
 OpenSSL CHANGES
 _______________

 This is a high-level summary of the most important changes.
 For a full list of changes, see the git commit log; for example,
 https://github.com/openssl/openssl/commits/ and pick the appropriate
 release branch.

 Changes between 1.1.1ze and 1.1.1zg [7 Apr 2026]

 *) Fixed potential use-after-free in DANE client code.

    Severity: Low

    Issue summary: An uncommon configuration of clients performing DANE
    TLSA-based server authentication, when paired with uncommon server DANE
    TLSA records, may result in a use-after-free and/or double-free on the
    client side.

    Impact summary: A use after free can have a range of potential consequences
    such as the corruption of valid data, crashes, or execution of arbitrary
    code.

    Reported by: Igor Morgenstern (Aisle Research).

    (CVE-2026-28387)
    [Viktor Dukhovni]

 *) Fixed NULL pointer dereference when processing a delta CRL.

    Severity: Low

    Issue summary: When a delta CRL that contains a Delta CRL Indicator
    extension is processed, a NULL pointer dereference might happen if the
    required CRL Number extension is missing.

    Impact summary: A NULL pointer dereference can trigger a crash which leads
    to a Denial of Service for an application.

    Reported by: Igor Morgenstern (Aisle Research).

    (CVE-2026-28388)
    [Igor Morgenstern]

 *) Fixed possible NULL dereference when processing CMS KeyAgreeRecipientInfo.

    Severity: Low

    Issue summary: During processing of a crafted CMS EnvelopedData message
    with KeyAgreeRecipientInfo a NULL pointer dereference can happen.

    Impact summary: Applications that process attacker-controlled CMS data may
    crash before authentication or cryptographic operations occur resulting in
    Denial of Service.

    Reported by: Nathan Sportsman (Praetorian), Daniel Rhea,
    Jaeho Nam (Seoul National University), Muhammad Daffa,
    Zhanpeng Liu (Tencent Xuanwu Lab), Guannan Wang (Tencent Xuanwu Lab),
    Guancheng Li (Tencent Xuanwu Lab), and Joshua Rogers.

    (CVE-2026-28389)
    [Neil Horman]

 *) Fixed possible NULL dereference when processing CMS
    KeyTransportRecipientInfo.

    Severity: Low

    Issue summary: During processing of a crafted CMS EnvelopedData message
    with KeyTransportRecipientInfo a NULL pointer dereference can happen.

    Impact summary: Applications that process attacker-controlled CMS data may
    crash before authentication or cryptographic operations occur resulting in
    Denial of Service.

    Reported by: Muhammad Daffa, Zhanpeng Liu (Tencent Xuanwu Lab),
    Guannan Wang (Tencent Xuanwu Lab), Guancheng Li (Tencent Xuanwu Lab),
    Joshua Rogers, and Chanho Kim.

    (CVE-2026-28390)
    [Neil Horman]


 Changes between 1.1.1zd and 1.1.1ze [27 Jan 2026]

 *) Fixed Heap out-of-bounds write in BIO_f_linebuffer on short writes.

    Severity: Low

    Issue summary: Writing large, newline-free data into a BIO chain using the
    line-buffering filter where the next BIO performs short writes can trigger
    a heap-based out-of-bounds write.

    Impact summary: This out-of-bounds write can cause memory corruption
    which typically results in a crash, leading to Denial of Service for
    an application.

    Reported by: Petr Simecek (Aisle Research) and Stanislav Fort (Aisle
    Research)

    (CVE-2025-68160)
    [Stanislav Fort]
    [Neil Horman]

 *) Fixed Unauthenticated/unencrypted trailing bytes with low-level OCB
    function calls.

    Severity: Low

    Issue summary: When using the low-level OCB API directly with AES-NI or
    other hardware-accelerated code paths, inputs whose length is not a multiple
    of 16 bytes can leave the final partial block unencrypted and
    unauthenticated.

    Impact summary: The trailing 1-15 bytes of a message may be exposed in
    cleartext on encryption and are not covered by the authentication tag,
    allowing an attacker to read or tamper with those bytes without detection.

    Reported by: Stanislav Fort (Aisle Research)

    (CVE-2025-69418)
    [Stanislav Fort]

 *) Fixed Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion.

    Severity: Low

    Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously
    crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing
    non-ASCII BMP code point can trigger a one byte write before the allocated
    buffer.

    Impact summary: The out-of-bounds write can cause a memory corruption
    which can have various consequences including a Denial of Service.

    Reported by: Stanislav Fort (Aisle Research)

    (CVE-2025-69419)
    [Norbert Pócs]

 *) Fixed Missing ASN1_TYPE validation in TS_RESP_verify_response() function.

    Severity: Low

    Issue summary: A type confusion vulnerability exists in the TimeStamp
    Response verification code where an ASN1_TYPE union member is accessed
    without first validating the type, causing an invalid or NULL pointer
    dereference when processing a malformed TimeStamp Response file.

    Impact summary: An application calling TS_RESP_verify_response()
    with a malformed TimeStamp Response can be caused to dereference an invalid
    or NULL pointer when reading, resulting in a Denial of Service.

    Reported by: Luigino Camastra (Aisle Research)

    (CVE-2025-69420)
    [Bob Beck]

 *) Fixed NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex() function.

    Severity: Low

    Issue summary: Processing a malformed PKCS#12 file can trigger a NULL
    pointer dereference in the PKCS12_item_decrypt_d2i_ex() function.

    Impact summary: A NULL pointer dereference can trigger a crash which leads
    to Denial of Service for an application processing PKCS#12 files.

    Reported by: Luigino Camastra (Aisle Research)

    (CVE-2025-69421)
    [Luigino Camastra]

 *) Fixed Missing ASN1_TYPE validation in PKCS#12 parsing.

    Severity: Low

    Issue summary: An invalid or NULL pointer dereference can happen in
    an application processing a malformed PKCS#12 file.

    Impact summary: An application processing a malformed PKCS#12 file can be
    caused to dereference an invalid or NULL pointer on memory read, resulting
    in a Denial of Service.

    Reported by: Luigino Camastra (Aisle Research)

    (CVE-2026-22795)
    [Bob Beck]

 *) Fixed ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes()
    function.

    Severity: Low

    Issue summary: A type confusion vulnerability exists in the signature
    verification of signed PKCS#7 data where an ASN1_TYPE union member
    is accessed without first validating the type, causing an invalid or NULL
    pointer dereference when processing malformed PKCS#7 data.

    Impact summary: An application performing signature verification of PKCS#7
    data or calling directly the PKCS7_digest_from_attributes() function can be
    caused to dereference an invalid or NULL pointer when reading, resulting in
    a Denial of Service.

    Reported by: Luigino Camastra (Aisle Research)

    (CVE-2026-22796)
    [Bob Beck]


 Changes between 1.1.1zb_p2 and 1.1.1zd [30 Sep 2025]

 *) Fix incorrect check of unwrapped key size in kek_unwrap_key()

    The check is off by 8 bytes so it is possible to overread by up to 8 bytes
    and overwrite up to 4 bytes.

    Although the consequences of a successful exploit of this vulnerability
    could be severe, the probability that the attacker would be able to perform
    it is low. Besides, password based (PWRI) encryption support in CMS
    messages is very rarely used.

    (CVE-2025-9230)
    [Stanislav Fort]
    [Viktor Dukhovni]


 Changes between 1.1.1zb_p1 and 1.1.1zb_p2 [20 Jan 2025]

 *) Fix timing side-channel in ECDSA signature computation

    There is a timing signal of around 300 nanoseconds when the top word of
    the inverted ECDSA nonce value is zero. This can happen with significant
    probability only for some of the supported elliptic curves. In particular
    the NIST P-521 curve is affected. To be able to measure this leak, the
    attacker process must either be located in the same physical computer or
    must have a very fast network connection with low latency.

    Attacks on ECDSA nonce are also known as Minerva attack.

    (CVE-2024-13176)
    [Tomas Mraz]


 Changes between 1.1.1zb and 1.1.1zb_p1 [24 Oct 2024]

 *) Fix the version number for versions that require two letters.

    [V Petrischew]
    [Ken Zalewski]


 Changes between 1.1.1za and 1.1.1zb [16 Oct 2024]

 *) Harden BN_GF2m_poly2arr against misuse

    The BN_GF2m_poly2arr() function converts characteristic-2 field
    (GF_{2^m}) Galois polynomials from a representation as a BIGNUM bitmask,
    to a compact array with just the exponents of the non-zero terms.

    These polynomials are then used in BN_GF2m_mod_arr() to perform modular
    reduction.  A precondition of calling BN_GF2m_mod_arr() is that the
    polynomial must have a non-zero constant term (i.e. the array has `0` as
    its final element).

    Internally, callers of BN_GF2m_poly2arr() did not verify that
    precondition, and binary EC curve parameters with an invalid polynomial
    could lead to out of bounds memory reads and writes in BN_GF2m_mod_arr().

    The precondition is always true for polynomials that arise from the
    standard form of EC parameters for characteristic-two fields (X9.62).
    See the "Finite Field Identification" section of:

    https://www.itu.int/ITU-T/formal-language/itu-t/x/x894/2018-cor1/ANSI-X9-62.html

    The OpenSSL GF(2^m) code supports only the trinomial and pentanomial
    basis X9.62 forms.

    This commit updates BN_GF2m_poly2arr() to return `0` (failure) when
    the constant term is zero (i.e. the input bitmask BIGNUM is not odd).

    Additionally, the return value is made unambiguous when there is not
    enough space to also pad the array with a final `-1` sentinel value.
    The return value is now always the number of elements (including the
    final `-1`) that would be filled when the output array is sufficiently
    large.  Previously the same count was returned both when the array has
    just enough room for the final `-1` and when it had only enough space
    for non-sentinel values.

    Finally, BN_GF2m_poly2arr() is updated to reject polynomials whose
    degree exceeds `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against
    CPU exhausition attacks via excessively large inputs.

    The above issues do not arise in processing X.509 certificates.  These
    generally have EC keys from "named curves", and RFC5840 (Section 2.1.1)
    disallows explicit EC parameters.  The TLS code in OpenSSL enforces this
    constraint only after the certificate is decoded, but, even if explicit
    parameters are specified, they are in X9.62 form, which cannot represent
    problem values as noted above.

    (CVE-2024-9143)
    [Viktor Dukhovni]


 Changes between 1.1.1y and 1.1.1za [26 Jun 2024]

 *) Fix SSL_select_next_proto

    Ensure that the provided client list is non-NULL and starts with a valid
    entry. When called from the ALPN callback the client list should already
    have been validated by OpenSSL so this should not cause a problem. When
    called from the NPN callback the client list is locally configured and
    will not have already been validated. Therefore SSL_select_next_proto
    should not assume that it is correctly formatted.

    We implement stricter checking of the client protocol list. We also do the
    same for the server list while we are about it.

    (CVE-2024-5535)
    [Matt Caswell]


 Changes between 1.1.1x and 1.1.1y [27 May 2024]

 *) Only free the read buffers if we're not using them

    If we're part way through processing a record, or the application has
    not released all the records then we should not free our buffer because
    they are still needed.

    (CVE-2024-4741)
    [Matt Caswell]
    [Watson Ladd]

 *) Fix unconstrained session cache growth in TLSv1.3

    In TLSv1.3 we create a new session object for each ticket that we send.
    We do this by duplicating the original session. If SSL_OP_NO_TICKET is in
    use then the new session will be added to the session cache. However, if
    early data is not in use (and therefore anti-replay protection is being
    used), then multiple threads could be resuming from the same session
    simultaneously. If this happens and a problem occurs on one of the threads,
    then the original session object could be marked as not_resumable. When we
    duplicate the session object this not_resumable status gets copied into the
    new session object. The new session object is then added to the session
    cache even though it is not_resumable.

    Subsequently, another bug means that the session_id_length is set to 0 for
    sessions that are marked as not_resumable - even though that session is
    still in the cache. Once this happens the session can never be removed from
    the cache. When that object gets to be the session cache tail object the
    cache never shrinks again and grows indefinitely.

    (CVE-2024-2511)
    [Matt Caswell]


 Changes between 1.1.1w and 1.1.1x [25 Jan 2024]

 *) Add NULL checks where ContentInfo data can be NULL

    PKCS12 structures contain PKCS7 ContentInfo fields. These fields are
    optional and can be NULL even if the "type" is a valid value. OpenSSL
    was not properly accounting for this and a NULL dereference can occur
    causing a crash.

    (CVE-2024-0727)
    [Matt Caswell]

 *) Make DH_check_pub_key() and DH_generate_key() safer yet

    We already check for an excessively large P in DH_generate_key(), but not in
    DH_check_pub_key(), and none of them check for an excessively large Q.

    This change adds all the missing excessive size checks of P and Q.

    It's to be noted that behaviours surrounding excessively sized P and Q
    differ.  DH_check() raises an error on the excessively sized P, but only
    sets a flag for the excessively sized Q.  This behaviour is mimicked in
    DH_check_pub_key().

    (CVE-2024-5678)
    [Richard Levitte]
    [Hugo Landau]


 Changes between 1.1.1v and 1.1.1w [11 Sep 2023]

 *) Fix POLY1305 MAC implementation corrupting XMM registers on Windows.

    The POLY1305 MAC (message authentication code) implementation in OpenSSL
    does not save the contents of non-volatile XMM registers on Windows 64
    platform when calculating the MAC of data larger than 64 bytes. Before
    returning to the caller all the XMM registers are set to zero rather than
    restoring their previous content. The vulnerable code is used only on newer
    x86_64 processors supporting the AVX512-IFMA instructions.

    The consequences of this kind of internal application state corruption can
    be various - from no consequences, if the calling application does not
    depend on the contents of non-volatile XMM registers at all, to the worst
    consequences, where the attacker could get complete control of the
    application process. However given the contents of the registers are just
    zeroized so the attacker cannot put arbitrary values inside, the most likely
    consequence, if any, would be an incorrect result of some application
    dependent calculations or a crash leading to a denial of service.

    (CVE-2023-4807)
    [Bernd Edlinger]


 Changes between 1.1.1u and 1.1.1v [1 Aug 2023]

 *) Fix excessive time spent checking DH q parameter value.

    The function DH_check() performs various checks on DH parameters. After
    fixing CVE-2023-3446 it was discovered that a large q parameter value can
    also trigger an overly long computation during some of these checks.
    A correct q value, if present, cannot be larger than the modulus p
    parameter, thus it is unnecessary to perform these checks if q is larger
    than p.

    If DH_check() is called with such q parameter value,
    DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally
    intensive checks are skipped.

    (CVE-2023-3817)
    [Tomáš Mráz]

 *) Fix DH_check() excessive time with over sized modulus

    The function DH_check() performs various checks on DH parameters. One of
    those checks confirms that the modulus ("p" parameter) is not too large.
    Trying to use a very large modulus is slow and OpenSSL will not normally use
    a modulus which is over 10,000 bits in length.

    However the DH_check() function checks numerous aspects of the key or
    parameters that have been supplied. Some of those checks use the supplied
    modulus value even if it has already been found to be too large.

    A new limit has been added to DH_check of 32,768 bits. Supplying a
    key/parameters with a modulus over this size will simply cause DH_check()
    to fail.
    (CVE-2023-3446)
    [Matt Caswell]

 Changes between 1.1.1t and 1.1.1u [30 May 2023]

  *) Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic
     OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.

     OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical
     numeric text form.  For gigantic sub-identifiers, this would take a very
     long time, the time complexity being O(n^2) where n is the size of that
     sub-identifier.  (CVE-2023-2650)

     To mitigitate this, `OBJ_obj2txt()` will only translate an OBJECT
     IDENTIFIER to canonical numeric text form if the size of that OBJECT
     IDENTIFIER is 586 bytes or less, and fail otherwise.

     The basis for this restriction is RFC 2578 (STD 58), section 3.5. OBJECT
     IDENTIFIER values, which stipulates that OBJECT IDENTIFIERS may have at
     most 128 sub-identifiers, and that the maximum value that each sub-
     identifier may have is 2^32-1 (4294967295 decimal).

     For each byte of every sub-identifier, only the 7 lower bits are part of
     the value, so the maximum amount of bytes that an OBJECT IDENTIFIER with
     these restrictions may occupy is 32 * 128 / 7, which is approximately 586
     bytes.

     Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5

     [Richard Levitte]

  *) Reworked the Fix for the Timing Oracle in RSA Decryption (CVE-2022-4304).
     The previous fix for this timing side channel turned out to cause
     a severe 2-3x performance regression in the typical use case
     compared to 1.1.1s. The new fix uses existing constant time
     code paths, and restores the previous performance level while
     fully eliminating all existing timing side channels.
     The fix was developed by Bernd Edlinger with testing support
     by Hubert Kario.
     [Bernd Edlinger]

  *) Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
     that it does not enable policy checking. Thanks to
     David Benjamin for discovering this issue. (CVE-2023-0466)
     [Tomas Mraz]

  *) Fixed an issue where invalid certificate policies in leaf certificates are
     silently ignored by OpenSSL and other certificate policy checks are skipped
     for that certificate. A malicious CA could use this to deliberately assert
     invalid certificate policies in order to circumvent policy checking on the
     certificate altogether. (CVE-2023-0465)
     [Matt Caswell]

  *) Limited the number of nodes created in a policy tree to mitigate
     against CVE-2023-0464.  The default limit is set to 1000 nodes, which
     should be sufficient for most installations.  If required, the limit
     can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build
     time define to a desired maximum number of nodes or zero to allow
     unlimited growth. (CVE-2023-0464)
     [Paul Dale]

 Changes between 1.1.1s and 1.1.1t [7 Feb 2023]

  *) Fixed X.400 address type confusion in X.509 GeneralName.

     There is a type confusion vulnerability relating to X.400 address processing
     inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
     but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This
     vulnerability may allow an attacker who can provide a certificate chain and
     CRL (neither of which need have a valid signature) to pass arbitrary
     pointers to a memcmp call, creating a possible read primitive, subject to
     some constraints. Refer to the advisory for more information. Thanks to
     David Benjamin for discovering this issue. (CVE-2023-0286)

     This issue has been fixed by changing the public header file definition of
     GENERAL_NAME so that x400Address reflects the implementation. It was not
     possible for any existing application to successfully use the existing
     definition; however, if any application references the x400Address field
     (e.g. in dead code), note that the type of this field has changed. There is
     no ABI change.
     [Hugo Landau]

  *) Fixed Use-after-free following BIO_new_NDEF.

     The public API function BIO_new_NDEF is a helper function used for
     streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL
     to support the SMIME, CMS and PKCS7 streaming capabilities, but may also
     be called directly by end user applications.

     The function receives a BIO from the caller, prepends a new BIO_f_asn1
     filter BIO onto the front of it to form a BIO chain, and then returns
     the new head of the BIO chain to the caller. Under certain conditions,
     for example if a CMS recipient public key is invalid, the new filter BIO
     is freed and the function returns a NULL result indicating a failure.
     However, in this case, the BIO chain is not properly cleaned up and the
     BIO passed by the caller still retains internal pointers to the previously
     freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO
     then a use-after-free will occur. This will most likely result in a crash.
     (CVE-2023-0215)
     [Viktor Dukhovni, Matt Caswell]

  *) Fixed Double free after calling PEM_read_bio_ex.

     The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
     decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload
     data. If the function succeeds then the "name_out", "header" and "data"
     arguments are populated with pointers to buffers containing the relevant
     decoded data. The caller is responsible for freeing those buffers. It is
     possible to construct a PEM file that results in 0 bytes of payload data.
     In this case PEM_read_bio_ex() will return a failure code but will populate
     the header argument with a pointer to a buffer that has already been freed.
     If the caller also frees this buffer then a double free will occur. This
     will most likely lead to a crash.

     The functions PEM_read_bio() and PEM_read() are simple wrappers around
     PEM_read_bio_ex() and therefore these functions are also directly affected.

     These functions are also called indirectly by a number of other OpenSSL
     functions including PEM_X509_INFO_read_bio_ex() and
     SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL
     internal uses of these functions are not vulnerable because the caller does
     not free the header argument if PEM_read_bio_ex() returns a failure code.
     (CVE-2022-4450)
     [Kurt Roeckx, Matt Caswell]

  *) Fixed Timing Oracle in RSA Decryption.

     A timing based side channel exists in the OpenSSL RSA Decryption
     implementation which could be sufficient to recover a plaintext across
     a network in a Bleichenbacher style attack. To achieve a successful
     decryption an attacker would have to be able to send a very large number
     of trial messages for decryption. The vulnerability affects all RSA padding
     modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
     (CVE-2022-4304)
     [Dmitry Belyavsky, Hubert Kario]

 Changes between 1.1.1r and 1.1.1s [1 Nov 2022]

  *) Fixed a regression introduced in 1.1.1r version not refreshing the
     certificate data to be signed before signing the certificate.
     [Gibeom Gwon]

 Changes between 1.1.1q and 1.1.1r [11 Oct 2022]

  *) Fixed the linux-mips64 Configure target which was missing the
     SIXTY_FOUR_BIT bn_ops flag. This was causing heap corruption on that
     platform.
     [Adam Joseph]

  *) Fixed a strict aliasing problem in bn_nist. Clang-14 optimisation was
     causing incorrect results in some cases as a result.
     [Paul Dale]

  *) Fixed SSL_pending() and SSL_has_pending() with DTLS which were failing to
     report correct results in some cases
     [Matt Caswell]

  *) Fixed a regression introduced in 1.1.1o for re-signing certificates with
     different key sizes
     [Todd Short]

  *) Added the loongarch64 target
     [Shi Pujin]

  *) Fixed a DRBG seed propagation thread safety issue
     [Bernd Edlinger]

  *) Fixed a memory leak in tls13_generate_secret
     [Bernd Edlinger]

  *) Fixed reported performance degradation on aarch64. Restored the
     implementation prior to commit 2621751 ("aes/asm/aesv8-armx.pl: avoid
     32-bit lane assignment in CTR mode") for 64bit targets only, since it is
     reportedly 2-17% slower and the silicon errata only affects 32bit targets.
     The new algorithm is still used for 32 bit targets.
     [Bernd Edlinger]

  *) Added a missing header for memcmp that caused compilation failure on some
     platforms
     [Gregor Jasny]

 Changes between 1.1.1p and 1.1.1q [5 Jul 2022]

  *) AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised
     implementation would not encrypt the entirety of the data under some
     circumstances.  This could reveal sixteen bytes of data that was
     preexisting in the memory that wasn't written.  In the special case of
     "in place" encryption, sixteen bytes of the plaintext would be revealed.

     Since OpenSSL does not support OCB based cipher suites for TLS and DTLS,
     they are both unaffected.
     (CVE-2022-2097)
     [Alex Chernyakhovsky, David Benjamin, Alejandro Sedeño]

 Changes between 1.1.1o and 1.1.1p [21 Jun 2022]

  *) In addition to the c_rehash shell command injection identified in
     CVE-2022-1292, further bugs where the c_rehash script does not
     properly sanitise shell metacharacters to prevent command injection have been
     fixed.

     When the CVE-2022-1292 was fixed it was not discovered that there
     are other places in the script where the file names of certificates
     being hashed were possibly passed to a command executed through the shell.

     This script is distributed by some operating systems in a manner where
     it is automatically executed.  On such operating systems, an attacker
     could execute arbitrary commands with the privileges of the script.

     Use of the c_rehash script is considered obsolete and should be replaced
     by the OpenSSL rehash command line tool.
     (CVE-2022-2068)
     [Daniel Fiala, Tomáš Mráz]

  *) When OpenSSL TLS client is connecting without any supported elliptic
     curves and TLS-1.3 protocol is disabled the connection will no longer fail
     if a ciphersuite that does not use a key exchange based on elliptic
     curves can be negotiated.
     [Tomáš Mráz]

 Changes between 1.1.1n and 1.1.1o [3 May 2022]

  *) Fixed a bug in the c_rehash script which was not properly sanitising shell
     metacharacters to prevent command injection.  This script is distributed
     by some operating systems in a manner where it is automatically executed.
     On such operating systems, an attacker could execute arbitrary commands
     with the privileges of the script.

     Use of the c_rehash script is considered obsolete and should be replaced
     by the OpenSSL rehash command line tool.
     (CVE-2022-1292)
     [Tomáš Mráz]

 Changes between 1.1.1m and 1.1.1n [15 Mar 2022]

  *) Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever
     for non-prime moduli.

     Internally this function is used when parsing certificates that contain
     elliptic curve public keys in compressed form or explicit elliptic curve
     parameters with a base point encoded in compressed form.

     It is possible to trigger the infinite loop by crafting a certificate that
     has invalid explicit curve parameters.

     Since certificate parsing happens prior to verification of the certificate
     signature, any process that parses an externally supplied certificate may
     thus be subject to a denial of service attack. The infinite loop can also
     be reached when parsing crafted private keys as they can contain explicit
     elliptic curve parameters.

     Thus vulnerable situations include:

      - TLS clients consuming server certificates
      - TLS servers consuming client certificates
      - Hosting providers taking certificates or private keys from customers
      - Certificate authorities parsing certification requests from subscribers
      - Anything else which parses ASN.1 elliptic curve parameters

     Also any other applications that use the BN_mod_sqrt() where the attacker
     can control the parameter values are vulnerable to this DoS issue.
     (CVE-2022-0778)
     [Tomáš Mráz]

  *) Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489)
     to the list of ciphersuites providing Perfect Forward Secrecy as
     required by SECLEVEL >= 3.

     [Dmitry Belyavskiy, Nicola Tuveri]

 Changes between 1.1.1l and 1.1.1m [14 Dec 2021]

  *) Avoid loading of a dynamic engine twice.

     [Bernd Edlinger]

  *) Fixed building on Debian with kfreebsd kernels

     [Mattias Ellert]

  *) Prioritise DANE TLSA issuer certs over peer certs

     [Viktor Dukhovni]

  *) Fixed random API for MacOS prior to 10.12

     These MacOS versions don't support the CommonCrypto APIs

     [Lenny Primak]

 Changes between 1.1.1k and 1.1.1l [24 Aug 2021]

  *) Fixed an SM2 Decryption Buffer Overflow.

     In order to decrypt SM2 encrypted data an application is expected to call the
     API function EVP_PKEY_decrypt(). Typically an application will call this
     function twice. The first time, on entry, the "out" parameter can be NULL and,
     on exit, the "outlen" parameter is populated with the buffer size required to
     hold the decrypted plaintext. The application can then allocate a sufficiently
     sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL
     value for the "out" parameter.

     A bug in the implementation of the SM2 decryption code means that the
     calculation of the buffer size required to hold the plaintext returned by the
     first call to EVP_PKEY_decrypt() can be smaller than the actual size required by
     the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is
     called by the application a second time with a buffer that is too small.

     A malicious attacker who is able present SM2 content for decryption to an
     application could cause attacker chosen data to overflow the buffer by up to a
     maximum of 62 bytes altering the contents of other data held after the
     buffer, possibly changing application behaviour or causing the application to
     crash. The location of the buffer is application dependent but is typically
     heap allocated.
     (CVE-2021-3711)
     [Matt Caswell]

  *) Fixed various read buffer overruns processing ASN.1 strings

     ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING
     structure which contains a buffer holding the string data and a field holding
     the buffer length. This contrasts with normal C strings which are repesented as
     a buffer for the string data which is terminated with a NUL (0) byte.

     Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's
     own "d2i" functions (and other similar parsing functions) as well as any string
     whose value has been set with the ASN1_STRING_set() function will additionally
     NUL terminate the byte array in the ASN1_STRING structure.

     However, it is possible for applications to directly construct valid ASN1_STRING
     structures which do not NUL terminate the byte array by directly setting the
     "data" and "length" fields in the ASN1_STRING array. This can also happen by
     using the ASN1_STRING_set0() function.

     Numerous OpenSSL functions that print ASN.1 data have been found to assume that
     the ASN1_STRING byte array will be NUL terminated, even though this is not
     guaranteed for strings that have been directly constructed. Where an application
     requests an ASN.1 structure to be printed, and where that ASN.1 structure
     contains ASN1_STRINGs that have been directly constructed by the application
     without NUL terminating the "data" field, then a read buffer overrun can occur.

     The same thing can also occur during name constraints processing of certificates
     (for example if a certificate has been directly constructed by the application
     instead of loading it via the OpenSSL parsing functions, and the certificate
     contains non NUL terminated ASN1_STRING structures). It can also occur in the
     X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions.

     If a malicious actor can cause an application to directly construct an
     ASN1_STRING and then process it through one of the affected OpenSSL functions
     then this issue could be hit. This might result in a crash (causing a Denial of
     Service attack). It could also result in the disclosure of private memory
     contents (such as private keys, or sensitive plaintext).
     (CVE-2021-3712)
     [Matt Caswell]

 Changes between 1.1.1j and 1.1.1k [25 Mar 2021]

  *) Fixed a problem with verifying a certificate chain when using the
     X509_V_FLAG_X509_STRICT flag. This flag enables additional security checks
     of the certificates present in a certificate chain. It is not set by
     default.

     Starting from OpenSSL version 1.1.1h a check to disallow certificates in
     the chain that have explicitly encoded elliptic curve parameters was added
     as an additional strict check.

     An error in the implementation of this check meant that the result of a
     previous check to confirm that certificates in the chain are valid CA
     certificates was overwritten. This effectively bypasses the check
     that non-CA certificates must not be able to issue other certificates.

     If a "purpose" has been configured then there is a subsequent opportunity
     for checks that the certificate is a valid CA.  All of the named "purpose"
     values implemented in libcrypto perform this check.  Therefore, where
     a purpose is set the certificate chain will still be rejected even when the
     strict flag has been used. A purpose is set by default in libssl client and
     server certificate verification routines, but it can be overridden or
     removed by an application.

     In order to be affected, an application must explicitly set the
     X509_V_FLAG_X509_STRICT verification flag and either not set a purpose
     for the certificate verification or, in the case of TLS client or server
     applications, override the default purpose.
     (CVE-2021-3450)
     [Tomáš Mráz]

  *) Fixed an issue where an OpenSSL TLS server may crash if sent a maliciously
     crafted renegotiation ClientHello message from a client. If a TLSv1.2
     renegotiation ClientHello omits the signature_algorithms extension (where
     it was present in the initial ClientHello), but includes a
     signature_algorithms_cert extension then a NULL pointer dereference will
     result, leading to a crash and a denial of service attack.

     A server is only vulnerable if it has TLSv1.2 and renegotiation enabled
     (which is the default configuration). OpenSSL TLS clients are not impacted
     by this issue.
     (CVE-2021-3449)
     [Peter Kästle and Samuel Sapalski]

 Changes between 1.1.1i and 1.1.1j [16 Feb 2021]

  *) Fixed the X509_issuer_and_serial_hash() function. It attempts to
     create a unique hash value based on the issuer and serial number data
     contained within an X509 certificate. However it was failing to correctly
     handle any errors that may occur while parsing the issuer field (which might
     occur if the issuer field is maliciously constructed). This may subsequently
     result in a NULL pointer deref and a crash leading to a potential denial of
     service attack.
     (CVE-2021-23841)
     [Matt Caswell]

  *) Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING
     padding mode to correctly check for rollback attacks. This is considered a
     bug in OpenSSL 1.1.1 because it does not support SSLv2. In 1.0.2 this is
     CVE-2021-23839.
     [Matt Caswell]

  *) Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate
     functions. Previously they could overflow the output length argument in some
     cases where the input length is close to the maximum permissable length for
     an integer on the platform. In such cases the return value from the function
     call would be 1 (indicating success), but the output length value would be
     negative. This could cause applications to behave incorrectly or crash.
     (CVE-2021-23840)
     [Matt Caswell]

  *) Fixed SRP_Calc_client_key so that it runs in constant time. The previous
     implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This
     could be exploited in a side channel attack to recover the password. Since
     the attack is local host only this is outside of the current OpenSSL
     threat model and therefore no CVE is assigned.

     Thanks to Mohammed Sabt and Daniel De Almeida Braga for reporting this
     issue.
     [Matt Caswell]

 Changes between 1.1.1h and 1.1.1i [8 Dec 2020]

  *) Fixed NULL pointer deref in the GENERAL_NAME_cmp function
     This function could crash if both GENERAL_NAMEs contain an EDIPARTYNAME.
     If an attacker can control both items being compared  then this could lead
     to a possible denial of service attack. OpenSSL itself uses the
     GENERAL_NAME_cmp function for two purposes:
     1) Comparing CRL distribution point names between an available CRL and a
        CRL distribution point embedded in an X509 certificate
     2) When verifying that a timestamp response token signer matches the
        timestamp authority name (exposed via the API functions
        TS_RESP_verify_response and TS_RESP_verify_token)
     (CVE-2020-1971)
     [Matt Caswell]

  *) Add support for Apple Silicon M1 Macs with the darwin64-arm64-cc target.
     [Stuart Carnie]

  *) The security callback, which can be customised by application code, supports
     the security operation SSL_SECOP_TMP_DH. This is defined to take an EVP_PKEY
     in the "other" parameter. In most places this is what is passed. All these
     places occur server side. However there was one client side call of this
     security operation and it passed a DH object instead. This is incorrect
     according to the definition of SSL_SECOP_TMP_DH, and is inconsistent with all
     of the other locations. Therefore this client side call has been changed to
     pass an EVP_PKEY instead.
     [Matt Caswell]

  *) In 1.1.1h, an expired trusted (root) certificate was not anymore rejected
     when validating a certificate path. This check is restored in 1.1.1i.
     [David von Oheimb]

 Changes between 1.1.1g and 1.1.1h [22 Sep 2020]

  *) Certificates with explicit curve parameters are now disallowed in
     verification chains if the X509_V_FLAG_X509_STRICT flag is used.
     [Tomas Mraz]

  *) The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
     ignore TLS protocol version bounds when configuring DTLS-based contexts, and
     conversely, silently ignore DTLS protocol version bounds when configuring
     TLS-based contexts.  The commands can be repeated to set bounds of both
     types.  The same applies with the corresponding "min_protocol" and
     "max_protocol" command-line switches, in case some application uses both TLS
     and DTLS.
  
     SSL_CTX instances that are created for a fixed protocol version (e.g.
     TLSv1_server_method()) also silently ignore version bounds.  Previously
     attempts to apply bounds to these protocol versions would result in an
     error.  Now only the "version-flexible" SSL_CTX instances are subject to
     limits in configuration files in command-line options.
     [Viktor Dukhovni]

  *) Handshake now fails if Extended Master Secret extension is dropped
     on renegotiation.
     [Tomas Mraz]

  *) Accidentally, an expired trusted (root) certificate is not anymore rejected
     when validating a certificate path.
     [David von Oheimb]

  *) The Oracle Developer Studio compiler will start reporting deprecated APIs

 Changes between 1.1.1f and 1.1.1g [21 Apr 2020]

  *) Fixed segmentation fault in SSL_check_chain()
     Server or client applications that call the SSL_check_chain() function
     during or after a TLS 1.3 handshake may crash due to a NULL pointer
     dereference as a result of incorrect handling of the
     "signature_algorithms_cert" TLS extension. The crash occurs if an invalid
     or unrecognised signature algorithm is received from the peer. This could
     be exploited by a malicious peer in a Denial of Service attack.
     (CVE-2020-1967)
     [Benjamin Kaduk]

  *) Added AES consttime code for no-asm configurations
     an optional constant time support for AES was added
     when building openssl for no-asm.
     Enable with: ./config no-asm -DOPENSSL_AES_CONST_TIME
     Disable with: ./config no-asm -DOPENSSL_NO_AES_CONST_TIME
     At this time this feature is by default disabled.
     It will be enabled by default in 3.0.
     [Bernd Edlinger]

 Changes between 1.1.1e and 1.1.1f [31 Mar 2020]

  *) Revert the change of EOF detection while reading in libssl to avoid
     regressions in applications depending on the current way of reporting
     the EOF. As the existing method is not fully accurate the change to
     reporting the EOF via SSL_ERROR_SSL is kept on the current development
     branch and will be present in the 3.0 release.
     [Tomas Mraz]

  *) Revised BN_generate_prime_ex to not avoid factors 3..17863 in p-1
     when primes for RSA keys are computed.
     Since we previously always generated primes == 2 (mod 3) for RSA keys,
     the 2-prime and 3-prime RSA modules were easy to distinguish, since
     N = p*q = 1 (mod 3), but N = p*q*r = 2 (mod 3). Therefore fingerprinting
     2-prime vs. 3-prime RSA keys was possible by computing N mod 3.
     This avoids possible fingerprinting of newly generated RSA modules.
     [Bernd Edlinger]

 Changes between 1.1.1d and 1.1.1e [17 Mar 2020]
  *) Properly detect EOF while reading in libssl. Previously if we hit an EOF
     while reading in libssl then we would report an error back to the
     application (SSL_ERROR_SYSCALL) but errno would be 0. We now add
     an error to the stack (which means we instead return SSL_ERROR_SSL) and
     therefore give a hint as to what went wrong.
     [Matt Caswell]

  *) Check that ed25519 and ed448 are allowed by the security level. Previously
     signature algorithms not using an MD were not being checked that they were
     allowed by the security level.
     [Kurt Roeckx]

  *) Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername()
     was not quite right. The behaviour was not consistent between resumption
     and normal handshakes, and also not quite consistent with historical
     behaviour. The behaviour in various scenarios has been clarified and
     it has been updated to make it match historical behaviour as closely as
     possible.
     [Matt Caswell]

  *) [VMS only] The header files that the VMS compilers include automatically,
     __DECC_INCLUDE_PROLOGUE.H and __DECC_INCLUDE_EPILOGUE.H, use pragmas that
     the C++ compiler doesn't understand.  This is a shortcoming in the
     compiler, but can be worked around with __cplusplus guards.

     C++ applications that use OpenSSL libraries must be compiled using the
     qualifier '/NAMES=(AS_IS,SHORTENED)' to be able to use all the OpenSSL
     functions.  Otherwise, only functions with symbols of less than 31
     characters can be used, as the linker will not be able to successfully
     resolve symbols with longer names.
     [Richard Levitte]

  *) Corrected the documentation of the return values from the EVP_DigestSign*
     set of functions.  The documentation mentioned negative values for some
     errors, but this was never the case, so the mention of negative values
     was removed.

     Code that followed the documentation and thereby check with something
     like 'EVP_DigestSignInit(...) <= 0' will continue to work undisturbed.
     [Richard Levitte]

  *) Fixed an an overflow bug in the x64_64 Montgomery squaring procedure
     used in exponentiation with 512-bit moduli. No EC algorithms are
     affected. Analysis suggests that attacks against 2-prime RSA1024,
     3-prime RSA1536, and DSA1024 as a result of this defect would be very
     difficult to perform and are not believed likely. Attacks against DH512
     are considered just feasible. However, for an attack the target would
     have to re-use the DH512 private key, which is not recommended anyway.
     Also applications directly using the low level API BN_mod_exp may be
     affected if they use BN_FLG_CONSTTIME.
     (CVE-2019-1551)
     [Andy Polyakov]

  *) Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY.
     The presence of this system service is determined at run-time.
     [Richard Levitte]

  *) Added newline escaping functionality to a filename when using openssl dgst.
     This output format is to replicate the output format found in the '*sum'
     checksum programs. This aims to preserve backward compatibility.
     [Matt Eaton, Richard Levitte, and Paul Dale]

  *) Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just
     the first value.
     [Jon Spillett]

 Changes between 1.1.1c and 1.1.1d [10 Sep 2019]

  *) Fixed a fork protection issue. OpenSSL 1.1.1 introduced a rewritten random
     number generator (RNG). This was intended to include protection in the
     event of a fork() system call in order to ensure that the parent and child
     processes did not share the same RNG state. However this protection was not
     being used in the default case.

     A partial mitigation for this issue is that the output from a high
     precision timer is mixed into the RNG state so the likelihood of a parent
     and child process sharing state is significantly reduced.

     If an application already calls OPENSSL_init_crypto() explicitly using
     OPENSSL_INIT_ATFORK then this problem does not occur at all.
     (CVE-2019-1549)
     [Matthias St. Pierre]

  *) For built-in EC curves, ensure an EC_GROUP built from the curve name is
     used even when parsing explicit parameters, when loading a serialized key
     or calling `EC_GROUP_new_from_ecpkparameters()`/
     `EC_GROUP_new_from_ecparameters()`.
     This prevents bypass of security hardening and performance gains,
     especially for curves with specialized EC_METHODs.
     By default, if a key encoded with explicit parameters is loaded and later
     serialized, the output is still encoded with explicit parameters, even if
     internally a "named" EC_GROUP is used for computation.
     [Nicola Tuveri]

  *) Compute ECC cofactors if not provided during EC_GROUP construction. Before
     this change, EC_GROUP_set_generator would accept order and/or cofactor as
     NULL. After this change, only the cofactor parameter can be NULL. It also
     does some minimal sanity checks on the passed order.
     (CVE-2019-1547)
     [Billy Bob Brumley]

  *) Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
     An attack is simple, if the first CMS_recipientInfo is valid but the
     second CMS_recipientInfo is chosen ciphertext. If the second
     recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
     encryption key will be replaced by garbage, and the message cannot be
     decoded, but if the RSA decryption fails, the correct encryption key is
     used and the recipient will not notice the attack.
     As a work around for this potential attack the length of the decrypted
     key must be equal to the cipher default key length, in case the
     certifiate is not given and all recipientInfo are tried out.
     The old behaviour can be re-enabled in the CMS code by setting the
     CMS_DEBUG_DECRYPT flag.
     (CVE-2019-1563)
     [Bernd Edlinger]

  *) Early start up entropy quality from the DEVRANDOM seed source has been
     improved for older Linux systems.  The RAND subsystem will wait for
     /dev/random to be producing output before seeding from /dev/urandom.
     The seeded state is stored for future library initialisations using
     a system global shared memory segment.  The shared memory identifier
     can be configured by defining OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID to
     the desired value.  The default identifier is 114.
     [Paul Dale]

  *) Correct the extended master secret constant on EBCDIC systems. Without this
     fix TLS connections between an EBCDIC system and a non-EBCDIC system that
     negotiate EMS will fail. Unfortunately this also means that TLS connections
     between EBCDIC systems with this fix, and EBCDIC systems without this
     fix will fail if they negotiate EMS.
     [Matt Caswell]

  *) Use Windows installation paths in the mingw builds

     Mingw isn't a POSIX environment per se, which means that Windows
     paths should be used for installation.
     (CVE-2019-1552)
     [Richard Levitte]

  *) Changed DH_check to accept parameters with order q and 2q subgroups.
     With order 2q subgroups the bit 0 of the private key is not secret
     but DH_generate_key works around that by clearing bit 0 of the
     private key for those. This avoids leaking bit 0 of the private key.
     [Bernd Edlinger]

  *) Significantly reduce secure memory usage by the randomness pools.
     [Paul Dale]

  *) Revert the DEVRANDOM_WAIT feature for Linux systems

     The DEVRANDOM_WAIT feature added a select() call to wait for the
     /dev/random device to become readable before reading from the
     /dev/urandom device.

     It turned out that this change had negative side effects on
     performance which were not acceptable. After some discussion it
     was decided to revert this feature and leave it up to the OS
     resp. the platform maintainer to ensure a proper initialization
     during early boot time.
     [Matthias St. Pierre]

 Changes between 1.1.1b and 1.1.1c [28 May 2019]

  *) Add build tests for C++.  These are generated files that only do one
     thing, to include one public OpenSSL head file each.  This tests that
     the public header files can be usefully included in a C++ application.

     This test isn't enabled by default.  It can be enabled with the option
     'enable-buildtest-c++'.
     [Richard Levitte]

  *) Enable SHA3 pre-hashing for ECDSA and DSA.
     [Patrick Steuer]

  *) Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
     This changes the size when using the genpkey app when no size is given. It
     fixes an omission in earlier changes that changed all RSA, DSA and DH
     generation apps to use 2048 bits by default.
     [Kurt Roeckx]

  *) Reorganize the manual pages to consistently have RETURN VALUES,
     EXAMPLES, SEE ALSO and HISTORY come in that order, and adjust
     util/fix-doc-nits accordingly.
     [Paul Yang, Joshua Lock]

  *) Add the missing accessor EVP_PKEY_get0_engine()
     [Matt Caswell]

  *) Have apps like 's_client' and 's_server' output the signature scheme
     along with other cipher suite parameters when debugging.
     [Lorinczy Zsigmond]

  *) Make OPENSSL_config() error agnostic again.
     [Richard Levitte]

  *) Do the error handling in RSA decryption constant time.
     [Bernd Edlinger]

  *) Prevent over long nonces in ChaCha20-Poly1305.

     ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
     for every encryption operation. RFC 7539 specifies that the nonce value
     (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length
     and front pads the nonce with 0 bytes if it is less than 12
     bytes. However it also incorrectly allows a nonce to be set of up to 16
     bytes. In this case only the last 12 bytes are significant and any
     additional leading bytes are ignored.

     It is a requirement of using this cipher that nonce values are
     unique. Messages encrypted using a reused nonce value are susceptible to
     serious confidentiality and integrity attacks. If an application changes
     the default nonce length to be longer than 12 bytes and then makes a
     change to the leading bytes of the nonce expecting the new value to be a
     new unique nonce then such an application could inadvertently encrypt
     messages with a reused nonce.

     Additionally the ignored bytes in a long nonce are not covered by the
     integrity guarantee of this cipher. Any application that relies on the
     integrity of these ignored leading bytes of a long nonce may be further
     affected. Any OpenSSL internal use of this cipher, including in SSL/TLS,
     is safe because no such use sets such a long nonce value. However user
     applications that use this cipher directly and set a non-default nonce
     length to be longer than 12 bytes may be vulnerable.

     This issue was reported to OpenSSL on 16th of March 2019 by Joran Dirk
     Greef of Ronomon.
     (CVE-2019-1543)
     [Matt Caswell]

  *) Add DEVRANDOM_WAIT feature for Linux systems

     On older Linux systems where the getrandom() system call is not available,
     OpenSSL normally uses the /dev/urandom device for seeding its CSPRNG.
     Contrary to getrandom(), the /dev/urandom device will not block during
     early boot when the kernel CSPRNG has not been seeded yet.

     To mitigate this known weakness, use select() to wait for /dev/random to
     become readable before reading from /dev/urandom.

  *) Ensure that SM2 only uses SM3 as digest algorithm
     [Paul Yang]

 Changes between 1.1.1a and 1.1.1b [26 Feb 2019]

  *) Added SCA hardening for modular field inversion in EC_GROUP through
     a new dedicated field_inv() pointer in EC_METHOD.
     This also addresses a leakage affecting conversions from projective
     to affine coordinates.
     [Billy Bob Brumley, Nicola Tuveri]

  *) Change the info callback signals for the start and end of a post-handshake
     message exchange in TLSv1.3. In 1.1.1/1.1.1a we used SSL_CB_HANDSHAKE_START
     and SSL_CB_HANDSHAKE_DONE. Experience has shown that many applications get
     confused by this and assume that a TLSv1.2 renegotiation has started. This
     can break KeyUpdate handling. Instead we no longer signal the start and end
     of a post handshake message exchange (although the messages themselves are
     still signalled). This could break some applications that were expecting
     the old signals. However without this KeyUpdate is not usable for many
     applications.
     [Matt Caswell]

  *) Fix a bug in the computation of the endpoint-pair shared secret used
     by DTLS over SCTP. This breaks interoperability with older versions
     of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2. There is a runtime
     switch SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG (off by default) enabling
     interoperability with such broken implementations. However, enabling
     this switch breaks interoperability with correct implementations.

  *) Fix a use after free bug in d2i_X509_PUBKEY when overwriting a
     re-used X509_PUBKEY object if the second PUBKEY is malformed.
     [Bernd Edlinger]

  *) Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().
     [Richard Levitte]

  *) Remove the 'dist' target and add a tarball building script.  The
     'dist' target has fallen out of use, and it shouldn't be
     necessary to configure just to create a source distribution.
     [Richard Levitte]

 Changes between 1.1.1 and 1.1.1a [20 Nov 2018]

  *) Timing vulnerability in DSA signature generation

     The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
     timing side channel attack. An attacker could use variations in the signing
     algorithm to recover the private key.

     This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
     (CVE-2018-0734)
     [Paul Dale]

  *) Timing vulnerability in ECDSA signature generation

     The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a
     timing side channel attack. An attacker could use variations in the signing
     algorithm to recover the private key.

     This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser.
     (CVE-2018-0735)
     [Paul Dale]

  *) Added EVP_PKEY_ECDH_KDF_X9_63 and ecdh_KDF_X9_63() as replacements for
     the EVP_PKEY_ECDH_KDF_X9_62 KDF type and ECDH_KDF_X9_62(). The old names
     are retained for backwards compatibility.
     [Antoine Salon]

  *) Fixed the issue that RAND_add()/RAND_seed() silently discards random input
     if its length exceeds 4096 bytes. The limit has been raised to a buffer size
     of two gigabytes and the error handling improved.

     This issue was reported to OpenSSL by Dr. Falko Strenzke. It has been
     categorized as a normal bug, not a security issue, because the DRBG reseeds
     automatically and is fully functional even without additional randomness
     provided by the application.

 Changes between 1.1.0i and 1.1.1 [11 Sep 2018]

  *) Add a new ClientHello callback. Provides a callback interface that gives
     the application the ability to adjust the nascent SSL object at the
     earliest stage of ClientHello processing, immediately after extensions have
     been collected but before they have been processed. In particular, this
     callback can adjust the supported TLS versions in response to the contents
     of the ClientHello
     [Benjamin Kaduk]

  *) Add SM2 base algorithm support.
     [Jack Lloyd]

  *) s390x assembly pack: add (improved) hardware-support for the following
     cryptographic primitives: sha3, shake, aes-gcm, aes-ccm, aes-ctr, aes-ofb,
     aes-cfb/cfb8, aes-ecb.
     [Patrick Steuer]

  *) Make EVP_PKEY_asn1_new() a bit stricter about its input.  A NULL pem_str
     parameter is no longer accepted, as it leads to a corrupt table.  NULL
     pem_str is reserved for alias entries only.
     [Richard Levitte]

  *) Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder
     step for prime curves. The new implementation is based on formulae from
     differential addition-and-doubling in homogeneous projective coordinates
     from Izu-Takagi "A fast parallel elliptic curve multiplication resistant
     against side channel attacks" and Brier-Joye "Weierstrass Elliptic Curves
     and Side-Channel Attacks" Eq. (8) for y-coordinate recovery, modified
     to work in projective coordinates.
     [Billy Bob Brumley, Nicola Tuveri]

  *) Change generating and checking of primes so that the error rate of not
     being prime depends on the intended use based on the size of the input.
     For larger primes this will result in more rounds of Miller-Rabin.
     The maximal error rate for primes with more than 1080 bits is lowered
     to 2^-128.
     [Kurt Roeckx, Annie Yousar]

  *) Increase the number of Miller-Rabin rounds for DSA key generating to 64.
     [Kurt Roeckx]

  *) The 'tsget' script is renamed to 'tsget.pl', to avoid confusion when
     moving between systems, and to avoid confusion when a Windows build is
     done with mingw vs with MSVC.  For POSIX installs, there's still a
     symlink or copy named 'tsget' to avoid that confusion as well.
     [Richard Levitte]

  *) Revert blinding in ECDSA sign and instead make problematic addition
     length-invariant. Switch even to fixed-length Montgomery multiplication.
     [Andy Polyakov]

  *) Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder
     step for binary curves. The new implementation is based on formulae from
     differential addition-and-doubling in mixed Lopez-Dahab projective
     coordinates, modified to independently blind the operands.
     [Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri]

  *) Add a scaffold to optionally enhance the Montgomery ladder implementation
     for `ec_scalar_mul_ladder` (formerly `ec_mul_consttime`) allowing
     EC_METHODs to implement their own specialized "ladder step", to take
     advantage of more favorable coordinate systems or more efficient
     differential addition-and-doubling algorithms.
     [Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri]

  *) Modified the random device based seed sources to keep the relevant
     file descriptors open rather than reopening them on each access.
     This allows such sources to operate in a chroot() jail without
     the associated device nodes being available. This behaviour can be
     controlled using RAND_keep_random_devices_open().
     [Paul Dale]

  *) Numerous side-channel attack mitigations have been applied. This may have
     performance impacts for some algorithms for the benefit of improved
     security. Specific changes are noted in this change log by their respective
     authors.
     [Matt Caswell]

  *) AIX shared library support overhaul. Switch to AIX "natural" way of
     handling shared libraries, which means collecting shared objects of
     different versions and bitnesses in one common archive. This allows to
     mitigate conflict between 1.0 and 1.1 side-by-side installations. It
     doesn't affect the way 3rd party applications are linked, only how
     multi-version installation is managed.
     [Andy Polyakov]

  *) Make ec_group_do_inverse_ord() more robust and available to other
     EC cryptosystems, so that irrespective of BN_FLG_CONSTTIME, SCA
     mitigations are applied to the fallback BN_mod_inverse().
     When using this function rather than BN_mod_inverse() directly, new
     EC cryptosystem implementations are then safer-by-default.
     [Billy Bob Brumley]

  *) Add coordinate blinding for EC_POINT and implement projective
     coordinate blinding for generic prime curves as a countermeasure to
     chosen point SCA attacks.
     [Sohaib ul Hassan, Nicola Tuveri, Billy Bob Brumley]

  *) Add blinding to ECDSA and DSA signatures to protect against side channel
     attacks discovered by Keegan Ryan (NCC Group).
     [Matt Caswell]

  *) Enforce checking in the pkeyutl command line app to ensure that the input
     length does not exceed the maximum supported digest length when performing
     a sign, verify or verifyrecover operation.
     [Matt Caswell]

  *) SSL_MODE_AUTO_RETRY is enabled by default. Applications that use blocking
     I/O in combination with something like select() or poll() will hang. This
     can be turned off again using SSL_CTX_clear_mode().
     Many applications do not properly handle non-application data records, and
     TLS 1.3 sends more of such records. Setting SSL_MODE_AUTO_RETRY works
     around the problems in those applications, but can also break some.
     It's recommended to read the manpages about SSL_read(), SSL_write(),
     SSL_get_error(), SSL_shutdown(), SSL_CTX_set_mode() and
     SSL_CTX_set_read_ahead() again.
     [Kurt Roeckx]

  *) When unlocking a pass phrase protected PEM file or PKCS#8 container, we
     now allow empty (zero character) pass phrases.
     [Richard Levitte]

  *) Apply blinding to binary field modular inversion and remove patent
     pending (OPENSSL_SUN_GF2M_DIV) BN_GF2m_mod_div implementation.
     [Billy Bob Brumley]

  *) Deprecate ec2_mult.c and unify scalar multiplication code paths for
     binary and prime elliptic curves.
     [Billy Bob Brumley]

  *) Remove ECDSA nonce padding: EC_POINT_mul is now responsible for
     constant time fixed point multiplication.
     [Billy Bob Brumley]

  *) Revise elliptic curve scalar multiplication with timing attack
     defenses: ec_wNAF_mul redirects to a constant time implementation
     when computing fixed point and variable point multiplication (which
     in OpenSSL are mostly used with secret scalars in keygen, sign,
     ECDH derive operations).
     [Billy Bob Brumley, Nicola Tuveri, Cesar Pereida García,
      Sohaib ul Hassan]

  *) Updated CONTRIBUTING
     [Rich Salz]

  *) Updated DRBG / RAND to request nonce and additional low entropy
     randomness from the system.
     [Matthias St. Pierre]

  *) Updated 'openssl rehash' to use OpenSSL consistent default.
     [Richard Levitte]

  *) Moved the load of the ssl_conf module to libcrypto, which helps
     loading engines that libssl uses before libssl is initialised.
     [Matt Caswell]

  *) Added EVP_PKEY_sign() and EVP_PKEY_verify() for EdDSA
     [Matt Caswell]

  *) Fixed X509_NAME_ENTRY_set to get multi-valued RDNs right in all cases.
     [Ingo Schwarze, Rich Salz]

  *) Added output of accepting IP address and port for 'openssl s_server'
     [Richard Levitte]

  *) Added a new API for TLSv1.3 ciphersuites:
        SSL_CTX_set_ciphersuites()
        SSL_set_ciphersuites()
     [Matt Caswell]

  *) Memory allocation failures consistently add an error to the error
     stack.
     [Rich Salz]

  *) Don't use OPENSSL_ENGINES and OPENSSL_CONF environment values
     in libcrypto when run as setuid/setgid.
     [Bernd Edlinger]

  *) Load any config file by default when libssl is used.
     [Matt Caswell]

  *) Added new public header file <openssl/rand_drbg.h> and documentation
     for the RAND_DRBG API. See manual page RAND_DRBG(7) for an overview.
     [Matthias St. Pierre]

  *) QNX support removed (cannot find contributors to get their approval
     for the license change).
     [Rich Salz]

  *) TLSv1.3 replay protection for early data has been implemented. See the
     SSL_read_early_data() man page for further details.
     [Matt Caswell]

  *) Separated TLSv1.3 ciphersuite configuration out from TLSv1.2 ciphersuite
     configuration. TLSv1.3 ciphersuites are not compatible with TLSv1.2 and
     below. Similarly TLSv1.2 ciphersuites are not compatible with TLSv1.3.
     In order to avoid issues where legacy TLSv1.2 ciphersuite configuration
     would otherwise inadvertently disable all TLSv1.3 ciphersuites the
     configuration has been separated out. See the ciphers man page or the
     SSL_CTX_set_ciphersuites() man page for more information.
     [Matt Caswell]

  *) On POSIX (BSD, Linux, ...) systems the ocsp(1) command running
     in responder mode now supports the new "-multi" option, which
     spawns the specified number of child processes to handle OCSP
     requests.  The "-timeout" option now also limits the OCSP
     responder's patience to wait to receive the full client request
     on a newly accepted connection. Child processes are respawned
     as needed, and the CA index file is automatically reloaded
     when changed.  This makes it possible to run the "ocsp" responder
     as a long-running service, making the OpenSSL CA somewhat more
     feature-complete.  In this mode, most diagnostic messages logged
     after entering the event loop are logged via syslog(3) rather than
     written to stderr.
     [Viktor Dukhovni]

  *) Added support for X448 and Ed448. Heavily based on original work by
     Mike Hamburg.
     [Matt Caswell]

  *) Extend OSSL_STORE with capabilities to search and to narrow the set of
     objects loaded.  This adds the functions OSSL_STORE_expect() and
     OSSL_STORE_find() as well as needed tools to construct searches and
     get the search data out of them.
     [Richard Levitte]

  *) Support for TLSv1.3 added. Note that users upgrading from an earlier
     version of OpenSSL should review their configuration settings to ensure
     that they are still appropriate for TLSv1.3. For further information see:
     https://wiki.openssl.org/index.php/TLS1.3
     [Matt Caswell]

  *) Grand redesign of the OpenSSL random generator

     The default RAND method now utilizes an AES-CTR DRBG according to
     NIST standard SP 800-90Ar1. The new random generator is essentially
     a port of the default random generator from the OpenSSL FIPS 2.0
     object module. It is a hybrid deterministic random bit generator
     using an AES-CTR bit stream and which seeds and reseeds itself
     automatically using trusted system entropy sources.

     Some of its new features are:
      o Support for multiple DRBG instances with seed chaining.
      o The default RAND method makes use of a DRBG.
      o There is a public and private DRBG instance.
      o The DRBG instances are fork-safe.
      o Keep all global DRBG instances on the secure heap if it is enabled.
      o The public and private DRBG instance are per thread for lock free
        operation
     [Paul Dale, Benjamin Kaduk, Kurt Roeckx, Rich Salz, Matthias St. Pierre]

  *) Changed Configure so it only says what it does and doesn't dump
     so much data.  Instead, ./configdata.pm should be used as a script
     to display all sorts of configuration data.
     [Richard Levitte]

  *) Added processing of "make variables" to Configure.
     [Richard Levitte]

  *) Added SHA512/224 and SHA512/256 algorithm support.
     [Paul Dale]

  *) The last traces of Netware support, first removed in 1.1.0, have
     now been removed.
     [Rich Salz]

  *) Get rid of Makefile.shared, and in the process, make the processing
     of certain files (rc.obj, or the .def/.map/.opt files produced from
     the ordinal files) more visible and hopefully easier to trace and
     debug (or make silent).
     [Richard Levitte]

  *) Make it possible to have environment variable assignments as
     arguments to config / Configure.
     [Richard Levitte]

  *) Add multi-prime RSA (RFC 8017) support.
     [Paul Yang]

  *) Add SM3 implemented according to GB/T 32905-2016
     [ Jack Lloyd <jack.lloyd@ribose.com>,
       Ronald Tse <ronald.tse@ribose.com>,
       Erick Borsboom <erick.borsboom@ribose.com> ]

  *) Add 'Maximum Fragment Length' TLS extension negotiation and support
     as documented in RFC6066.
     Based on a patch from Tomasz Moń
     [Filipe Raimundo da Silva]

  *) Add SM4 implemented according to GB/T 32907-2016.
     [ Jack Lloyd <jack.lloyd@ribose.com>,
       Ronald Tse <ronald.tse@ribose.com>,
       Erick Borsboom <erick.borsboom@ribose.com> ]

  *) Reimplement -newreq-nodes and ERR_error_string_n; the
     original author does not agree with the license change.
     [Rich Salz]

  *) Add ARIA AEAD TLS support.
     [Jon Spillett]

  *) Some macro definitions to support VS6 have been removed.  Visual
     Studio 6 has not worked since 1.1.0
     [Rich Salz]

  *) Add ERR_clear_last_mark(), to allow callers to clear the last mark
     without clearing the errors.
     [Richard Levitte]

  *) Add "atfork" functions.  If building on a system that without
     pthreads, see doc/man3/OPENSSL_fork_prepare.pod for application
     requirements.  The RAND facility now uses/requires this.
     [Rich Salz]

  *) Add SHA3.
     [Andy Polyakov]

  *) The UI API becomes a permanent and integral part of libcrypto, i.e.
     not possible to disable entirely.  However, it's still possible to
     disable the console reading UI method, UI_OpenSSL() (use UI_null()
     as a fallback).

     To disable, configure with 'no-ui-console'.  'no-ui' is still
     possible to use as an alias.  Check at compile time with the
     macro OPENSSL_NO_UI_CONSOLE.  The macro OPENSSL_NO_UI is still
     possible to check and is an alias for OPENSSL_NO_UI_CONSOLE.
     [Richard Levitte]

  *) Add a STORE module, which implements a uniform and URI based reader of
     stores that can contain keys, certificates, CRLs and numerous other
     objects.  The main API is loosely based on a few stdio functions,
     and includes OSSL_STORE_open, OSSL_STORE_load, OSSL_STORE_eof,
     OSSL_STORE_error and OSSL_STORE_close.
     The implementation uses backends called "loaders" to implement arbitrary
     URI schemes.  There is one built in "loader" for the 'file' scheme.
     [Richard Levitte]

  *) Add devcrypto engine.  This has been implemented against cryptodev-linux,
     then adjusted to work on FreeBSD 8.4 as well.
     Enable by configuring with 'enable-devcryptoeng'.  This is done by default
     on BSD implementations, as cryptodev.h is assumed to exist on all of them.
     [Richard Levitte]

  *) Module names can prefixed with OSSL_ or OPENSSL_.  This affects
     util/mkerr.pl, which is adapted to allow those prefixes, leading to
     error code calls like this:

         OSSL_FOOerr(OSSL_FOO_F_SOMETHING, OSSL_FOO_R_WHATEVER);

     With this change, we claim the namespaces OSSL and OPENSSL in a manner
     that can be encoded in C.  For the foreseeable future, this will only
     affect new modules.
     [Richard Levitte and Tim Hudson]

  *) Removed BSD cryptodev engine.
     [Rich Salz]

  *) Add a build target 'build_all_generated', to build all generated files
     and only that.  This can be used to prepare everything that requires
     things like perl for a system that lacks perl and then move everything
     to that system and do the rest of the build there.
     [Richard Levitte]

  *) In the UI interface, make it possible to duplicate the user data.  This
     can be used by engines that need to retain the data for a longer time
     than just the call where this user data is passed.
     [Richard Levitte]

  *) Ignore the '-named_curve auto' value for compatibility of applications
     with OpenSSL 1.0.2.
     [Tomas Mraz <tmraz@fedoraproject.org>]

  *) Fragmented SSL/TLS alerts are no longer accepted. An alert message is 2
     bytes long. In theory it is permissible in SSLv3 - TLSv1.2 to fragment such
     alerts across multiple records (some of which could be empty). In practice
     it make no sense to send an empty alert record, or to fragment one. TLSv1.3
     prohibits this altogether and other libraries (BoringSSL, NSS) do not
     support this at all. Supporting it adds significant complexity to the
     record layer, and its removal is unlikely to cause interoperability
     issues.
     [Matt Caswell]

  *) Add the ASN.1 types INT32, UINT32, INT64, UINT64 and variants prefixed
     with Z.  These are meant to replace LONG and ZLONG and to be size safe.
     The use of LONG and ZLONG is discouraged and scheduled for deprecation
     in OpenSSL 1.2.0.
     [Richard Levitte]

  *) Add the 'z' and 'j' modifiers to BIO_printf() et al formatting string,
     'z' is to be used for [s]size_t, and 'j' - with [u]int64_t.
     [Richard Levitte, Andy Polyakov]

  *) Add EC_KEY_get0_engine(), which does for EC_KEY what RSA_get0_engine()
     does for RSA, etc.
     [Richard Levitte]

  *) Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
     platform rather than 'mingw'.
     [Richard Levitte]

  *) The functions X509_STORE_add_cert and X509_STORE_add_crl return
     success if they are asked to add an object which already exists
     in the store. This change cascades to other functions which load
     certificates and CRLs.
     [Paul Dale]

  *) x86_64 assembly pack: annotate code with DWARF CFI directives to
     facilitate stack unwinding even from assembly subroutines.
     [Andy Polyakov]

  *) Remove VAX C specific definitions of OPENSSL_EXPORT, OPENSSL_EXTERN.
     Also remove OPENSSL_GLOBAL entirely, as it became a no-op.
     [Richard Levitte]

  *) Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c.
     VMS C's RTL has a fully up to date gmtime() and gmtime_r() since V7.1,
     which is the minimum version we support.
     [Richard Levitte]

  *) Certificate time validation (X509_cmp_time) enforces stricter
     compliance with RFC 5280. Fractional seconds and timezone offsets
     are no longer allowed.
     [Emilia Käsper]

  *) Add support for ARIA
     [Paul Dale]

  *) s_client will now send the Server Name Indication (SNI) extension by
     default unless the new "-noservername" option is used. The server name is
     based on the host provided to the "-connect" option unless overridden by
     using "-servername".
     [Matt Caswell]

  *) Add support for SipHash
     [Todd Short]

  *) OpenSSL now fails if it receives an unrecognised record type in TLS1.0
     or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to
     prevent issues where no progress is being made and the peer continually
     sends unrecognised record types, using up resources processing them.
     [Matt Caswell]

  *) 'openssl passwd' can now produce SHA256 and SHA512 based output,
     using the algorithm defined in
     https://www.akkadia.org/drepper/SHA-crypt.txt
     [Richard Levitte]

  *) Heartbeat support has been removed; the ABI is changed for now.
     [Richard Levitte, Rich Salz]

  *) Support for SSL_OP_NO_ENCRYPT_THEN_MAC in SSL_CONF_cmd.
     [Emilia Käsper]

  *) The RSA "null" method, which was partially supported to avoid patent
     issues, has been replaced to always returns NULL.
     [Rich Salz]


 Changes between 1.1.0h and 1.1.0i [xx XXX xxxx]

  *) Client DoS due to large DH parameter

     During key agreement in a TLS handshake using a DH(E) based ciphersuite a
     malicious server can send a very large prime value to the client. This will
     cause the client to spend an unreasonably long period of time generating a
     key for this prime resulting in a hang until the client has finished. This
     could be exploited in a Denial Of Service attack.

     This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken
     (CVE-2018-0732)
     [Guido Vranken]

  *) Cache timing vulnerability in RSA Key Generation

     The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to
     a cache timing side channel attack. An attacker with sufficient access to
     mount cache timing attacks during the RSA key generation process could
     recover the private key.

     This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera
     Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
     (CVE-2018-0737)
     [Billy Brumley]

  *) Make EVP_PKEY_asn1_new() a bit stricter about its input.  A NULL pem_str
     parameter is no longer accepted, as it leads to a corrupt table.  NULL
     pem_str is reserved for alias entries only.
     [Richard Levitte]

  *) Revert blinding in ECDSA sign and instead make problematic addition
     length-invariant. Switch even to fixed-length Montgomery multiplication.
     [Andy Polyakov]

  *) Change generating and checking of primes so that the error rate of not
     being prime depends on the intended use based on the size of the input.
     For larger primes this will result in more rounds of Miller-Rabin.
     The maximal error rate for primes with more than 1080 bits is lowered
     to 2^-128.
     [Kurt Roeckx, Annie Yousar]

  *) Increase the number of Miller-Rabin rounds for DSA key generating to 64.
     [Kurt Roeckx]

  *) Add blinding to ECDSA and DSA signatures to protect against side channel
     attacks discovered by Keegan Ryan (NCC Group).
     [Matt Caswell]

  *) When unlocking a pass phrase protected PEM file or PKCS#8 container, we
     now allow empty (zero character) pass phrases.
     [Richard Levitte]

  *) Certificate time validation (X509_cmp_time) enforces stricter
     compliance with RFC 5280. Fractional seconds and timezone offsets
     are no longer allowed.
     [Emilia Käsper]

  *) Fixed a text canonicalisation bug in CMS

     Where a CMS detached signature is used with text content the text goes
     through a canonicalisation process first prior to signing or verifying a
     signature. This process strips trailing space at the end of lines, converts
     line terminators to CRLF and removes additional trailing line terminators
     at the end of a file. A bug in the canonicalisation process meant that
     some characters, such as form-feed, were incorrectly treated as whitespace
     and removed. This is contrary to the specification (RFC5485). This fix
     could mean that detached text data signed with an earlier version of
     OpenSSL 1.1.0 may fail to verify using the fixed version, or text data
     signed with a fixed OpenSSL may fail to verify with an earlier version of
     OpenSSL 1.1.0. A workaround is to only verify the canonicalised text data
     and use the "-binary" flag (for the "cms" command line application) or set
     the SMIME_BINARY/PKCS7_BINARY/CMS_BINARY flags (if using CMS_verify()).
     [Matt Caswell]

 Changes between 1.1.0g and 1.1.0h [27 Mar 2018]

  *) Constructed ASN.1 types with a recursive definition could exceed the stack

     Constructed ASN.1 types with a recursive definition (such as can be found
     in PKCS7) could eventually exceed the stack given malicious input with
     excessive recursion. This could result in a Denial Of Service attack. There
     are no such structures used within SSL/TLS that come from untrusted sources
     so this is considered safe.

     This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz
     project.
     (CVE-2018-0739)
     [Matt Caswell]

  *) Incorrect CRYPTO_memcmp on HP-UX PA-RISC

     Because of an implementation bug the PA-RISC CRYPTO_memcmp function is
     effectively reduced to only comparing the least significant bit of each
     byte. This allows an attacker to forge messages that would be considered as
     authenticated in an amount of tries lower than that guaranteed by the
     security claims of the scheme. The module can only be compiled by the
     HP-UX assembler, so that only HP-UX PA-RISC targets are affected.

     This issue was reported to OpenSSL on 2nd March 2018 by Peter Waltenberg
     (IBM).
     (CVE-2018-0733)
     [Andy Polyakov]

  *) Add a build target 'build_all_generated', to build all generated files
     and only that.  This can be used to prepare everything that requires
     things like perl for a system that lacks perl and then move everything
     to that system and do the rest of the build there.
     [Richard Levitte]

  *) Backport SSL_OP_NO_RENGOTIATION

     OpenSSL 1.0.2 and below had the ability to disable renegotiation using the
     (undocumented) SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag. Due to the opacity
     changes this is no longer possible in 1.1.0. Therefore the new
     SSL_OP_NO_RENEGOTIATION option from 1.1.1-dev has been backported to
     1.1.0 to provide equivalent functionality.

     Note that if an application built against 1.1.0h headers (or above) is run
     using an older version of 1.1.0 (prior to 1.1.0h) then the option will be
     accepted but nothing will happen, i.e. renegotiation will not be prevented.
     [Matt Caswell]

  *) Removed the OS390-Unix config target.  It relied on a script that doesn't
     exist.
     [Rich Salz]

  *) rsaz_1024_mul_avx2 overflow bug on x86_64

     There is an overflow bug in the AVX2 Montgomery multiplication procedure
     used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
     Analysis suggests that attacks against RSA and DSA as a result of this
     defect would be very difficult to perform and are not believed likely.
     Attacks against DH1024 are considered just feasible, because most of the
     work necessary to deduce information about a private key may be performed
     offline. The amount of resources required for such an attack would be
     significant. However, for an attack on TLS to be meaningful, the server
     would have to share the DH1024 private key among multiple clients, which is
     no longer an option since CVE-2016-0701.

     This only affects processors that support the AVX2 but not ADX extensions
     like Intel Haswell (4th generation).

     This issue was reported to OpenSSL by David Benjamin (Google). The issue
     was originally found via the OSS-Fuzz project.
     (CVE-2017-3738)
     [Andy Polyakov]

 Changes between 1.1.0f and 1.1.0g [2 Nov 2017]

  *) bn_sqrx8x_internal carry bug on x86_64

     There is a carry propagating bug in the x86_64 Montgomery squaring
     procedure. No EC algorithms are affected. Analysis suggests that attacks
     against RSA and DSA as a result of this defect would be very difficult to
     perform and are not believed likely. Attacks against DH are considered just
     feasible (although very difficult) because most of the work necessary to
     deduce information about a private key may be performed offline. The amount
     of resources required for such an attack would be very significant and
     likely only accessible to a limited number of attackers. An attacker would
     additionally need online access to an unpatched system using the target
     private key in a scenario with persistent DH parameters and a private
     key that is shared between multiple clients.

     This only affects processors that support the BMI1, BMI2 and ADX extensions
     like Intel Broadwell (5th generation) and later or AMD Ryzen.

     This issue was reported to OpenSSL by the OSS-Fuzz project.
     (CVE-2017-3736)
     [Andy Polyakov]

  *) Malformed X.509 IPAddressFamily could cause OOB read

     If an X.509 certificate has a malformed IPAddressFamily extension,
     OpenSSL could do a one-byte buffer overread. The most likely result
     would be an erroneous display of the certificate in text format.

     This issue was reported to OpenSSL by the OSS-Fuzz project.
     (CVE-2017-3735)
     [Rich Salz]

 Changes between 1.1.0e and 1.1.0f [25 May 2017]

  *) Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
     platform rather than 'mingw'.
     [Richard Levitte]

  *) Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c.
     VMS C's RTL has a fully up to date gmtime() and gmtime_r() since V7.1,
     which is the minimum version we support.
     [Richard Levitte]

 Changes between 1.1.0d and 1.1.0e [16 Feb 2017]

  *) Encrypt-Then-Mac renegotiation crash

     During a renegotiation handshake if the Encrypt-Then-Mac extension is
     negotiated where it was not in the original handshake (or vice-versa) then
     this can cause OpenSSL to crash (dependant on ciphersuite). Both clients
     and servers are affected.

     This issue was reported to OpenSSL by Joe Orton (Red Hat).
     (CVE-2017-3733)
     [Matt Caswell]

 Changes between 1.1.0c and 1.1.0d [26 Jan 2017]

  *) Truncated packet could crash via OOB read

     If one side of an SSL/TLS path is running on a 32-bit host and a specific
     cipher is being used, then a truncated packet can cause that host to
     perform an out-of-bounds read, usually resulting in a crash.

     This issue was reported to OpenSSL by Robert Święcki of Google.
     (CVE-2017-3731)
     [Andy Polyakov]

  *) Bad (EC)DHE parameters cause a client crash

     If a malicious server supplies bad parameters for a DHE or ECDHE key
     exchange then this can result in the client attempting to dereference a
     NULL pointer leading to a client crash. This could be exploited in a Denial
     of Service attack.

     This issue was reported to OpenSSL by Guido Vranken.
     (CVE-2017-3730)
     [Matt Caswell]

  *) BN_mod_exp may produce incorrect results on x86_64

     There is a carry propagating bug in the x86_64 Montgomery squaring
     procedure. No EC algorithms are affected. Analysis suggests that attacks
     against RSA and DSA as a result of this defect would be very difficult to
     perform and are not believed likely. Attacks against DH are considered just
     feasible (although very difficult) because most of the work necessary to
     deduce information about a private key may be performed offline. The amount
     of resources required for such an attack would be very significant and
     likely only accessible to a limited number of attackers. An attacker would
     additionally need online access to an unpatched system using the target
     private key in a scenario with persistent DH parameters and a private
     key that is shared between multiple clients. For example this can occur by
     default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very
     similar to CVE-2015-3193 but must be treated as a separate problem.

