OpenSSL Changelog

What's new in OpenSSL 3.2.1

Feb 4, 2024
  • bug and security fixes

New in OpenSSL 1.1.1w (Sep 28, 2023)

  • Fix POLY1305 MAC implementation corrupting XMM registers on Windows
  • The POLY1305 MAC (message authentication code) implementation in OpenSSL does not save the contents of non-volatile XMM registers on the Windows 64 platform when calculating the MAC of data larger than 64 bytes. Before returning to the caller, all the XMM registers are set to zero rather than restored to their previous content. The vulnerable code is used only on newer x86_64 processors supporting the AVX512-IFMA instructions.
  • The consequences of this kind of internal application state corruption can vary, from no consequences if the calling application does not depend on the contents of non-volatile XMM registers at all, to the worst case where the attacker could get complete control of the application process. However, because the registers are only zeroized, the attacker cannot put arbitrary values in them, so the most likely consequence, if any, would be an incorrect result of some application-dependent calculation or a crash leading to a denial of service.

New in OpenSSL 1.1.1v (Aug 2, 2023)

  • Fix excessive time spent checking DH q parameter value: The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus parameter, thus it is unnecessary to perform these checks if q is larger than p.
  • If DH_check() is called with such a q parameter value, the DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally intensive checks are skipped.
  • Fix DH_check() excessive time with oversized modulus: The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ("p" parameter) is not too large. Trying to use a very large modulus is slow, and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However, the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large.
  • A new limit of 32,768 bits has been added to DH_check(). Supplying a key/parameters with a modulus over this size will simply cause DH_check() to fail.
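The guarded check ordering that the two DH_check() fixes above introduce, as an added Python model written for this page (not OpenSSL's code): the cheap modulus-size and q-range tests run first, and the expensive primality tests are skipped when those guards fire. The flag names mirror OpenSSL's dh.h; their numeric values, the simplified generator test and the test counter are assumptions for the example.

```python
import random

# Return flags modelled on the DH_check() bit flags in OpenSSL's dh.h
# (the names exist in OpenSSL; the numeric values here are assumed).
DH_CHECK_P_NOT_PRIME = 0x01
DH_NOT_SUITABLE_GENERATOR = 0x08
DH_CHECK_INVALID_Q_VALUE = 0x10
DH_CHECK_Q_NOT_PRIME = 0x20
DH_MODULUS_TOO_LARGE = 0x100

# The hard modulus limit introduced by the 1.1.1v fix (from the changelog).
DH_CHECK_MAX_MODULUS_BITS = 32768


def is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test: the expensive step the guards protect."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(1)  # fixed seed so runs are reproducible
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def dh_check(p, g, q=None):
    """Simplified DH parameter check in the fixed order.

    Returns (ok, flags, primality_tests_run). The last value counts the
    expensive primality tests so callers can see which guards fired.
    """
    flags = 0
    tests = 0

    # Guard 1 (1.1.1v): reject an oversized modulus before any arithmetic
    # on it; this is the check that simply fails DH_check().
    if p.bit_length() > DH_CHECK_MAX_MODULUS_BITS:
        return False, DH_MODULUS_TOO_LARGE, tests

    # Guard 2 (1.1.1v): a valid q is never larger than p, so flag it and
    # skip every q-dependent check instead of running them on a huge q.
    if q is not None and q > p:
        flags |= DH_CHECK_INVALID_Q_VALUE
        q = None

    tests += 1
    if not is_probable_prime(p):
        flags |= DH_CHECK_P_NOT_PRIME

    if q is not None:
        tests += 1
        if not is_probable_prime(q):
            flags |= DH_CHECK_Q_NOT_PRIME
        # q must divide p - 1 and g must generate the subgroup of order q.
        if (p - 1) % q != 0:
            flags |= DH_CHECK_INVALID_Q_VALUE
        elif pow(g, q, p) != 1:
            flags |= DH_NOT_SUITABLE_GENERATOR
    elif not 1 < g < p - 1:
        # Without q, only a range check on g is done here (simplified).
        flags |= DH_NOT_SUITABLE_GENERATOR

    return flags == 0, flags, tests
```

The small safe prime p = 23 with subgroup order q = 11 is a constructed toy parameter set; an oversized q or an oversized p never reaches a primality test.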

New in OpenSSL 1.1.1q (Jul 7, 2022)

  • AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation would not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of pre-existing memory contents that were never overwritten. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed.
  • Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected.
  • (CVE-2022-2097)
  • [Alex Chernyakhovsky, David Benjamin, Alejandro Sedeño]

New in OpenSSL 3.0.3 (May 4, 2022)

  • Security Advisory: two moderate and two low severity fixes

New in OpenSSL 3.0.1 (Dec 16, 2021)

  • Fixed invalid handling of X509_verify_cert() internal errors in libssl. Internally, libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error (for example out of memory). Such a negative return value is mishandled by OpenSSL and will cause an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate success and a subsequent call to SSL_get_error() to return the value SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be returned by OpenSSL if the application has previously called SSL_CTX_set_cert_verify_callback(). Since most applications do not do this, the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be totally unexpected and applications may not behave correctly as a result. The exact behaviour will depend on the application, but it could result in crashes, infinite loops or other similar incorrect responses.
  • This issue is made more serious in combination with a separate bug in OpenSSL 3.0 that will cause X509_verify_cert() to indicate an internal error when processing a certificate chain. This will occur where a certificate does not include the Subject Alternative Name extension but where a Certificate Authority has enforced name constraints. This issue can occur even with valid chains. (CVE-2021-4044)
  • Corrected a few file name and file reference bugs in the build, installation and setup scripts, which lead to installation verification failures. Slightly enhanced the installation verification script.
  • Fixed EVP_PKEY_eq() to make it possible to use it with strictly private keys.
  • Fixed PVK encoder to properly query for the passphrase.
  • Multiple fixes in the OSSL_HTTP API functions.
  • Allow sign extension in OSSL_PARAM_allocate_from_text() for the OSSL_PARAM_INTEGER data type and return error on negative numbers used with the OSSL_PARAM_UNSIGNED_INTEGER data type. Make OSSL_PARAM_BLD_push_BN{,_pad}() return an error on negative numbers.
  • Allow copying uninitialized digest contexts with EVP_MD_CTX_copy_ex.
  • Fixed detection of ARMv7 and ARM64 CPU features on FreeBSD.
  • Multiple threading fixes.
  • Added NULL digest implementation to keep compatibility with 1.1.1 version.
  • Allow fetching an operation from the provider that owns an unexportable key as a fallback if that is still allowed by the property query.

New in OpenSSL 3.0.0 (Sep 10, 2021)

  • TLS_MAX_VERSION, DTLS_MAX_VERSION and DTLS_MIN_VERSION constants are now deprecated.
  • The `OPENSSL_s390xcap` environment variable can be used to set bits in the S390X capability vector to zero. This simplifies testing of different code paths on S390X architecture.
  • Encrypting more than 2^64 TLS records with AES-GCM is disallowed as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness Requirements from SP 800-38D". The communication will fail at this point.
  • The EC_GROUP_clear_free() function is deprecated as there is nothing confidential in EC_GROUP data.
  • The byte order mark (BOM) character is ignored if encountered at the beginning of a PEM-formatted file.
  • Added CMS support for the Russian GOST algorithms.
  • Due to the move of the implementation of cryptographic operations to the providers, validation of various operation parameters can be postponed until the actual operation is executed, where previously it happened immediately when an operation parameter was set. For example, when setting an unsupported curve with EVP_PKEY_CTX_set_ec_paramgen_curve_nid() this function call will not fail, but later keygen operations with the EVP_PKEY_CTX will fail.
  • The EVP_get_cipherbyname() function will return NULL for algorithms such as "AES-128-SIV", "AES-128-CBC-CTS" and "CAMELLIA-128-CBC-CTS" which were previously only accessible via low level interfaces. Use EVP_CIPHER_fetch() instead to retrieve these algorithms from a provider.
  • On build targets where the multilib postfix is set in the build configuration, the libdir directory was changing based on whether the lib directory with the multilib postfix exists on the system or not. This unpredictable behavior was removed and the eventual multilib postfix is now always added to the default libdir. Use `--libdir=lib` to override the libdir if adding the postfix is undesirable.
  • The triple DES key wrap functionality now conforms to RFC 3217 but is no longer interoperable with OpenSSL 1.1.1.
  • The ERR_GET_FUNC() function was removed. With the loss of meaningful function codes, this function can only cause problems for calling applications.
  • Add a configurable flag to output date formats as ISO 8601. Does not change the default date format.
  • Versions of MSVC earlier than 1300 could get link warnings, which could be suppressed if the undocumented DI_CAN_LIVE_WITH_LNK4049 was set. Support for this flag has been removed.
  • Rework and make DEBUG macros consistent. Remove unused -DCONF_DEBUG, DBN_CTX_DEBUG, and REF_PRINT. Add a new tracing category and use it for printing reference counts. Rename -DDEBUG_UNUSED to -DUNUSED_RESULT_DEBUG. Fix BN_DEBUG_RAND so it compiles and, when set, force DEBUG_RAND to be set also. Rename engine_debug_ref to be ENGINE_REF_PRINT also for consistency.
  • The signatures of the functions to get and set options on SSL and SSL_CTX objects changed from "unsigned long" to "uint64_t" type. Some source code changes may be required.
  • The public definitions of conf_method_st and conf_st have been deprecated. They will be made opaque in a future release.
  • Client-initiated renegotiation is disabled by default. To allow it, use the -client_renegotiation option, the SSL_OP_ALLOW_CLIENT_RENEGOTIATION flag, or the "ClientRenegotiation" config parameter as appropriate.
  • Add "abspath" and "includedir" pragmas to config files, to prevent or modify relative pathname inclusion.
  • OpenSSL includes a cryptographic module that is intended to be FIPS 140-2 validated. Please consult the README-FIPS and README-PROVIDERS files, as well as the migration guide.
  • For the key types DH and DHX the allowed settable parameters are now different.
  • The openssl commands that read keys, certificates, and CRLs now automatically detect the PEM or DER format of the input files.
  • Added enhanced PKCS#12 APIs which accept a library context.
  • The default manual page suffix ($MANSUFFIX) has been changed to "ossl".
  • Added support for Kernel TLS (KTLS).
  • Support for RFC 5746 secure renegotiation is now required by default for SSL or TLS connections to succeed.
  • The signature of the `copy` functional parameter of the EVP_PKEY_meth_set_copy() function has changed so its `src` argument is now `const EVP_PKEY_CTX *` instead of `EVP_PKEY_CTX *`. Similarly the signature of the `pub_decode` functional parameter of the EVP_PKEY_asn1_set_public() function has changed so its `pub` argument is now `const X509_PUBKEY *` instead of `X509_PUBKEY *`.
  • The error return values from some control calls (ctrl) have changed.
  • A public key check is now performed during EVP_PKEY_derive_set_peer().
  • Many functions in the EVP_ namespace that are getters of values from implementations or contexts were renamed to include get or get0 in their names. Old names are provided as macro aliases for compatibility and are not deprecated.
  • The EVP_PKEY_CTRL_PKCS7_ENCRYPT, EVP_PKEY_CTRL_PKCS7_DECRYPT, EVP_PKEY_CTRL_PKCS7_SIGN, EVP_PKEY_CTRL_CMS_ENCRYPT, EVP_PKEY_CTRL_CMS_DECRYPT, and EVP_PKEY_CTRL_CMS_SIGN control operations are deprecated.
  • The EVP_PKEY_public_check() and EVP_PKEY_param_check() functions now work for more key types.
  • The output from the command line applications may have minor changes.
  • The output from numerous "printing" functions may have minor changes.
  • Windows thread synchronization uses read/write primitives (SRWLock) when supported by the OS, otherwise CriticalSection continues to be used.
  • Add filter BIO BIO_f_readbuffer() that allows BIO_tell() and BIO_seek() to work on read only BIO source/sinks that do not support these functions. This allows piping or redirection of a file BIO using stdin to be buffered into memory. This is used internally in OSSL_DECODER_from_bio().
  • OSSL_STORE_INFO_get_type() may now return an additional value. In 1.1.1 this function would return one of the values OSSL_STORE_INFO_NAME, OSSL_STORE_INFO_PKEY, OSSL_STORE_INFO_PARAMS, OSSL_STORE_INFO_CERT or OSSL_STORE_INFO_CRL. Decoded public keys would previously have been reported as type OSSL_STORE_INFO_PKEY in 1.1.1. In 3.0 decoded public keys are now reported as having the new type OSSL_STORE_INFO_PUBKEY. Applications using this function should be amended to handle the changed return value.
  • Improved adherence to Enhanced Security Services (ESS, RFC 2634 and RFC 5035) for the TSP and CMS Advanced Electronic Signatures (CAdES) implementations. As required by RFC 5035, check both ESSCertID and ESSCertIDv2 if both are present. Correct the semantics of checking the validation chain in case ESSCertID{,v2} contains more than one certificate identifier: this means that all certificates referenced there MUST be part of the validation chain.
  • The implementation of older EVP ciphers related to CAST, IDEA, SEED, RC2, RC4, RC5, DESX and DES have been moved to the legacy provider.
  • The implementation of the EVP digests MD2, MD4, MDC2, WHIRLPOOL and RIPEMD-160 have been moved to the legacy provider.
  • The deprecated function EVP_PKEY_get0() now returns NULL when called for a provided key.
  • The deprecated functions EVP_PKEY_get0_RSA(), EVP_PKEY_get0_DSA(), EVP_PKEY_get0_EC_KEY(), EVP_PKEY_get0_DH(), EVP_PKEY_get0_hmac(), EVP_PKEY_get0_poly1305() and EVP_PKEY_get0_siphash(), as well as the similarly named "get1" functions, behave differently in OpenSSL 3.0.
  • A number of functions handling low-level keys or engines were deprecated, including EVP_PKEY_set1_engine(), EVP_PKEY_get0_engine(), EVP_PKEY_assign(), EVP_PKEY_get0(), EVP_PKEY_get0_hmac(), EVP_PKEY_get0_poly1305() and EVP_PKEY_get0_siphash().
  • PKCS#5 PBKDF1 key derivation has been moved from PKCS5_PBE_keyivgen() into the legacy crypto provider as an EVP_KDF. Applications requiring this KDF will need to load the legacy crypto provider. This includes these PBE algorithms which use this KDF:
      NID_pbeWithMD2AndDES_CBC
      NID_pbeWithMD5AndDES_CBC
      NID_pbeWithSHA1AndRC2_CBC
      NID_pbeWithMD2AndRC2_CBC
      NID_pbeWithMD5AndRC2_CBC
      NID_pbeWithSHA1AndDES_CBC
  • Deprecated obsolete BIO_set_callback(), BIO_get_callback(), and BIO_debug_callback() functions.
  • Deprecated obsolete EVP_PKEY_CTX_get0_dh_kdf_ukm() and EVP_PKEY_CTX_get0_ecdh_kdf_ukm() functions.
  • The RAND_METHOD APIs have been deprecated.
  • The SRP APIs have been deprecated.
  • Add a compile time option to prevent the caching of provider fetched algorithms. This is enabled by including the no-cached-fetch option at configuration time.
  • pkcs12 now uses defaults of PBKDF2, AES and SHA-256, with a MAC iteration count of PKCS12_DEFAULT_ITER.
  • The openssl speed command does not use low-level API calls anymore.
  • Parallel dual-prime 1024-bit modular exponentiation for AVX512_IFMA capable processors.
  • Combining the Configure options no-ec and no-dh no longer disables TLSv1.3.
  • Implemented support for fully "pluggable" TLSv1.3 groups. This means that providers may supply their own group implementations (using either the "key exchange" or the "key encapsulation" methods) which will automatically be detected and used by libssl.
  • The undocumented function X509_certificate_type() has been deprecated;
  • Deprecated the obsolete BN_pseudo_rand() and BN_pseudo_rand_range().
  • Removed RSA padding mode for SSLv23 (which was only used for SSLv2). This includes the functions RSA_padding_check_SSLv23() and RSA_padding_add_SSLv23() and the `-ssl` option in the deprecated `rsautl` command.
  • Deprecated the obsolete X9.31 RSA key generation related functions.
  • While a callback function set via `SSL_CTX_set_cert_verify_callback()` is not allowed to return a value > 1, this is no longer taken as failure.
  • Deprecated the obsolete X9.31 RSA key generation related functions BN_X931_generate_Xpq(), BN_X931_derive_prime_ex(), and BN_X931_generate_prime_ex().
  • The default key generation method for the regular 2-prime RSA keys was changed to the FIPS 186-4 B.3.6 method.
  • Deprecated the BN_is_prime_ex() and BN_is_prime_fasttest_ex() functions.
  • Deprecated EVP_MD_CTX_set_update_fn() and EVP_MD_CTX_update_fn().
  • Deprecated the type OCSP_REQ_CTX and the functions OCSP_REQ_CTX_*() and replaced with OSSL_HTTP_REQ_CTX and the functions OSSL_HTTP_REQ_CTX_*().
  • Deprecated `X509_http_nbio()` and `X509_CRL_http_nbio()`.
  • Deprecated `OCSP_parse_url()`.
  • Validation of SM2 keys has been separated from the validation of regular EC keys.
  • Behavior of the `pkey` app is changed when using the `-check` or `-pubcheck` switches: a validation failure triggers an early exit, returning a failure exit status to the parent process.
  • Changed behavior of SSL_CTX_set_ciphersuites() and SSL_set_ciphersuites() to ignore unknown ciphers.
  • The `-cipher-commands` and `-digest-commands` options of the command line utility `list` have been deprecated. Instead use the `-cipher-algorithms` and `-digest-algorithms` options.
  • Added convenience functions for generating asymmetric key pairs: The 'quick' one-shot (yet somewhat limited) function EVP_PKEY_Q_keygen(3) and macros for the most common cases: EVP_RSA_gen(3) and EVP_EC_gen(3).
  • All of the low level EC_KEY functions have been deprecated.
  • Deprecated all the libcrypto and libssl error string loading functions.
  • The functions SSL_CTX_set_tmp_dh_callback and SSL_set_tmp_dh_callback, as well as the macros SSL_CTX_set_tmp_dh() and SSL_set_tmp_dh() have been deprecated.
  • The `-crypt` option to the `passwd` command line tool has been removed.
  • The -C option to the `x509`, `dhparam`, `dsaparam`, and `ecparam` commands was removed.
  • Add support for AES Key Wrap inverse ciphers to the EVP layer.
  • Deprecated EVP_PKEY_set1_tls_encodedpoint() and EVP_PKEY_get1_tls_encodedpoint().
  • The security callback, which can be customised by application code, supports the security operation SSL_SECOP_TMP_DH. One location of the "other" parameter was incorrectly passing a DH object. It now passes an EVP_PKEY in all cases.
  • Add PKCS7_get_octet_string() and PKCS7_type_is_other() to the public interface. Their functionality remains unchanged.
  • Added new option for 'openssl list', '-providers', which will display the list of loaded providers, their names, version and status. It optionally displays their gettable parameters.
  • Removed EVP_PKEY_set_alias_type().
  • Deprecated `EVP_PKEY_CTX_set_rsa_keygen_pubexp()` and introduced `EVP_PKEY_CTX_set1_rsa_keygen_pubexp()`, which is now preferred.
  • Changed all "STACK" functions to be macros instead of inline functions. Macro parameters are still checked for type safety at compile time via helper inline functions.
  • Remove the RAND_DRBG API.
  • Allow `SSL_set1_host()` and `SSL_add1_host()` to take IP literal addresses as well as actual hostnames.
  • The 'MinProtocol' and 'MaxProtocol' configuration commands now silently ignore TLS protocol version bounds when configuring DTLS-based contexts, and conversely, silently ignore DTLS protocol version bounds when configuring TLS-based contexts. The commands can be repeated to set bounds of both types. The same applies with the corresponding "min_protocol" and "max_protocol" command-line switches, in case some application uses both TLS and DTLS.
  • SSL_CTX instances that are created for a fixed protocol version (e.g. `TLSv1_server_method()`) also silently ignore version bounds. Previously, attempts to apply bounds to these protocol versions would result in an error. Now only the "version-flexible" SSL_CTX instances are subject to limits in configuration files and in command-line options.
  • Deprecated the `ENGINE` API. Engines should be replaced with providers going forward.
  • Reworked the recorded ERR codes to make better space for system errors. To distinguish them, the macro `ERR_SYSTEM_ERROR()` indicates if the given code is a system error (true) or an OpenSSL error (false).
  • Reworked the test perl framework to better allow parallel testing.
  • Added ciphertext stealing algorithms AES-128-CBC-CTS, AES-192-CBC-CTS and AES-256-CBC-CTS to the providers. CS1, CS2 and CS3 variants are supported.
  • 'Configure' has been changed to figure out the configuration target if none is given on the command line. Consequently, the 'config' script is now only a mere wrapper. All documentation is changed to only mention 'Configure'.
  • Added a library context `OSSL_LIB_CTX` that applications as well as other libraries can use to form a separate context within which libcrypto operations are performed.
  • Added various `_ex` functions to the OpenSSL API that support using a non-default `OSSL_LIB_CTX`.
  • Handshake now fails if Extended Master Secret extension is dropped on renegotiation.
  • Dropped interactive mode from the `openssl` program.
  • Deprecated `EVP_PKEY_cmp()` and `EVP_PKEY_cmp_parameters()`.
  • Deprecated `EC_METHOD_get_field_type()`.
  • Deprecated EC_GFp_simple_method(), EC_GFp_mont_method(), EC_GF2m_simple_method(), EC_GFp_nist_method(), EC_GFp_nistp224_method() EC_GFp_nistp256_method(), and EC_GFp_nistp521_method().
  • Deprecated EC_GROUP_new(), EC_GROUP_method_of(), and EC_POINT_method_of().
  • Add CAdES-BES signature verification support, mostly derived from ESSCertIDv2 TS (RFC 5816) contribution by Marek Klein.
  • Add CAdES-BES signature scheme and attributes support (RFC 5126) to CMS API.
  • Added the AuthEnvelopedData content type structure (RFC 5083) with AES-GCM parameter (RFC 5084) for the Cryptographic Message Syntax (CMS).
  • Deprecated EC_POINT_make_affine() and EC_POINTs_make_affine().
  • Deprecated EC_GROUP_precompute_mult(), EC_GROUP_have_precompute_mult(), and EC_KEY_precompute_mult().
  • Deprecated EC_POINTs_mul().
  • Removed FIPS_mode() and FIPS_mode_set().
  • The SSL option SSL_OP_IGNORE_UNEXPECTED_EOF is introduced.
  • Deprecated EC_POINT_set_Jprojective_coordinates_GFp() and EC_POINT_get_Jprojective_coordinates_GFp().
  • Added OSSL_PARAM_BLD to the public interface. This allows OSSL_PARAM arrays to be more easily constructed via a series of utility functions. Create a parameter builder using OSSL_PARAM_BLD_new(), add parameters using the various push functions and finally convert to a passable OSSL_PARAM array using OSSL_PARAM_BLD_to_param().
  • The security strength of SHA1 and MD5 based signatures in TLS has been reduced.
  • Added EVP_PKEY_set_type_by_keymgmt(), to initialise an EVP_PKEY to contain a provider side internal key.
  • ASN1_verify(), ASN1_digest() and ASN1_sign() have been deprecated.
  • Project text documents not yet having a proper file name extension (`HACKING`, `LICENSE`, `NOTES*`, `README*`, `VERSION`) have been renamed to `*.md` as far as reasonable, else `*.txt`, for better use with file managers.
  • The main project documents (README, NEWS, CHANGES, INSTALL, SUPPORT) have been converted to Markdown with the goal to produce documents which not only look pretty when viewed online in the browser, but remain well readable inside a plain text editor.
  • To achieve this goal, a 'minimalistic' Markdown style has been applied which avoids formatting elements that interfere too much with the reading flow in the text file. For example, it avoids [ATX headings][] and uses [setext headings][] instead (which works for `<h1>` and `<h2>` headings only), avoids [inline links][] and uses [reference links][] instead, and avoids [fenced code blocks][] and uses [indented code blocks][] instead.
    [ATX headings]: https://github.github.com/gfm/#atx-headings
    [setext headings]: https://github.github.com/gfm/#setext-headings
    [inline links]: https://github.github.com/gfm/#inline-link
    [reference links]: https://github.github.com/gfm/#reference-link
    [fenced code blocks]: https://github.github.com/gfm/#fenced-code-blocks
    [indented code blocks]: https://github.github.com/gfm/#indented-code-blocks
  • The test suite is changed to preserve results of each test recipe. A new directory test-runs/ with subdirectories named like the test recipes is created in the build tree for this purpose.
  • Added an implementation of CMP and CRMF (RFC 4210, RFC 4211, RFC 6712). This adds `crypto/cmp/`, `crypto/crmf/`, `apps/cmp.c`, and `test/cmp_*`. See openssl-cmp(1) and OSSL_CMP_exec_IR_ses(3) as starting points.
  • Generalized the HTTP client code from `crypto/ocsp/` into `crypto/http/`. It supports arbitrary request and response content types, GET redirection, TLS, connections via HTTP(S) proxies, connections and exchange via user-defined BIOs (allowing implicit connections), persistent connections, and timeout checks. See OSSL_HTTP_transfer(3) etc. for details. The legacy OCSP-focused (and only partly documented) API is retained for backward compatibility, while most of it is deprecated.
  • Added `util/check-format.pl`, a tool for checking adherence to the OpenSSL coding style <https://www.openssl.org/policies/codingstyle.html>. The checks performed are incomplete and yield some false positives. Still the tool should be useful for detecting most typical glitches.
  • `BIO_do_connect()` and `BIO_do_handshake()` have been extended: If domain name resolution yields multiple IP addresses all of them are tried after `connect()` failures.
  • All of the low level RSA functions have been deprecated.
  • X509 certificates signed using SHA1 are no longer allowed at security level 1 and above.
  • The command line utilities dhparam, dsa, gendsa and dsaparam have been modified to use PKEY APIs. These commands are now in maintenance mode and no new features will be added to them.
  • The command line utility rsautl has been deprecated.
  • The command line utilities genrsa and rsa have been modified to use PKEY APIs. They now write PKCS#8 keys by default. These commands are now in maintenance mode and no new features will be added to them.
  • All of the low level DH functions have been deprecated.
  • All of the low level DSA functions have been deprecated.
  • Reworked the treatment of EC EVP_PKEYs with the SM2 curve to automatically become EVP_PKEY_SM2 rather than EVP_PKEY_EC.
  • Deprecated low level ECDH and ECDSA functions.
  • Deprecated EVP_PKEY_decrypt_old() and EVP_PKEY_encrypt_old().
  • Enhanced the documentation of EVP_PKEY_get_size(), EVP_PKEY_get_bits() and EVP_PKEY_get_security_bits(). Especially EVP_PKEY_get_size() needed a new formulation to include all the things it can be used for, as well as words of caution.
  • The SSL_CTX_set_tlsext_ticket_key_cb(3) function has been deprecated.
  • All of the low level HMAC functions have been deprecated.
  • Over two thousand fixes were made to the documentation, including: Common options (such as -rand/-writerand, TLS version control, etc) were refactored and point to newly-enhanced descriptions in openssl.pod. Added style conformance for all options (with help from Richard Levitte), documented all reported missing options, added a CI build to check that all options are documented and that no unimplemented options are documented. Documented some internals, such as all use of environment variables. Addressed all internal broken L<> references.
  • All of the low level CMAC functions have been deprecated.
  • The low-level MD2, MD4, MD5, MDC2, RIPEMD160 and Whirlpool digest functions have been deprecated.
  • Corrected the documentation of the return values from the `EVP_DigestSign*` set of functions. The documentation mentioned negative values for some errors, but this was never the case, so the mention of negative values was removed.
  • Code that followed the documentation and thereby checks with something like `EVP_DigestSignInit(...) <= 0` will continue to work undisturbed.
  • All of the low level cipher functions have been deprecated.
  • Removed include/openssl/opensslconf.h.in and replaced it with include/openssl/configuration.h.in, which differs in not including <openssl/macros.h>. A short header include/openssl/opensslconf.h was added to include both.
  • This allows internal hacks where one might need to modify the set of configured macros, for example this, if deprecated symbols are still supposed to be available internally:
      #include <openssl/configuration.h>
      #undef OPENSSL_NO_DEPRECATED
      #define OPENSSL_SUPPRESS_DEPRECATED
      #include <openssl/macros.h>
  • This should not be used by applications that use the exported symbols, as that will lead to linking errors.
  • Fixed an overflow bug in the x86_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low-level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. (CVE-2019-1551)
  • Most memory-debug features have been deprecated, and the functionality replaced with no-ops.
  • Added documentation for the STACK API.
  • Introduced a new method type and API, OSSL_ENCODER, to represent generic encoders. These do the same sort of job that PEM writers and d2i functions do, but with support for methods supplied by providers, and the possibility for providers to support other formats as well.
  • Introduced a new method type and API, OSSL_DECODER, to represent generic decoders. These do the same sort of job that PEM readers and i2d functions do, but with support for methods supplied by providers, and the possibility for providers to support other formats as well.
  • Added a .pragma directive to the syntax of configuration files, to allow varying behavior in a supported and predictable manner. Currently added pragma:
      .pragma dollarid:on
    This allows dollar signs to be a keyword character unless it's followed by an opening brace or parenthesis. This is useful for platforms where dollar signs are commonly used in names, such as volume names and system directory names on VMS.
  • Added functionality to create an EVP_PKEY from user data.
  • Change the interpretation of the '--api' configuration option to mean that this is a desired API compatibility level with no further meaning. The previous interpretation, that this would also mean to remove all deprecated symbols up to and including the given version, now requires that 'no-deprecated' is also used in the configuration.
  • When building applications, the desired API compatibility level can be set with the OPENSSL_API_COMPAT macro like before. For API compatibility versions below 3.0, the old style numerical value is valid as before, such as -DOPENSSL_API_COMPAT=0x10100000L. For version 3.0 and on, the value is expected to be the decimal value calculated from the major and minor version like this:
      MAJOR * 10000 + MINOR * 100
    Examples:
      -DOPENSSL_API_COMPAT=30000    For 3.0
      -DOPENSSL_API_COMPAT=30200    For 3.2
  • To hide declarations that are deprecated up to and including the given API compatibility level, -DOPENSSL_NO_DEPRECATED must be given when building the application as well.
  • Added the X509_LOOKUP_METHOD called X509_LOOKUP_store, to allow access to certificate and CRL stores via URIs and OSSL_STORE loaders. This adds the following functions:
      X509_LOOKUP_store()
      X509_STORE_load_file()
      X509_STORE_load_path()
      X509_STORE_load_store()
      SSL_add_store_cert_subjects_to_stack()
      SSL_CTX_set_default_verify_store()
      SSL_CTX_load_verify_file()
      SSL_CTX_load_verify_dir()
      SSL_CTX_load_verify_store()
  • Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY. The presence of this system service is determined at run-time.
  • Added functionality to create an EVP_PKEY context based on data for methods from providers. This takes an algorithm name and a property query string and simply stores them, with the intent that any operation that uses this context will use those strings to fetch the needed methods implicitly, thereby making it easier to port applications written for pre-3.0 OpenSSL.
  • The undocumented function NCONF_WIN32() has been deprecated; for conversion details see the HISTORY section of doc/man5/config.pod
  • Introduced the new functions EVP_DigestSignInit_ex() and EVP_DigestVerifyInit_ex(). The macros EVP_DigestSignUpdate() and EVP_DigestVerifyUpdate() have been converted to functions. See the man pages for further details.
  • Over two thousand fixes were made to the documentation, including: adding missing command flags, better style conformance, documentation of internals, etc.
  • s390x assembly pack: add hardware-support for P-256, P-384, P-521, X25519, X448, Ed25519 and Ed448.
  • Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just the first value.
  • Deprecated the public definition of `ERR_STATE` as well as the function `ERR_get_state()`. This is done in preparation of making `ERR_STATE` an opaque type.
  • Added ERR functionality to give callers access to the stored function names that have replaced the older function code based functions. New functions are ERR_peek_error_func(), ERR_peek_last_error_func(), ERR_peek_error_data(), ERR_peek_last_error_data(), ERR_get_error_all(), ERR_peek_error_all() and ERR_peek_last_error_all().
  • Deprecate ERR functions ERR_get_error_line(), ERR_get_error_line_data(), ERR_peek_error_line_data(), ERR_peek_last_error_line_data() and ERR_func_error_string().
  • Extended testing to be verbose for failing tests only. The make variables VERBOSE_FAILURE or VF can be used to enable this:
      $ make VF=1 test                 # Unix
      $ mms /macro=(VF=1) test         ! OpenVMS
      $ nmake VF=1 test                # Windows
  • Added the `-copy_extensions` option to the `x509` command for use with `-req` and `-x509toreq`. When given with the `copy` or `copyall` argument, all extensions in the request are copied to the certificate or vice versa.
  • Added the `-copy_extensions` option to the `req` command for use with `-x509`. When given with the `copy` or `copyall` argument, all extensions in the certification request are copied to the certificate.
  • The `x509`, `req`, and `ca` commands now make sure that X.509v3 certificates they generate are by default RFC 5280 compliant in the following sense: There is a subjectKeyIdentifier extension with a hash value of the public key and for not self-signed certs there is an authorityKeyIdentifier extension with a keyIdentifier field or issuer information identifying the signing key. This is done unless some configuration overrides the new default behavior, such as `subjectKeyIdentifier = none` and `authorityKeyIdentifier = none`.
  • Added several checks to `X509_verify_cert()` according to requirements in RFC 5280 in case `X509_V_FLAG_X509_STRICT` is set (which may be done by using the CLI option `-x509_strict`): The basicConstraints of CA certificates must be marked critical. CA certificates must explicitly include the keyUsage extension. If a pathlenConstraint is given the key usage keyCertSign must be allowed. The issuer name of any certificate must not be empty. The subject name of CA certs, certs with keyUsage crlSign, and certs without subjectAlternativeName must not be empty. If a subjectAlternativeName extension is given it must not be empty. The signatureAlgorithm field and the cert signature must be consistent. Any given authorityKeyIdentifier and any given subjectKeyIdentifier must not be marked critical. The authorityKeyIdentifier must be given for X.509v3 certs unless they are self-signed. The subjectKeyIdentifier must be given for all X.509v3 CA certs.
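The strict-mode rule list above, written out as a standalone checker over a constructed record of certificate fields. This is an added example, not OpenSSL's verifier code; `cert_model`, `strict_check` and the sample constructors are hypothetical names, and the model assumes X.509v3 certificates.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of the certificate fields the strict checks inspect
 * (not OpenSSL's X509 type); every certificate is assumed to be X.509v3. */
typedef struct {
    bool self_signed;
    bool is_ca;             /* basicConstraints cA = TRUE */
    bool bc_critical;       /* basicConstraints marked critical */
    bool has_pathlen;       /* pathLenConstraint present */
    bool has_key_usage;
    bool ku_key_cert_sign;
    bool ku_crl_sign;
    size_t issuer_len;      /* 0 means an empty issuer name */
    size_t subject_len;     /* 0 means an empty subject name */
    bool has_san;
    size_t san_count;       /* entries in subjectAltName when present */
    bool has_aki, aki_critical;
    bool has_ski, ski_critical;
    bool sigalg_consistent; /* outer signatureAlgorithm matches tbsCertificate */
} cert_model;

/* Returns NULL when the certificate passes every rule, otherwise the name
 * of the first rule (in the order the changelog lists them) that it breaks. */
const char *strict_check(const cert_model *c) {
    if (c->is_ca && !c->bc_critical)
        return "CA basicConstraints not critical";
    if (c->is_ca && !c->has_key_usage)
        return "CA without keyUsage";
    if (c->has_pathlen && !(c->has_key_usage && c->ku_key_cert_sign))
        return "pathLenConstraint without keyCertSign";
    if (c->issuer_len == 0)
        return "empty issuer name";
    /* Subject may be empty only for a non-CA, non-crlSign cert that has a SAN */
    if (c->subject_len == 0 && (c->is_ca || c->ku_crl_sign || !c->has_san))
        return "empty subject name";
    if (c->has_san && c->san_count == 0)
        return "empty subjectAltName";
    if (!c->sigalg_consistent)
        return "signatureAlgorithm mismatch";
    if ((c->has_aki && c->aki_critical) || (c->has_ski && c->ski_critical))
        return "AKI/SKI marked critical";
    if (!c->self_signed && !c->has_aki)
        return "missing authorityKeyIdentifier";
    if (c->is_ca && !c->has_ski)
        return "CA missing subjectKeyIdentifier";
    return NULL;
}

/* Constructed sample: a well-formed intermediate CA. */
cert_model good_ca(void) {
    cert_model c = {0};
    c.is_ca = true; c.bc_critical = true;
    c.has_key_usage = true; c.ku_key_cert_sign = true;
    c.issuer_len = 10; c.subject_len = 12;
    c.has_aki = true; c.has_ski = true;
    c.sigalg_consistent = true;
    return c;
}

/* Constructed sample: an end-entity cert with an empty subject but a SAN,
 * which the rules allow. */
cert_model leaf_with_san(void) {
    cert_model c = {0};
    c.issuer_len = 10; c.has_san = true; c.san_count = 1;
    c.has_aki = true; c.sigalg_consistent = true;
    return c;
}
```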
  • Certificate verification using `X509_verify_cert()` now rejects EC keys with explicit curve parameters (specifiedCurve) as required by RFC 5480.
  • For built-in EC curves, ensure an EC_GROUP built from the curve name is used even when parsing explicit parameters, when loading an encoded key or calling `EC_GROUP_new_from_ecpkparameters()`/`EC_GROUP_new_from_ecparameters()`. This prevents bypass of security hardening and performance gains, especially for curves with specialized EC_METHODs. By default, if a key encoded with explicit parameters is loaded and later encoded, the output is still encoded with explicit parameters, even if internally a "named" EC_GROUP is used for computation.
  • Compute ECC cofactors if not provided during EC_GROUP construction. Before this change, EC_GROUP_set_generator would accept order and/or cofactor as NULL. After this change, only the cofactor parameter can be NULL. It also does some minimal sanity checks on the passed order. ([CVE-2019-1547])
  • Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey. An attack is simple, if the first CMS_recipientInfo is valid but the second CMS_recipientInfo is chosen ciphertext. If the second recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct encryption key will be replaced by garbage, and the message cannot be decoded, but if the RSA decryption fails, the correct encryption key is used and the recipient will not notice the attack. As a workaround for this potential attack the length of the decrypted key must be equal to the cipher default key length, in case the certificate is not given and all recipientInfo are tried out. The old behaviour can be re-enabled in the CMS code by setting the CMS_DEBUG_DECRYPT flag.
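The workaround above, modelled on the no-certificate path that tries every recipientInfo in turn and lets each accepted result overwrite the content-encryption key. This is an added example, not OpenSSL's CMS code; `recipient_result`, `select_cek` and the constructed two-recipient scenario are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of one RecipientInfo's RSA unwrap outcome: either the
 * PKCS#1 v1.5 decode failed, or it produced some number of key bytes. */
typedef struct {
    bool unwrap_ok;
    unsigned char key[64];
    size_t keylen;
} recipient_result;

/* Walks every recipient without leaving the loop on the first success (the
 * no-certificate path tries them all so timing does not reveal which one
 * matched). Each accepted result overwrites the content-encryption key (CEK).
 * With enforce_keylen set, a result is accepted only if the unwrap succeeded
 * AND its length equals the cipher's default key length; with it clear, the
 * pre-fix behaviour (what CMS_DEBUG_DECRYPT restores) is modelled instead.
 * Returns the index of the last accepted recipient, or -1 if none. */
int select_cek(const recipient_result *ris, size_t n, size_t cipher_keylen,
               bool enforce_keylen, unsigned char *cek_out, size_t *cek_len) {
    int chosen = -1;
    for (size_t i = 0; i < n; i++) {
        if (!ris[i].unwrap_ok)
            continue;                       /* decode failure: key unchanged */
        if (enforce_keylen && ris[i].keylen != cipher_keylen)
            continue;                       /* wrong length: treated the same */
        memcpy(cek_out, ris[i].key, ris[i].keylen);
        *cek_len = ris[i].keylen;
        chosen = (int)i;
    }
    return chosen;
}

/* Constructed scenario from the changelog entry: recipient 0 is genuine
 * (16-byte key), recipient 1 "decodes" to a 5-byte garbage value. */
int demo_select(bool enforce_keylen, size_t *cek_len) {
    recipient_result ris[2];
    unsigned char cek[64];
    memset(ris, 0, sizeof ris);
    ris[0].unwrap_ok = true; ris[0].keylen = 16; memset(ris[0].key, 0x11, 16);
    ris[1].unwrap_ok = true; ris[1].keylen = 5;  memset(ris[1].key, 0x22, 5);
    *cek_len = 0;
    return select_cek(ris, 2, 16, enforce_keylen, cek, cek_len);
}
```

With the length check enforced the genuine 16-byte key survives; without it the garbage value overwrites it and the message fails to decrypt, which is the observable difference the oracle relied on.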
  • Early start up entropy quality from the DEVRANDOM seed source has been improved for older Linux systems. The RAND subsystem will wait for /dev/random to be producing output before seeding from /dev/urandom. The seeded state is stored for future library initialisations using a system global shared memory segment. The shared memory identifier can be configured by defining OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID to the desired value. The default identifier is 114.
  • Revised BN_generate_prime_ex to not avoid factors 2..17863 in p-1 when primes for RSA keys are computed. Since we previously always generated primes == 2 (mod 3) for RSA keys, the 2-prime and 3-prime RSA moduli were easy to distinguish, since `N = p*q = 1 (mod 3)`, but `N = p*q*r = 2 (mod 3)`. Therefore fingerprinting 2-prime vs. 3-prime RSA keys was possible by computing N mod 3. This avoids possible fingerprinting of newly generated RSA moduli.
  • Correct the extended master secret constant on EBCDIC systems. Without this fix TLS connections between an EBCDIC system and a non-EBCDIC system that negotiate EMS will fail. Unfortunately this also means that TLS connections between EBCDIC systems with this fix, and EBCDIC systems without this fix will fail if they negotiate EMS.
  • Changed the library initialisation so that the config file is now loaded by default. This was already the case for libssl. It now occurs for both libcrypto and libssl. Use the OPENSSL_INIT_NO_LOAD_CONFIG option to `OPENSSL_init_crypto()` to suppress automatic loading of a config file.
  • Introduced new error raising macros, `ERR_raise()` and `ERR_raise_data()`, where the former acts as a replacement for `ERR_put_error()`, and the latter replaces the combination `ERR_put_error()` + `ERR_add_error_data()`. `ERR_raise_data()` adds more flexibility by taking a format string and an arbitrary number of arguments following it, to be processed with `BIO_snprintf()`.
  • Introduced a new function, `OSSL_PROVIDER_available()`, which can be used to check if a named provider is loaded and available. When called, it will also activate all fallback providers if such are still present.
  • Enforce a minimum DH modulus size of 512 bits.
  • Changed DH parameters to generate the order q subgroup instead of 2q. Previously generated DH parameters are still accepted by DH_check but DH_generate_key works around that by clearing bit 0 of the private key for those. This avoids leaking bit 0 of the private key.
  • Significantly reduce secure memory usage by the randomness pools.
  • `{CRYPTO,OPENSSL}_mem_debug_{push,pop}` are now no-ops and have been deprecated.
  • A new type, EVP_KEYEXCH, has been introduced to represent key exchange algorithms. An implementation of a key exchange algorithm can be obtained by using the function EVP_KEYEXCH_fetch(). An EVP_KEYEXCH algorithm can be used in a call to EVP_PKEY_derive_init_ex() which works in a similar way to the older EVP_PKEY_derive_init() function. See the man pages for the new functions for further details.
  • The EVP_PKEY_CTX_set_dh_pad() macro has now been converted to a function.
  • Removed the function names from error messages and deprecated the xxx_F_xxx defines.
  • Removed NextStep support and the macro OPENSSL_UNISTD
  • Removed DES_check_key. Also removed OPENSSL_IMPLEMENT_GLOBAL, OPENSSL_GLOBAL_REF, OPENSSL_DECLARE_GLOBAL. Also removed "export var as function" capability; we do not export variables, only functions.
  • RC5_32_set_key has been changed to return an int type, with 0 indicating an error and 1 indicating success. In previous versions of OpenSSL this was a void type. If a key was set longer than the maximum possible this would crash.
  • Support SM2 signing and verification schemes with X509 certificate.
  • Use SHA256 as the default digest for TS query in the `ts` app.
  • Change PBKDF2 to conform to SP800-132 instead of the older PKCS5 RFC2898.
  • Default cipher lists/suites are now available via a function, the defines are deprecated.
  • Add target VC-WIN32-UWP, VC-WIN64A-UWP, VC-WIN32-ARM-UWP and VC-WIN64-ARM-UWP in Windows OneCore target for making building libraries for Windows Store apps easier. Also, the "no-uplink" option has been added.
  • Join the directories crypto/x509 and crypto/x509v3
  • Added command 'openssl kdf' that uses the EVP_KDF API.
  • Added command 'openssl mac' that uses the EVP_MAC API.
  • Added OPENSSL_info() to get diverse built-in OpenSSL data, such as default directories. Also added the command 'openssl info' for scripting purposes.
  • The functions AES_ige_encrypt() and AES_bi_ige_encrypt() have been deprecated.
  • Add prediction resistance to the DRBG reseeding process.
  • Limit the number of blocks in a data unit for AES-XTS to 2^20 as mandated by IEEE Std 1619-2018.
  • Added newline escaping functionality to a filename when using openssl dgst. This output format is to replicate the output format found in the `*sum` checksum programs. This aims to preserve backward compatibility.
  • Removed the heartbeat message in DTLS feature, as it has very little usage and doesn't seem to fulfill a valuable purpose. The configuration option is now deprecated.
  • Changed the output of 'openssl {digestname} < file' to display the digest name in its output.
  • Added a new generic trace API which provides support for enabling instrumentation through trace output.
  • Added build tests for C++. These are generated files that only do one thing, to include one public OpenSSL header file each. This tests that the public header files can be usefully included in a C++ application. This test isn't enabled by default. It can be enabled with the option 'enable-buildtest-c++'.
  • Added KB KDF (EVP_KDF_KB) to EVP_KDF.
  • Added SSH KDF (EVP_KDF_SSHKDF) and KRB5 KDF (EVP_KDF_KRB5KDF) to EVP_KDF.
  • Added Single Step KDF (EVP_KDF_SS), X963 KDF, and X942 KDF to EVP_KDF.
  • Added KMAC to EVP_MAC.
  • Added property based algorithm implementation selection framework to the core.
  • Added SCA hardening for modular field inversion in EC_GROUP through a new dedicated field_inv() pointer in EC_METHOD. This also addresses a leakage affecting conversions from projective to affine coordinates.
  • Added EVP_KDF, an EVP layer KDF API, to simplify adding KDF and PRF implementations. This includes an EVP_PKEY to EVP_KDF bridge for those algorithms that were already supported through the EVP_PKEY API (scrypt, TLS1 PRF and HKDF). The low-level KDF functions for PBKDF2 and scrypt are now wrappers that call EVP_KDF.
  • Build devcrypto engine as a dynamic engine.
  • Add keyed BLAKE2 to EVP_MAC.
  • Fix a bug in the computation of the endpoint-pair shared secret used by DTLS over SCTP. This breaks interoperability with older versions of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2. There is a runtime switch SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG (off by default) enabling interoperability with such broken implementations. However, enabling this switch breaks interoperability with correct implementations.
  • Fix a use after free bug in d2i_X509_PUBKEY when overwriting a re-used X509_PUBKEY object if the second PUBKEY is malformed.
  • Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().
  • Changed the license to the Apache License v2.0.
  • Switch to a new version scheme using three numbers MAJOR.MINOR.PATCH.
  • Major releases (indicated by incrementing the MAJOR release number) may introduce incompatible API/ABI changes.
  • Minor releases (indicated by incrementing the MINOR release number) may introduce new features but retain API/ABI compatibility.
  • Patch releases (indicated by incrementing the PATCH number) are intended for bug fixes and other improvements of existing features only (like improving performance or adding documentation) and retain API/ABI compatibility.
  • Add support for RFC5297 SIV mode (siv128), including AES-SIV.
  • Remove the 'dist' target and add a tarball building script. The 'dist' target has fallen out of use, and it shouldn't be necessary to configure just to create a source distribution.
  • Recreate the OS390-Unix config target. It no longer relies on a special script like it did for OpenSSL pre-1.1.0.
  • Instead of having the source directories listed in Configure, add a 'build.info' keyword SUBDIRS to indicate what sub-directories to look into.
  • Add GMAC to EVP_MAC.
  • Ported the HMAC, CMAC and SipHash EVP_PKEY_METHODs to EVP_MAC.
  • Added EVP_MAC, an EVP layer MAC API, to simplify adding MAC implementations. This includes a generic EVP_PKEY to EVP_MAC bridge, to facilitate the continued use of MACs through raw private keys in functionality such as `EVP_DigestSign*` and `EVP_DigestVerify*`.
  • Deprecate ECDH_KDF_X9_62().
  • Added EVP_PKEY_ECDH_KDF_X9_63 and ecdh_KDF_X9_63() as replacements for the EVP_PKEY_ECDH_KDF_X9_62 KDF type and ECDH_KDF_X9_62(). The old names are retained for backwards compatibility.
  • AES-XTS mode now enforces that its two keys are different to mitigate the attack described in "Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC" by Phillip Rogaway. Details of this attack can be obtained from: <http://web.cs.ucdavis.edu/%7Erogaway/papers/offsets.pdf>
  • Rename the object files, i.e. give them other names than in previous versions. Their names now include the name of the final product, as well as its type mnemonic (bin, lib, shlib).
  • Added new option for 'openssl list', '-objects', which will display the list of built in objects, i.e. OIDs with names.
  • Added the options `-crl_lastupdate` and `-crl_nextupdate` to `openssl ca`, allowing the `lastUpdate` and `nextUpdate` fields in the generated CRL to be set explicitly.
  • Added support for Linux Kernel TLS data-path. The Linux Kernel data-path improves application performance by removing data copies and providing applications with zero-copy system calls such as sendfile and splice.
  • The SSL option SSL_OP_CLEANSE_PLAINTEXT is introduced.
  • `PKCS12_parse` now maintains the order of the parsed certificates when outputting them via `*ca` (rather than reversing it).
  • Deprecated pthread fork support methods.
  • Added support for FFDHE key exchange in TLS 1.3.
  • Added a new concept for OpenSSL plugability: providers. This functionality is designed to replace the ENGINE API and ENGINE implementations, and to be much more dynamic, allowing provider authors to introduce new algorithms among other things, as long as there's an API that supports the algorithm type.
  • With this concept comes a new core API for interaction between libcrypto and provider implementations. Public libcrypto functions that want to use providers do so through this core API.
  • The main documentation for this core API is found in doc/man7/provider.pod, doc/man7/provider-base.pod, and they in turn refer to other manuals describing the API specific for supported algorithm types (also called operations).

New in OpenSSL 1.1.1L (Aug 25, 2021)

  • Fixed an SM2 Decryption Buffer Overflow:
  • In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the "out" parameter.
  • A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small.
  • A malicious attacker who is able to present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. ([CVE-2021-3711])
  • Fixed various read buffer overruns processing ASN.1 strings:
  • ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are represented as a buffer for the string data which is terminated with a NUL (0) byte.
  • Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own "d2i" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure.
  • However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the "data" and "length" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function.
  • Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the "data" field, then a read buffer overrun can occur.
  • The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions.
  • If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). ([CVE-2021-3712])
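The non-NUL-terminated case described above, shown on a minimal struct standing in for ASN1_STRING: a `set()`-style constructor that appends a NUL, a `set0()`-style one that does not, a length computation that wrongly trusts a terminator, and a length-aware copy that stays within the value. This is an added example, not OpenSSL code; the `model_*` names and the constructed backing buffer are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for ASN1_STRING: a length plus a data pointer that is
 * not required to be NUL terminated. */
typedef struct {
    int length;
    unsigned char *data;
} model_asn1_string;

/* Models ASN1_STRING_set(): copies the bytes and appends a NUL terminator. */
static int model_string_set(model_asn1_string *s, const unsigned char *src, int len) {
    unsigned char *buf = malloc((size_t)len + 1);
    if (buf == NULL)
        return 0;
    memcpy(buf, src, (size_t)len);
    buf[len] = '\0';
    s->data = buf;
    s->length = len;
    return 1;
}

/* Models ASN1_STRING_set0(): takes the caller's buffer as-is, no NUL appended. */
static void model_string_set0(model_asn1_string *s, unsigned char *buf, int len) {
    s->data = buf;
    s->length = len;
}

/* The faulty pattern: assumes a terminator that set0()-built strings lack,
 * so it keeps reading past the logical end of the value. */
static size_t unsafe_value_len(const model_asn1_string *s) {
    return strlen((const char *)s->data);
}

/* The hardened pattern: honours 'length', copies exactly that many bytes and
 * NUL-terminates the caller's copy. Returns 0 if the value does not fit. */
static int safe_value_copy(const model_asn1_string *s, char *out, size_t outsz) {
    if (s->length < 0 || (size_t)s->length >= outsz)
        return 0;
    memcpy(out, s->data, (size_t)s->length);
    out[s->length] = '\0';
    return 1;
}

/* Constructed backing buffer: the 4-byte value "CN=a" is followed, in the same
 * allocation, by other bytes, so the overread is visible yet stays in bounds. */
static unsigned char backing[] = "CN=a" "SECRET-BYTES";

size_t demo_unsafe_len(void) {
    model_asn1_string s;
    model_string_set0(&s, backing, 4);
    return unsafe_value_len(&s);      /* 16: ran on past the 4-byte value */
}

int demo_safe_copy(char *out, size_t outsz) {
    model_asn1_string s;
    model_string_set0(&s, backing, 4);
    return safe_value_copy(&s, out, outsz);
}

size_t demo_set_len(void) {
    model_asn1_string s;
    size_t n;
    if (!model_string_set(&s, backing, 4))
        return 0;
    n = unsafe_value_len(&s);         /* 4: set() appended the NUL */
    free(s.data);
    return n;
}
```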

New in OpenSSL 1.1.1k (Mar 26, 2021)

  • OpenSSL 1.1.1k is now available, including bug and security fixes

New in OpenSSL 1.1.1j (Feb 18, 2021)

  • Fixed a NULL pointer deref in the X509_issuer_and_serial_hash() function (CVE-2021-23841)
  • Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks
  • Fixed an overflow in the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions (CVE-2021-23840)
  • Fixed SRP_Calc_client_key so that it runs in constant time

New in OpenSSL 1.1.1j (Feb 18, 2021)

  • OpenSSL 1.1.1j is now available, including bug and security fixes

New in OpenSSL 1.1.1g (Apr 21, 2020)

  • Security Advisory: one high severity fix in SSL_check_chain()
  • OpenSSL 1.1.1g is now available, including a security fix