Opened 8 days ago

Closed 4 days ago

#5701 closed enhancement (fixed)

openssl-3.5.0

Reported by: Bruce Dubbs
Owned by: lfs-book
Priority: normal
Milestone: 12.4
Component: Book
Version: git
Severity: normal
Keywords:
Cc:

Description

New minor version.

Change History (2)

comment:1 by Bruce Dubbs, 5 days ago

OpenSSL 3.5 - Changes between 3.4 and 3.5.0 [8 Apr 2025]

  • Added server side support for QUIC

  • Tolerate PKCS#8 version 2 with optional public keys. The public key data is currently ignored.

  • Signature schemes without an explicit signing digest in CMS are now supported. Examples of such schemes are ED25519 or ML-DSA.

  • The TLS Signature algorithms defaults now include all three ML-DSA variants as first algorithms.

  • Added a no-tls-deprecated-ec configuration option.

    The no-tls-deprecated-ec option disables support for TLS elliptic curve groups deprecated in RFC8422 at compile time. This does not affect use of the associated curves outside TLS. By default support for these groups is compiled in, but, as before, they are not included in the default run-time list of supported groups.

    With the enable-tls-deprecated-ec option these TLS groups remain enabled at compile time even if the default configuration is changed, provided the underlying EC curves remain implemented.

  • Added new API to enable 0-RTT for 3rd party QUIC stacks.

  • Added support for a new callback registration SSL_CTX_set_new_pending_conn_cb, which allows for application notification of new connection SSL object creation, which occurs independently of calls to SSL_accept_connection(). Note: QUIC objects passed through SSL callbacks should not have their state mutated via calls back into the SSL api until such time as they have been received via a call to SSL_accept_connection().

  • Add SLH-DSA as specified in FIPS 205.

  • ML-KEM as specified in FIPS 203.

    Based on the original implementation in BoringSSL, ported from C++ to C, refactored, and integrated into the OpenSSL default and FIPS providers. Including also the X25519MLKEM768, SecP256r1MLKEM768, SecP384r1MLKEM1024 TLS hybrid key post-quantum/classical key agreement schemes.

  • Add ML-DSA as specified in FIPS 204.

    The base code was derived from BoringSSL C++ code.

  • Added new API calls to enable 3rd party QUIC stacks to use the OpenSSL TLS implementation.

  • The default DRBG implementations have been changed to prefer to fetch algorithm implementations from the default provider (the provider the DRBG implementation is built in) regardless of the default properties set in the configuration file. The code will still fallback to find an implementation, as done previously, if needed.

  • Initial support for opaque symmetric keys objects (EVP_SKEY). These replace the ad-hoc byte arrays that are pervasive throughout the library.

  • The default TLS group list setting is now set to:

    ?*X25519MLKEM768 / ?*X25519:?secp256r1 / ?X448:?secp384r1:?secp521r1 / ?ffdhe2048:?ffdhe3072

    This means two key shares (X25519MLKEM768 and X25519) will be sent by default by the TLS client. GOST groups and FFDHE groups larger than 3072 bits are no longer enabled by default.

    The group names in the group list setting are now also case insensitive.

  • For TLSv1.3: Add capability for a client to send multiple key shares. Extend the scope of SSL_OP_CIPHER_SERVER_PREFERENCE to cover server-side key exchange group selection.

    Extend the server-side key exchange group selection algorithm and related group list syntax to support multiple group priorities, e.g. to prioritize (hybrid-)KEMs.

  • A new random generation API has been introduced which modifies all of the RAND_bytes(3) family of calls so they are routed through a specific named provider instead of being resolved via the normal DRBG chaining. In a future OpenSSL release, this will obsolete RAND_METHOD.

  • New inline functions were added to support loads and stores of unsigned 16-bit, 32-bit and 64-bit integers in either little-endian or big-endian form, regardless of the host byte-order. See the OPENSSL_load_u16_le(3) manpage for details.

  • All the BIO_meth_get_*() functions allowing reuse of the internal OpenSSL BIO method implementations were deprecated. The reuse is unsafe due to dependency on the code of the internal methods not changing.

  • Support DEFAULT keyword and '-' prefix in SSL_CTX_set1_groups_list(). SSL_CTX_set1_groups_list() now supports the DEFAULT keyword which sets the available groups to the default selection. The '-' prefix allows the calling application to remove a group from the selection.

  • Updated the default encryption cipher for the req, cms, and smime applications from des-ede3-cbc to aes-256-cbc.

    AES-256 provides a stronger 256-bit key encryption than legacy 3DES.

  • Enhanced PKCS#7 inner contents verification. In the PKCS7_verify() function, the BIO *indata parameter refers to the signed data if the content is detached from p7. Otherwise, indata should be NULL, and then the signed data must be in p7.

    The previous OpenSSL implementation only supported MIME inner content [RFC 5652, section 5.2].

    The added functionality now enables support for PKCS#7 inner content [RFC 2315, section 7].

  • The -rawin option of the pkeyutl command is now implied (and thus no longer required) when using -digest or when signing or verifying with an Ed25519 or Ed448 key. The -digest and -rawin options may only be given with -sign or -verify.

  • X509_PURPOSE_add() has been modified to take sname instead of id as the primary purpose identifier. For its convenient use, X509_PURPOSE_get_unused_id() has been added.

  • Added support for central key generation in CMP.

  • Optionally allow the FIPS provider to use the JITTER entropy source. Note that using this option will require the resulting FIPS provider to undergo entropy source validation (ESV) by the CMVP; without this the FIPS provider will not be FIPS compliant. Enable this using the configuration option enable-fips-jitter.

  • Extended OPENSSL_ia32cap support to accommodate additional CPUID feature/capability bits in leaf 0x7 (Extended Feature Flags) as well as leaf 0x24 (Converged Vector ISA).

  • Cipher pipelining support for provided ciphers with new API functions EVP_CIPHER_can_pipeline(), EVP_CipherPipelineEncryptInit(), EVP_CipherPipelineDecryptInit(), EVP_CipherPipelineUpdate(), and EVP_CipherPipelineFinal(). Cipher pipelining support allows applications to submit multiple chunks of data in one cipher update call, thereby allowing the provided implementation to take advantage of parallel computing. There are currently no built-in ciphers that support pipelining. This new API replaces the legacy pipeline API SSL_CTX_set_max_pipelines (https://docs.openssl.org/3.3/man3/SSL_CTX_set_split_send_fragment/) used with Engines.

  • Add CMS_NO_SIGNING_TIME flag to CMS_sign(), CMS_add1_signer()

    Previously there was no way to create a CMS SignedData signature without a signing time attribute, because CMS_SignerInfo_sign added it unconditionally. However, there is a use case (PAdES signatures, ETSI EN 319 142-1, https://www.etsi.org/deliver/etsi_en/319100_319199/31914201/01.01.01_60/en_31914201v010101p.pdf) where this attribute is not allowed, so a new flag was added to the CMS API that causes this attribute to be omitted at signing time.

    The new -no_signing_time option of the cms command enables this flag.

  • Parallel dual-prime 1024/1536/2048-bit modular exponentiation for AVX_IFMA capable processors (Intel Sierra Forest and its successor).

    This optimization brings performance enhancement, ranging from 1.8 to 2.2 times, for the sign/decryption operations of rsaz-2k/3k/4k (openssl speed rsa) on the Intel Sierra Forest.

  • VAES/AVX-512 support for AES-XTS.

    For capable processors (>= Intel Icelake), this provides a vectorized implementation of AES-XTS with a throughput improvement between 1.3x to 2x, depending on the block size.

  • Fixed EVP_DecodeUpdate() to not write padding zeros to the decoded output.

    According to the documentation, for every 4 valid base64 bytes processed (ignoring whitespace, carriage returns and line feeds), EVP_DecodeUpdate() produces 3 bytes of binary output data (except at the end of data terminated with one or two padding characters). However, the function behaved like an EVP_DecodeBlock(). It produced exactly 3 output bytes for every 4 input bytes. Such behaviour could cause writes to a non-allocated output buffer if a user allocates its size based on the documentation, knowing the padding size.

    The fix makes EVP_DecodeUpdate() produce exactly as many output bytes as in the initial non-encoded message.

  • Added support for aAissuingDistributionPoint, allowedAttributeAssignments, timeSpecification, attributeDescriptor, roleSpecCertIdentifier, authorityAttributeIdentifier and attributeMappings X.509v3 extensions.

  • Added a new CLI option -provparam and API functions for setting of provider configuration parameters.

  • Fixed benchmarking for AEAD ciphers in the openssl speed utility.

  • Added a build configuration option enable-sslkeylog for enabling support for SSLKEYLOGFILE environment variable to log TLS connection secrets.

  • Added EVP_get_default_properties() function to retrieve the current default property query string.
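The EVP_DecodeUpdate() item in the changelog above is a buffer-sizing problem: a caller who sized the output from the documented contract (3 bytes per 4 input bytes, minus padding) was overrun by an implementation that wrote 3 bytes per quantum unconditionally. The program below is an added example written for this ticket page, not code from OpenSSL or from the comment: b64_decode() is a constructed stand-in that follows the documented (post-fix) contract, b64_documented_outlen() and b64_legacy_outlen() compute the two competing output lengths, and b64_worstcase_outcap() gives a capacity that is safe under either behaviour. All function names and the sample input are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not OpenSSL code: a small base64 decoder modelling the
 * EVP_DecodeUpdate() contract from the changelog, plus helpers that compare
 * the documented output length with what the pre-3.5.0 (EVP_DecodeBlock-like)
 * behaviour actually wrote. */

static int b64_is_skip(char c) {
    return c == ' ' || c == '\t' || c == '\r' || c == '\n';
}

static int b64_value(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Number of significant (non-whitespace) characters and of '=' padding characters. */
static size_t b64_count(const char *in, size_t inlen, size_t *pad) {
    size_t n = 0, p = 0;
    for (size_t i = 0; i < inlen; i++) {
        if (b64_is_skip(in[i])) continue;
        n++;
        if (in[i] == '=') p++;
    }
    *pad = p;
    return n;
}

/* Output length promised by the documentation: 3 bytes per 4 input bytes, minus padding. */
size_t b64_documented_outlen(const char *in, size_t inlen) {
    size_t pad;
    size_t n = b64_count(in, inlen, &pad);
    return (n / 4) * 3 - pad;
}

/* Output length the pre-3.5.0 implementation wrote: exactly 3 bytes per 4 input bytes. */
size_t b64_legacy_outlen(const char *in, size_t inlen) {
    size_t pad;
    size_t n = b64_count(in, inlen, &pad);
    return (n / 4) * 3;
}

/* Capacity safe under both behaviours: round the input up to whole quanta and
 * allow 3 bytes per quantum.  The decoded size is the returned length, never
 * this capacity. */
size_t b64_worstcase_outcap(const char *in, size_t inlen) {
    size_t pad;
    size_t n = b64_count(in, inlen, &pad);
    return ((n + 3) / 4) * 3;
}

/* Decode into out (at most outcap bytes).  Returns bytes written, or -1 on
 * malformed input or insufficient capacity.  Padding emits no output bytes,
 * matching the fixed EVP_DecodeUpdate() behaviour. */
long b64_decode(const char *in, size_t inlen, unsigned char *out, size_t outcap) {
    uint32_t acc = 0;
    int bits = 0;
    size_t written = 0, pad = 0;
    for (size_t i = 0; i < inlen; i++) {
        char c = in[i];
        if (b64_is_skip(c)) continue;
        if (c == '=') { pad++; continue; }
        if (pad) return -1;                      /* data after padding is malformed */
        int v = b64_value((unsigned char)c);
        if (v < 0) return -1;
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (written >= outcap) return -1;    /* never overrun the caller's buffer */
            out[written++] = (unsigned char)((acc >> bits) & 0xffu);
        }
    }
    if (pad > 2) return -1;
    return (long)written;
}

/* Check helper: 1 if `in` decodes exactly to `expected`, else 0. */
int b64_decode_equals(const char *in, const char *expected) {
    unsigned char buf[64];
    long n = b64_decode(in, strlen(in), buf, sizeof buf);
    return n >= 0 && (size_t)n == strlen(expected) && memcmp(buf, expected, (size_t)n) == 0;
}

int main(void) {
    /* Constructed sample: "hello" with one padding character, split by a newline. */
    const char *sample = "aGVs\nbG8=";
    size_t len = strlen(sample);
    printf("documented: %zu, legacy wrote: %zu, safe capacity: %zu\n",
           b64_documented_outlen(sample, len),
           b64_legacy_outlen(sample, len),
           b64_worstcase_outcap(sample, len));
    return b64_decode_equals(sample, "hello") ? 0 : 1;
}
```

For the sample input the documented length is 5 while the legacy behaviour wrote 6, which is exactly the one-byte overrun the changelog describes. Code that must run against both older and fixed OpenSSL builds can avoid the problem by allocating b64_worstcase_outcap() bytes and treating only the length the decode call returns as real data.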

comment:2 by Bruce Dubbs, 4 days ago

Resolution: fixed
Status: new → closed

Fixed at commit d470cdb21c.
