[openssl] master update

Matt Caswell matt at openssl.org
Wed Mar 10 16:03:49 UTC 2021


The branch master has been updated
       via  18fdebf1743bc89bf82a205468c56c274e7baf3b (commit)
       via  0966aee5ed1e543a3f598713d28194c5c1fd40da (commit)
       via  f74f416b915afaa94d2bb7b2a942491450fe5b7b (commit)
       via  c7d4d032a19029e6664662a1fded7e2b0675e5a4 (commit)
      from  896dcda18bf9347deb507f1d3c1f7e17638dd745 (commit)


- Log -----------------------------------------------------------------
commit 18fdebf1743bc89bf82a205468c56c274e7baf3b
Author: Matt Caswell <matt at openssl.org>
Date:   Mon Mar 8 17:15:55 2021 +0000

    Mention the change of licence in NEWS.md
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/14465)

commit 0966aee5ed1e543a3f598713d28194c5c1fd40da
Author: Matt Caswell <matt at openssl.org>
Date:   Mon Mar 8 16:23:14 2021 +0000

    Expand the CHANGES entry for SHA1 and libssl
    
    As well as SSL 3, TLS 1.0, TLS 1.1 and DTLS 1.0 not working at
    security level 1 we also document that TLS 1.2 connection will fail
    if the ClientHello does not have a signature algorithms extension.
    
    Fixes #14447
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/14465)

commit f74f416b915afaa94d2bb7b2a942491450fe5b7b
Author: Matt Caswell <matt at openssl.org>
Date:   Mon Mar 8 16:18:26 2021 +0000

    Add a CHANGES for OSSL_STORE_INFO_get_type()
    
    The function OSSL_STORE_INFO_get_type() may now return a new object
    type. Applications may have to be amended accordingly.
    
    Fixes #14446
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/14465)

commit c7d4d032a19029e6664662a1fded7e2b0675e5a4
Author: Matt Caswell <matt at openssl.org>
Date:   Mon Mar 8 16:06:17 2021 +0000

    Add a missing CHANGES.md entry for the legacy provider
    
    Numerous ciphers and digests have been moved to the legacy provider.
    There should be a CHANGES.md entry pointing this out.
    
    Fixes #14441
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/14465)

-----------------------------------------------------------------------

Summary of changes:
 CHANGES.md                   | 43 +++++++++++++++++++++++++++++++++++++++++--
 NEWS.md                      |  5 +++++
 doc/man3/OSSL_STORE_INFO.pod |  2 ++
 3 files changed, 48 insertions(+), 2 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md
index def93b8ff5..0eaeba02af 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -22,6 +22,40 @@ OpenSSL 3.0
 -----------
 
 ### Changes between 1.1.1 and 3.0 [xx XXX xxxx]
+
+ * OSSL_STORE_INFO_get_type() may now return an additional value. In 1.1.1
+   this function would return one of the values OSSL_STORE_INFO_NAME,
+   OSSL_STORE_INFO_PKEY, OSSL_STORE_INFO_PARAMS, OSSL_STORE_INFO_CERT or
+   OSSL_STORE_INFO_CRL. Decoded public keys would previously have been reported
+   as type OSSL_STORE_INFO_PKEY in 1.1.1. In 3.0 decoded public keys are now
+   reported as having the new type OSSL_STORE_INFO_PUBKEY. Applications
+   using this function should be amended to handle the changed return value.
+
+   *Richard Levitte*
+
+ * The implementation of the EVP ciphers CAST5-ECB, CAST5-CBC, CAST5-OFB,
+   CAST5-CFB, BF-ECB, BF-CBC, BF-OFB, BF-CFB, IDEA-ECB, IDEC-CBC, IDEA-OFB,
+   IDEA-CFB, SEED-ECB, SEED-CBC, SEED-OFB, SEED-CFB, RC2-ECB, RC2-CBC,
+   RC2-40-CBC, RC2-64-CBC, RC2-OFB, RC2-CFB, RC4, RC4-40, RC4-HMAC-MD5, RC5-ECB,
+   RC5-CBC, RC5-OFB, RC5-CFB, DESX-CBC, DES-ECB, DES-CBC, DES-OFB, DES-CFB,
+   DES-CFB1 and DES-CFB8 have been moved to the legacy provider. Applications
+   using the EVP APIs to access these ciphers should instead use more modern
+   ciphers. If that is not possible then these applications should ensure that
+   the legacy provider has been loaded. This can be achieved either
+   programmatically or via configuration. See the provider(7) man page for
+   further details.
+
+   *Matt Caswell*
+
+ * The implementation of the EVP digests MD2, MD4, MDC2, WHIRLPOOL and
+   RIPEMD-160 have been moved to the legacy provider. Applications using the
+   EVP APIs to access these digests should instead use more modern digests. If
+   that is not possible then these applications should ensure that the legacy
+   provider has been loaded. This can be achieved either programmatically or via
+   configuration. See the provider(7) man page for further details.
+
+   *Matt Caswell*
+
  * The deprecated function EVP_PKEY_get0() now returns NULL being called for a
    provided key.
 
@@ -534,7 +568,12 @@ OpenSSL 3.0
    reduced. This results in SSL 3, TLS 1.0, TLS 1.1 and DTLS 1.0 no longer
    working at the default security level of 1 and instead requires security
    level 0. The security level can be changed either using the cipher string
-   with `@SECLEVEL`, or calling `SSL_CTX_set_security_level()`.
+   with `@SECLEVEL`, or calling `SSL_CTX_set_security_level()`. This also means
+   that where the signature algorithms extension is missing from a ClientHello
+   then the handshake will fail in TLS 1.2 at security level 1. This is because,
+   although this extension is optional, failing to provide one means that
+   OpenSSL will fallback to a default set of signature algorithms. This default
+   set requires the availability of SHA1.
 
    *Kurt Roeckx*
 
@@ -1444,7 +1483,7 @@ OpenSSL 3.0
 
    *Richard Levitte*
 
- * Change the license to the Apache License v2.0.
+ * Changed the license to the Apache License v2.0.
 
    *Richard Levitte*
 
diff --git a/NEWS.md b/NEWS.md
index 342e6569f3..a9e796dd7b 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -20,6 +20,11 @@ OpenSSL 3.0
 
 ### Major changes between OpenSSL 1.1.1 and OpenSSL 3.0 [under development]
 
+  * Changed the license to the Apache License v2.0.
+  * Moved all variations of the EVP ciphers CAST5, BF, IDEA, SEED, RC2,
+    RC4, RC5, and DES to the legacy provider.
+  * Moved the EVP digests MD2, MD4, MDC2, WHIRLPOOL and RIPEMD-160 to the legacy
+    provider.
   * Deprecated the `OCSP_REQ_CTX` type and functions.
   * Deprecated the `EC_KEY` and `EC_KEY_METHOD` types and functions.
   * Deprecated the `RSA` and `RSA_METHOD` types and functions.
diff --git a/doc/man3/OSSL_STORE_INFO.pod b/doc/man3/OSSL_STORE_INFO.pod
index 070b325a2d..47882b002d 100644
--- a/doc/man3/OSSL_STORE_INFO.pod
+++ b/doc/man3/OSSL_STORE_INFO.pod
@@ -217,6 +217,8 @@ L<ossl_store(7)>, L<OSSL_STORE_open(3)>, L<OSSL_STORE_register_loader(3)>
 
 The OSSL_STORE API was added in OpenSSL 1.1.1.
 
+The OSSL_STORE_INFO_PUBKEY object type was added in OpenSSL 3.0.
+
 =head1 COPYRIGHT
 
 Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.


More information about the openssl-commits mailing list