git: 83eaf7ae0a7b - main - OpenSSL: Merge OpenSSL 1.1.1p

From: Jung-uk Kim <>
Date: Tue, 21 Jun 2022 18:23:40 UTC
The branch main has been updated by jkim:


commit 83eaf7ae0a7b502de1b08850324b447591bd6916
Merge: 8870cb573f4a 54ae8e38f717
Author:     Jung-uk Kim <>
AuthorDate: 2022-06-21 17:33:01 +0000
Commit:     Jung-uk Kim <>
CommitDate: 2022-06-21 17:34:41 +0000

    OpenSSL: Merge OpenSSL 1.1.1p
    Merge commit '54ae8e38f717f22963c2a87f48af6ecefc6b3e9b'

 crypto/openssl/CHANGES                             |  44 ++++-
 crypto/openssl/NEWS                                |   6 +
 crypto/openssl/README                              |   2 +-
 crypto/openssl/apps/s_server.c                     |  49 ++++-
 crypto/openssl/config                              |   3 +-
 crypto/openssl/crypto/bn/asm/       | 198 +--------------------
 crypto/openssl/crypto/bn/bn_exp.c                  |  44 +++--
 crypto/openssl/crypto/bn/rsaz_exp.c                |  10 +-
 crypto/openssl/crypto/bn/rsaz_exp.h                |  25 ++-
 crypto/openssl/crypto/ec/ec_asn1.c                 |  12 +-
 crypto/openssl/crypto/ec/ec_key.c                  |   5 +-
 crypto/openssl/crypto/x509/x509_cmp.c              |   6 +-
 crypto/openssl/crypto/x509/x_crl.c                 |  14 +-
 crypto/openssl/crypto/x509v3/v3_asid.c             |  33 ++--
 crypto/openssl/crypto/x509v3/v3_sxnet.c            |  20 ++-
 crypto/openssl/doc/man3/BIO_f_base64.pod           |   5 +-
 .../doc/man3/SSL_CTX_set1_verify_cert_store.pod    |  15 +-
 crypto/openssl/include/openssl/opensslv.h          |   4 +-
 crypto/openssl/include/openssl/ssl.h               |  12 +-
 crypto/openssl/ssl/record/ssl3_record.c            |  16 +-
 crypto/openssl/ssl/s3_lib.c                        |  12 ++
 crypto/openssl/ssl/ssl_cert.c                      |   6 +
 crypto/openssl/ssl/ssl_local.h                     |   3 +-
 crypto/openssl/ssl/statem/extensions_clnt.c        |  18 +-
 crypto/openssl/ssl/t1_lib.c                        |  18 +-
 25 files changed, 297 insertions(+), 283 deletions(-)

diff --cc crypto/openssl/CHANGES
index 98961effc058,000000000000..ea35a7e7b396
mode 100644,000000..100644
--- a/crypto/openssl/CHANGES
+++ b/crypto/openssl/CHANGES
@@@ -1,13745 -1,0 +1,13771 @@@
 + _______________
 + This is a high-level summary of the most important changes.
 + For a full list of changes, see the git commit log; for example,
 + and pick the appropriate
 + release branch.
++ Changes between 1.1.1o and 1.1.1p [21 Jun 2022]
++  *) In addition to the c_rehash shell command injection identified in
++     CVE-2022-1292, further bugs where the c_rehash script does not
++     properly sanitise shell metacharacters to prevent command injection have been
++     fixed.
++     When the CVE-2022-1292 was fixed it was not discovered that there
++     are other places in the script where the file names of certificates
++     being hashed were possibly passed to a command executed through the shell.
++     This script is distributed by some operating systems in a manner where
++     it is automatically executed.  On such operating systems, an attacker
++     could execute arbitrary commands with the privileges of the script.
++     Use of the c_rehash script is considered obsolete and should be replaced
++     by the OpenSSL rehash command line tool.
++     (CVE-2022-2068)
++     [Daniel Fiala, Tomáš Mráz]
++  *) When OpenSSL TLS client is connecting without any supported elliptic
++     curves and TLS-1.3 protocol is disabled the connection will no longer fail
++     if a ciphersuite that does not use a key exchange based on elliptic
++     curves can be negotiated.
++     [Tomáš Mráz]
 + Changes between 1.1.1n and 1.1.1o [3 May 2022]
 +  *) Fixed a bug in the c_rehash script which was not properly sanitising shell
-     metacharacters to prevent command injection.  This script is distributed by
-     some operating systems in a manner where it is automatically executed.  On
-     such operating systems, an attacker could execute arbitrary commands with the
-     privileges of the script.
-     Use of the c_rehash script is considered obsolete and should be replaced
-     by the OpenSSL rehash command line tool.
-     (CVE-2022-1292)
-     [Tomáš Mráz]
++     metacharacters to prevent command injection.  This script is distributed
++     by some operating systems in a manner where it is automatically executed.
++     On such operating systems, an attacker could execute arbitrary commands
++     with the privileges of the script.
++     Use of the c_rehash script is considered obsolete and should be replaced
++     by the OpenSSL rehash command line tool.
++     (CVE-2022-1292)
++     [Tomáš Mráz]
 + Changes between 1.1.1m and 1.1.1n [15 Mar 2022]
 +  *) Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever
 +     for non-prime moduli.
 +     Internally this function is used when parsing certificates that contain
 +     elliptic curve public keys in compressed form or explicit elliptic curve
 +     parameters with a base point encoded in compressed form.
 +     It is possible to trigger the infinite loop by crafting a certificate that
 +     has invalid explicit curve parameters.
 +     Since certificate parsing happens prior to verification of the certificate
 +     signature, any process that parses an externally supplied certificate may
 +     thus be subject to a denial of service attack. The infinite loop can also
 +     be reached when parsing crafted private keys as they can contain explicit
 +     elliptic curve parameters.
 +     Thus vulnerable situations include:
 +      - TLS clients consuming server certificates
 +      - TLS servers consuming client certificates
 +      - Hosting providers taking certificates or private keys from customers
 +      - Certificate authorities parsing certification requests from subscribers
 +      - Anything else which parses ASN.1 elliptic curve parameters
 +     Also any other applications that use the BN_mod_sqrt() where the attacker
 +     can control the parameter values are vulnerable to this DoS issue.
 +     (CVE-2022-0778)
 +     [Tomáš Mráz]
 +  *) Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489)
 +     to the list of ciphersuites providing Perfect Forward Secrecy as
 +     required by SECLEVEL >= 3.
 +     [Dmitry Belyavskiy, Nicola Tuveri]
 + Changes between 1.1.1l and 1.1.1m [14 Dec 2021]
 +  *) Avoid loading of a dynamic engine twice.
 +     [Bernd Edlinger]
 +  *) Fixed building on Debian with kfreebsd kernels
 +     [Mattias Ellert]
 +  *) Prioritise DANE TLSA issuer certs over peer certs
 +     [Viktor Dukhovni]
 +  *) Fixed random API for MacOS prior to 10.12
 +     These MacOS versions don't support the CommonCrypto APIs
 +     [Lenny Primak]
 + Changes between 1.1.1k and 1.1.1l [24 Aug 2021]
 +  *) Fixed an SM2 Decryption Buffer Overflow.
 +     In order to decrypt SM2 encrypted data an application is expected to call the
 +     API function EVP_PKEY_decrypt(). Typically an application will call this
 +     function twice. The first time, on entry, the "out" parameter can be NULL and,
 +     on exit, the "outlen" parameter is populated with the buffer size required to
 +     hold the decrypted plaintext. The application can then allocate a sufficiently
 +     sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL
 +     value for the "out" parameter.
 +     A bug in the implementation of the SM2 decryption code means that the
 +     calculation of the buffer size required to hold the plaintext returned by the
 +     first call to EVP_PKEY_decrypt() can be smaller than the actual size required by
 +     the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is
 +     called by the application a second time with a buffer that is too small.
 +     A malicious attacker who is able present SM2 content for decryption to an
 +     application could cause attacker chosen data to overflow the buffer by up to a
 +     maximum of 62 bytes altering the contents of other data held after the
 +     buffer, possibly changing application behaviour or causing the application to
 +     crash. The location of the buffer is application dependent but is typically
 +     heap allocated.
 +     (CVE-2021-3711)
 +     [Matt Caswell]
 +  *) Fixed various read buffer overruns processing ASN.1 strings
 +     ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING
 +     structure which contains a buffer holding the string data and a field holding
 +     the buffer length. This contrasts with normal C strings which are repesented as
 +     a buffer for the string data which is terminated with a NUL (0) byte.
 +     Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's
 +     own "d2i" functions (and other similar parsing functions) as well as any string
 +     whose value has been set with the ASN1_STRING_set() function will additionally
 +     NUL terminate the byte array in the ASN1_STRING structure.
 +     However, it is possible for applications to directly construct valid ASN1_STRING
 +     structures which do not NUL terminate the byte array by directly setting the
 +     "data" and "length" fields in the ASN1_STRING array. This can also happen by
 +     using the ASN1_STRING_set0() function.
 +     Numerous OpenSSL functions that print ASN.1 data have been found to assume that
 +     the ASN1_STRING byte array will be NUL terminated, even though this is not
 +     guaranteed for strings that have been directly constructed. Where an application
 +     requests an ASN.1 structure to be printed, and where that ASN.1 structure
 +     contains ASN1_STRINGs that have been directly constructed by the application
 +     without NUL terminating the "data" field, then a read buffer overrun can occur.
 +     The same thing can also occur during name constraints processing of certificates
 +     (for example if a certificate has been directly constructed by the application
 +     instead of loading it via the OpenSSL parsing functions, and the certificate
 +     contains non NUL terminated ASN1_STRING structures). It can also occur in the
 +     X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions.
 +     If a malicious actor can cause an application to directly construct an
 +     ASN1_STRING and then process it through one of the affected OpenSSL functions
 +     then this issue could be hit. This might result in a crash (causing a Denial of
 +     Service attack). It could also result in the disclosure of private memory
 +     contents (such as private keys, or sensitive plaintext).
 +     (CVE-2021-3712)
 +     [Matt Caswell]
 + Changes between 1.1.1j and 1.1.1k [25 Mar 2021]
 +  *) Fixed a problem with verifying a certificate chain when using the
 +     X509_V_FLAG_X509_STRICT flag. This flag enables additional security checks
 +     of the certificates present in a certificate chain. It is not set by
 +     default.
 +     Starting from OpenSSL version 1.1.1h a check to disallow certificates in
 +     the chain that have explicitly encoded elliptic curve parameters was added
 +     as an additional strict check.
 +     An error in the implementation of this check meant that the result of a
 +     previous check to confirm that certificates in the chain are valid CA
 +     certificates was overwritten. This effectively bypasses the check
 +     that non-CA certificates must not be able to issue other certificates.
 +     If a "purpose" has been configured then there is a subsequent opportunity
 +     for checks that the certificate is a valid CA.  All of the named "purpose"
 +     values implemented in libcrypto perform this check.  Therefore, where
 +     a purpose is set the certificate chain will still be rejected even when the
 +     strict flag has been used. A purpose is set by default in libssl client and
 +     server certificate verification routines, but it can be overridden or
 +     removed by an application.
 +     In order to be affected, an application must explicitly set the
 +     X509_V_FLAG_X509_STRICT verification flag and either not set a purpose
 +     for the certificate verification or, in the case of TLS client or server
 +     applications, override the default purpose.
 +     (CVE-2021-3450)
 +     [Tomáš Mráz]
 +  *) Fixed an issue where an OpenSSL TLS server may crash if sent a maliciously
 +     crafted renegotiation ClientHello message from a client. If a TLSv1.2
 +     renegotiation ClientHello omits the signature_algorithms extension (where
 +     it was present in the initial ClientHello), but includes a
 +     signature_algorithms_cert extension then a NULL pointer dereference will
 +     result, leading to a crash and a denial of service attack.
 +     A server is only vulnerable if it has TLSv1.2 and renegotiation enabled
 +     (which is the default configuration). OpenSSL TLS clients are not impacted
 +     by this issue.
 +     (CVE-2021-3449)
 +     [Peter Kästle and Samuel Sapalski]
 + Changes between 1.1.1i and 1.1.1j [16 Feb 2021]
 +  *) Fixed the X509_issuer_and_serial_hash() function. It attempts to
 +     create a unique hash value based on the issuer and serial number data
 +     contained within an X509 certificate. However it was failing to correctly
 +     handle any errors that may occur while parsing the issuer field (which might
 +     occur if the issuer field is maliciously constructed). This may subsequently
 +     result in a NULL pointer deref and a crash leading to a potential denial of
 +     service attack.
 +     (CVE-2021-23841)
 +     [Matt Caswell]
 +  *) Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING
 +     padding mode to correctly check for rollback attacks. This is considered a
 +     bug in OpenSSL 1.1.1 because it does not support SSLv2. In 1.0.2 this is
 +     CVE-2021-23839.
 +     [Matt Caswell]
 +  *) Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate
 +     functions. Previously they could overflow the output length argument in some
 +     cases where the input length is close to the maximum permissable length for
 +     an integer on the platform. In such cases the return value from the function
 +     call would be 1 (indicating success), but the output length value would be
 +     negative. This could cause applications to behave incorrectly or crash.
 +     (CVE-2021-23840)
 +     [Matt Caswell]
 +  *) Fixed SRP_Calc_client_key so that it runs in constant time. The previous
 +     implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This
 +     could be exploited in a side channel attack to recover the password. Since
 +     the attack is local host only this is outside of the current OpenSSL
 +     threat model and therefore no CVE is assigned.
 +     Thanks to Mohammed Sabt and Daniel De Almeida Braga for reporting this
 +     issue.
 +     [Matt Caswell]
 + Changes between 1.1.1h and 1.1.1i [8 Dec 2020]
 +  *) Fixed NULL pointer deref in the GENERAL_NAME_cmp function
 +     This function could crash if both GENERAL_NAMEs contain an EDIPARTYNAME.
 +     If an attacker can control both items being compared  then this could lead
 +     to a possible denial of service attack. OpenSSL itself uses the
 +     GENERAL_NAME_cmp function for two purposes:
 +     1) Comparing CRL distribution point names between an available CRL and a
 +        CRL distribution point embedded in an X509 certificate
 +     2) When verifying that a timestamp response token signer matches the
 +        timestamp authority name (exposed via the API functions
 +        TS_RESP_verify_response and TS_RESP_verify_token)
 +     (CVE-2020-1971)
 +     [Matt Caswell]
 +  *) Add support for Apple Silicon M1 Macs with the darwin64-arm64-cc target.
 +     [Stuart Carnie]
 +  *) The security callback, which can be customised by application code, supports
 +     the security operation SSL_SECOP_TMP_DH. This is defined to take an EVP_PKEY
 +     in the "other" parameter. In most places this is what is passed. All these
 +     places occur server side. However there was one client side call of this
 +     security operation and it passed a DH object instead. This is incorrect
 +     according to the definition of SSL_SECOP_TMP_DH, and is inconsistent with all
 +     of the other locations. Therefore this client side call has been changed to
 +     pass an EVP_PKEY instead.
 +     [Matt Caswell]
 +  *) In 1.1.1h, an expired trusted (root) certificate was not anymore rejected
 +     when validating a certificate path. This check is restored in 1.1.1i.
 +     [David von Oheimb]
 + Changes between 1.1.1g and 1.1.1h [22 Sep 2020]
 +  *) Certificates with explicit curve parameters are now disallowed in
 +     verification chains if the X509_V_FLAG_X509_STRICT flag is used.
 +     [Tomas Mraz]
 +  *) The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
 +     ignore TLS protocol version bounds when configuring DTLS-based contexts, and
 +     conversely, silently ignore DTLS protocol version bounds when configuring
 +     TLS-based contexts.  The commands can be repeated to set bounds of both
 +     types.  The same applies with the corresponding "min_protocol" and
 +     "max_protocol" command-line switches, in case some application uses both TLS
 +     and DTLS.
 +     SSL_CTX instances that are created for a fixed protocol version (e.g.
 +     TLSv1_server_method()) also silently ignore version bounds.  Previously
 +     attempts to apply bounds to these protocol versions would result in an
 +     error.  Now only the "version-flexible" SSL_CTX instances are subject to
 +     limits in configuration files in command-line options.
 +     [Viktor Dukhovni]
 +  *) Handshake now fails if Extended Master Secret extension is dropped
 +     on renegotiation.
 +     [Tomas Mraz]
 +  *) Accidentally, an expired trusted (root) certificate is not anymore rejected
 +     when validating a certificate path.
 +     [David von Oheimb]
 +  *) The Oracle Developer Studio compiler will start reporting deprecated APIs
 + Changes between 1.1.1f and 1.1.1g [21 Apr 2020]
 +  *) Fixed segmentation fault in SSL_check_chain()
 +     Server or client applications that call the SSL_check_chain() function
 +     during or after a TLS 1.3 handshake may crash due to a NULL pointer
 +     dereference as a result of incorrect handling of the
 +     "signature_algorithms_cert" TLS extension. The crash occurs if an invalid
 +     or unrecognised signature algorithm is received from the peer. This could
 +     be exploited by a malicious peer in a Denial of Service attack.
 +     (CVE-2020-1967)
 +     [Benjamin Kaduk]
 +  *) Added AES consttime code for no-asm configurations
 +     an optional constant time support for AES was added
 +     when building openssl for no-asm.
 +     Enable with: ./config no-asm -DOPENSSL_AES_CONST_TIME
 +     Disable with: ./config no-asm -DOPENSSL_NO_AES_CONST_TIME
 +     At this time this feature is by default disabled.
 +     It will be enabled by default in 3.0.
 +     [Bernd Edlinger]
 + Changes between 1.1.1e and 1.1.1f [31 Mar 2020]
 +  *) Revert the change of EOF detection while reading in libssl to avoid
 +     regressions in applications depending on the current way of reporting
 +     the EOF. As the existing method is not fully accurate the change to
 +     reporting the EOF via SSL_ERROR_SSL is kept on the current development
 +     branch and will be present in the 3.0 release.
 +     [Tomas Mraz]
 +  *) Revised BN_generate_prime_ex to not avoid factors 3..17863 in p-1
 +     when primes for RSA keys are computed.
 +     Since we previously always generated primes == 2 (mod 3) for RSA keys,
 +     the 2-prime and 3-prime RSA modules were easy to distinguish, since
 +     N = p*q = 1 (mod 3), but N = p*q*r = 2 (mod 3). Therefore fingerprinting
 +     2-prime vs. 3-prime RSA keys was possible by computing N mod 3.
 +     This avoids possible fingerprinting of newly generated RSA modules.
 +     [Bernd Edlinger]
 + Changes between 1.1.1d and 1.1.1e [17 Mar 2020]
 +  *) Properly detect EOF while reading in libssl. Previously if we hit an EOF
 +     while reading in libssl then we would report an error back to the
 +     application (SSL_ERROR_SYSCALL) but errno would be 0. We now add
 +     an error to the stack (which means we instead return SSL_ERROR_SSL) and
 +     therefore give a hint as to what went wrong.
 +     [Matt Caswell]
 +  *) Check that ed25519 and ed448 are allowed by the security level. Previously
 +     signature algorithms not using an MD were not being checked that they were
 +     allowed by the security level.
 +     [Kurt Roeckx]
 +  *) Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername()
 +     was not quite right. The behaviour was not consistent between resumption
 +     and normal handshakes, and also not quite consistent with historical
 +     behaviour. The behaviour in various scenarios has been clarified and
 +     it has been updated to make it match historical behaviour as closely as
 +     possible.
 +     [Matt Caswell]
 +  *) [VMS only] The header files that the VMS compilers include automatically,
 +     __DECC_INCLUDE_PROLOGUE.H and __DECC_INCLUDE_EPILOGUE.H, use pragmas that
 +     the C++ compiler doesn't understand.  This is a shortcoming in the
 +     compiler, but can be worked around with __cplusplus guards.
 +     C++ applications that use OpenSSL libraries must be compiled using the
 +     qualifier '/NAMES=(AS_IS,SHORTENED)' to be able to use all the OpenSSL
 +     functions.  Otherwise, only functions with symbols of less than 31
 +     characters can be used, as the linker will not be able to successfully
 +     resolve symbols with longer names.
 +     [Richard Levitte]
 +  *) Corrected the documentation of the return values from the EVP_DigestSign*
 +     set of functions.  The documentation mentioned negative values for some
 +     errors, but this was never the case, so the mention of negative values
 +     was removed.
 +     Code that followed the documentation and thereby check with something
 +     like 'EVP_DigestSignInit(...) <= 0' will continue to work undisturbed.
 +     [Richard Levitte]
 +  *) Fixed an an overflow bug in the x64_64 Montgomery squaring procedure
 +     used in exponentiation with 512-bit moduli. No EC algorithms are
 +     affected. Analysis suggests that attacks against 2-prime RSA1024,
 +     3-prime RSA1536, and DSA1024 as a result of this defect would be very
 +     difficult to perform and are not believed likely. Attacks against DH512
 +     are considered just feasible. However, for an attack the target would
 +     have to re-use the DH512 private key, which is not recommended anyway.
 +     Also applications directly using the low level API BN_mod_exp may be
 +     affected if they use BN_FLG_CONSTTIME.
 +     (CVE-2019-1551)
 +     [Andy Polyakov]
 +  *) Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY.
 +     The presence of this system service is determined at run-time.
 +     [Richard Levitte]
 +  *) Added newline escaping functionality to a filename when using openssl dgst.
 +     This output format is to replicate the output format found in the '*sum'
 +     checksum programs. This aims to preserve backward compatibility.
 +     [Matt Eaton, Richard Levitte, and Paul Dale]
 +  *) Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just
 +     the first value.
 +     [Jon Spillett]
 + Changes between 1.1.1c and 1.1.1d [10 Sep 2019]
 +  *) Fixed a fork protection issue. OpenSSL 1.1.1 introduced a rewritten random
 +     number generator (RNG). This was intended to include protection in the
 +     event of a fork() system call in order to ensure that the parent and child
 +     processes did not share the same RNG state. However this protection was not
 +     being used in the default case.
 +     A partial mitigation for this issue is that the output from a high
 +     precision timer is mixed into the RNG state so the likelihood of a parent
 +     and child process sharing state is significantly reduced.
 +     If an application already calls OPENSSL_init_crypto() explicitly using
 +     OPENSSL_INIT_ATFORK then this problem does not occur at all.
 +     (CVE-2019-1549)
 +     [Matthias St. Pierre]
 +  *) For built-in EC curves, ensure an EC_GROUP built from the curve name is
 +     used even when parsing explicit parameters, when loading a serialized key
 +     or calling `EC_GROUP_new_from_ecpkparameters()`/
 +     `EC_GROUP_new_from_ecparameters()`.
 +     This prevents bypass of security hardening and performance gains,
 +     especially for curves with specialized EC_METHODs.
 +     By default, if a key encoded with explicit parameters is loaded and later
 +     serialized, the output is still encoded with explicit parameters, even if
 +     internally a "named" EC_GROUP is used for computation.
 +     [Nicola Tuveri]
 +  *) Compute ECC cofactors if not provided during EC_GROUP construction. Before
 +     this change, EC_GROUP_set_generator would accept order and/or cofactor as
 +     NULL. After this change, only the cofactor parameter can be NULL. It also
 +     does some minimal sanity checks on the passed order.
 +     (CVE-2019-1547)
 +     [Billy Bob Brumley]
 +  *) Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
 +     An attack is simple, if the first CMS_recipientInfo is valid but the
 +     second CMS_recipientInfo is chosen ciphertext. If the second
 +     recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
 +     encryption key will be replaced by garbage, and the message cannot be
 +     decoded, but if the RSA decryption fails, the correct encryption key is
 +     used and the recipient will not notice the attack.
 +     As a work around for this potential attack the length of the decrypted
 +     key must be equal to the cipher default key length, in case the
 +     certifiate is not given and all recipientInfo are tried out.
 +     The old behaviour can be re-enabled in the CMS code by setting the
 +     CMS_DEBUG_DECRYPT flag.
 +     (CVE-2019-1563)
 +     [Bernd Edlinger]
 +  *) Early start up entropy quality from the DEVRANDOM seed source has been
 +     improved for older Linux systems.  The RAND subsystem will wait for
 +     /dev/random to be producing output before seeding from /dev/urandom.
 +     The seeded state is stored for future library initialisations using
 +     a system global shared memory segment.  The shared memory identifier
 +     can be configured by defining OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID to
 +     the desired value.  The default identifier is 114.
 +     [Paul Dale]
 +  *) Correct the extended master secret constant on EBCDIC systems. Without this
 +     fix TLS connections between an EBCDIC system and a non-EBCDIC system that
 +     negotiate EMS will fail. Unfortunately this also means that TLS connections
 +     between EBCDIC systems with this fix, and EBCDIC systems without this
 +     fix will fail if they negotiate EMS.
 +     [Matt Caswell]
 +  *) Use Windows installation paths in the mingw builds
 +     Mingw isn't a POSIX environment per se, which means that Windows
 +     paths should be used for installation.
 +     (CVE-2019-1552)
 +     [Richard Levitte]
 +  *) Changed DH_check to accept parameters with order q and 2q subgroups.
 +     With order 2q subgroups the bit 0 of the private key is not secret
 +     but DH_generate_key works around that by clearing bit 0 of the
 +     private key for those. This avoids leaking bit 0 of the private key.
 +     [Bernd Edlinger]
 +  *) Significantly reduce secure memory usage by the randomness pools.
 +     [Paul Dale]
 +  *) Revert the DEVRANDOM_WAIT feature for Linux systems
 +     The DEVRANDOM_WAIT feature added a select() call to wait for the
 +     /dev/random device to become readable before reading from the
 +     /dev/urandom device.
 +     It turned out that this change had negative side effects on
 +     performance which were not acceptable. After some discussion it
 +     was decided to revert this feature and leave it up to the OS
 +     resp. the platform maintainer to ensure a proper initialization
 +     during early boot time.
 +     [Matthias St. Pierre]
 + Changes between 1.1.1b and 1.1.1c [28 May 2019]
 +  *) Add build tests for C++.  These are generated files that only do one
 +     thing, to include one public OpenSSL head file each.  This tests that
 +     the public header files can be usefully included in a C++ application.
 +     This test isn't enabled by default.  It can be enabled with the option
 +     'enable-buildtest-c++'.
 +     [Richard Levitte]
 +  *) Enable SHA3 pre-hashing for ECDSA and DSA.
 +     [Patrick Steuer]
 +  *) Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
 +     This changes the size when using the genpkey app when no size is given. It
 +     fixes an omission in earlier changes that changed all RSA, DSA and DH
 +     generation apps to use 2048 bits by default.
 +     [Kurt Roeckx]
 +  *) Reorganize the manual pages to consistently have RETURN VALUES,
 +     EXAMPLES, SEE ALSO and HISTORY come in that order, and adjust
 +     util/fix-doc-nits accordingly.
 +     [Paul Yang, Joshua Lock]
 +  *) Add the missing accessor EVP_PKEY_get0_engine()
 +     [Matt Caswell]
 +  *) Have apps like 's_client' and 's_server' output the signature scheme
 +     along with other cipher suite parameters when debugging.
 +     [Lorinczy Zsigmond]
 +  *) Make OPENSSL_config() error agnostic again.
 +     [Richard Levitte]
 +  *) Do the error handling in RSA decryption constant time.
 +     [Bernd Edlinger]
 +  *) Prevent over long nonces in ChaCha20-Poly1305.
 +     ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
 +     for every encryption operation. RFC 7539 specifies that the nonce value
 +     (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length
 +     and front pads the nonce with 0 bytes if it is less than 12
 +     bytes. However it also incorrectly allows a nonce to be set of up to 16
 +     bytes. In this case only the last 12 bytes are significant and any
 +     additional leading bytes are ignored.
 +     It is a requirement of using this cipher that nonce values are
 +     unique. Messages encrypted using a reused nonce value are susceptible to
 +     serious confidentiality and integrity attacks. If an application changes
 +     the default nonce length to be longer than 12 bytes and then makes a
 +     change to the leading bytes of the nonce expecting the new value to be a
 +     new unique nonce then such an application could inadvertently encrypt
 +     messages with a reused nonce.
 +     Additionally the ignored bytes in a long nonce are not covered by the
 +     integrity guarantee of this cipher. Any application that relies on the
 +     integrity of these ignored leading bytes of a long nonce may be further
 +     affected. Any OpenSSL internal use of this cipher, including in SSL/TLS,
 +     is safe because no such use sets such a long nonce value. However user
 +     applications that use this cipher directly and set a non-default nonce
 +     length to be longer than 12 bytes may be vulnerable.
 +     This issue was reported to OpenSSL on 16th of March 2019 by Joran Dirk
 +     Greef of Ronomon.
 +     (CVE-2019-1543)
 +     [Matt Caswell]
 +  *) Add DEVRANDOM_WAIT feature for Linux systems
 +     On older Linux systems where the getrandom() system call is not available,
 +     OpenSSL normally uses the /dev/urandom device for seeding its CSPRNG.
 +     Contrary to getrandom(), the /dev/urandom device will not block during
 +     early boot when the kernel CSPRNG has not been seeded yet.
 +     To mitigate this known weakness, use select() to wait for /dev/random to
 +     become readable before reading from /dev/urandom.
 +  *) Ensure that SM2 only uses SM3 as digest algorithm
 +     [Paul Yang]
 + Changes between 1.1.1a and 1.1.1b [26 Feb 2019]
 +  *) Added SCA hardening for modular field inversion in EC_GROUP through
 +     a new dedicated field_inv() pointer in EC_METHOD.
 +     This also addresses a leakage affecting conversions from projective
 +     to affine coordinates.
 +     [Billy Bob Brumley, Nicola Tuveri]
 +  *) Change the info callback signals for the start and end of a post-handshake
 +     message exchange in TLSv1.3. In 1.1.1/1.1.1a we used SSL_CB_HANDSHAKE_START
 +     and SSL_CB_HANDSHAKE_DONE. Experience has shown that many applications get
 +     confused by this and assume that a TLSv1.2 renegotiation has started. This
 +     can break KeyUpdate handling. Instead we no longer signal the start and end
 +     of a post handshake message exchange (although the messages themselves are
 +     still signalled). This could break some applications that were expecting
 +     the old signals. However without this KeyUpdate is not usable for many
 +     applications.
 +     [Matt Caswell]
 +  *) Fix a bug in the computation of the endpoint-pair shared secret used
 +     by DTLS over SCTP. This breaks interoperability with older versions
 +     of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2. There is a runtime
 +     switch SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG (off by default) enabling
 +     interoperability with such broken implementations. However, enabling
 +     this switch breaks interoperability with correct implementations.
 +  *) Fix a use after free bug in d2i_X509_PUBKEY when overwriting a
 +     re-used X509_PUBKEY object if the second PUBKEY is malformed.
 +     [Bernd Edlinger]
 +  *) Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().
 +     [Richard Levitte]
 +  *) Remove the 'dist' target and add a tarball building script.  The
 +     'dist' target has fallen out of use, and it shouldn't be
 +     necessary to configure just to create a source distribution.
 +     [Richard Levitte]
 +  *) Added support for Linux Kernel TLS data-path. The Linux Kernel data-path
 +     improves application performance by removing data copies and providing
 +     applications with zero-copy system calls such as sendfile and splice.
 +     [Boris Pismenny]
 + Changes between 1.1.1 and 1.1.1a [20 Nov 2018]
 +  *) Timing vulnerability in DSA signature generation
 +     The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
 +     timing side channel attack. An attacker could use variations in the signing
 +     algorithm to recover the private key.
 +     This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
 +     (CVE-2018-0734)
 +     [Paul Dale]
 +  *) Timing vulnerability in ECDSA signature generation
 +     The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a
 +     timing side channel attack. An attacker could use variations in the signing
 +     algorithm to recover the private key.
 +     This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser.
 +     (CVE-2018-0735)
 +     [Paul Dale]
 +  *) Added EVP_PKEY_ECDH_KDF_X9_63 and ecdh_KDF_X9_63() as replacements for
 +     the EVP_PKEY_ECDH_KDF_X9_62 KDF type and ECDH_KDF_X9_62(). The old names
 +     are retained for backwards compatibility.
 +     [Antoine Salon]
 +  *) Fixed the issue that RAND_add()/RAND_seed() silently discards random input
 +     if its length exceeds 4096 bytes. The limit has been raised to a buffer size
 +     of two gigabytes and the error handling improved.
 +     This issue was reported to OpenSSL by Dr. Falko Strenzke. It has been
 +     categorized as a normal bug, not a security issue, because the DRBG reseeds
 +     automatically and is fully functional even without additional randomness
 +     provided by the application.
 + Changes between 1.1.0i and 1.1.1 [11 Sep 2018]
 +  *) Add a new ClientHello callback. Provides a callback interface that gives
 +     the application the ability to adjust the nascent SSL object at the
 +     earliest stage of ClientHello processing, immediately after extensions have
 +     been collected but before they have been processed. In particular, this
 +     callback can adjust the supported TLS versions in response to the contents
 +     of the ClientHello
 +     [Benjamin Kaduk]
 +  *) Add SM2 base algorithm support.
 +     [Jack Lloyd]
 +  *) s390x assembly pack: add (improved) hardware-support for the following
 +     cryptographic primitives: sha3, shake, aes-gcm, aes-ccm, aes-ctr, aes-ofb,
 +     aes-cfb/cfb8, aes-ecb.
 +     [Patrick Steuer]
 +  *) Make EVP_PKEY_asn1_new() a bit stricter about its input.  A NULL pem_str
 +     parameter is no longer accepted, as it leads to a corrupt table.  NULL
 +     pem_str is reserved for alias entries only.
 +     [Richard Levitte]
 +  *) Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder
 +     step for prime curves. The new implementation is based on formulae from
 +     differential addition-and-doubling in homogeneous projective coordinates
 +     from Izu-Takagi "A fast parallel elliptic curve multiplication resistant
 +     against side channel attacks" and Brier-Joye "Weierstrass Elliptic Curves
 +     and Side-Channel Attacks" Eq. (8) for y-coordinate recovery, modified
 +     to work in projective coordinates.
 +     [Billy Bob Brumley, Nicola Tuveri]
 +  *) Change generating and checking of primes so that the error rate of not
 +     being prime depends on the intended use based on the size of the input.
 +     For larger primes this will result in more rounds of Miller-Rabin.
 +     The maximal error rate for primes with more than 1080 bits is lowered
 +     to 2^-128.
 +     [Kurt Roeckx, Annie Yousar]
 +  *) Increase the number of Miller-Rabin rounds for DSA key generating to 64.
 +     [Kurt Roeckx]
 +  *) The 'tsget' script is renamed to '', to avoid confusion when
 +     moving between systems, and to avoid confusion when a Windows build is
 +     done with mingw vs with MSVC.  For POSIX installs, there's still a
 +     symlink or copy named 'tsget' to avoid that confusion as well.
 +     [Richard Levitte]
 +  *) Revert blinding in ECDSA sign and instead make problematic addition
 +     length-invariant. Switch even to fixed-length Montgomery multiplication.
 +     [Andy Polyakov]
 +  *) Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder
 +     step for binary curves. The new implementation is based on formulae from
 +     differential addition-and-doubling in mixed Lopez-Dahab projective
 +     coordinates, modified to independently blind the operands.
 +     [Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri]
 +  *) Add a scaffold to optionally enhance the Montgomery ladder implementation
 +     for `ec_scalar_mul_ladder` (formerly `ec_mul_consttime`) allowing
 +     EC_METHODs to implement their own specialized "ladder step", to take
 +     advantage of more favorable coordinate systems or more efficient
 +     differential addition-and-doubling algorithms.
 +     [Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri]
 +  *) Modified the random device based seed sources to keep the relevant
 +     file descriptors open rather than reopening them on each access.
 +     This allows such sources to operate in a chroot() jail without
 +     the associated device nodes being available. This behaviour can be
 +     controlled using RAND_keep_random_devices_open().
 +     [Paul Dale]
 +  *) Numerous side-channel attack mitigations have been applied. This may have
 +     performance impacts for some algorithms for the benefit of improved
 +     security. Specific changes are noted in this change log by their respective
 +     authors.
 +     [Matt Caswell]
 +  *) AIX shared library support overhaul. Switch to AIX "natural" way of
 +     handling shared libraries, which means collecting shared objects of
 +     different versions and bitnesses in one common archive. This allows to
 +     mitigate conflict between 1.0 and 1.1 side-by-side installations. It
 +     doesn't affect the way 3rd party applications are linked, only how
 +     multi-version installation is managed.
 +     [Andy Polyakov]
 +  *) Make ec_group_do_inverse_ord() more robust and available to other
 +     EC cryptosystems, so that irrespective of BN_FLG_CONSTTIME, SCA
 +     mitigations are applied to the fallback BN_mod_inverse().
 +     When using this function rather than BN_mod_inverse() directly, new
 +     EC cryptosystem implementations are then safer-by-default.
 +     [Billy Bob Brumley]
 +  *) Add coordinate blinding for EC_POINT and implement projective
 +     coordinate blinding for generic prime curves as a countermeasure to
 +     chosen point SCA attacks.
 +     [Sohaib ul Hassan, Nicola Tuveri, Billy Bob Brumley]
 +  *) Add blinding to ECDSA and DSA signatures to protect against side channel
 +     attacks discovered by Keegan Ryan (NCC Group).
 +     [Matt Caswell]
 +  *) Enforce checking in the pkeyutl command line app to ensure that the input
 +     length does not exceed the maximum supported digest length when performing
 +     a sign, verify or verifyrecover operation.
 +     [Matt Caswell]
 +  *) SSL_MODE_AUTO_RETRY is enabled by default. Applications that use blocking
 +     I/O in combination with something like select() or poll() will hang. This
 +     can be turned off again using SSL_CTX_clear_mode().
 +     Many applications do not properly handle non-application data records, and
 +     TLS 1.3 sends more of such records. Setting SSL_MODE_AUTO_RETRY works
 +     around the problems in those applications, but can also break some.
 +     It's recommended to read the manpages about SSL_read(), SSL_write(),
 +     SSL_get_error(), SSL_shutdown(), SSL_CTX_set_mode() and
 +     SSL_CTX_set_read_ahead() again.
 +     [Kurt Roeckx]
 +  *) When unlocking a pass phrase protected PEM file or PKCS#8 container, we
 +     now allow empty (zero character) pass phrases.
 +     [Richard Levitte]
 +  *) Apply blinding to binary field modular inversion and remove patent
 +     pending (OPENSSL_SUN_GF2M_DIV) BN_GF2m_mod_div implementation.
 +     [Billy Bob Brumley]
 +  *) Deprecate ec2_mult.c and unify scalar multiplication code paths for
 +     binary and prime elliptic curves.
 +     [Billy Bob Brumley]
 +  *) Remove ECDSA nonce padding: EC_POINT_mul is now responsible for
 +     constant time fixed point multiplication.
 +     [Billy Bob Brumley]
 +  *) Revise elliptic curve scalar multiplication with timing attack
 +     defenses: ec_wNAF_mul redirects to a constant time implementation
 +     when computing fixed point and variable point multiplication (which
 +     in OpenSSL are mostly used with secret scalars in keygen, sign,
 +     ECDH derive operations).
 +     [Billy Bob Brumley, Nicola Tuveri, Cesar Pereida García,
 +      Sohaib ul Hassan]
 +  *) Updated CONTRIBUTING
 +     [Rich Salz]
 +  *) Updated DRBG / RAND to request nonce and additional low entropy
 +     randomness from the system.
 +     [Matthias St. Pierre]
 +  *) Updated 'openssl rehash' to use OpenSSL consistent default.
 +     [Richard Levitte]
 +  *) Moved the load of the ssl_conf module to libcrypto, which helps
 +     loading engines that libssl uses before libssl is initialised.
 +     [Matt Caswell]
 +  *) Added EVP_PKEY_sign() and EVP_PKEY_verify() for EdDSA
 +     [Matt Caswell]
 +  *) Fixed X509_NAME_ENTRY_set to get multi-valued RDNs right in all cases.
 +     [Ingo Schwarze, Rich Salz]
 +  *) Added output of accepting IP address and port for 'openssl s_server'
 +     [Richard Levitte]
 +  *) Added a new API for TLSv1.3 ciphersuites:
 +        SSL_CTX_set_ciphersuites()
 +        SSL_set_ciphersuites()
 +     [Matt Caswell]
 +  *) Memory allocation failures consistently add an error to the error
 +     stack.
 +     [Rich Salz]
 +  *) Don't use OPENSSL_ENGINES and OPENSSL_CONF environment values
 +     in libcrypto when run as setuid/setgid.
 +     [Bernd Edlinger]
 +  *) Load any config file by default when libssl is used.
 +     [Matt Caswell]
 +  *) Added new public header file <openssl/rand_drbg.h> and documentation
 +     for the RAND_DRBG API. See manual page RAND_DRBG(7) for an overview.
 +     [Matthias St. Pierre]
 +  *) QNX support removed (cannot find contributors to get their approval
 +     for the license change).
 +     [Rich Salz]
 +  *) TLSv1.3 replay protection for early data has been implemented. See the
 +     SSL_read_early_data() man page for further details.
 +     [Matt Caswell]
 +  *) Separated TLSv1.3 ciphersuite configuration out from TLSv1.2 ciphersuite
 +     configuration. TLSv1.3 ciphersuites are not compatible with TLSv1.2 and
 +     below. Similarly TLSv1.2 ciphersuites are not compatible with TLSv1.3.
 +     In order to avoid issues where legacy TLSv1.2 ciphersuite configuration
 +     would otherwise inadvertently disable all TLSv1.3 ciphersuites the
 +     configuration has been separated out. See the ciphers man page or the
 +     SSL_CTX_set_ciphersuites() man page for more information.
 +     [Matt Caswell]
 +  *) On POSIX (BSD, Linux, ...) systems the ocsp(1) command running
 +     in responder mode now supports the new "-multi" option, which
 +     spawns the specified number of child processes to handle OCSP
 +     requests.  The "-timeout" option now also limits the OCSP
 +     responder's patience to wait to receive the full client request
 +     on a newly accepted connection. Child processes are respawned
 +     as needed, and the CA index file is automatically reloaded
 +     when changed.  This makes it possible to run the "ocsp" responder
 +     as a long-running service, making the OpenSSL CA somewhat more
 +     feature-complete.  In this mode, most diagnostic messages logged
 +     after entering the event loop are logged via syslog(3) rather than
 +     written to stderr.
 +     [Viktor Dukhovni]
 +  *) Added support for X448 and Ed448. Heavily based on original work by
 +     Mike Hamburg.
 +     [Matt Caswell]
 +  *) Extend OSSL_STORE with capabilities to search and to narrow the set of
 +     objects loaded.  This adds the functions OSSL_STORE_expect() and
 +     OSSL_STORE_find() as well as needed tools to construct searches and
 +     get the search data out of them.
 +     [Richard Levitte]
 +  *) Support for TLSv1.3 added. Note that users upgrading from an earlier
 +     version of OpenSSL should review their configuration settings to ensure
 +     that they are still appropriate for TLSv1.3. For further information see:
 +     [Matt Caswell]
 +  *) Grand redesign of the OpenSSL random generator
 +     The default RAND method now utilizes an AES-CTR DRBG according to
 +     NIST standard SP 800-90Ar1. The new random generator is essentially
 +     a port of the default random generator from the OpenSSL FIPS 2.0
 +     object module. It is a hybrid deterministic random bit generator
 +     using an AES-CTR bit stream and which seeds and reseeds itself
 +     automatically using trusted system entropy sources.
 +     Some of its new features are:
 +      o Support for multiple DRBG instances with seed chaining.
 +      o The default RAND method makes use of a DRBG.
 +      o There is a public and private DRBG instance.
 +      o The DRBG instances are fork-safe.
 +      o Keep all global DRBG instances on the secure heap if it is enabled.
 +      o The public and private DRBG instance are per thread for lock free
 +        operation
 +     [Paul Dale, Benjamin Kaduk, Kurt Roeckx, Rich Salz, Matthias St. Pierre]
 +  *) Changed Configure so it only says what it does and doesn't dump
 +     so much data.  Instead, ./ should be used as a script
 +     to display all sorts of configuration data.
 +     [Richard Levitte]
*** 12857 LINES SKIPPED ***