Changes between 1.0.1 and 1.1.0 [xx XXX xxxx]
+ *) Transparently support X9.42 DH parameters when calling
+ PEM_read_bio_DHparameters. This means existing applications can handle
+ the new parameter format automatically.
+ [Steve Henson]
+
+ *) Initial experimental support for X9.42 DH parameter format: mainly
+ to support use of 'q' parameter for RFC5114 parameters.
+ [Steve Henson]
+
+ *) Add DH parameters from RFC5114 including test data to dhtest.
+ [Steve Henson]
+
+ *) Update fips_test_suite to support multiple command line options. New
+ test to induce all self test errors in sequence and check expected
+ failures.
+ [Steve Henson]
+
+ *) Add FIPS_{rsa,dsa,ecdsa}_{sign,verify} functions which digest and
+ sign or verify all in one operation.
+ [Steve Henson]
+
+ *) Add fips_algvs: a multicall fips utility incorporaing all the algorithm
+ test programs and fips_test_suite. Includes functionality to parse
+ the minimal script output of fipsalgest.pl directly.
+ [Steve Henson]
+
+ *) Add authorisation parameter to FIPS_module_mode_set().
+ [Steve Henson]
+
+ *) Add FIPS selftest for ECDH algorithm using P-224 and B-233 curves.
+ [Steve Henson]
+
+ *) Use separate DRBG fields for internal and external flags. New function
+ FIPS_drbg_health_check() to perform on demand health checking. Add
+ generation tests to fips_test_suite with reduced health check interval to
+ demonstrate periodic health checking. Add "nodh" option to
+ fips_test_suite to skip very slow DH test.
+ [Steve Henson]
+
+ *) New function FIPS_get_cipherbynid() to lookup FIPS supported ciphers
+ based on NID.
+ [Steve Henson]
+
+ *) More extensive health check for DRBG checking many more failure modes.
+ New function FIPS_selftest_drbg_all() to handle every possible DRBG
+ combination: call this in fips_test_suite.
+ [Steve Henson]
+
+ *) Add support for Dual EC DRBG from SP800-90. Update DRBG algorithm test
+ and POST to handle Dual EC cases.
+ [Steve Henson]
+
+ *) Add support for canonical generation of DSA parameter 'g'. See
+ FIPS 186-3 A.2.3.
+
+ *) Add support for HMAC DRBG from SP800-90. Update DRBG algorithm test and
+ POST to handle HMAC cases.
+ [Steve Henson]
+
+ *) Add functions FIPS_module_version() and FIPS_module_version_text()
+ to return numberical and string versions of the FIPS module number.
+ [Steve Henson]
+
+ *) Rename FIPS_mode_set and FIPS_mode to FIPS_module_mode_set and
+ FIPS_module_mode. FIPS_mode and FIPS_mode_set will be implmeneted
+ outside the validated module in the FIPS capable OpenSSL.
+ [Steve Henson]
+
+ *) Minor change to DRBG entropy callback semantics. In some cases
+ there is no mutiple of the block length between min_len and
+ max_len. Allow the callback to return more than max_len bytes
+ of entropy but discard any extra: it is the callback's responsibility
+ to ensure that the extra data discarded does not impact the
+ requested amount of entropy.
+ [Steve Henson]
+
+ *) Add PRNG security strength checks to RSA, DSA and ECDSA using
+ information in FIPS186-3, SP800-57 and SP800-131A.
+ [Steve Henson]
+
+ *) CCM support via EVP. Interface is very similar to GCM case except we
+ must supply all data in one chunk (i.e. no update, final) and the
+ message length must be supplied if AAD is used. Add algorithm test
+ support.
+ [Steve Henson]
+
+ *) Initial version of POST overhaul. Add POST callback to allow the status
+ of POST to be monitored and/or failures induced. Modify fips_test_suite
+ to use callback. Always run all selftests even if one fails.
+ [Steve Henson]
+
+ *) XTS support including algorithm test driver in the fips_gcmtest program.
+ Note: this does increase the maximum key length from 32 to 64 bytes but
+ there should be no binary compatibility issues as existing applications
+ will never use XTS mode.
+ [Steve Henson]
+
+ *) Extensive reorganisation of FIPS PRNG behaviour. Remove all dependencies
+ to OpenSSL RAND code and replace with a tiny FIPS RAND API which also
+ performs algorithm blocking for unapproved PRNG types. Also do not
+ set PRNG type in FIPS_mode_set(): leave this to the application.
+ Add default OpenSSL DRBG handling: sets up FIPS PRNG and seeds with
+ the standard OpenSSL PRNG: set additional data to a date time vector.
+ [Steve Henson]
+
+ *) Rename old X9.31 PRNG functions of the form FIPS_rand* to FIPS_x931*.
+ This shouldn't present any incompatibility problems because applications
+ shouldn't be using these directly and any that are will need to rethink
+ anyway as the X9.31 PRNG is now deprecated by FIPS 140-2
+ [Steve Henson]
+
*) Extensive self tests and health checking required by SP800-90 DRBG.
Remove strength parameter from FIPS_drbg_instantiate and always
instantiate at maximum supported strength.
[Steve Henson]
- *) Add SRP support.
- [Tom Wu <tjw@cs.stanford.edu> and Ben Laurie]
-
*) Add ECDH code to fips module and fips_ecdhvs for primitives only testing.
[Steve Henson]
security.
[Emilia Käsper <emilia.kasper@esat.kuleuven.be> (Google)]
+ *) New function OPENSSL_gmtime_diff to find the difference in days
+ and seconds between two tm structures. This will be used to provide
+ additional functionality for ASN1_TIME.
+ [Steve Henson]
+
+ *) Add -trusted_first option which attempts to find certificates in the
+ trusted store even if an untrusted chain is also supplied.
+ [Steve Henson]
+
+ *) Initial experimental support for explicitly trusted non-root CAs.
+ OpenSSL still tries to build a complete chain to a root but if an
+ intermediate CA has a trust setting included that is used. The first
+ setting is used: whether to trust or reject.
+ [Steve Henson]
+
+ *) New -verify_name option in command line utilities to set verification
+ parameters by name.
+ [Steve Henson]
+
+ *) Initial CMAC implementation. WARNING: EXPERIMENTAL, API MAY CHANGE.
+ Add CMAC pkey methods.
+ [Steve Henson]
+
+ *) Experimental regnegotiation in s_server -www mode. If the client
+ browses /reneg connection is renegotiated. If /renegcert it is
+ renegotiated requesting a certificate.
+ [Steve Henson]
+
+ *) Add an "external" session cache for debugging purposes to s_server. This
+ should help trace issues which normally are only apparent in deployed
+ multi-process servers.
+ [Steve Henson]
+
+ *) Extensive audit of libcrypto with DEBUG_UNUSED. Fix many cases where
+ return value is ignored. NB. The functions RAND_add(), RAND_seed(),
+ BIO_set_cipher() and some obscure PEM functions were changed so they
+ can now return an error. The RAND changes required a change to the
+ RAND_METHOD structure.
+ [Steve Henson]
+
+ *) New macro __owur for "OpenSSL Warn Unused Result". This makes use of
+ a gcc attribute to warn if the result of a function is ignored. This
+ is enable if DEBUG_UNUSED is set. Add to several functions in evp.h
+ whose return value is often ignored.
+ [Steve Henson]
+
+ Changes between 1.0.0f and 1.0.1 [xx XXX xxxx]
+
+ *) Add -attime option to openssl utilities.
+ [Peter Eckersley <pde@eff.org>, Ben Laurie and Steve Henson]
+
+ *) Add TLS key material exporter from RFC 5705.
+ [Eric Rescorla]
+
+ *) Add DTLS-SRTP negotiation from RFC 5764.
+ [Eric Rescorla]
+
*) Add Next Protocol Negotiation,
http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-00. Can be
disabled with a no-npn flag to config or Configure. Code donated
by Google.
[Adam Langley <agl@google.com> and Ben Laurie]
+ *) Add optional 64-bit optimized implementations of elliptic curves NIST-P224,
+ NIST-P256, NIST-P521, with constant-time single point multiplication on
+ typical inputs. Compiler support for the nonstandard type __uint128_t is
+ required to use this (present in gcc 4.4 and later, for 64-bit builds).
+ Code made available under Apache License version 2.0.
+
+ Specify "enable-ec_nistp_64_gcc_128" on the Configure (or config) command
+ line to include this in your build of OpenSSL, and run "make depend" (or
+ "make update"). This enables the following EC_METHODs:
+
+ EC_GFp_nistp224_method()
+ EC_GFp_nistp256_method()
+ EC_GFp_nistp521_method()
+
+ EC_GROUP_new_by_curve_name() will automatically use these (while
+ EC_GROUP_new_curve_GFp() currently prefers the more flexible
+ implementations).
+ [Emilia Käsper, Adam Langley, Bodo Moeller (Google)]
+
*) Use type ossl_ssize_t instad of ssize_t which isn't available on
all platforms. Move ssize_t definition from e_os.h to the public
header file e_os2.h as it now appears in public header file cms.h
[Steve Henson]
- *) New function OPENSSL_gmtime_diff to find the difference in days
- and seconds between two tm structures. This will be used to provide
- additional functionality for ASN1_TIME.
- [Steve Henson]
-
*) New -sigopt option to the ca, req and x509 utilities. Additional
signature parameters can be passed using this option and in
particular PSS.
parameters r, s.
[Steve Henson]
- *) Add -trusted_first option which attempts to find certificates in the
- trusted store even if an untrusted chain is also supplied.
+ *) Password based recipient info support for CMS library: implementing
+ RFC3211.
[Steve Henson]
- *) Initial experimental support for explicitly trusted non-root CAs.
- OpenSSL still tries to build a complete chain to a root but if an
- intermediate CA has a trust setting included that is used. The first
- setting is used: whether to trust or reject.
+ *) Split password based encryption into PBES2 and PBKDF2 functions. This
+ neatly separates the code into cipher and PBE sections and is required
+ for some algorithms that split PBES2 into separate pieces (such as
+ password based CMS).
[Steve Henson]
- *) New -verify_name option in command line utilities to set verification
- parameters by name.
+ *) Session-handling fixes:
+ - Fix handling of connections that are resuming with a session ID,
+ but also support Session Tickets.
+ - Fix a bug that suppressed issuing of a new ticket if the client
+ presented a ticket with an expired session.
+ - Try to set the ticket lifetime hint to something reasonable.
+ - Make tickets shorter by excluding irrelevant information.
+ - On the client side, don't ignore renewed tickets.
+ [Adam Langley, Bodo Moeller (Google)]
+
+ *) Fix PSK session representation.
+ [Bodo Moeller]
+
+ *) Add RC4-MD5 and AESNI-SHA1 "stitched" implementations.
+
+ This work was sponsored by Intel.
+ [Andy Polyakov]
+
+ *) Add GCM support to TLS library. Some custom code is needed to split
+ the IV between the fixed (from PRF) and explicit (from TLS record)
+ portions. This adds all GCM ciphersuites supported by RFC5288 and
+ RFC5289. Generalise some AES* cipherstrings to inlclude GCM and
+ add a special AESGCM string for GCM only.
[Steve Henson]
- *) Initial CMAC implementation. WARNING: EXPERIMENTAL, API MAY CHANGE.
- Add CMAC pkey methods.
+ *) Expand range of ctrls for AES GCM. Permit setting invocation
+ field on decrypt and retrieval of invocation field only on encrypt.
[Steve Henson]
- *) Experiemental regnegotiation in s_server -www mode. If the client
- browses /reneg connection is renegotiated. If /renegcert it is
- renegotiated requesting a certificate.
+ *) Add HMAC ECC ciphersuites from RFC5289. Include SHA384 PRF support.
+ As required by RFC5289 these ciphersuites cannot be used if for
+ versions of TLS earlier than 1.2.
[Steve Henson]
- *) Add an "external" session cache for debugging purposes to s_server. This
- should help trace issues which normally are only apparent in deployed
- multi-process servers.
+ *) For FIPS capable OpenSSL interpret a NULL default public key method
+ as unset and return the appopriate default but do *not* set the default.
+ This means we can return the appopriate method in applications that
+ swicth between FIPS and non-FIPS modes.
[Steve Henson]
- *) Experiemental password based recipient info support for CMS library:
- implementing RFC3211.
+ *) Redirect HMAC and CMAC operations to FIPS module in FIPS mode. If an
+ ENGINE is used then we cannot handle that in the FIPS module so we
+ keep original code iff non-FIPS operations are allowed.
[Steve Henson]
- *) Split password based encryption into PBES2 and PBKDF2 functions. This
- neatly separates the code into cipher and PBE sections and is required
- for some algorithms that split PBES2 into separate pieces (such as
- password based CMS).
+ *) Add -attime option to openssl verify.
+ [Peter Eckersley <pde@eff.org> and Ben Laurie]
+
+ *) Redirect DSA and DH operations to FIPS module in FIPS mode.
[Steve Henson]
- *) Extensive audit of libcrypto with DEBUG_UNUSED. Fix many cases where
- return value is ignored. NB. The functions RAND_add(), RAND_seed(),
- BIO_set_cipher() and some obscure PEM functions were changed so they
- can now return an error. The RAND changes required a change to the
- RAND_METHOD structure.
+ *) Redirect ECDSA and ECDH operations to FIPS module in FIPS mode. Also use
+ FIPS EC methods unconditionally for now.
[Steve Henson]
- *) New macro __owur for "OpenSSL Warn Unused Result". This makes use of
- a gcc attribute to warn if the result of a function is ignored. This
- is enable if DEBUG_UNUSED is set. Add to several functions in evp.h
- whose return value is often ignored.
+ *) New build option no-ec2m to disable characteristic 2 code.
[Steve Henson]
-
- Changes between 1.0.0d and 1.0.1 [xx XXX xxxx]
- *) Add functions to copy EVP_PKEY_METHOD and retrieve flags and id.
+ *) Backport libcrypto audit of return value checking from 1.1.0-dev; not
+ all cases can be covered as some introduce binary incompatibilities.
[Steve Henson]
- *) Add EC_GFp_nistp224_method(), a 64-bit optimized implementation for
- elliptic curve NIST-P224 with constant-time single point multiplication on
- typical inputs. EC_GROUP_new_by_curve_name() will automatically use this
- (while EC_GROUP_new_curve_GFp() currently won't and prefers the more
- flexible implementations).
+ *) Redirect RSA operations to FIPS module including keygen,
+ encrypt, decrypt, sign and verify. Block use of non FIPS RSA methods.
+ [Steve Henson]
- The implementation requires support for the nonstandard type __uint128_t,
- and so is disabled by default. To include this in your build of OpenSSL,
- use -DEC_NISTP224_64_GCC_128 on the Configure (or config) command line,
- and run "make depend" (or "make update").
- [Emilia Käsper <emilia.kasper@esat.kuleuven.be> (Google)]
+ *) Add similar low level API blocking to ciphers.
+ [Steve Henson]
+
+ *) Low level digest APIs are not approved in FIPS mode: any attempt
+ to use these will cause a fatal error. Applications that *really* want
+ to use them can use the private_* version instead.
+ [Steve Henson]
+
+ *) Redirect cipher operations to FIPS module for FIPS builds.
+ [Steve Henson]
+
+ *) Redirect digest operations to FIPS module for FIPS builds.
+ [Steve Henson]
+
+ *) Update build system to add "fips" flag which will link in fipscanister.o
+ for static and shared library builds embedding a signature if needed.
+ [Steve Henson]
+
+ *) Output TLS supported curves in preference order instead of numerical
+ order. This is currently hardcoded for the highest order curves first.
+ This should be configurable so applications can judge speed vs strength.
+ [Steve Henson]
+
+ *) Add TLS v1.2 server support for client authentication.
+ [Steve Henson]
+
+ *) Add support for FIPS mode in ssl library: disable SSLv3, non-FIPS ciphers
+ and enable MD5.
+ [Steve Henson]
+
+ *) Functions FIPS_mode_set() and FIPS_mode() which call the underlying
+ FIPS modules versions.
+ [Steve Henson]
+
+ *) Add TLS v1.2 client side support for client authentication. Keep cache
+ of handshake records longer as we don't know the hash algorithm to use
+ until after the certificate request message is received.
+ [Steve Henson]
+
+ *) Initial TLS v1.2 client support. Add a default signature algorithms
+ extension including all the algorithms we support. Parse new signature
+ format in client key exchange. Relax some ECC signing restrictions for
+ TLS v1.2 as indicated in RFC5246.
+ [Steve Henson]
+
+ *) Add server support for TLS v1.2 signature algorithms extension. Switch
+ to new signature format when needed using client digest preference.
+ All server ciphersuites should now work correctly in TLS v1.2. No client
+ support yet and no support for client certificates.
+ [Steve Henson]
+
+ *) Initial TLS v1.2 support. Add new SHA256 digest to ssl code, switch
+ to SHA256 for PRF when using TLS v1.2 and later. Add new SHA256 based
+ ciphersuites. At present only RSA key exchange ciphersuites work with
+ TLS v1.2. Add new option for TLS v1.2 replacing the old and obsolete
+ SSL_OP_PKCS1_CHECK flags with SSL_OP_NO_TLSv1_2. New TLSv1.2 methods
+ and version checking.
+ [Steve Henson]
+
+ *) New option OPENSSL_NO_SSL_INTERN. If an application can be compiled
+ with this defined it will not be affected by any changes to ssl internal
+ structures. Add several utility functions to allow openssl application
+ to work with OPENSSL_NO_SSL_INTERN defined.
+ [Steve Henson]
+
+ *) Add SRP support.
+ [Tom Wu <tjw@cs.stanford.edu> and Ben Laurie]
+
+ *) Add functions to copy EVP_PKEY_METHOD and retrieve flags and id.
+ [Steve Henson]
*) Permit abbreviated handshakes when renegotiating using the function
SSL_renegotiate_abbreviated().
Add command line options to s_client/s_server.
[Steve Henson]
+ Changes between 1.0.0e and 1.0.0f [xx XXX xxxx]
+
+ *) Fix ssl_ciph.c set-up race.
+ [Adam Langley (Google)]
+
+ *) Fix spurious failures in ecdsatest.c.
+ [Emilia Käsper (Google)]
+
+ *) Fix the BIO_f_buffer() implementation (which was mixing different
+ interpretations of the '..._len' fields).
+ [Adam Langley (Google)]
+
+ *) Fix handling of BN_BLINDING: now BN_BLINDING_invert_ex (rather than
+ BN_BLINDING_invert_ex) calls BN_BLINDING_update, ensuring that concurrent
+ threads won't reuse the same blinding coefficients.
+
+ This also avoids the need to obtain the CRYPTO_LOCK_RSA_BLINDING
+ lock to call BN_BLINDING_invert_ex, and avoids one use of
+ BN_BLINDING_update for each BN_BLINDING structure (previously,
+ the last update always remained unused).
+ [Emilia Käsper (Google)]
+
+ *) In ssl3_clear, preserve s3->init_extra along with s3->rbuf.
+ [Bob Buckholz (Google)]
+
+ Changes between 1.0.0d and 1.0.0e [6 Sep 2011]
+
+ *) Fix bug where CRLs with nextUpdate in the past are sometimes accepted
+ by initialising X509_STORE_CTX properly. (CVE-2011-3207)
+ [Kaspar Brand <ossl@velox.ch>]
+
+ *) Fix SSL memory handling for (EC)DH ciphersuites, in particular
+ for multi-threaded use of ECDH. (CVE-2011-3210)
+ [Adam Langley (Google)]
+
+ *) Fix x509_name_ex_d2i memory leak on bad inputs.
+ [Bodo Moeller]
+
+ *) Remove hard coded ecdsaWithSHA1 signature tests in ssl code and check
+ signature public key algorithm by using OID xref utilities instead.
+ Before this you could only use some ECC ciphersuites with SHA1 only.
+ [Steve Henson]
+
+ *) Add protection against ECDSA timing attacks as mentioned in the paper
+ by Billy Bob Brumley and Nicola Tuveri, see:
+
+ http://eprint.iacr.org/2011/232.pdf
+
+ [Billy Bob Brumley and Nicola Tuveri]
+
Changes between 1.0.0c and 1.0.0d [8 Feb 2011]
*) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014
*) Change 'Configure' script to enable Camellia by default.
[NTT]
+ Changes between 0.9.8r and 0.9.8s [xx XXX xxxx]
+
+ *) Fix ssl_ciph.c set-up race.
+ [Adam Langley (Google)]
+
+ *) Fix spurious failures in ecdsatest.c.
+ [Emilia Käsper (Google)]
+
+ *) Fix the BIO_f_buffer() implementation (which was mixing different
+ interpretations of the '..._len' fields).
+ [Adam Langley (Google)]
+
+ *) Fix handling of BN_BLINDING: now BN_BLINDING_invert_ex (rather than
+ BN_BLINDING_invert_ex) calls BN_BLINDING_update, ensuring that concurrent
+ threads won't reuse the same blinding coefficients.
+
+ This also avoids the need to obtain the CRYPTO_LOCK_RSA_BLINDING
+ lock to call BN_BLINDING_invert_ex, and avoids one use of
+ BN_BLINDING_update for each BN_BLINDING structure (previously,
+ the last update always remained unused).
+ [Emilia Käsper (Google)]
+
+ *) Fix SSL memory handling for (EC)DH ciphersuites, in particular
+ for multi-threaded use of ECDH.
+ [Adam Langley (Google)]
+
+ *) Fix x509_name_ex_d2i memory leak on bad inputs.
+ [Bodo Moeller]
+
+ *) Add protection against ECDSA timing attacks as mentioned in the paper
+ by Billy Bob Brumley and Nicola Tuveri, see:
+
+ http://eprint.iacr.org/2011/232.pdf
+
+ [Billy Bob Brumley and Nicola Tuveri]
+
Changes between 0.9.8q and 0.9.8r [8 Feb 2011]
*) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014
projects / openssl.git / blobdiff