path: root/ChangeLog
author Theo Buehler <tb@openbsd.org> 2022-02-13 20:57:51 +0100
committer Theo Buehler <tb@openbsd.org> 2022-02-13 20:57:51 +0100
commit 314555aa93eeab326beccc37cc61b2139b563946
tree c43d0b96ccf75d1a3103dbf4b169cd469865a9da /ChangeLog
parent a27642bf418cb1d464d2d19226e5a13007068cf6
LibreSSL 3.5.0 initial changelog
Diffstat (limited to 'ChangeLog')
-rw-r--r-- ChangeLog 234
1 files changed, 234 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index 83a8946..8c73750 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -28,6 +28,240 @@ history is also available from Git.
28 28
29LibreSSL Portable Release Notes: 29LibreSSL Portable Release Notes:
30 30
313.5.0 - Development release
32 * New Features
33 - libtls has a new tls_signer interface to help privsep daemons
34 separate their secrets from the network facing processes.
35 Documentation will follow.
36 - The RFC 3779 API was ported from OpenSSL. Many bugs were fixed,
37 regression tests were added and the code was cleaned up.
38 - Certificate Transparency was ported from OpenSSL. Many internal
39 improvements were made, resulting in cleaner and safer code.
40 Regress coverage was added. libssl does not yet make use of it.
41 * Portable Improvements
42 - Fixed various POSIX compliance and other portability issues
43 found by the port to the Sortix operating system.
44 * Compatibility Changes
45 - Most structs that were previously defined in the following headers
46 are now opaque as they are in OpenSSL 1.1:
47 bio.h, bn.h, comp.h, dh.h, dsa.h, evp.h, hmac.h, ocsp.h, rsa.h,
48 x509.h, x509v3.h, x509_vfy.h
49 - Switch TLSv1.3 cipher names from AEAD- to OpenSSL's TLS_
50 OpenSSL added the TLSv1.3 ciphersuites with "RFC names" instead
51 of using something consistent with the previous naming. Various
52 test suites expect these names (instead of checking for the much
53 more sensible cipher numbers). The old names are still accepted
54 as aliases.
55 - Subject alternative names and name constraints are now validated
56 when they are added to certificates. Various interoperability
57 problems with stacks that validate certificates more strictly
58 than OpenSSL can be avoided this way.
59 - Attempt to opportunistically use the host name for SNI in s_client
60 * Bug fixes
61 - In some situations, the verifier would discard the error on an
62 unvalidated certificate chain. This would happen when the
63 verification callback was in use, instructing the verifier to
64 continue unconditionally. This could lead to incorrect decisions
65 being made in software.
66 - Avoid an infinite loop in SSL_shutdown()
67 - Fix another return 0 bug in SSL_shutdown()
68 - Handle zero byte reads/writes that trigger handshakes in the
69 TLSv1.3 stack
70 - A long standing memleak in libtls CRL handling was fixed
71 * Internal Improvements
72 - Cache the SHA-512 hash instead of the SHA-1 hash and cache
73 notBefore and notAfter times when X.509 certificates are parsed.
74 - The X.509 lookup code has been simplified and cleaned up.
75 - Fixed numerous issues flagged by coverity and the cryptofuzz
76 project
77 - Increased the number of Miller-Rabin checks in DH and DSA
78 key/parameter generation
79 - Started using the bytestring API in libcrypto for cleaner and
80 safer code
81 - Convert {i2d,d2i}_{,EC_,DSA_,RSA_}PUBKEY{,_bio,_fp}() to templated
82 ASN1
83 - Convert ASN1_OBJECT_new() to calloc()
84 - Convert ASN1_STRING_type_new() to calloc()
85 - Rewrite ASN1_STRING_cmp()
86 - Use calloc() for X509_CRL_METHOD_new() instead of malloc()
87 - Convert ASN1_PCTX_new() to calloc()
88 - Replace asn1_tlc_clear and asn1_tlc_clear_nc macros with a
89 function
90 - Consolidate {d2i,i2d}_{pr,pu}.c
91 - Remove handling of a NULL BUF_MEM from asn1_collect()
92 - Pull the recursion depth check up to the top of asn1_collect()
93 - Inline collect_data() in asn1_collect()
94 - Convert asn1_d2i_ex_primitive()/asn1_collect() from BUF_MEM to CBB
95 - Clean up d2i_ASN1_BOOLEAN() and i2d_ASN1_BOOLEAN()
96 - Consolidate ASN.1 universal tag type data
97 - Rewrite ASN.1 identifier/length parsing in CBS
98 - Make OBJ_obj2nid() work correctly with NID_undef
99 - tlsext_tick_lifetime_hint is now an uint32_t
100 - Untangle ssl3_get_message() return values
101 - Rename tls13_buffer to tls_buffer
102 - Fold DTLS_STATE_INTERNAL into DTLS1_STATE
103 - Provide a way to determine our maximum legacy version
104 - Mop up enc_read_ctx and read_hash
105 - Fold SSL_SESSION_INTERNAL into SSL_SESSION
106 - Use ssl_force_want_read in the DTLS code
107 - Add record processing limit to DTLS code
108 - Add explicit CBS_contains_zero_byte() check in CBS_strdup()
109 - Improve SNI hostname validation
110 - Ensure SSL_set_tlsext_host_name() is given a valid hostname
111 - Fix a strange check in the auto DH codepath
112 - Factor out/rewrite DHE key exchange
113 - Convert server serialisation of DHE parameters/public key to new
114 functions
115 - Check DH public key in ssl_kex_peer_public_dhe()
116 - Move the minimum DHE key size check into ssl_kex_peer_params_dhe()
117 - Clean up and refactor server side DHE key exchange
118 - Provide CBS_get_last_u8()
119 - Provide CBS_get_u64()
120 - Provide CBS_add_u64()
121 - Provide various CBS_peek_* functions
122 - Use CBS_get_last_u8() to find the content type in TLSv1.3 records
123 - unifdef TLS13_USE_LEGACY_CLIENT_AUTH
124 - Correct SSL_get_peer_cert_chain() when used with the TLSv1.3 stack
125 - Only allow zero length key shares when we know we're doing HRR
126 - Pull key share group/length CBB code up from
127 tls13_key_share_public()
128 - Refactor ssl3_get_server_kex_ecdhe() to separate parsing and
129 validation
130 - Return 0 on failure from send/get kex functions in the legacy
131 stack
132 - Rename tls13_key_share to tls_key_share
133 - Allocate and free the EVP_AEAD_CTX struct in
134 tls13_record_protection
135 - Convert legacy TLS client to tls_key_share
136 - Convert legacy TLS server to tls_key_share
137 - Stop attempting to duplicate the public and private key of dh_tmp
138 - Rename dh_tmp to dhe_params
139 - Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY
140 - Clean up pkey handling in ssl3_get_server_key_exchange()
141 - Fix GOST skip certificate verify handling
142 - Simplify tlsext_keyshare_server_parse()
143 - Plumb decode errors through key share parsing code
144 - Simplify SSL_get_peer_certificate()
145 - Cleanup/simplify ssl_cert_type()
146 - The S3I macro was removed
147 - The openssl(1) cms and smime subcommands option handling was
148 converted and the C source was cleaned up.
149 * Documentation improvements
150 - 45 new manual pages, most of which were written from scratch.
151 Documentation coverage of ASN.1 and X.509 code has been
152 significantly improved.
153 * API additions and removals
154 - libtls API additions
155 tls_config_set_sign_cb tls_signer_add_keypair_file
156 tls_signer_add_keypair_mem tls_signer_free tls_signer_new
157 tls_signer_sign
158 - libssl
159 API additions
160 SSL_get0_verified_chain SSL_peek_ex SSL_read_ex SSL_write_ex
161 API stubs for compatibility
162 SSL_CTX_get_keylog_callback SSL_CTX_get_num_tickets
163 SSL_CTX_set_keylog_callback SSL_CTX_set_num_tickets
164 SSL_get_num_tickets SSL_set_num_tickets
165 - libcrypto
166 added API (some of these were previously available as macros):
167 ASIdOrRange_free ASIdOrRange_new ASIdentifierChoice_free
168 ASIdentifierChoice_new ASIdentifiers_free ASIdentifiers_new
169 ASN1_TIME_diff ASRange_free ASRange_new BIO_get_callback_ex
170 BIO_get_init BIO_set_callback_ex BIO_set_next
171 BIO_set_retry_reason BN_GENCB_set BN_GENCB_set_old
172 BN_abs_is_word BN_bn2lebinpad BN_get_flags BN_is_negative
173 BN_is_odd BN_is_one BN_is_word BN_is_zero BN_set_flags
174 BN_to_montgomery BN_with_flags BN_zero_ex CTLOG_STORE_free
175 CTLOG_STORE_get0_log_by_id CTLOG_STORE_load_default_file
176 CTLOG_STORE_load_file CTLOG_STORE_new CTLOG_free
177 CTLOG_get0_log_id CTLOG_get0_name CTLOG_get0_public_key
178 CTLOG_new CTLOG_new_from_base64 CT_POLICY_EVAL_CTX_free
179 CT_POLICY_EVAL_CTX_get0_cert CT_POLICY_EVAL_CTX_get0_issuer
180 CT_POLICY_EVAL_CTX_get0_log_store CT_POLICY_EVAL_CTX_get_time
181 CT_POLICY_EVAL_CTX_new CT_POLICY_EVAL_CTX_set1_cert
182 CT_POLICY_EVAL_CTX_set1_issuer
183 CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE
184 CT_POLICY_EVAL_CTX_set_time DH_get0_g DH_get0_p DH_get0_priv_key
185 DH_get0_pub_key DH_get0_q DH_get_length DSA_bits DSA_get0_g
186 DSA_get0_p DSA_get0_priv_key DSA_get0_pub_key DSA_get0_q
187 ECDSA_SIG_get0_r ECDSA_SIG_get0_s EVP_AEAD_CTX_free
188 EVP_AEAD_CTX_new EVP_CIPHER_CTX_buf_noconst
189 EVP_CIPHER_CTX_get_cipher_data EVP_CIPHER_CTX_set_cipher_data
190 EVP_MD_CTX_md_data EVP_MD_CTX_pkey_ctx EVP_MD_CTX_set_pkey_ctx
191 EVP_MD_meth_dup EVP_MD_meth_free EVP_MD_meth_new
192 EVP_MD_meth_set_app_datasize EVP_MD_meth_set_cleanup
193 EVP_MD_meth_set_copy EVP_MD_meth_set_ctrl EVP_MD_meth_set_final
194 EVP_MD_meth_set_flags EVP_MD_meth_set_init
195 EVP_MD_meth_set_input_blocksize EVP_MD_meth_set_result_size
196 EVP_MD_meth_set_update EVP_PKEY_asn1_set_check
197 EVP_PKEY_asn1_set_param_check EVP_PKEY_asn1_set_public_check
198 EVP_PKEY_check EVP_PKEY_meth_set_check
199 EVP_PKEY_meth_set_param_check EVP_PKEY_meth_set_public_check
200 EVP_PKEY_param_check EVP_PKEY_public_check FIPS_mode
201 FIPS_mode_set IPAddressChoice_free IPAddressChoice_new
202 IPAddressFamily_free IPAddressFamily_new IPAddressOrRange_free
203 IPAddressOrRange_new IPAddressRange_free IPAddressRange_new
204 OBJ_get0_data OBJ_length OCSP_resp_get0_certs OCSP_resp_get0_id
205 OCSP_resp_get0_produced_at OCSP_resp_get0_respdata
206 OCSP_resp_get0_signature OCSP_resp_get0_signer
207 OCSP_resp_get0_tbs_sigalg PEM_write_bio_PrivateKey_traditional
208 RSA_get0_d RSA_get0_dmp1 RSA_get0_dmq1 RSA_get0_e RSA_get0_iqmp
209 RSA_get0_n RSA_get0_p RSA_get0_pss_params RSA_get0_q
210 SCT_LIST_free SCT_LIST_print SCT_LIST_validate SCT_free
211 SCT_get0_extensions SCT_get0_log_id SCT_get0_signature
212 SCT_get_log_entry_type SCT_get_signature_nid SCT_get_source
213 SCT_get_timestamp SCT_get_validation_status SCT_get_version
214 SCT_new SCT_new_from_base64 SCT_print SCT_set0_extensions
215 SCT_set0_log_id SCT_set0_signature SCT_set1_extensions
216 SCT_set1_log_id SCT_set1_signature SCT_set_log_entry_type
217 SCT_set_signature_nid SCT_set_source SCT_set_timestamp
218 SCT_set_version SCT_validate SCT_validation_status_string
219 X509_OBJECT_free X509_OBJECT_new X509_REQ_get0_pubkey
220 X509_SIG_get0 X509_SIG_getm X509_STORE_CTX_get_by_subject
221 X509_STORE_CTX_get_num_untrusted
222 X509_STORE_CTX_get_obj_by_subject X509_STORE_CTX_get_verify
223 X509_STORE_CTX_get_verify_cb X509_STORE_CTX_set0_verified_chain
224 X509_STORE_CTX_set_current_cert X509_STORE_CTX_set_error_depth
225 X509_STORE_CTX_set_verify X509_STORE_get_verify
226 X509_STORE_get_verify_cb X509_STORE_set_verify
227 X509_get_X509_PUBKEY X509_get_extended_key_usage
228 X509_get_extension_flags X509_get_key_usage
229 X509v3_addr_add_inherit X509v3_addr_add_prefix
230 X509v3_addr_add_range X509v3_addr_canonize X509v3_addr_get_afi
231 X509v3_addr_get_range X509v3_addr_inherits
232 X509v3_addr_is_canonical X509v3_addr_subset
233 X509v3_addr_validate_path X509v3_addr_validate_resource_set
234 X509v3_asid_add_id_or_range X509v3_asid_add_inherit
235 X509v3_asid_canonize X509v3_asid_inherits
236 X509v3_asid_is_canonical X509v3_asid_subset
237 X509v3_asid_validate_path X509v3_asid_validate_resource_set
238 d2i_ASIdOrRange d2i_ASIdentifierChoice d2i_ASIdentifiers
239 d2i_ASRange d2i_IPAddressChoice d2i_IPAddressFamily
240 d2i_IPAddressOrRange d2i_IPAddressRange d2i_SCT_LIST
241 i2d_ASIdOrRange i2d_ASIdentifierChoice i2d_ASIdentifiers
242 i2d_ASRange i2d_IPAddressChoice i2d_IPAddressFamily
243 i2d_IPAddressOrRange i2d_IPAddressRange i2d_SCT_LIST
244 i2d_re_X509_CRL_tbs i2d_re_X509_REQ_tbs i2d_re_X509_tbs i2o_SCT
245 i2o_SCT_LIST o2i_SCT o2i_SCT_LIST
246 removed API:
247 ASN1_check_infinite_end ASN1_const_check_infinite_end EVP_dss
248 EVP_dss1 EVP_ecdsa HMAC_CTX_cleanup HMAC_CTX_init
249 NETSCAPE_ENCRYPTED_PKEY_free NETSCAPE_ENCRYPTED_PKEY_new
250 NETSCAPE_PKEY_free NETSCAPE_PKEY_new NETSCAPE_X509_free
251 NETSCAPE_X509_new OBJ_bsearch_ex_ PEM_SealFinal PEM_SealInit
252 PEM_SealUpdate PEM_read_X509_CERT_PAIR
253 PEM_read_bio_X509_CERT_PAIR PEM_write_X509_CERT_PAIR
254 PEM_write_bio_X509_CERT_PAIR X509_CERT_PAIR_free
255 X509_CERT_PAIR_new X509_OBJECT_free_contents asn1_do_adb
256 asn1_do_lock asn1_enc_free asn1_enc_init asn1_enc_restore
257 asn1_enc_save asn1_ex_c2i asn1_get_choice_selector
258 asn1_get_field_ptr asn1_set_choice_selector check_defer
259 d2i_ASN1_BOOLEAN d2i_NETSCAPE_ENCRYPTED_PKEY d2i_NETSCAPE_PKEY
260 d2i_NETSCAPE_X509 d2i_Netscape_RSA d2i_RSA_NET
261 d2i_X509_CERT_PAIR i2d_ASN1_BOOLEAN i2d_NETSCAPE_ENCRYPTED_PKEY
262 i2d_NETSCAPE_PKEY i2d_NETSCAPE_X509 i2d_Netscape_RSA i2d_RSA_NET
263 i2d_X509_CERT_PAIR name_cmp obj_cleanup_defer
264
313.4.1 - Stable release 2653.4.1 - Stable release
32 266
33 * New Features 267 * New Features
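Review bot: The first entry under "Bug fixes" is too vague for anyone deciding whether to backport: "This could lead to incorrect decisions being made in software" does not say what the caller observes when the verification callback tells the verifier to continue, nor which releases are affected. Suggest spelling that out and, if it is being treated as a security fix, saying so. Several "Internal Improvements" items read as behaviour or hardening changes rather than refactoring ("Check DH public key in ssl_kex_peer_public_dhe()", "Add record processing limit to DTLS code", "Only allow zero length key shares when we know we're doing HRR") and would be easier for packagers to find under "Bug fixes" or a group of their own. The "API stubs for compatibility" list should state what the stubs do when called, since the entry as written leaves open whether SSL_CTX_set_keylog_callback has any effect. The tls_signer entry says "Documentation will follow" while six tls_signer/tls_config functions are already listed as libtls API additions; a one-line description of the intended call order would help until the manual pages land. Nit: "is now an uint32_t" should read "a uint32_t".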