API functions supporting that functionality.
Viktor Söderqvist
OPENSSL_malloc() and other allocation functions now raise errors on allocation failures. The callers do not need to explicitly raise errors unless they want to for tracing purposes.
David von Oheimb
Added and enabled by default implicit rejection in RSA PKCS#1 v1.5 decryption as a protection against Bleichenbacher-like attacks. The RSA decryption API will now return a randomly generated deterministic message instead of an error in case it detects an error when checking padding during PKCS#1 v1.5 decryption. This is a general protection against issues like CVE-2020-25659 and CVE-2020-25657. This protection can be disabled by calling EVP_PKEY_CTX_ctrl_str(ctx, "rsa_pkcs1_implicit_rejection", "0") on the RSA decryption context.
Hubert Kario
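To make the implicit-rejection behaviour concrete, here is an added Python model (not OpenSSL's code) of the PKCS#1 v1.5 unpadding step, with the error-returning variant beside the hardened one. The per-key secret, the HMAC-SHA256 PRF and all function names are assumptions of the model, not OpenSSL's construction.

```python
"""Model of RSA PKCS#1 v1.5 unpadding with implicit rejection.

Only the unpadding step that follows the raw RSA private-key operation
is modelled; the RSA arithmetic itself is left out. The per-key secret
and the HMAC-SHA256 based PRF are assumptions of this model, not
OpenSSL's exact construction.
"""
import hashlib
import hmac
import secrets

K = 128  # modulus length in bytes for a constructed 1024-bit key


def pkcs1_v15_pad(message: bytes, k: int = K) -> bytes:
    """EME-PKCS1-v1_5: 00 || 02 || PS (>= 8 non-zero bytes) || 00 || M."""
    if len(message) > k - 11:
        raise ValueError("message too long")
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(k - 3 - len(message)))
    return b"\x00\x02" + ps + b"\x00" + message


def unpad_strict(em: bytes, k: int = K) -> bytes:
    """Explicit-rejection behaviour: report the padding failure to the caller.

    Returning an error here is exactly the signal a Bleichenbacher-style
    oracle needs, which is why the hardened variant below never does so.
    """
    sep = em.find(b"\x00", 2)
    if len(em) != k or em[:2] != b"\x00\x02" or sep < 10:
        raise ValueError("padding check failed")
    return em[sep + 1:]


def synthetic_message(key_secret: bytes, ciphertext: bytes, k: int = K) -> bytes:
    """Deterministic stand-in message for a ciphertext whose padding is bad.

    Both the length and the bytes come from a PRF keyed with a per-key
    secret, so the same ciphertext always yields the same message and
    two ciphertexts yield unrelated ones.
    """
    tag = hmac.new(key_secret, b"len" + ciphertext, hashlib.sha256).digest()
    length = int.from_bytes(tag[:2], "big") % (k - 11 + 1)   # 0 .. k-11
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key_secret, counter.to_bytes(4, "big") + ciphertext,
                        hashlib.sha256).digest()
    return out[:length]


def unpad_implicit_rejection(em: bytes, ciphertext: bytes, key_secret: bytes,
                             k: int = K) -> bytes:
    """Return M on good padding, otherwise the synthetic message.

    Every check contributes to one accumulated flag instead of returning
    early, so the work done does not depend on which check fails. (A real
    implementation also selects the result without a data-dependent
    branch; Python cannot promise that, so this stays a model.)
    """
    bad = len(em) != k
    em = (em + b"\x00" * k)[:k]            # fixed-size view for the loop below
    bad |= em[0] != 0x00
    bad |= em[1] != 0x02
    sep, found = 0, False
    for i in range(2, k):                  # scan every byte; never break
        if em[i] == 0 and not found:
            sep, found = i, True
    bad |= not found
    bad |= sep < 10                        # PS shorter than 8 bytes
    real = em[sep + 1:] if found else b""
    fake = synthetic_message(key_secret, ciphertext, k)
    return fake if bad else real
```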
Added support for Brainpool curves in TLS-1.3.
Bernd Edlinger and Matt Caswell
Added OpenBSD specific build targets.
David Carlier
Support for Argon2d, Argon2i, Argon2id KDFs has been added along with a basic thread pool implementation for select platforms.
Čestmír Kalina
OpenSSL 3.1
Changes between 3.1.3 and 3.1.4 [24 Oct 2023]
Fix incorrect key and IV resizing issues when calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() with OSSL_PARAM parameters that alter the key or IV length (CVE-2023-5363).
Paul Dale
Changes between 3.1.2 and 3.1.3 [19 Sep 2023]
Fix POLY1305 MAC implementation corrupting XMM registers on Windows.
The POLY1305 MAC (message authentication code) implementation in OpenSSL does not save the contents of non-volatile XMM registers on Windows 64 platform when calculating the MAC of data larger than 64 bytes. Before returning to the caller all the XMM registers are set to zero rather than restoring their previous content. The vulnerable code is used only on newer x86_64 processors supporting the AVX512-IFMA instructions.
The consequences of this kind of internal application state corruption can be various - from no consequences, if the calling application does not depend on the contents of non-volatile XMM registers at all, to the worst consequences, where the attacker could get complete control of the application process. However, given that the contents of the registers are just zeroized so the attacker cannot put arbitrary values inside, the most likely consequence, if any, would be an incorrect result of some application dependent calculations or a crash leading to a denial of service.
(CVE-2023-4807)
Bernd Edlinger
Changes between 3.1.1 and 3.1.2 [1 Aug 2023]
Fix excessive time spent checking DH q parameter value.
The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p.
If DH_check() is called with such q parameter value, DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally intensive checks are skipped.
(CVE-2023-3817)
Tomáš Mráz
Fix DH_check() excessive time with over sized modulus.
The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ("p" parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length.
However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large.
A new limit has been added to DH_check of 32,768 bits. Supplying a key/parameters with a modulus over this size will simply cause DH_check() to fail.
(CVE-2023-3446)
Matt Caswell
Do not ignore empty associated data entries with AES-SIV.
The AES-SIV algorithm allows for authentication of multiple associated data entries along with the encryption. To authenticate empty data the application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with NULL pointer as the output buffer and 0 as the input buffer length. The AES-SIV implementation in OpenSSL just returns success for such call instead of performing the associated data authentication operation. The empty data thus will not be authenticated. (CVE-2023-2975)
Thanks to Juerg Wullschleger (Google) for discovering the issue.
The fix changes the authentication tag value and the ciphertext for applications that use empty associated data entries with AES-SIV. To decrypt data encrypted with previous versions of OpenSSL the application has to skip calls to EVP_DecryptUpdate() for empty associated data entries.
Tomáš Mráz
When building with the enable-fips option and using the resulting FIPS provider, TLS 1.2 will, by default, mandate the use of an extended master secret (FIPS 140-3 IG G.Q) and the Hash and HMAC DRBGs will not operate with truncated digests (FIPS 140-3 IG G.R).
Paul Dale
Changes between 3.1.0 and 3.1.1 [30 May 2023]
Mitigate for the time it takes for OBJ_obj2txt to translate gigantic OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.
OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical numeric text form. For gigantic sub-identifiers, this would take a very long time, the time complexity being O(n^2) where n is the size of that sub-identifier. (CVE-2023-2650)
To mitigate this, OBJ_obj2txt() will only translate an OBJECT IDENTIFIER to canonical numeric text form if the size of that OBJECT IDENTIFIER is 586 bytes or less, and fail otherwise.
The basis for this restriction is RFC 2578 (STD 58), section 3.5. OBJECT IDENTIFIER values, which stipulates that OBJECT IDENTIFIERS may have at most 128 sub-identifiers, and that the maximum value that each sub-identifier may have is 2^32-1 (4294967295 decimal).
For each byte of every sub-identifier, only the 7 lower bits are part of the value, so the maximum amount of bytes that an OBJECT IDENTIFIER with these restrictions may occupy is 32 * 128 / 7, which is approximately 586 bytes.
Richard Levitte
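As an added illustration (not OpenSSL's code), the following Python decoder applies the 586-byte ceiling before touching the sub-identifier arithmetic and separately checks the RFC 2578 bounds the entry cites; the function names and constants are assumptions.

```python
"""DER OBJECT IDENTIFIER decoding with the 586-byte ceiling described above.

Added example, not OpenSSL's code: the function names are assumptions.
oid_to_text() refuses OIDs whose encoded content exceeds the limit before
any base-128 arithmetic on the sub-identifiers takes place, which is what
keeps the quadratic-time conversion to decimal text bounded.
"""

MAX_OID_CONTENT_BYTES = 586   # limit quoted in the 3.1.1 change entry
MAX_SUBID = 2**32 - 1         # RFC 2578 section 3.5 bound per sub-identifier
MAX_SUBIDS = 128              # RFC 2578 section 3.5 bound on the number of arcs


def encode_oid(arcs: list[int]) -> bytes:
    """Encode arcs (e.g. [1, 2, 840, 113549]) into DER content bytes."""
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("not a valid OID")
    values = [arcs[0] * 40 + arcs[1]] + list(arcs[2:])
    out = bytearray()
    for v in values:
        chunk = [v & 0x7F]            # least significant 7 bits, no continuation bit
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out.extend(reversed(chunk))   # most significant group first
    return bytes(out)


def decode_oid_content(content: bytes) -> list[int]:
    """Decode DER OID content bytes (no tag/length) into a list of arcs."""
    if not content or content[-1] & 0x80:
        raise ValueError("truncated sub-identifier")
    values, v, start = [], 0, True
    for b in content:
        if start and b == 0x80:
            raise ValueError("non-minimal sub-identifier encoding")
        v = (v << 7) | (b & 0x7F)
        start = not (b & 0x80)        # continuation bit clear ends the sub-identifier
        if start:
            values.append(v)
            v = 0
    first = values[0]                 # first two arcs are packed as 40*X + Y
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return arcs + values[1:]


def within_rfc2578_limits(arcs: list[int]) -> bool:
    """True if the OID respects the RFC 2578 sub-identifier count/value bounds."""
    return len(arcs) <= MAX_SUBIDS and max(arcs) <= MAX_SUBID


def exceeds_ceiling(content: bytes) -> bool:
    """The size check OBJ_obj2txt() applies before converting to text."""
    return len(content) > MAX_OID_CONTENT_BYTES


def oid_to_text(content: bytes) -> str:
    """Dotted-decimal form, or ValueError if the encoding is over the ceiling."""
    if exceeds_ceiling(content):
        raise ValueError(f"OID content is {len(content)} bytes, "
                         f"limit is {MAX_OID_CONTENT_BYTES}")
    return ".".join(str(a) for a in decode_oid_content(content))
```

A sub-identifier that fits under the ceiling but exceeds 2^32-1 is still translated, exactly as the entry describes; within_rfc2578_limits() reports that it is outside the RFC bounds.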
Multiple algorithm implementation fixes for ARM BE platforms.
Liu-ErMeng
Added a -pedantic option to fipsinstall that adjusts the various settings to ensure strict FIPS compliance rather than backwards compatibility.
Paul Dale
Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms which happens if the buffer size is 4 mod 5 in 16 byte AES blocks. This can trigger a crash of an application using AES-XTS decryption if the memory just after the buffer being decrypted is not mapped. Thanks to Anton Romanov (Amazon) for discovering the issue. (CVE-2023-1255)
Nevine Ebeid
Reworked the Fix for the Timing Oracle in RSA Decryption (CVE-2022-4304). The previous fix for this timing side channel turned out to cause a severe 2-3x performance regression in the typical use case compared to 3.0.7. The new fix uses existing constant time code paths, and restores the previous performance level while fully eliminating all existing timing side channels. The fix was developed by Bernd Edlinger with testing support by Hubert Kario.
Bernd Edlinger
Add FIPS provider configuration option to disallow the use of truncated digests with Hash and HMAC DRBGs (q.v. FIPS 140-3 IG D.R.). The option '-no_drbg_truncated_digests' can optionally be supplied to 'openssl fipsinstall'.
Paul Dale
Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention that it does not enable policy checking. Thanks to David Benjamin for discovering this issue. (CVE-2023-0466)
Tomáš Mráz
Fixed an issue where invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. (CVE-2023-0465)
Matt Caswell
Limited the number of nodes created in a policy tree to mitigate against CVE-2023-0464. The default limit is set to 1000 nodes, which should be sufficient for most installations. If required, the limit can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build time define to a desired maximum number of nodes or zero to allow unlimited growth. (CVE-2023-0464)
Paul Dale
Changes between 3.0 and 3.1.0 [14 Mar 2023]
Add FIPS provider configuration option to enforce the Extended Master Secret (EMS) check during the TLS1_PRF KDF. The option '-ems_check' can optionally be supplied to 'openssl fipsinstall'.
Shane Lontis
The FIPS provider includes a few non-approved algorithms for backward compatibility purposes and the "fips=yes" property query must be used for all algorithm fetches to ensure FIPS compliance.
The algorithms that are included but not approved are Triple DES ECB, Triple DES CBC and EdDSA.
Paul Dale
Added support for KMAC in KBKDF.
Shane Lontis
RNDR and RNDRRS support in provider functions to provide random number generation for Arm CPUs (aarch64).
Orr Toledano
s_client and s_server commands now explicitly say when the TLS version does not include the renegotiation mechanism. This avoids confusion between that scenario versus when the TLS version includes secure renegotiation but the peer lacks support for it.
Felipe Gasper
AES-GCM enabled with AVX512 vAES and vPCLMULQDQ.
Tomasz Kantecki, Andrey Matyukov
The various OBJ_* functions have been made thread safe.
Paul Dale
Parallel dual-prime 1536/2048-bit modular exponentiation for AVX512_IFMA capable processors.
Sergey Kirillov, Andrey Matyukov (Intel Corp)
The functions OPENSSL_LH_stats, OPENSSL_LH_node_stats, OPENSSL_LH_node_usage_stats, OPENSSL_LH_stats_bio, OPENSSL_LH_node_stats_bio and OPENSSL_LH_node_usage_stats_bio are now marked deprecated from OpenSSL 3.1 onwards and can be disabled by defining OPENSSL_NO_DEPRECATED_3_1.
The macro DEFINE_LHASH_OF is now deprecated in favour of the macro DEFINE_LHASH_OF_EX, which omits the corresponding type-specific function definitions for these functions regardless of whether OPENSSL_NO_DEPRECATED_3_1 is defined.
Users of DEFINE_LHASH_OF may start receiving deprecation warnings for these functions regardless of whether they are using them. It is recommended that users transition to the new macro, DEFINE_LHASH_OF_EX.
Hugo Landau
When generating safe-prime DH parameters set the recommended private key length equivalent to minimum key lengths as in RFC 7919.
Tomáš Mráz
Change the default salt length for PKCS#1 RSASSA-PSS signatures to the maximum size that is smaller or equal to the digest length to comply with FIPS 186-4 section 5. This is implemented by a new option OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX ("auto-digestmax") for the rsa_pss_saltlen parameter, which is now the default. Signature verification is not affected by this change and continues to work as before.
Clemens Lang