path: root/CHANGES
Commit message | Author | Age | Files | Lines
* ts: Use sha256 as default digest for TS query | Tomas Mraz | 2019-06-12 | 1 | -0/+3
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/7900)
* PBKDF2 updates to conform to SP800-132 | Shane Lontis | 2019-06-11 | 1 | -1/+10
  The existing code used PKCS5 specifications.
  SP800-132 adds the following additional constraints for:
    - the range of the key length.
    - the minimum iteration count (1000 recommended).
    - salt length (at least 128 bits).
  These additional constraints may cause errors (in scrypt, and some PKCS5 related test vectors). To disable the new constraints use the new ctrl string "pkcs5". For backwards compatibility, the checks are only enabled by default for fips mode.

  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/8868)
* Change cipher default strings to a function | Todd Short | 2019-06-11 | 1 | -0/+4
  Making the default cipher strings a function gives the library more control over the defaults. Potentially allowing a change in the future as ciphers become deprecated or dangerous. Also allows third party distributors to change the defaults for their installations.

  Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/8686)
* Improve the Windows OneCore target support. (Add targets for building libraries for Windows Store apps.) | MouriNaruto | 2019-06-10 | 1 | -0/+5
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/8917)
* Join the x509 and x509v3 directories | Richard Levitte | 2019-05-29 | 1 | -0/+3
  This has been long overdue.

  Note that this does not join the X509 and X509V3 error modules, that will be too many macro changes at this stage.

  Fixes #8919

  Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/8925)
* Change default RSA, DSA and DH size to 2048 bit | Kurt Roeckx | 2019-05-21 | 1 | -0/+6
  Fixes: #8737

  Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  GH: #8741
* added openssl app 'kdf' and 'mac' to the NEWS and CHANGES docs | Shane Lontis | 2019-04-24 | 1 | -0/+6
  Reviewed-by: Tim Hudson <tjh@openssl.org>
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/8762)
* Add a way for the application to get OpenSSL configuration data | Richard Levitte | 2019-04-23 | 1 | -0/+5
  OpenSSL_version(OPENSSL_DIR) gives you a nicely formatted string for display, but if all you really want is the directory itself, you were forced to parse the string.

  This introduces a new function to get diverse configuration data from the library, OPENSSL_info(). This works the same way as OpenSSL_version(), but has its own series of types, currently including:

      OPENSSL_INFO_CONFIG_DIR                returns OPENSSLDIR
      OPENSSL_INFO_ENGINES_DIR               returns ENGINESDIR
      OPENSSL_INFO_MODULES_DIR               returns MODULESDIR
      OPENSSL_INFO_DSO_EXTENSION             returns DSO_EXTENSION
      OPENSSL_INFO_DIR_FILENAME_SEPARATOR    returns directory/filename separator
      OPENSSL_INFO_LIST_SEPARATOR            returns list separator

  For scripting purposes, this also adds the command 'openssl info'.

  Reviewed-by: Paul Dale <paul.dale@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/8709)
* Deprecate AES_ige_encrypt() and AES_bi_ige_encrypt() | Matt Caswell | 2019-04-12 | 1 | -0/+11
  These undocumented functions were never integrated into the EVP layer and implement the AES Infinite Garble Extension (IGE) mode and AES Bi-directional IGE mode. These modes were never formally standardised and usage of these functions is believed to be very small. In particular AES_bi_ige_encrypt() has a known bug. It accepts 2 AES keys, but only one is ever used. The security implications are believed to be minimal, but this issue was never fixed for backwards compatibility reasons.

  Reviewed-by: Richard Levitte <levitte@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/8710)
* Add prediction resistance capability to the DRBG reseeding process. | Pauli | 2019-04-12 | 1 | -0/+4
  Refer to NIST SP 800-90C section 5.4 "Prediction Resistance."

  This requires the seed sources to be approved as entropy sources, after which they should be considered live sources as per section 5.3.2 "Live Entropy Source Availability."

  Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
  (Merged from https://github.com/openssl/openssl/pull/8647)
* AES-XTS block limit. | Pauli | 2019-04-03 | 1 | -0/+3
  Limit the number of AES blocks in a data unit to 2^20 or less. This corresponds to the mandates in IEEE Std 1619-2018 and NIST SP 800-38E.

  Note: that this is a change from IEEE Std 1619-2007 which only recommended this limit.

  Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
  (Merged from https://github.com/openssl/openssl/pull/8627)
* Restore the "heartbeats" configuration option among the deprecated | Richard Levitte | 2019-04-01 | 1 | -0/+1
  Removing the option entirely would break builds unnecessarily, so let's make it deprecated.

  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/8632)
* issue-8493: Fix for filenames with newlines using openssl dgst | Pauli | 2019-03-30 | 1 | -0/+5
  The output format now matches coreutils *dgst tools.

  [ edited to remove trailing white space ]

  Reviewed-by: Richard Levitte <levitte@openssl.org>
  Reviewed-by: Paul Dale <paul.dale@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/8578)
* Remove heartbeats completely | Richard Levitte | 2019-03-29 | 1 | -0/+4
  Fixes #4856

  Reviewed-by: Tim Hudson <tjh@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/1928)
* openssl dgst: show MD name at all times - CHANGES entry | Richard Levitte | 2019-03-29 | 1 | -0/+4
  Related to #8609

  Reviewed-by: Paul Dale <paul.dale@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/8612)
* Single step kdf implementation | Shane Lontis | 2019-03-19 | 1 | -0/+6
  Reviewed-by: Paul Dale <paul.dale@oracle.com>
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/8230)
* Configure: disable new trace api by default | Dr. Matthias St. Pierre | 2019-03-14 | 1 | -3/+8
  Fixes #8472

  Reviewed-by: Richard Levitte <levitte@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/8474)
* Add a log about the tracing functionality | Richard Levitte | 2019-03-06 | 1 | -0/+9
  Reviewed-by: Paul Dale <paul.dale@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/8198)
* Configure: make C++ build tests optional and configurable | Richard Levitte | 2019-03-05 | 1 | -0/+8
  Disabled by default

  Fixes #8360

  Reviewed-by: Paul Dale <paul.dale@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/8370)
* Properties for implementation selection. | Pauli | 2019-02-18 | 1 | -0/+4
  Properties are a sequence of comma separated name=value pairs. A name without a corresponding value is assumed to be a Boolean and have the true value 'yes'. Values are either strings or numbers. Strings can be quoted either _"_ or _'_ or unquoted (with restrictions). There are no escape characters inside strings. Numbers are either decimal digits or '0x' followed by hexadecimal digits. Numbers are represented internally as signed sixty four bit values.

  Queries on properties are a sequence of comma separated conditional tests. These take the form of name=value (equality test), name!=value (inequality test) or name (Boolean test for truth). Queries can be parsed, compared against a definition or merged pairwise.

  Reviewed-by: Matt Caswell <matt@openssl.org>
  Reviewed-by: Tim Hudson <tjh@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/8224)
* SCA hardening for mod. field inversion in EC_GROUP | Billy Brumley | 2019-02-17 | 1 | -0/+6
  This commit adds a dedicated function in `EC_METHOD` to access a modular field inversion implementation suitable for the specifics of the implemented curve, featuring SCA countermeasures.

  The new pointer is defined as:
  `int (*field_inv)(const EC_GROUP*, BIGNUM *r, const BIGNUM *a, BN_CTX*)`
  and computes the multiplicative inverse of `a` in the underlying field, storing the result in `r`.

  Three implementations are included, each including specific SCA countermeasures:
    - `ec_GFp_simple_field_inv()`, featuring SCA hardening through blinding.
    - `ec_GFp_mont_field_inv()`, featuring SCA hardening through Fermat's Little Theorem (FLT) inversion.
    - `ec_GF2m_simple_field_inv()`, that uses `BN_GF2m_mod_inv()` which already features SCA hardening through blinding.

  From a security point of view, this also helps addressing a leakage previously affecting conversions from projective to affine coordinates.

  This commit also adds a new error reason code (i.e., `EC_R_CANNOT_INVERT`) to improve consistency between the three implementations as all of them could fail for the same reason but through different code paths resulting in inconsistent error stack states.

  Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com>
  Reviewed-by: Matt Caswell <matt@openssl.org>
  Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
  (Merged from https://github.com/openssl/openssl/pull/8254)
* Don't signal SSL_CB_HANDSHAKE_START for TLSv1.3 post-handshake messages | Matt Caswell | 2019-02-14 | 1 | -0/+13
  The original 1.1.1 design was to use SSL_CB_HANDSHAKE_START and SSL_CB_HANDSHAKE_DONE to signal start/end of a post-handshake message exchange in TLSv1.3. Unfortunately experience has shown that this confuses some applications who mistake it for a TLSv1.2 renegotiation. This means that KeyUpdate messages are not handled properly.

  This commit removes the use of SSL_CB_HANDSHAKE_START and SSL_CB_HANDSHAKE_DONE to signal the start/end of a post-handshake message exchange. Individual post-handshake messages are still signalled in the normal way.

  This is a potentially breaking change if there are any applications already written that expect to see these TLSv1.3 events. However, without it, KeyUpdate is not currently usable for many applications.

  Fixes #8069

  Reviewed-by: Richard Levitte <levitte@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/8096)
* Added new EVP/KDF API. | David Makepeace | 2019-02-13 | 1 | -0/+7
  Changed PKEY/KDF API to call the new API.
  Added wrappers for PKCS5_PBKDF2_HMAC() and EVP_PBE_scrypt() to call the new EVP KDF APIs.
  Documentation updated.

  Reviewed-by: Paul Dale <paul.dale@oracle.com>
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/6674)
* CHANGES: add note about building devcrypto dynamic | Eneas U de Queiroz | 2019-02-12 | 1 | -0/+3
  Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
  Reviewed-by: Matt Caswell <matt@openssl.org>
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/7859)
* Add CHANGES entry for blake2mac | Antoine Salon | 2019-02-07 | 1 | -0/+3
  Signed-off-by: Antoine Salon <asalon@vmware.com>
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/8172)
* Remove unnecessary trailing whitespace | Sam Roberts | 2019-02-05 | 1 | -1/+1
  Trim trailing whitespace. It doesn't match OpenSSL coding standards, AFAICT, and it can cause problems with git tooling.

  Trailing whitespace remains in test data and external source.

  Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
  Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/8092)
* Add an entry to the CHANGES for the d2i_X509_PUBKEY fix | Bernd Edlinger | 2019-02-01 | 1 | -0/+4
  The commit 5dc40a83c74be579575a512b30d9c1e0364e6a7b forgot to add a short description to the CHANGES file.

  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/8144)
* Fix end-point shared secret for DTLS/SCTP | Michael Tuexen | 2019-02-01 | 1 | -0/+7
  When computing the end-point shared secret, don't take the terminating NULL character into account.
  Please note that this fix breaks interoperability with older versions of OpenSSL, which are not fixed.

  Fixes #7956

  Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/7957)
* Add RFC5297 AES-SIV support | Todd Short | 2018-12-11 | 1 | -0/+3
  Based originally on github.com/dfoxfranke/libaes_siv

  This creates an SIV128 mode that uses EVP interfaces for the CBC, CTR and CMAC code to reduce complexity at the cost of performance. The expected use is for short inputs, not TLS-sized records.

  Add multiple AAD input capacity in the EVP tests.

  Reviewed-by: Paul Dale <paul.dale@oracle.com>
  Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
  (Merged from https://github.com/openssl/openssl/pull/3540)
* typo ANS1 -> ASN1 | nxtstep | 2018-12-11 | 1 | -1/+1
  CLA: trivial

  Reviewed-by: Paul Dale <paul.dale@oracle.com>
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/7857)
* CHANGES: Add Linux Kernel TLS data-path | Boris Pismenny | 2018-12-07 | 1 | -0/+5
  Signed-off-by: Boris Pismenny <borisp@mellanox.com>
  Reviewed-by: Tim Hudson <tjh@openssl.org>
  Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/5253)
* Make EVP_PKEY_asn1_add0() stricter about its input | Richard Levitte | 2018-12-07 | 1 | -0/+3
  It turns out that the strictness that was implemented in EVP_PKEY_asn1_new() (see Github openssl/openssl#6880) was badly placed for some usages, and that it's better to do this check only when the method is getting registered.

  Fixes #7758

  Reviewed-by: Tim Hudson <tjh@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/7847)
* Change license to the Apache License v2.0 | Richard Levitte | 2018-12-06 | 1 | -0/+3
  This applies to the 'master' git branch and OpenSSL version 3.0.0 and up. Pre-3.0.0 versions retain the previous license.

  The boilerplate will change in increments after this change.

  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/7764)
* Refactor the computation of API version limits | Richard Levitte | 2018-12-06 | 1 | -0/+9
  Previously, the API version limit was indicated with a numeric version number. This was "natural" in the pre-3.0.0 because the version was this simple number.

  With 3.0.0, the version is divided into three separate numbers, and it's only the major number that counts, but we still need to be able to support pre-3.0.0 version limits.

  Therefore, we allow OPENSSL_API_COMPAT to be defined with a pre-3.0.0 style numeric version number or with a simple major number, i.e. can be defined like this for any application:

      -D OPENSSL_API_COMPAT=0x10100000L
      -D OPENSSL_API_COMPAT=3

  Since the pre-3.0.0 numerical version numbers are high, it's easy to distinguish between a simple major number and a pre-3.0.0 numerical version number and to thereby support both forms at the same time.

  Internally, we define the following macros depending on the value of OPENSSL_API_COMPAT:

      OPENSSL_API_0_9_8
      OPENSSL_API_1_0_0
      OPENSSL_API_1_1_0
      OPENSSL_API_3

  They indicate that functions marked for deprecation in the corresponding major release shall not be built if defined.

  Reviewed-by: Tim Hudson <tjh@openssl.org>
  Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/7724)
* Switch to MAJOR.MINOR.PATCH versioning and version 3.0.0-dev | Richard Levitte | 2018-12-06 | 1 | -1/+13
  We strictly use version numbers of the form MAJOR.MINOR.PATCH. Letter releases are things of days past.

  The most central change is that we now express the version number with three macros, one for each part of the version number:

      OPENSSL_VERSION_MAJOR
      OPENSSL_VERSION_MINOR
      OPENSSL_VERSION_PATCH

  We also provide two additional macros to express pre-release and build metadata information (also specified in semantic versioning):

      OPENSSL_VERSION_PRE_RELEASE
      OPENSSL_VERSION_BUILD_METADATA

  To get the library's idea of all those values, we introduce the following functions:

      unsigned int OPENSSL_version_major(void);
      unsigned int OPENSSL_version_minor(void);
      unsigned int OPENSSL_version_patch(void);
      const char *OPENSSL_version_pre_release(void);
      const char *OPENSSL_version_build_metadata(void);

  Additionally, for shared library versioning (which is out of scope in semantic versioning, but that we still need):

      OPENSSL_SHLIB_VERSION

  We also provide a macro that contains the release date. This is not part of the version number, but is extra information that we want to be able to display:

      OPENSSL_RELEASE_DATE

  Finally, also provide the following convenience functions:

      const char *OPENSSL_version_text(void);
      const char *OPENSSL_version_text_full(void);

  The following macros and functions are deprecated, and while currently existing for backward compatibility, they are expected to disappear:

      OPENSSL_VERSION_NUMBER
      OPENSSL_VERSION_TEXT
      OPENSSL_VERSION
      OpenSSL_version_num()
      OpenSSL_version()

  Also, this function is introduced to replace OpenSSL_version() for all indexes except for OPENSSL_VERSION:

      OPENSSL_info()

  For configuration, the option 'newversion-only' is added to disable all the macros and functions that are mentioned as deprecated above.

  Reviewed-by: Tim Hudson <tjh@openssl.org>
  Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/7724)
* Document the removed 'dist' target | Richard Levitte | 2018-11-24 | 1 | -0/+5
  Also adds missing copyright boilerplate to util/mktar.sh

  Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
  (Merged from https://github.com/openssl/openssl/pull/7696)
* Update CHANGES and NEWS for new release | Matt Caswell | 2018-11-20 | 1 | -1/+21
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
  (Merged from https://github.com/openssl/openssl/pull/7663)
* Recreate the OS390-Unix config target | Richard Levitte | 2018-11-10 | 1 | -0/+4
  Reviewed-by: Tim Hudson <tjh@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/5035)
* Build: make it possible to specify subdirs in build.info | Richard Levitte | 2018-11-05 | 1 | -0/+5
  This adds a keyword SUBDIRS for build.info, to be used like this:

      SUBDIRS=foo bar

  This tells Configure that it should look for 'build.info' in the relative subdirectories 'foo' and 'bar' as well.

  Reviewed-by: Tim Hudson <tjh@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/7558)
* GMAC implementation | Pauli | 2018-11-04 | 1 | -0/+3
  Remove GMAC demo program because it has been superseded by the EVP MAC one

  Reviewed-by: Richard Levitte <levitte@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/7548)
* Add blurbs about EVP_MAC in NEWS and CHANGES | Richard Levitte | 2018-10-30 | 1 | -0/+9
  Reviewed-by: Tim Hudson <tjh@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/7526)
* Deprecate ECDH_KDF_X9_62() | Antoine Salon | 2018-10-17 | 1 | -0/+4
  Signed-off-by: Antoine Salon <asalon@vmware.com>
  Reviewed-by: Matt Caswell <matt@openssl.org>
  Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
  (Merged from https://github.com/openssl/openssl/pull/7345)
* EVP module documentation pass | Antoine Salon | 2018-10-17 | 1 | -0/+5
  Replace ECDH_KDF_X9_62() with internal ecdh_KDF_X9_63()

  Signed-off-by: Antoine Salon <asalon@vmware.com>
  Reviewed-by: Matt Caswell <matt@openssl.org>
  Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
  (Merged from https://github.com/openssl/openssl/pull/7345)
* DRBG: fix reseeding via RAND_add()/RAND_seed() with large input | Dr. Matthias St. Pierre | 2018-10-16 | 1 | -1/+11
  In pull request #4328 the seeding of the DRBG via RAND_add()/RAND_seed() was implemented by buffering the data in a random pool where it is picked up later by the rand_drbg_get_entropy() callback. This buffer was limited to the size of 4096 bytes.

  When a larger input was added via RAND_add() or RAND_seed() to the DRBG, the reseeding failed, but the error returned by the DRBG was ignored by the two calling functions, which both don't return an error code. As a consequence, the data provided by the application was effectively ignored.

  This commit fixes the problem by a more efficient implementation which does not copy the data in memory and by raising the buffer size limit to INT32_MAX (2 gigabytes). This is less than the NIST limit of 2^35 bits but it was chosen intentionally to avoid platform dependent problems like integer sizes and/or signed/unsigned conversion.

  Additionally, the DRBG is now less permissive on errors: In addition to pushing a message to the openssl error stack, it enters the error state, which forces a reinstantiation on next call.

  Thanks go to Dr. Falko Strenzke for reporting this issue to the openssl-security mailing list. After internal discussion the issue has been categorized as not being security relevant, because the DRBG reseeds automatically and is fully functional even without additional randomness provided by the application.

  Fixes #7381

  Reviewed-by: Paul Dale <paul.dale@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/7382)
* 'openssl list': add option -objects to list built in objects | Richard Levitte | 2018-10-01 | 1 | -0/+4
  Related to #6696

  Reviewed-by: Tim Hudson <tjh@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/6702)
* Configure: Name object files according to the product they are part of | Richard Levitte | 2018-09-12 | 1 | -0/+5
  This will allow to have different object files for different products, even if they share the same source code, and possibly different builds for those different object files.

  For example, one can have something like this:

      SOURCES[libfoo]=cookie.c
      INCLUDES[libfoo]=include/foo
      SOURCES[libbar]=cookie.c
      INCLUDES[libbar]=include/bar

  This would mean that the object files and libraries would be built somewhat like this:

      $(CC) -Iinclude/foo -o libfoo-lib-cookie.o cookie.c
      $(AR) $(ARFLAGS) libfoo.a libfoo-lib-cookie.o
      $(CC) -Iinclude/bar -o libbar-lib-cookie.o cookie.c
      $(AR) $(ARFLAGS) libbar.a libbar-lib-cookie.o

  Reviewed-by: Paul Dale <paul.dale@oracle.com>
  Reviewed-by: Tim Hudson <tjh@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/7159)
* Add a note to CHANGES indicating that AES-XTS now enforces two different | Pauli | 2018-09-12 | 1 | -8/+6
  keys.

  Reviewed-by: Tim Hudson <tjh@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/7120)
* FIPS 140-2 IG A.9 XTS key check. | Pauli | 2018-09-12 | 1 | -0/+7
  Add a check that the two keys used for AES-XTS are different.

  One test case uses the same key for both of the AES-XTS keys. This causes a failure under FIPS 140-2 IG A.9. Mark the test as returning a failure.

  Reviewed-by: Tim Hudson <tjh@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/7120)
* The next version in master is at least 1.1.2, not 1.1.1x | Richard Levitte | 2018-09-11 | 1 | -1/+1
  The OMC hasn't yet decided what the next release version will be, but it's at least going to 1.1.2, so we set that value for the moment.

  Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
  (Merged from https://github.com/openssl/openssl/pull/7180)
* Prepare for 1.1.1a-dev | Matt Caswell | 2018-09-11 | 1 | -0/+4
  Reviewed-by: Richard Levitte <levitte@openssl.org>