CHANGES

 OpenSSL CHANGES
 _______________

 This is a high-level summary of the most important changes.
 For a full list of changes, see the git commit log; for example,
 https://github.com/openssl/openssl/commits/ and pick the appropriate
 release branch.

 Changes between 1.1.0h and 1.1.1 [xx XXX xxxx]

  *) AIX shared library support overhaul. Switch to AIX "natural" way of
     handling shared libraries, which means collecting shared objects of
     different versions and bitnesses in one common archive. This allows to
     mitigate conflict between 1.0 and 1.1 side-by-side installations. It
     doesn't affect the way 3rd party applications are linked, only how
     multi-version installation is managed.
     [Andy Polyakov]

  *) Make ec_group_do_inverse_ord() more robust and available to other
     EC cryptosystems, so that irrespective of BN_FLG_CONSTTIME, SCA
     mitigations are applied to the fallback BN_mod_inverse().
     When using this function rather than BN_mod_inverse() directly, new
     EC cryptosystem implementations are then safer-by-default.
     [Billy Bob Brumley]

  *) Add coordinate blinding for EC_POINT and implement projective
     coordinate blinding for generic prime curves as a countermeasure to
     chosen point SCA attacks.
     [Sohaib ul Hassan, Nicola Tuveri, Billy Bob Brumley]

  *) Add blinding to ECDSA and DSA signatures to protect against side channel
     attacks discovered by Keegan Ryan (NCC Group).
     [Matt Caswell]

  *) Enforce checking in the pkeyutl command line app to ensure that the input
     length does not exceed the maximum supported digest length when performing
     a sign, verify or verifyrecover operation.
     [Matt Caswell]

  *) SSL_MODE_AUTO_RETRY is enabled by default. Applications that use blocking
     I/O in combination with something like select() or poll() will hang. This
     can be turned off again using SSL_CTX_clear_mode().
     Many applications do not properly handle non-application data records, and
     TLS 1.3 sends more of such records. Setting SSL_MODE_AUTO_RETRY works
     around the problems in those applications, but can also break some.
     It's recommended to read the manpages about SSL_read(), SSL_write(),
     SSL_get_error(), SSL_shutdown(), SSL_CTX_set_mode() and
     SSL_CTX_set_read_ahead() again.
     [Kurt Roeckx]

  *) When unlocking a pass phrase protected PEM file or PKCS#8 container, we
     now allow empty (zero character) pass phrases.
     [Richard Levitte]

  *) Apply blinding to binary field modular inversion and remove patent
     pending (OPENSSL_SUN_GF2M_DIV) BN_GF2m_mod_div implementation.
     [Billy Bob Brumley]

  *) Deprecate ec2_mult.c and unify scalar multiplication code paths for
     binary and prime elliptic curves.
     [Billy Bob Brumley]

  *) Remove ECDSA nonce padding: EC_POINT_mul is now responsible for
     constant time fixed point multiplication.
     [Billy Bob Brumley]

  *) Revise elliptic curve scalar multiplication with timing attack
     defenses: ec_wNAF_mul redirects to a constant time implementation
     when computing fixed point and variable point multiplication (which
     in OpenSSL are mostly used with secret scalars in keygen, sign,
     ECDH derive operations).
     [Billy Bob Brumley, Nicola Tuveri, Cesar Pereida García,
      Sohaib ul Hassan]

  *) Updated CONTRIBUTING
     [Rich Salz]

  *) Updated DRBG / RAND to request nonce and additional low entropy
     randomness from the system.
     [Matthias St. Pierre]

  *) Updated 'openssl rehash' to use OpenSSL consistent default.
     [Richard Levitte]

  *) Moved the load of the ssl_conf module to libcrypto, which helps
     loading engines that libssl uses before libssl is initialised.
     [Matt Caswell]

  *) Added EVP_PKEY_sign() and EVP_PKEY_verify() for EdDSA
     [Matt Caswell]

  *) Fixed X509_NAME_ENTRY_set to get multi-valued RDNs right in all cases.
     [Ingo Schwarze, Rich Salz]

  *) Added output of accepting IP address and port for 'openssl s_server'
     [Richard Levitte]

  *) Added a new API for TLSv1.3 ciphersuites:
        SSL_CTX_set_ciphersuites()
        SSL_set_ciphersuites()
     [Matt Caswell]

  *) Memory allocation failures consistenly add an error to the error
     stack.
     [Rich Salz]

  *) Don't use OPENSSL_ENGINES and OPENSSL_CONF environment values
     in libcrypto when run as setuid/setgid.
     [Bernd Edlinger]

  *) Load any config file by default when libssl is used.
     [Matt Caswell]

  *) Added new public header file <openssl/rand_drbg.h> and documentation
     for the RAND_DRBG API. See manual page RAND_DRBG(7) for an overview.
     [Matthias St. Pierre]

  *) QNX support removed (cannot find contributors to get their approval
     for the license change).
     [Rich Salz]

  *) TLSv1.3 replay protection for early data has been implemented. See the
     SSL_read_early_data() man page for further details.
     [Matt Caswell]

  *) Separated TLSv1.3 ciphersuite configuration out from TLSv1.2 ciphersuite
     configuration. TLSv1.3 ciphersuites are not compatible with TLSv1.2 and
     below. Similarly TLSv1.2 ciphersuites are not compatible with TLSv1.3.
     In order to avoid issues where legacy TLSv1.2 ciphersuite configuration
     would otherwise inadvertently disable all TLSv1.3 ciphersuites the
     configuration has been separated out. See the ciphers man page or the
     SSL_CTX_set_ciphersuites() man page for more information.
     [Matt Caswell]

  *) On POSIX (BSD, Linux, ...) systems the ocsp(1) command running
     in responder mode now supports the new "-multi" option, which
     spawns the specified number of child processes to handle OCSP
     requests.  The "-timeout" option now also limits the OCSP
     responder's patience to wait to receive the full client request
     on a newly accepted connection. Child processes are respawned
     as needed, and the CA index file is automatically reloaded
     when changed.  This makes it possible to run the "ocsp" responder
     as a long-running service, making the OpenSSL CA somewhat more
     feature-complete.  In this mode, most diagnostic messages logged
     after entering the event loop are logged via syslog(3) rather than
     written to stderr.
     [Viktor Dukhovni]

  *) Added support for X448 and Ed448. Heavily based on original work by
     Mike Hamburg.
     [Matt Caswell]

  *) Extend OSSL_STORE with capabilities to search and to narrow the set of
     objects loaded.  This adds the functions OSSL_STORE_expect() and
     OSSL_STORE_find() as well as needed tools to construct searches and
     get the search data out of them.
     [Richard Levitte]

  *) Support for TLSv1.3 added. Note that users upgrading from an earlier
     version of OpenSSL should review their configuration settings to ensure
     that they are still appropriate for TLSv1.3. For further information see:
     https://www.openssl.org/blog/blog/2018/02/08/tlsv1.3/

     NOTE: In this pre-release of OpenSSL a draft version of the
     TLSv1.3 standard has been implemented. Implementations of different draft
     versions of the standard do not inter-operate, and this version will not
     inter-operate with an implementation of the final standard when it is
     eventually published. Different pre-release versions may implement
     different versions of the draft. The final version of OpenSSL 1.1.1 will
     implement the final version of the standard.
     TODO(TLS1.3): Remove the above note before final release
     [Matt Caswell]

  *) Grand redesign of the OpenSSL random generator

     The default RAND method now utilizes an AES-CTR DRBG according to
     NIST standard SP 800-90Ar1. The new random generator is essentially
     a port of the default random generator from the OpenSSL FIPS 2.0
     object module. It is a hybrid deterministic random bit generator
     using an AES-CTR bit stream and which seeds and reseeds itself
     automatically using trusted system entropy sources.

     Some of its new features are:
      o Support for multiple DRBG instances with seed chaining.
      o Add a public DRBG instance for the default RAND method.
      o Add a dedicated DRBG instance for generating long term private keys.
      o Make the DRBG instances fork-safe.
      o Keep all global DRBG instances on the secure heap if it is enabled.
      o Add a DRBG instance to every SSL instance for lock free operation
        and to increase unpredictability.
     [Paul Dale, Benjamin Kaduk, Kurt Roeckx, Rich Salz, Matthias St. Pierre]

  *) Changed Configure so it only says what it does and doesn't dump
     so much data.  Instead, ./configdata.pm should be used as a script
     to display all sorts of configuration data.
     [Richard Levitte]

  *) Added processing of "make variables" to Configure.
     [Richard Levitte]