v. 2.6.SR.1
- fixed "multiple definition of symbol" linker issue for QSEE TAs

v. 2.6
- library release

v. 2.6 (RC 1)
- used toolchain for library build:
  - TEEGRIS (TZ OS version 4.2 and above): Teegris SDK v4.2.0 (TZSL/Secure OS 19538818/19526410)
- page size alignment for __stack_chk_guard_addr

v. 2.6 (beta 2)
- used toolchain for library build:
  - QSEE (TZ OS version 4.0.6 and above): llvm 10.0.4
  - TEEGRIS (TZ OS version 4.2 and above): Teegris SDK v4.2.0 (18978180)
- changed library naming for Teegris platform, name of corresponding library contains tag "teegris", where "VERSION_*" corresponds to the version of Teegris SDK. Example: for Teegris SDK 4.1.0 library name contains tag "teegris410"
- removed deprecated functions from public header files:
  - bio:
    function: BIO_f_base64
  - blowfish:
    functions: BF_encrypt, BF_decrypt, BF_ecb_encrypt, BF_cbc_encrypt, BF_set_key
    structure: BF_KEY
    macros: BF_ENCRYPT, BF_DECRYPT, BF_ROUNDS, BF_BLOCK
  - cipher:
    functions: EVP_bf_ecb, EVP_bf_cbc, EVP_bf_cfb, EVP_cast5_ecb, EVP_cast5_cbc, EVP_aes_128_cfb128, EVP_aes_256_cfb128
  - cast:
    functions: CAST_set_key, CAST_ecb_encrypt, CAST_encrypt, CAST_decrypt, CAST_cbc_encrypt, CAST_cfb64_encrypt
    structure: CAST_KEY
    macros: CAST_ENCRYPT, CAST_DECRYPT, CAST_BLOCK, CAST_KEY_LENGTH
  - des:
    functions: DES_ede3_cfb64_encrypt, DES_ede3_cfb_encrypt
  - dh:
    function: DH_generate_parameters
  - dsa:
    function: DSA_generate_parameters
  - digest:
    function: EVP_dss1
  - evp:
    functions: EVP_CIPHER_do_all_sorted, EVP_MD_do_all_sorted
  - obj:
    functions: OBJ_NAME_do_all_sorted, OBJ_NAME_do_all
    structure: OBJ_NAME
    macros: OBJ_NAME_TYPE_MD_METH, OBJ_NAME_TYPE_CIPHER_METH
  - rc4:
    function: RC4_options
  - ripemd:
    functions: RIPEMD160_Init, RIPEMD160_Update, RIPEMD160_Final, RIPEMD160, RIPEMD160_Transform
    structs: RIPEMD160state_st, RIPEMD160_CTX
    macros: RIPEMD160_CBLOCK, RIPEMD160_LBLOCK, RIPEMD160_DIGEST_LENGTH
  - rsa:
    functions: RSA_generate_key, RSA_padding_add_PKCS1_PSS, RSA_verify_PKCS1_PSS,
      RSA_padding_add_PKCS1_OAEP
  - x509:
    function: X509V3_EXT_conf_nid

v. 2.6 (beta 1)
- version of BoringSSL API is "9", version OpenSSL is 0x1010007f
- used toolchains for library build:
  - QSEE (TZ OS version 4.0.6 and above): llvm 8.0.9
  - TEEGRIS (TZ OS version 3.0): Teegris SDK v3.0.0 update 4 (2018-10-30)
  - TEEGRIS (TZ OS version 4 and above): Teegris SDK v4.1.0
- other changes are below:
  - aead:
    added EVP_aead_aes_192_gcm
  - aes:
    added AES_wrap_key_padded, AES_unwrap_key_padded
  - buf:
    added as deprecated BUF_strdup, BUF_strnlen, BUF_strndup, BUF_memdup, BUF_strlcpy, BUF_strlcat
  - bytestring:
    added CBS_get_u16le, CBS_get_u32le, CBS_get_u64le, CBS_get_asn1_int64, CBB_add_u16le, CBB_add_u32le, CBB_add_u64le, CBB_add_asn1_int64
    modified structure "cbb_st": renamed field "is_top_level" to "is_child"
  - cipher:
    changed function prototype:
      from "void EVP_CIPHER_CTX_reset"
      to "int EVP_CIPHER_CTX_reset" (function returns one)
    added to decrepit EVP_aes_256_cfb128
  - digest:
    added EVP_DigestFinalXOF and EVP_MD_meth_get_flags
  - ec_key:
    added EC_KEY_derive_from_secret
    changed function prototype:
      from "int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key, BIGNUM *x, BIGNUM *y)"
      to "int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key, const BIGNUM *x, const BIGNUM *y)"
      from "size_t EC_KEY_key2buf(EC_KEY *key, point_conversion_form_t form, unsigned char **out_buf, BN_CTX *ctx)"
      to "size_t EC_KEY_key2buf(const EC_KEY *key, point_conversion_form_t form, unsigned char **out_buf, BN_CTX *ctx)"
  - ecdsa:
    added ECDSA_SIG_get0_r, ECDSA_SIG_get0_s
  - engine:
    changed function prototype:
      from "void ENGINE_free"
      to "int ENGINE_free" (function returns one)
  - err:
    changed function prototype:
      from "void ERR_error_string_n"
      to "char *ERR_error_string_n" (function returns a human-readable string representing the error)
  - evp:
    removed EVP_PKEY_new_ed25519_public, EVP_PKEY_new_ed25519_private
    added EVP_PKEY_new_raw_private_key, EVP_PKEY_new_raw_public_key, EVP_PKEY_get_raw_private_key,
      EVP_PKEY_get_raw_public_key, EVP_PKEY_set1_tls_encodedpoint, EVP_PKEY_get1_tls_encodedpoint, EVP_PKEY_base_id, EVP_PKEY_CTX_set_rsa_pss_keygen_md, EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen, EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md
  - md4:
    changed function prototype:
      from "int MD4_Final(uint8_t *md, MD4_CTX *md4)"
      to "int MD4_Final(uint8_t out[MD4_DIGEST_LENGTH], MD4_CTX *md4)"
      from "uint8_t *MD4(const uint8_t *data, size_t len, uint8_t *out)"
      to "uint8_t *MD4(const uint8_t *data, size_t len, uint8_t out[MD4_DIGEST_LENGTH])"
      from "void MD4_Transform(MD4_CTX *md4, const uint8_t *block)"
      to "void MD4_Transform(MD4_CTX *md4, const uint8_t block[MD4_CBLOCK])"
  - md5:
    changed function prototype:
      from "int MD5_Final(uint8_t *md, MD5_CTX *md5)"
      to "int MD5_Final(uint8_t out[MD5_DIGEST_LENGTH], MD5_CTX *md5)"
      from "uint8_t *MD5(const uint8_t *data, size_t len, uint8_t *out)"
      to "uint8_t *MD5(const uint8_t *data, size_t len, uint8_t out[MD5_DIGEST_LENGTH])"
      from "void MD5_Transform(MD5_CTX *md5, const uint8_t *block)"
      to "void MD5_Transform(MD5_CTX *md5, const uint8_t block[MD5_CBLOCK])"
  - mem:
    added OPENSSL_strndup, OPENSSL_memdup, OPENSSL_strlcpy, OPENSSL_strlcat
  - ripemd:
    changed function prototype:
      from "int RIPEMD160_Final(uint8_t *md, RIPEMD160_CTX *ctx)"
      to "int RIPEMD160_Final(uint8_t out[RIPEMD160_DIGEST_LENGTH], RIPEMD160_CTX *ctx)"
      from "uint8_t *RIPEMD160(const uint8_t *data, size_t len, uint8_t *out)"
      to "uint8_t *RIPEMD160(const uint8_t *data, size_t len, uint8_t out[RIPEMD160_DIGEST_LENGTH])"
      from "void RIPEMD160_Transform(RIPEMD160_CTX *ctx, const uint8_t *block)"
      to "void RIPEMD160_Transform(RIPEMD160_CTX *ctx, const uint8_t block[RIPEMD160_CBLOCK])"
  - rsa:
    added RSA_get0_n, RSA_get0_e, RSA_get0_d, RSA_get0_p, RSA_get0_q, RSA_get0_dmp1, RSA_get0_dmq1, RSA_get0_iqmp
  - sha:
    changed function prototype:
      from "int SHA1_Final(uint8_t *md, SHA_CTX *sha)"
      to "int SHA1_Final(uint8_t out[SHA_DIGEST_LENGTH], SHA_CTX *sha)"
      from "uint8_t *SHA1(const uint8_t *data, size_t len, uint8_t *out)"
      to "uint8_t *SHA1(const uint8_t *data, size_t len, uint8_t out[SHA_DIGEST_LENGTH])"
      from "void SHA1_Transform(SHA_CTX *sha, const uint8_t *block)"
      to "void SHA1_Transform(SHA_CTX *sha, const uint8_t block[SHA_CBLOCK])"
      from "int SHA224_Final(uint8_t *md, SHA256_CTX *sha)"
      to "int SHA224_Final(uint8_t out[SHA224_DIGEST_LENGTH], SHA256_CTX *sha)"
      from "uint8_t *SHA224(const uint8_t *data, size_t len, uint8_t *out)"
      to "uint8_t *SHA224(const uint8_t *data, size_t len, uint8_t out[SHA224_DIGEST_LENGTH])"
      from "int SHA256_Final(uint8_t *md, SHA256_CTX *sha)"
      to "int SHA256_Final(uint8_t out[SHA256_DIGEST_LENGTH], SHA256_CTX *sha)"
      from "uint8_t *SHA256(const uint8_t *data, size_t len, uint8_t *out)"
      to "uint8_t *SHA256(const uint8_t *data, size_t len, uint8_t out[SHA256_DIGEST_LENGTH])"
      from "void SHA256_Transform(SHA256_CTX *sha, const uint8_t *block)"
      to "void SHA256_Transform(SHA256_CTX *sha, const uint8_t block[SHA256_CBLOCK])"
      from "int SHA384_Final(uint8_t *md, SHA512_CTX *sha)"
      to "int SHA384_Final(uint8_t out[SHA384_DIGEST_LENGTH], SHA512_CTX *sha)"
      from "uint8_t *SHA384(const uint8_t *data, size_t len, uint8_t *out)"
      to "uint8_t *SHA384(const uint8_t *data, size_t len, uint8_t out[SHA384_DIGEST_LENGTH])"
      from "int SHA512_Final(uint8_t *md, SHA512_CTX *sha)"
      to "int SHA512_Final(uint8_t out[SHA512_DIGEST_LENGTH], SHA512_CTX *sha)"
      from "uint8_t *SHA512(const uint8_t *data, size_t len, uint8_t *out)"
      to "uint8_t *SHA512(const uint8_t *data, size_t len, uint8_t out[SHA512_DIGEST_LENGTH])"
      from "void SHA512_Transform(SHA512_CTX *sha, const uint8_t *block)"
      to "void SHA512_Transform(SHA512_CTX *sha, const uint8_t block[SHA512_CBLOCK])"
  - siphash:
    added SIPHASH_24
  - x509:
    added X509_getm_notBefore, X509_getm_notAfter
    changed function prototype:
      from "int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type, unsigned char *bytes, int len, int loc, int set)"
      to "int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type, const unsigned char *bytes, int len, int loc, int set)"
      from "int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type, unsigned char *bytes, int len, int loc, int set)"
      to "int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type, const unsigned char *bytes, int len, int loc, int set)"
      from "X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid, int type, unsigned char *bytes, int len)"
      to "X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid, int type, const unsigned char *bytes, int len)"
  - x509v3:
    added as deprecated X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT, X509_CHECK_FLAG_NO_WILDCARDS, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS, X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS, X509_CHECK_FLAG_NEVER_CHECK_SUBJECT

v. 2.5.1
- changed suffix "sys_dbg" to "sys_4test" for TEEGRIS system library used for internal TEEGRIS OS testing
- added option to use GP API as underlying system API on KINIBI platform

v. 2.5
- added license note

v. 2.5 (RC 1)
- fixed mobicore trustlet build linker error with trampoline-armv4.S
- used toolchains for library build:
  - QSEE (TZ OS version 4.0.6 and above): llvm 8.0.9
  - TEEGRIS (TZ OS version 4 and above): Teegris SDK v4.1.0, name of corresponding library contains tag "teegris4"
- set default symbol visibility as hidden
- enabled relocation read-only option for TEEGRIS (version 4) system library

v. 2.5 (beta 2)
- removed "#include " from public headers:
    include/openssl/base.h
    include/openssl/thread.h

v. 2.5 (beta 1)
- version of BoringSSL API is "9", version OpenSSL is 0x1010007f
- improved imprint scheme: used HMAC SHA-256 instead of HMAC SHA-1, renamed script "imprint" to "imprint256".
  WARNING: incompatible with imprint scheme of previous versions of SCrypto
- added function "ECDH_compute_key_fips" that uses appropriate SHA function as KDF
- modified macro "OPENSSL_COMPILE_ASSERT(condition, msg_as_variable)" to "OPENSSL_STATIC_ASSERT(condition, msg_as_string)"
- modified structure "bignum_st" (aka BIGNUM): renamed field "top" to "width"
- modified structure "rsa_st" (aka RSA): added fields "d_fixed", "dmp1_fixed", "dmq1_fixed", "inv_small_mod_large_mont", "private_key_frozen"
- removed functions like "EVP_aes_128_cfb...", "EVP_aes_192_cfb...", "EVP_aes_256_cfb..."
- added a structured-lattice-based post-quantum key encapsulation mechanism HRSS
- used toolchains for library build:
  - QSEE (TZ OS version 4.0.6 and above): llvm 4.0.11
  - TEEGRIS (TZ OS version 3.0): Teegris SDK v3.0.0 update 4 (2018-10-30), name of corresponding library contains tag "teegris3"
  - TEEGRIS (TZ OS version 4 and above): Teegris SDK v4.0.0_Beta, name of corresponding library contains tag "teegris4"
- other changes are below:
  aead:
    added EVP_aead_xchacha20_poly1305, EVP_aead_aes_128_ccm_bluetooth, evp_aead_ctx_st_state, EVP_aead_aes_128_gcm_tls13, EVP_aead_aes_256_gcm_tls13
    changed evp_aead_ctx_st (aka EVP_AEAD_CTX), EVP_AEAD_MAX_NONCE_LENGTH
    removed EVP_aead_aes_128_cbc_sha1_ssl3, EVP_aead_aes_256_cbc_sha1_ssl3, EVP_aead_des_ede3_cbc_sha1_ssl3, EVP_aead_null_sha1_ssl3
  asn1:
    removed D2I_OF, I2D_OF, I2D_OF_const, CHECKED_D2I_OF, CHECKED_I2D_OF, CHECKED_NEW_OF, CHECKED_PPTR_OF, d2i_ASN1_UINTEGER, ASN1_dup, ASN1_d2i_bio, ASN1_i2d_bio
  bio:
    added BIO_write_all
  bn:
    added BN_count_low_zero_bits, BN_MONT_CTX_new_consttime, BN_bn2binpad
    changed bignum_st
    removed BN_less_than_consttime
  bytestring:
    added CBS_get_u64, CBB_add_u64
  cipher:
    added EVP_CIPHER_CTX_encrypting
    added as deprecated EVP_aes_192_ofb, EVP_des_ede3_ecb
    removed EVP_aes_128_cfb1, EVP_aes_128_cfb8, EVP_aes_192_cfb128, EVP_aes_192_cfb1, EVP_aes_192_cfb8, EVP_aes_256_cfb128, EVP_aes_256_cfb1, EVP_aes_256_cfb8
  cmac:
    added CMAC_CTX_copy
  ec:
    added EC_GROUP_order_bits, EC_curve_nid2nist, EC_curve_nist2nid
    removed EC_POINT_make_affine, EC_POINTs_make_affine
  ec_key:
    added EC_KEY_key2buf
    removed EC_KEY_copy
  ecdh:
    added ECDH_compute_key_fips
  evp:
    added EVP_PKEY_paramgen_init, EVP_PKEY_paramgen
    added as deprecated d2i_PublicKey, EVP_PKEY_get1_DH, EVP_PKEY_CTX_set_ec_param_enc
  lhash:
    changed lh_retrieve, lh_retrieve_key, lh_insert, lh_delete: specified prototypes of callback functions
  mem:
    added OPENSSL_clear_free as a wrapper for OPENSSL_free, note: OPENSSL_free already zeros the allocated memory, see release notes of v. 2.4 (RC 1)
  pkcs7:
    added as deprecated PKCS7_SIGNED, PKCS7_SIGN_ENVELOPE, PKCS7, d2i_PKCS7, d2i_PKCS7_bio, i2d_PKCS7, i2d_PKCS7_bio, PKCS7_free, PKCS7_type_is_data, PKCS7_type_is_digest, PKCS7_type_is_encrypted, PKCS7_type_is_enveloped, PKCS7_type_is_signed, PKCS7_type_is_signedAndEnveloped, PKCS7_sign
  pkcs8:
    added as deprecated i2d_PKCS12, i2d_PKCS12_bio, i2d_PKCS12_fp, PKCS12_create
  pool:
    added CRYPTO_BUFFER_alloc
  rsa:
    added RSA_print
    changed rsa_st
  sha:
    added SHA256_TransformBlocks
    changed sha512_state_st
    removed SHA384_Transform
  stack:
    added sk_pop_free_ex
    changed prototype of sk_find, sk_deep_copy, sk_pop_free
  type_check:
    added OPENSSL_STATIC_ASSERT
    removed OPENSSL_COMPILE_ASSERT, CHECKED_PTR_OF
  x509:
    added X509_CRL_get0_lastUpdate, X509_CRL_get0_nextUpdate, d2i_DHparams_bio, i2d_DHparams_bio, i2d_re_X509_tbs, X509_get0_tbs_sigalg, X509_REQ_get0_signature, X509_REQ_get_signature_nid, i2d_re_X509_REQ_tbs, X509_CRL_get0_signature, X509_CRL_get_signature_nid, i2d_re_X509_CRL_tbs, X509_REVOKED_get0_serialNumber, X509_REVOKED_get0_revocationDate
  x509v3:
    added X509_get_extension_flags, X509_get_key_usage, X509_get_extended_key_usage
    removed X509V3_EXT_CRL_add_conf, hex_to_string, string_to_hex, name_cmp

v. 2.4.3
- changed names of cache objects FIPS_SELFTEST_STATUS_SOURCE under Teegris SDK v4:
    from "fips/fips_selftest_status_source_64" to "/fips/fips_selftest_status_source_64"
    from "fips/fips_selftest_status_source_32" to "/fips/fips_selftest_status_source_32"
- added MTK x32 platform support (chipset mtk6765), name of corresponding library contains tag "mediatek"
- added symbol versioning for TEEGRIS platform under Teegris SDK v4
- made shared library executable for TEEGRIS platform under Teegris SDK v4 to run selftest without trustlet

v. 2.4.2
- added support of chipsets with limited HW capabilities for MC (KINIBI): CE disabled, NEON enabled, name of corresponding library has suffix "_neon"
- switched from HWRNG to PRNG to speed up obtaining additional_data in DRBG
- added freeing of EC precomputed data via destructor on QSEE (except legacy) and TEEGRIS
- added zeroization of CTR DRBG data via destructor on QSEE (except legacy) and TEEGRIS

v. 2.4.1
- added info of machine bitness to the log output
- modified binary naming scheme
- added extended version info to output file name of binary
- module version string definition FIPS_SCRYPTO_MODULE_VERSION_STR was moved from include/openssl/base.h to include/openssl/scrypto_version.h
- added numerical module version definition FIPS_SCRYPTO_MODULE_VERSION_NUM (include/openssl/scrypto_version.h)

v. 2.4
- added functional tests ECDH, KBKDF and AES KW
- removed functional tests RSA PSS and DSA
- used toolchains for library build:
  - QSEE (TZ OS version 4.0.6 and above): llvm 4.0.11
  - TEEGRIS (TZ OS version 3.0 and above): Teegris SDK v3.0.0 update 4 (2018-10-30)

v. 2.4 (RC 2)
- added KBKDF, AES KW and ECDH selftests
- removed RSA PSS selftest
- removed DSA from FIPS boundary
- removed function DSA_generate_key_fips from DSA API

v. 2.4 (RC 1)
- version of BoringSSL API is "7", version OpenSSL is 0x1010007f
- function "OPENSSL_free" also zeros the allocated memory (i.e. no need to call "OPENSSL_cleanse" before "OPENSSL_free")
- function "OPENSSL_realloc" also zeros previously allocated memory, note: it doesn't call platform realloc
- header openssl/fips_drbg.h was removed, instead of "FIPS_drbg_bytes" use "RAND_bytes"
- low level GCM API was excluded from public API, openssl/gcm.h was removed, use EVP API instead
- function "RSA_generate_key_186_4" was removed, use new function "RSA_generate_key_fips" instead, note: the public exponent is always 65537 and bits must be either 2048 or 3072
- added function "DSA_generate_key_fips" (which includes PWCT) to use instead of "DSA_generate_key"
- added function "EC_KEY_generate_key_fips" (which includes PWCT) to use instead of "EC_KEY_generate_key"
- function "bn_expand" returns one on success or zero on allocation failure
- function "RSA_padding_check_PKCS1_OAEP_mgf1" returns one on success and zero on error, also its prototype has changed
- other changes are below:
  aead:
    changed EVP_AEAD_CTX
  asn1:
    changed ASN1_ADB_st
    removed NETSCAPE_X509, ASN1_BIT_STRING_name_print, ASN1_BIT_STRING_num_asc, ASN1_BIT_STRING_set_asc, UTF8_getc, UTF8_putc, a2d_ASN1_OBJECT, asn1_Finish, asn1_const_Finish, ASN1_check_infinite_end, ASN1_const_check_infinite_end, ASN1_UNIVERSALSTRING_to_string, ASN1_template_d2i, ASN1_template_i2d
  base:
    added OPENSSL_INIT_SETTINGS
    removed NETSCAPE_CERT_SEQUENCE, X509_OBJECTS, SSL_CUSTOM_EXTENSION, X509_CERT_PAIR
  bio:
    added BIO_set_shutdown, BIO_get_shutdown, BIO_meth_set_puts
    changed bio_st (aka BIO)
    removed BIO_set_callback, BIO_set_callback_arg, BIO_get_callback_arg
  bn:
    added BN_less_than_consttime, BN_MONT_CTX_new_for_modulus
    excluded from public API bn_correct_top, bn_wexpand, BN_kronecker
    deprecated BN_MONT_CTX_new (use BN_MONT_CTX_new_for_modulus instead), BN_MONT_CTX_set
    removed BN_generate_dsa_nonce
  buf:
    added BUF_MEM_append
  bytestring:
    added CBS_get_asn1_bool, CBS_asn1_oid_to_text, CBB_add_asn1_octet_string, CBB_add_asn1_bool, CBB_add_asn1_oid_from_text,
      CBB_flush_asn1_set_of
    functions CBS_get_any_asn1, CBS_get_any_asn1_element, CBB_add_asn1 support tag numbers greater than 30
  cipher:
    added EVP_CIPHER_CTX_reset, EVP_CIPHER_CTX_set_flags
  crypto:
    added OpenSSL_version, OpenSSL_version_num, OPENSSL_init_crypto
    function FIPS_mode returns FIPS_status()
  dh:
    added DH_set0_key, DH_set0_pqg, EVP_MD_CTX_new, EVP_MD_CTX_free
    removed DH_get_1024_160, DH_get_2048_224, DH_get_2048_256
  digest:
    added EVP_MD_CTX_reset, EVP_parse_digest_algorithm, EVP_marshal_digest_algorithm
    deprecated EVP_MD_CTX_create (use EVP_MD_CTX_new instead), EVP_MD_CTX_destroy (use EVP_MD_CTX_free instead)
  dsa:
    added DSA_set0_key, DSA_set0_pqg, DSA_generate_key_fips
    excluded from public API DSA_sign_setup
    changed dsa_st (aka DSA)
  ec:
    deprecated EC_POINT_clear_free (use EC_POINT_free instead)
  ec_key:
    added EC_KEY_check_fips, EC_KEY_generate_key_fips
    changed ecdsa_method_st (aka ECDSA_METHOD)
  ecdsa:
    added ECDSA_SIG_get0, ECDSA_SIG_set0
    removed ECDSA_sign_setup, ECDSA_do_sign_ex, ECDSA_sign_ex
  evp:
    added EVP_PKEY_new_ed25519_public, EVP_PKEY_new_ed25519_private, EVP_DigestSign, EVP_DigestVerify, EVP_PBE_scrypt
    changed evp_pkey_st (aka EVP_PKEY)
    removed EVP_PKEY_supports_digest
  hmac:
    added HMAC_CTX_new, HMAC_CTX_free, HMAC_CTX_reset
  mem:
    removed OPENSSL_realloc_clean (use OPENSSL_realloc instead)
  obj:
    added OBJ_get0_data, OBJ_length
  rsa:
    added RSA_set0_key, RSA_set0_factors, RSA_set0_crt_params, RSA_generate_key_fips, RSA_sign_pss_mgf1, RSA_verify_pss_mgf1, RSA_check_fips, RSA_flags
    function PKCS1_MGF1 is added to public API
    changed rsa_meth_st (aka RSA_METHOD)
    removed RSA_supports_digest, RSA_recover_crt_params, RSA_parse_public_key_buggy, RSA_generate_key_186_4 (use RSA_generate_key_fips instead)
  x509:
    added X509_NAME_ENTRY_set, X509_NAME_get0_der, X509_get0_notBefore, X509_get0_notAfter
    functions PKCS7_... were moved to openssl/pkcs7.h
    removed X509_objects_st, x509_cert_pair_st, Netscape_certificate_sequence, X509_certificate_type
  x509_vfy:
    added X509_OBJECT_get_type, X509_OBJECT_get0_X509, X509_STORE_get0_objects, X509_STORE_get0_param, X509_STORE_CTX_zero, X509_STORE_CTX_get0_untrusted
    removed x509_file_st

v. 2.3
- added Teegris support (x32 and x64): static library for regular TAs
- added Teegris support (x32 and x64): shared library for library of system cryptography
- added stack smashing protector for all supported platforms. Level of SSP is "-fstack-protector-strong"
- using internal SSP "Canary" and error handler
- added run once selftests on Teegris platform (shared library)

v. 2.2.1
- added embedding internal version of SCrypto in binaries
- added function FIPS_SCRYPTO_get_internal_version: getting the internal version in format "CL XXXXXX", where XXXXXX is the number of the CL from P4

v. 2.2
- version info of BoringSSL is 2016.03, version OpenSSL is 0x100020af, API version is "3"
- SCrypto doesn't need external libc for MC and QC
- instead of header #include "modes/internal.h", use #include "openssl/gcm.h"
- function symbol EC_GFp_mont_method() was removed; use the variable EC_GFp_mont_method directly instead
- structure EC_KEY does not have members "flags" and "version"
- structure EC_GROUP does not have member "cofactor", and added member "one"
- structure EC_POINT does not have member "Z_is_one"
- definition of BN_FLG_CONSTTIME is removed
- functions "AES_wrap_key" and "AES_unwrap_key" return "-1" on error
- symbols changed from FIPS_bssl_xxx to FIPS_SCRYPTO_xxx (to avoid confusion when reading displayed logs and analyzing RAM dumps)
- RSA 186-4 keygen PWCT is done by actual signature generation and verification using the RSA signature scheme (RSA PKCS 1.5) (FIPS 140-2 Section 4.9)
- increased the amount of entropy for DRBG (60 bytes for entropy and 20 bytes for nonce)
- KBKDF and SHA1 selftests are to be removed from FIPS section
- removed DRBG CRNGT
- RSA public exponent max size has been reduced from 64 to 33 bits

v. 2.1
- imprint script was improved and from now on it works with stripped binaries (like MC TAs in release mode). Warning: incompatible with SCrypto-2.0 imprint scheme

v. 2.0
- enabled CE (ARM Cryptography Extension)
- aarch64 for QC
- added driver version for MC, name of corresponding library has suffix "_dr"
- added constructor for QSEE 4.x
- added function ERR_print_all(): prints an error stack in a human readable form
- new imprint approach. Warning: incompatible with SCrypto-1.0 imprint scheme
- BoringSSL based version

v. 1.0
- initial version (OpenSSL based)