 OpenSSL CHANGES
 _______________

 Changes between 1.0.2g and 1.1.0 [xx XXX xxxx]

  *) Automatic Darwin/OSX configuration has had a refresh; it will now
     recognise x86_64 architectures automatically. You can still decide
     to build for a different bitness with the environment variable
     KERNEL_BITS (can be 32 or 64), for example:

         KERNEL_BITS=32 ./config

     [Richard Levitte]

  *) Change default algorithms in pkcs8 utility to use PKCS#5 v2.0,
     256 bit AES and HMAC with SHA256.
     [Steve Henson]

  *) Remove support for MIPS o32 ABI on IRIX (and IRIX only).
     [Andy Polyakov]

  *) Triple-DES ciphers have been moved from HIGH to MEDIUM.
     [Rich Salz]

  *) To enable users to have their own config files and build file templates,
     Configure looks in the directory indicated by the environment variable
     OPENSSL_LOCAL_CONFIG_DIR as well as the in-source Configurations/
     directory. On VMS, OPENSSL_LOCAL_CONFIG_DIR is expected to be a logical
     name and is used as is.
     [Richard Levitte]

  *) The following datatypes were made opaque: X509_OBJECT, X509_STORE_CTX,
     X509_STORE, X509_LOOKUP, and X509_LOOKUP_METHOD. The unused type
     X509_CERT_FILE_CTX was removed.
     [Rich Salz]

  *) "shared" builds are now the default. To create only static libraries use
     the "no-shared" Configure option.
     [Matt Caswell]

  *) Remove the no-aes, no-hmac, no-rsa, no-sha and no-md5 Configure options.
     None of these options has worked for some time, and they cover
     fundamental algorithms.
     [Matt Caswell]

  *) Make various cleanup routines no-ops and mark them as deprecated. Most
     global cleanup functions are no longer required because they are handled
     via auto-deinit (see OPENSSL_init_crypto and OPENSSL_init_ssl man pages).
     Explicitly de-initing can cause problems (e.g. where a library that uses
     OpenSSL de-inits, but an application is still using it). The affected
     functions are CONF_modules_free(), ENGINE_cleanup(), OBJ_cleanup(),
     EVP_cleanup(), BIO_sock_cleanup(), CRYPTO_cleanup_all_ex_data(),
     RAND_cleanup(), SSL_COMP_free_compression_methods(), ERR_free_strings() and
     COMP_zlib_cleanup().
     [Matt Caswell]

  *) --strict-warnings no longer enables runtime debugging options
     such as REF_DEBUG. Instead, debug options are automatically
     enabled with '--debug' builds.
     [Andy Polyakov, Emilia Käsper]

  *) Made DH and DH_METHOD opaque. The structures for managing DH objects
     have been moved out of the public header files. New functions for managing
     these have been added.
     [Matt Caswell]

  *) Made RSA and RSA_METHOD opaque. The structures for managing RSA
     objects have been moved out of the public header files. New
     functions for managing these have been added.
     [Richard Levitte]

  *) Made DSA and DSA_METHOD opaque. The structures for managing DSA objects
     have been moved out of the public header files. New functions for managing
     these have been added.
     [Matt Caswell]

  *) Made BIO and BIO_METHOD opaque. The structures for managing BIOs have been
     moved out of the public header files. New functions for managing these
     have been added.
     [Matt Caswell]

  *) Removed no-rijndael as a config option. Rijndael is an old name for AES.
     [Matt Caswell]

  *) Removed the mk1mf build scripts.
     [Richard Levitte]

  *) Headers are now wrapped, if necessary, with OPENSSL_NO_xxx, so
     it is always safe to #include a header now.
     [Rich Salz]

  *) Removed the aged BC-32 config and all its supporting scripts.
     [Richard Levitte]

  *) Removed support for Ultrix, Netware, and OS/2.
     [Rich Salz]

  *) Add support for HKDF.
     [Alessandro Ghedini]

  *) Add support for blake2b and blake2s.
     [Bill Cox]

  *) Added support for "pipelining". Ciphers that have the
     EVP_CIPH_FLAG_PIPELINE flag set have a capability to process multiple
     encryptions/decryptions simultaneously. There are currently no built-in
     ciphers with this property but the expectation is that engines will be able
     to offer it to significantly improve throughput. Support has been extended
     into libssl so that multiple records for a single connection can be
     processed in one go (for >=TLS 1.1).
     [Matt Caswell]

  *) Added the AFALG engine. This is an async capable engine which is able to
     offload work to the Linux kernel. In this initial version it only supports
     AES128-CBC. The kernel must be version 4.1.0 or greater.
     [Catriona Lucey]

  *) OpenSSL now uses a new threading API. It is no longer necessary to
     set locking callbacks to use OpenSSL in a multi-threaded environment. There
     are two supported threading models: pthreads and windows threads. It is
     also possible to configure OpenSSL at compile time for "no-threads". The
     old threading API should no longer be used. The functions have been
     replaced with "no-op" compatibility macros.
     [Alessandro Ghedini, Matt Caswell]

  *) Modify behavior of ALPN to invoke callback after SNI/servername
     callback, such that updates to the SSL_CTX affect ALPN.
     [Todd Short]

  *) Add SSL_CIPHER queries for authentication and key-exchange.
     [Todd Short]

  *) Changes to the DEFAULT cipherlist:
       - Prefer (EC)DHE handshakes over plain RSA.
       - Prefer AEAD ciphers over legacy ciphers.
       - Prefer ECDSA over RSA when both certificates are available.
       - Prefer TLSv1.2 ciphers/PRF.
       - Remove DSS, SEED, IDEA, CAMELLIA, and AES-CCM from the
         default cipherlist.
     [Emilia Käsper]

  *) Change the ECC default curve list to be this, in order: x25519,
     secp256r1, secp521r1, secp384r1.
     [Rich Salz]

  *) RC4 based libssl ciphersuites are now classed as "weak" ciphers and are
     disabled by default. They can be re-enabled using the
     enable-weak-ssl-ciphers option to Configure.
     [Matt Caswell]

  *) If the server has ALPN configured, but supports no protocols that the
     client advertises, send a fatal "no_application_protocol" alert.
     This behaviour is a SHALL in RFC 7301, though it isn't universally
     implemented by other servers.
     [Emilia Käsper]

  *) Add X25519 support.
     Integrate support for X25519 into EC library. This includes support
     for public and private key encoding using the format documented in
     draft-josefsson-pkix-newcurves-01: specifically X25519 uses the
     OID from that draft, encodes public keys using little endian
     format in the ECPoint structure and private keys using
     little endian form in the privateKey field of the ECPrivateKey
     structure. TLS support complies with draft-ietf-tls-rfc4492bis-06
     and uses X25519(29).

     Note: the current version supports key generation, public and
     private key encoding and ECDH key agreement using the EC API.
     Low level point operations such as EC_POINT_add(), EC_POINT_mul()
     are NOT supported.
     [Steve Henson]

  *) Deprecate SRP_VBASE_get_by_user.
     SRP_VBASE_get_by_user had inconsistent memory management behaviour.
     In order to fix an unavoidable memory leak (CVE-2016-0798),
     SRP_VBASE_get_by_user was changed to ignore the "fake user" SRP
     seed, even if the seed is configured.

     Users should use SRP_VBASE_get1_by_user instead. Note that in
     SRP_VBASE_get1_by_user, the caller must free the returned value. Note
     also that even though configuring the SRP seed attempts to hide
     invalid usernames by continuing the handshake with fake
     credentials, this behaviour is not constant time and no strong
     guarantees are made that the handshake is indistinguishable from
     that of a valid user.
     [Emilia Käsper]

  *) Configuration change; it's now possible to build dynamic engines
     without having to build shared libraries and vice versa. This
     only applies to the engines in engines/; those in crypto/engine/
     will always be built into libcrypto (i.e. "static").

     Building dynamic engines is enabled by default; to disable, use
     the configuration option "disable-dynamic-engine".

     The only requirements for building dynamic engines are the
     presence of the DSO module and building with position independent
     code, so they will also automatically be disabled if configuring
     with "disable-dso" or "disable-pic".

     The macros OPENSSL_NO_STATIC_ENGINE and OPENSSL_NO_DYNAMIC_ENGINE
     are also taken away from openssl/opensslconf.h, as they are
     irrelevant.
     [Richard Levitte]

  *) Configuration change; if there is a known flag to compile
     position independent code, it will always be applied on the
     libcrypto and libssl object files, and never on the application
     object files. This means other libraries that use routines from
     libcrypto / libssl can be made into shared libraries regardless
     of how OpenSSL was configured.

     If this isn't desirable, the configuration options "disable-pic"
     or "no-pic" can be used to disable the use of PIC. This will
     also disable building shared libraries and dynamic engines.
     [Richard Levitte]

  *) Removed JPAKE code. It was experimental and was not widely used.
     [Rich Salz]

  *) The INSTALL_PREFIX Makefile variable has been renamed to
     DESTDIR. That makes for less confusion on what this variable
     is for. Also, the configuration option --install_prefix is
     removed.
     [Richard Levitte]

  *) Heartbeat for TLS has been removed and is disabled by default
     for DTLS; configure with enable-heartbeats. Code that uses the
     old #define's might need to be updated.
     [Emilia Käsper, Rich Salz]

  *) Rename REF_CHECK to REF_DEBUG.
     [Rich Salz]

  *) New "unified" build system

     The "unified" build system is aimed to be a common system for all
     platforms we support. With it comes new support for VMS.

     This system supports building in a different directory tree
     than the source tree. It produces one Makefile (for unix family
     or lookalikes), or one descrip.mms (for VMS).

     The source of information to make the Makefile / descrip.mms is
     small files called 'build.info', holding the necessary
     information for each directory with source to compile, and a
     template in Configurations, like unix-Makefile.tmpl or
     descrip.mms.tmpl.

     We rely heavily on the perl module Text::Template.
     [Richard Levitte]

  *) Added support for auto-initialisation and de-initialisation of the library.
     OpenSSL no longer requires explicit init or deinit routines to be called,
     except in certain circumstances. See the OPENSSL_init_crypto() and
     OPENSSL_init_ssl() man pages for further information.
     [Matt Caswell]

  *) The arguments to the DTLSv1_listen function have changed. Specifically the
     "peer" argument is now expected to be a BIO_ADDR object.

  *) Rewrite of BIO networking library. The BIO library lacked consistent
     support of IPv6, and adding it required some more extensive
     modifications. This introduces the BIO_ADDR and BIO_ADDRINFO types,
     which hold all types of addresses and chains of address information.
     It also introduces a new API, with functions like BIO_socket,
     BIO_connect, BIO_listen, BIO_lookup and a rewrite of BIO_accept.
     The source/sink BIOs BIO_s_connect, BIO_s_accept and BIO_s_datagram
     have been adapted accordingly.
     [Richard Levitte]

  *) RSA_padding_check_PKCS1_type_1 now accepts inputs with and without
     the leading 0-byte.
     [Emilia Käsper]

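     As an added illustration of the relaxed check described in the entry
     above (example code written for this page, not OpenSSL's own
     RSA_padding_check_PKCS1_type_1), the following strips PKCS#1 v1.5
     type 1 padding and tolerates the optional leading 0-byte. The function
     name, the constructed sample blocks, and the 8-octet minimum for the
     padding string (taken from PKCS#1, not from this entry) are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* PKCS#1 v1.5 requires the padding string PS to be at least 8 octets. */
#define PKCS1_TYPE1_MIN_PS 8

/*
 * Strip PKCS#1 v1.5 type 1 (signature) padding from an RSA-recovered block:
 *
 *     [0x00] 0x01 0xFF ... 0xFF 0x00 <message>
 *
 * The leading 0x00 is optional: a big-number conversion may already have
 * dropped it, so the block can start directly at 0x01. This is an
 * illustration, not OpenSSL's RSA_padding_check_PKCS1_type_1.
 *
 * Returns the message length (>= 0) after copying the message into out,
 * or -1 if the padding is malformed or out is too small.
 */
int pkcs1_type1_unpad(const unsigned char *in, size_t in_len,
                      unsigned char *out, size_t out_len)
{
    size_t i = 0, ps_start, msg_len;

    if (in_len > 0 && in[0] == 0x00)     /* optional leading zero octet */
        i = 1;
    if (i >= in_len || in[i] != 0x01)    /* block type must be 1 */
        return -1;
    i++;
    ps_start = i;
    while (i < in_len && in[i] == 0xFF)  /* padding string PS */
        i++;
    if (i - ps_start < PKCS1_TYPE1_MIN_PS)
        return -1;
    if (i >= in_len || in[i] != 0x00)    /* separator before the message */
        return -1;
    i++;
    msg_len = in_len - i;
    if (msg_len > out_len)
        return -1;
    memcpy(out, in + i, msg_len);
    return (int)msg_len;
}

/* Constructed sample blocks (not real RSA output), one per code path. */
static const unsigned char BLOCK_WITH_ZERO[] = {
    0x00, 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 'h', 'i'
};
static const unsigned char BLOCK_NO_ZERO[] = {
    0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 'h', 'i'
};
static const unsigned char BLOCK_SHORT_PS[] = { 0x00, 0x01, 0xFF, 0xFF, 0x00, 'x' };
static const unsigned char BLOCK_WRONG_TYPE[] = {
    0x00, 0x02, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 'x'
};
static const unsigned char BLOCK_NO_SEPARATOR[] = {
    0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
};

/* Each helper unpads one sample block into an 8-byte buffer and returns the result code. */
static int unpad_sample(const unsigned char *blk, size_t len, unsigned char *msg)
{
    return pkcs1_type1_unpad(blk, len, msg, 8);
}
int unpad_with_zero(void)    { unsigned char m[8]; return unpad_sample(BLOCK_WITH_ZERO, sizeof BLOCK_WITH_ZERO, m); }
int unpad_no_zero(void)      { unsigned char m[8]; return unpad_sample(BLOCK_NO_ZERO, sizeof BLOCK_NO_ZERO, m); }
int unpad_short_ps(void)     { unsigned char m[8]; return unpad_sample(BLOCK_SHORT_PS, sizeof BLOCK_SHORT_PS, m); }
int unpad_wrong_type(void)   { unsigned char m[8]; return unpad_sample(BLOCK_WRONG_TYPE, sizeof BLOCK_WRONG_TYPE, m); }
int unpad_no_separator(void) { unsigned char m[8]; return unpad_sample(BLOCK_NO_SEPARATOR, sizeof BLOCK_NO_SEPARATOR, m); }

/* Returns 1 if both valid encodings recover the same two-byte message "hi". */
int unpad_messages_agree(void)
{
    unsigned char a[8], b[8];
    int la = pkcs1_type1_unpad(BLOCK_WITH_ZERO, sizeof BLOCK_WITH_ZERO, a, sizeof a);
    int lb = pkcs1_type1_unpad(BLOCK_NO_ZERO, sizeof BLOCK_NO_ZERO, b, sizeof b);
    return la == 2 && lb == 2 && memcmp(a, b, 2) == 0 && a[0] == 'h' && a[1] == 'i';
}

int main(void)
{
    printf("with zero: %d, without zero: %d, short PS: %d, wrong type: %d, no separator: %d\n",
           unpad_with_zero(), unpad_no_zero(), unpad_short_ps(),
           unpad_wrong_type(), unpad_no_separator());
    return 0;
}
```
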
  *) CRIME protection: disable compression by default, even if OpenSSL is
     compiled with zlib enabled. Applications can still enable compression
     by calling SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION), or by
     using the SSL_CONF library to configure compression.
     [Emilia Käsper]

  *) The signature of the session callback configured with
     SSL_CTX_sess_set_get_cb was changed. The read-only input buffer
     was explicitly marked as 'const unsigned char*' instead of
     'unsigned char*'.
     [Emilia Käsper]

  *) Always DPURIFY. Remove the use of uninitialized memory in the
     RNG, and other conditional uses of DPURIFY. This makes -DPURIFY a no-op.
     [Emilia Käsper]

  *) Removed many obsolete configuration items, including
        DES_PTR, DES_RISC1, DES_RISC2, DES_INT
        MD2_CHAR, MD2_INT, MD2_LONG
        BF_PTR, BF_PTR2
        IDEA_SHORT, IDEA_LONG
        RC2_SHORT, RC2_LONG, RC4_LONG, RC4_CHUNK, RC4_INDEX
     [Rich Salz, with advice from Andy Polyakov]

  *) Many BN internals have been moved to an internal header file.
     [Rich Salz with help from Andy Polyakov]

  *) Configuration and writing out the results from it has changed.
     Files such as Makefile and include/openssl/opensslconf.h are now
     produced through general templates, such as Makefile.in and
     crypto/opensslconf.h.in, and some help from the perl module
     Text::Template.

     Also, the center of configuration information is no longer
     Makefile. Instead, Configure produces a perl module in
     configdata.pm which holds most of the config data (in the hash
     table %config) and the target data that comes from the target
     configuration in one of the Configurations/*.conf files (in
     %target).
     [Richard Levitte]

  *) To clarify their intended purposes, the Configure options
     --prefix and --openssldir change their semantics, and become more
     straightforward and less interdependent.

     --prefix shall be used exclusively to give the location INSTALLTOP
     where programs, scripts, libraries, include files and manuals are
     going to be installed. The default is now /usr/local.

     --openssldir shall be used exclusively to give the default
     location OPENSSLDIR where certificates, private keys, CRLs are
     managed. This is also where the default openssl.cnf gets
     installed.
     If the directory given with this option is a relative path, the
     --prefix and --openssldir values will be combined to become
     OPENSSLDIR.
     The default for --openssldir is INSTALLTOP/ssl.

     Anyone who uses --openssldir to specify where OpenSSL is to be
     installed MUST change to use --prefix instead.
     [Richard Levitte]

  *) The GOST engine was out of date and therefore it has been removed. An up
     to date GOST engine is now being maintained in an external repository.
     See: https://wiki.openssl.org/index.php/Binaries. Libssl still retains
     support for GOST ciphersuites (these are only activated if a GOST engine
     is present).
     [Matt Caswell]

  *) EGD is no longer supported by default; use enable-egd when
     configuring.
     [Ben Kaduk and Rich Salz]

  *) The distribution now has Makefile.in files, which are used to
     create Makefiles when Configure is run. *Configure must be run
     before trying to build now.*
     [Rich Salz]

  *) The return value for SSL_CIPHER_description() for error conditions
     has changed.
     [Rich Salz]

  *) Support for RFC6698/RFC7671 DANE TLSA peer authentication.

     Obtaining and performing DNSSEC validation of TLSA records is
     the application's responsibility. The application provides
     the TLSA records of its choice to OpenSSL, and these are then
     used to authenticate the peer.

     The TLSA records need not even come from DNS. They can, for
     example, be used to implement local end-entity certificate or
     trust-anchor "pinning", where the "pin" data takes the form
     of TLSA records, which can augment or replace verification
     based on the usual WebPKI public certification authorities.
     [Viktor Dukhovni]

  *) Revert default OPENSSL_NO_DEPRECATED setting. Instead OpenSSL
     continues to support deprecated interfaces in default builds.
     However, applications are strongly advised to compile their
     source files with -DOPENSSL_API_COMPAT=0x10100000L, which hides
     the declarations of all interfaces deprecated in the 0.9.8, 1.0.0
     or 1.1.0 releases.

     In environments in which all applications have been ported to
     not use any deprecated interfaces, OpenSSL's Configure script
     should be used with the --api=1.1.0 option to entirely remove
     support for the deprecated features from the library and
     unconditionally disable them in the installed headers.
     Essentially the same effect can be achieved with the "no-deprecated"
     argument to Configure, except that this will always restrict
     the build to just the latest API, rather than a fixed API
     version.

     As applications are ported to future revisions of the API,
     they should update their compile-time OPENSSL_API_COMPAT define
     accordingly, but in most cases should be able to continue to
     compile with later releases.

     The OPENSSL_API_COMPAT versions for 1.0.0 and 0.9.8 are
     0x10000000L and 0x00908000L, respectively. However those
     versions did not support the OPENSSL_API_COMPAT feature, and
     so applications are not typically tested for explicit support
     of just the undeprecated features of either release.
     [Viktor Dukhovni]

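     To make the version values in the entry above concrete, here is an
     added example (written for this page, not OpenSSL's own headers or
     macros) that decodes the packed version number OPENSSL_API_COMPAT uses
     and shows the visibility check an application header sees. The names
     ossl_decode_version, ossl_deprecated_visible and legacy_api_is_declared,
     and the fallback default value, are assumptions for the illustration.

```c
#include <stdio.h>

/*
 * OpenSSL 1.x version numbers, and therefore OPENSSL_API_COMPAT values, are
 * packed as 0xMNNFFPPSL: M = major, NN = minor, FF = fix, PP = patch,
 * S = status. That is why 1.1.0 is 0x10100000L, 1.0.0 is 0x10000000L and
 * 0.9.8 is 0x00908000L, as the entry above lists.
 */
typedef struct {
    unsigned major, minor, fix, patch, status;
} ossl_version;

ossl_version ossl_decode_version(unsigned long v)
{
    ossl_version r;
    r.major  = (unsigned)((v >> 28) & 0xF);
    r.minor  = (unsigned)((v >> 20) & 0xFF);
    r.fix    = (unsigned)((v >> 12) & 0xFF);
    r.patch  = (unsigned)((v >> 4) & 0xFF);
    r.status = (unsigned)(v & 0xF);
    return r;
}

/*
 * An interface deprecated in release `deprecated_in` stays declared only
 * while the application's OPENSSL_API_COMPAT is below that release; this is
 * the comparison the guarded headers make. Returns 1 when still visible.
 */
int ossl_deprecated_visible(unsigned long api_compat, unsigned long deprecated_in)
{
    return api_compat < deprecated_in;
}

/*
 * The same check in preprocessor form, as an application header sees it.
 * The fallback default below is an assumption for this illustration only:
 * it keeps everything visible, matching the "deprecated interfaces still
 * supported in default builds" behaviour the entry describes.
 */
#ifndef OPENSSL_API_COMPAT
# define OPENSSL_API_COMPAT 0x00908000L
#endif
#if OPENSSL_API_COMPAT < 0x10100000L
/* hypothetical interface deprecated in 1.1.0: still declared */
int legacy_api_is_declared(void) { return 1; }
#else
/* hidden once the application opts into the 1.1.0 API */
int legacy_api_is_declared(void) { return 0; }
#endif

int main(void)
{
    ossl_version v = ossl_decode_version(0x10100000L);
    printf("0x10100000L decodes to %u.%u.%u; legacy API declared: %d\n",
           v.major, v.minor, v.fix, legacy_api_is_declared());
    return 0;
}
```

     Compiling with -DOPENSSL_API_COMPAT=0x10100000L flips legacy_api_is_declared() to 0, which is the effect the entry recommends applications aim for.
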
*) Add support for setting the minimum and maximum supported protocol.
|
|
|
|
It can bet set via the SSL_set_min_proto_version() and
|
|
|
|
SSL_set_max_proto_version(), or via the SSL_CONF's MinProtocol and
|
|
|
|
MaxProtcol. It's recommended to use the new APIs to disable
|
|
|
|
protocols instead of disabling individual protocols using
|
|
|
|
SSL_set_options() or SSL_CONF's Protocol. This change also
|
|
|
|
removes support for disabling TLS 1.2 in the OpenSSL TLS
|
|
|
|
client at compile time by defining OPENSSL_NO_TLS1_2_CLIENT.
|
|
|
|
[Kurt Roeckx]
|
|
|
|
|
|
|
|
*) Support for ChaCha20 and Poly1305 added to libcrypto and libssl.
|
|
|
|
[Andy Polyakov]
|
|
|
|
|
|
|
|
*) New EC_KEY_METHOD, this replaces the older ECDSA_METHOD and ECDH_METHOD
|
|
|
|
and integrates ECDSA and ECDH functionality into EC. Implementations can
|
|
|
|
now redirect key generation and no longer need to convert to or from
|
|
|
|
ECDSA_SIG format.
|
|
|
|
|
|
|
|
Note: the ecdsa.h and ecdh.h headers are now no longer needed and just
|
|
|
|
include the ec.h header file instead.
|
|
|
|
[Steve Henson]
|
|
|
|
|
|
|
|
*) Remove support for all 40 and 56 bit ciphers. This includes all the export
|
|
|
|
ciphers who are no longer supported and drops support the ephemeral RSA key
|
|
|
|
exchange. The LOW ciphers currently doesn't have any ciphers in it.
|
|
|
|
[Kurt Roeckx]
|
|
|
|
|
|
|
|
*) Made EVP_MD_CTX, EVP_MD, EVP_CIPHER_CTX, EVP_CIPHER and HMAC_CTX
|
|
|
|
opaque. For HMAC_CTX, the following constructors and destructors
|
|
|
|
were added:
|
|
|
|
|
|
|
|
HMAC_CTX *HMAC_CTX_new(void);
|
|
|
|
void HMAC_CTX_free(HMAC_CTX *ctx);
|
|
|
|
|
|
|
|
For EVP_MD and EVP_CIPHER, complete APIs to create, fill and
|
|
|
|
destroy such methods has been added. See EVP_MD_meth_new(3) and
|
|
|
|
EVP_CIPHER_meth_new(3) for documentation.
|
|
|
|
|
|
|
|
Additional changes:
|
|
|
|
1) EVP_MD_CTX_cleanup(), EVP_CIPHER_CTX_cleanup() and
|
|
|
|
HMAC_CTX_cleanup() were removed. HMAC_CTX_reset() and
|
|
|
|
EVP_MD_CTX_reset() should be called instead to reinitialise
|
|
|
|
an already created structure.
|
|
|
|
2) For consistency with the majority of our object creators and
|
|
|
|
destructors, EVP_MD_CTX_(create|destroy) were renamed to
|
|
|
|
EVP_MD_CTX_(new|free). The old names are retained as macros
|
|
|
|
for deprecated builds.
|
|
|
|
[Richard Levitte]
|
|
|
|
|
|
|
|
*) Added ASYNC support. Libcrypto now includes the async sub-library to enable
|
|
|
|
cryptographic operations to be performed asynchronously as long as an
|
|
|
|
asynchronous capable engine is used. See the ASYNC_start_job() man page for
|
|
|
|
further details. Libssl has also had this capability integrated with the
|
|
|
|
introduction of the new mode SSL_MODE_ASYNC and associated error
|
|
|
|
SSL_ERROR_WANT_ASYNC. See the SSL_CTX_set_mode() and SSL_get_error() man
|
|
|
|
pages. This work was developed in partnership with Intel Corp.
|
|
|
|
[Matt Caswell]
|
|
|
|
|
|
|
|
*) SSL_{CTX_}set_ecdh_auto() has been removed and ECDH is support is
|
|
|
|
always enabled now. If you want to disable the support you should
|
|
|
|
exclude it using the list of supported ciphers. This also means that the
|
|
|
|
"-no_ecdhe" option has been removed from s_server.
|
|
|
|
[Kurt Roeckx]
|
|
|
|
|
|
|
|
*) SSL_{CTX}_set_tmp_ecdh() which can set 1 EC curve now internally calls
|
|
|
|
SSL_{CTX_}set1_curves() which can set a list.
|
|
|
|
[Kurt Roeckx]
|
|
|
|
|
|
|
|
*) Remove support for SSL_{CTX_}set_tmp_ecdh_callback(). You should set the
|
|
|
|
curve you want to support using SSL_{CTX_}set1_curves().
|
|
|
|
[Kurt Roeckx]
|
|
|
|
|
|
|
|
*) State machine rewrite. The state machine code has been significantly
|
|
|
|
refactored in order to remove much duplication of code and solve issues
|
|
|
|
with the old code (see ssl/statem/README for further details). This change
|
|
|
|
does have some associated API changes. Notably the SSL_state() function
|
|
|
|
has been removed and replaced by SSL_get_state which now returns an
|
|
|
|
"OSSL_HANDSHAKE_STATE" instead of an int. SSL_set_state() has been removed
|
|
|
|
altogether. The previous handshake states defined in ssl.h and ssl3.h have
|
|
|
|
also been removed.
|
|
|
|
[Matt Caswell]
|
|
|
|
|
|
|
|
*) All instances of the string "ssleay" in the public API were replaced
|
|
|
|
with OpenSSL (case-matching; e.g., OPENSSL_VERSION for #define's)
|
|
|
|
Some error codes related to internal RSA_eay API's were renamed.
|
|
|
|
[Rich Salz]
|
|
|
|
|
|
|
|
*) The demo files in crypto/threads were moved to demo/threads.
|
|
|
|
[Rich Salz]
|
|
|
|
|
|
|
|
*) Removed obsolete engines: 4758cca, aep, atalla, cswift, nuron, gmp,
|
|
|
|
sureware and ubsec.
|
|
|
|
[Matt Caswell, Rich Salz]
|
|
|
|
|
|
|
|
*) New ASN.1 embed macro.
|
|
|
|
|
|
|
|
New ASN.1 macro ASN1_EMBED. This is the same as ASN1_SIMPLE except the
|
|
|
|
structure is not allocated: it is part of the parent. That is instead of
|
|
|
|
|
|
|
|
FOO *x;
|
|
|
|
|
|
|
|
it must be:
|
|
|
|
|
|
|
|
FOO x;
|
|
|
|
|
|
|
|
This reduces memory fragmentation and make it impossible to accidentally
|
|
|
|
set a mandatory field to NULL.
|
|
|
|
|
|
|
|
This currently only works for some fields specifically a SEQUENCE, CHOICE,
|
|
|
|
or ASN1_STRING type which is part of a parent SEQUENCE. Since it is
|
|
|
|
equivalent to ASN1_SIMPLE it cannot be tagged, OPTIONAL, SET OF or
|
|
|
|
SEQUENCE OF.
|
|
|
|
[Steve Henson]
|
|
|
|
|
|
|
|
*) Remove EVP_CHECK_DES_KEY, a compile-time option that never compiled.
|
|
|
|
[Emilia Käsper]
|
|
|
|
|
|
|
|
*) Removed DES and RC4 ciphersuites from DEFAULT. Also removed RC2 although
|
|
|
|
in 1.0.2 EXPORT was already removed and the only RC2 ciphersuite is also
|
|
|
|
an EXPORT one. COMPLEMENTOFDEFAULT has been updated accordingly to add
|
|
|
|
DES and RC4 ciphersuites.
|
|
|
|
[Matt Caswell]
|
|
|
|
|
|
|
|
*) Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs.
|
|
|
|
This changes the decoding behaviour for some invalid messages,
|
|
|
|
though the change is mostly in the more lenient direction, and
|
|
|
|
legacy behaviour is preserved as much as possible.
|
|
|
|
[Emilia Käsper]
|
|
|
|
|
|
|
|
*) Fix no-stdio build.
|
|
|
|
[ David Woodhouse <David.Woodhouse@intel.com> and also
|
|
|
|
Ivan Nestlerode <ivan.nestlerode@sonos.com> ]
|
|
|
|
|
|
|
|
*) New testing framework
|
|
|
|
The testing framework has been largely rewritten and is now using
|
|
|
|
perl and the perl modules Test::Harness and an extended variant of
|
|
|
|
Test::More called OpenSSL::Test to do its work. All test scripts in
|
|
|
|
test/ have been rewritten into test recipes, and all direct calls to
|
|
|
|
executables in test/Makefile have become individual recipes using the
|
|
|
|
simplified testing OpenSSL::Test::Simple.
|
|
|
|
|
|
|
|
For documentation on our testing modules, do:
|
|
|
|
|
|
|
|
perldoc test/testlib/OpenSSL/Test/Simple.pm
|
|
|
|
perldoc test/testlib/OpenSSL/Test.pm
|
|
|
|
|
|
|
|
[Richard Levitte]
|
|
|
|
|
|
|
|
*) Revamped memory debug; only -DCRYPTO_MDEBUG and -DCRYPTO_MDEBUG_ABORT
|
|
|
|
are used; the latter aborts on memory leaks (usually checked on exit).
|
|
|
|
Some undocumented "set malloc, etc., hooks" functions were removed
|
|
|
|
and others were changed. All are now documented.
|
|
|
|
[Rich Salz]
|
|
|
|
|
|
|
|
*) In DSA_generate_parameters_ex, if the provided seed is too short,
|
|
|
|
return an error
|
|
|
|
[Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>]
|
|
|
|
|
|
|
|
*) Rewrite PSK to support ECDHE_PSK, DHE_PSK and RSA_PSK. Add ciphersuites
|
|
|
|
from RFC4279, RFC4785, RFC5487, RFC5489.
|
|
|
|
|
|
|
|
Thanks to Christian J. Dietrich and Giuseppe D'Angelo for the
|
|
|
|
original RSA_PSK patch.
|
|
|
|
[Steve Henson]
|
|
|
|
|
|
|
|
*) Dropped support for the SSL3_FLAGS_DELAY_CLIENT_FINISHED flag. This SSLeay
|
|
|
|
era flag was never set throughout the codebase (only read). Also removed
|
|
|
|
SSL3_FLAGS_POP_BUFFER which was only used if
|
|
|
|
SSL3_FLAGS_DELAY_CLIENT_FINISHED was also set.
|
|
|
|
[Matt Caswell]
|
|
|
|
|
|
|
|
*) Changed the default name options in the "ca", "crl", "req" and "x509"
|
|
|
|
to be "oneline" instead of "compat".
|
|
|
|
[Richard Levitte]
|
|
|
|
|
|
|
|
*) Remove SSL_OP_TLS_BLOCK_PADDING_BUG. This is SSLeay legacy, we're
|
|
|
|
not aware of clients that still exhibit this bug, and the workaround
|
|
|
|
hasn't been working properly for a while.
|
|
|
|
[Emilia Käsper]
|
|
|
|
|
|
|
|
*) The return type of BIO_number_read() and BIO_number_written() as well as
|
|
|
|
the corresponding num_read and num_write members in the BIO structure has
|
|
|
|
changed from unsigned long to uint64_t. On platforms where an unsigned
|
|
|
|
long is 32 bits (e.g. Windows) these counters could overflow if >4Gb is
|
|
|
|
transferred.
|
|
|
|
[Matt Caswell]
|
|
|
|
|
|
|
|
*) Given the pervasive nature of TLS extensions it is inadvisable to run
|
|
|
|
OpenSSL without support for them. It also means that maintaining
|
|
|
|
the OPENSSL_NO_TLSEXT option within the code is very invasive (and probably
|
|
|
|
not well tested). Therefore the OPENSSL_NO_TLSEXT option has been removed.
|
|
|
|
[Matt Caswell]
|
|
|
|
|
|
|
|
*) Removed support for the two export grade static DH ciphersuites
|
|
|
|
EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites
|
|
|
|
were newly added (along with a number of other static DH ciphersuites) to
|
|
|
|
1.0.2. However the two export ones have *never* worked since they were
|
|
|
|
introduced. It seems strange in any case to be adding new export
|
|
|
|
ciphersuites, and given "logjam" it also does not seem correct to fix them.
|
|
|
|
[Matt Caswell]
|
|
|
|
|
|
|
|
*) Version negotiation has been rewritten. In particular SSLv23_method(),
|
|
|
|
SSLv23_client_method() and SSLv23_server_method() have been deprecated,
|
|
|
|
and turned into macros which simply call the new preferred function names
|
|
|
|
TLS_method(), TLS_client_method() and TLS_server_method(). All new code
|
|
|
|
should use the new names instead. Also as part of this change the ssl23.h
|
|
|
|
header file has been removed.
|
|
|
|
[Matt Caswell]
|
|
|
|
|
|
|
|
*) Support for Kerberos ciphersuites in TLS (RFC2712) has been removed. This
|
|
|
|
code and the associated standard is no longer considered fit-for-purpose.
|
|
|
|
[Matt Caswell]
|
|
|
|
|
|
|
|
*) RT2547 was closed. When generating a private key, try to make the
|
|
|
|
output file readable only by the owner. This behavior change might
|
|
|
|
be noticeable when interacting with other software.
|
|
|
|
|
|
|
|
*) Documented all exdata functions. Added CRYPTO_free_ex_index.
|
|
|
|
Added a test.
|
|
|
|
[Rich Salz]
|
|
|
|
|
|
|
|
*) Added HTTP GET support to the ocsp command.
|
|
|
|
[Rich Salz]
|
|
|
|
|
|
|
|
*) Changed default digest for the dgst and enc commands from MD5 to
|
|
|
|
sha256
|
|
|
|
[Rich Salz]
|
|
|
|
|
|
|
|
*) RAND_pseudo_bytes has been deprecated. Users should use RAND_bytes instead.
|
|
|
|
[Matt Caswell]
|
|
|
|
|
|
|
|
*) Added support for TLS extended master secret from
|
|
|
|
draft-ietf-tls-session-hash-03.txt. Thanks for Alfredo Pironti for an
|
|
|
|
initial patch which was a great help during development.
|
|
|
|
[Steve Henson]
|
|
|
|
|
|
|
|
*) All libssl internal structures have been removed from the public header
|
|
|
|
files, and the OPENSSL_NO_SSL_INTERN option has been removed (since it is
|
|
|
|
now redundant). Users should not attempt to access internal structures
|
|
|
|
directly. Instead they should use the provided API functions.
|
|
|
|
[Matt Caswell]
|
|
|
|
|
|
|
|
*) config has been changed so that by default OPENSSL_NO_DEPRECATED is used.
|
|
|
|
Access to deprecated functions can be re-enabled by running config with
|
|
|
|
"enable-deprecated". In addition applications wishing to use deprecated
|
|
|
|
functions must define OPENSSL_USE_DEPRECATED. Note that this new behaviour
|
|
|
|
will, by default, disable some transitive includes that previously existed
|
|
|
|
in the header files (e.g. ec.h will no longer, by default, include bn.h)
|
|
|
|
[Matt Caswell]
|
|
|
|
|
|
|
|
*) Added support for OCB mode. OpenSSL has been granted a patent license
|
|
|
|
compatible with the OpenSSL license for use of OCB. Details are available
|
|
|
|
at https://www.openssl.org/source/OCB-patent-grant-OpenSSL.pdf. Support
|
|
|
|
for OCB can be removed by calling config with no-ocb.
|
|
|
|
[Matt Caswell]
|
|
|
|
|
|
|
|
*) SSLv2 support has been removed. It still supports receiving a SSLv2
|
|
|
|
compatible client hello.
|
|
|
|
[Kurt Roeckx]
|
|
|
|
|
|
|
|
*) Increased the minimal RSA keysize from 256 to 512 bits [Rich Salz],
|
|
|
|
done while fixing the error code for the key-too-small case.
|
|
|
|
[Annie Yousar <a.yousar@informatik.hu-berlin.de>]
|
|
|
|
|
|
|
|
*) CA.sh has been removmed; use CA.pl instead.
|
|
|
|
[Rich Salz]
|
|
|
|
|
|
|
|
*) Removed old DES API.
|
|
|
|
[Rich Salz]
|
|
|
|
|
|
|
|
*) Remove various unsupported platforms:
    Sony NEWS4
    BEOS and BEOS_R5
    NeXT
    SUNOS
    MPE/iX
    Sinix/ReliantUNIX RM400
    DGUX
    NCR
    Tandem
    Cray
    16-bit platforms such as WIN16
[Rich Salz]

*) Clean up OPENSSL_NO_xxx #define's
    Use setbuf() and remove OPENSSL_NO_SETVBUF_IONBF
    Rename OPENSSL_SYSNAME_xxx to OPENSSL_SYS_xxx
    OPENSSL_NO_EC{DH,DSA} merged into OPENSSL_NO_EC
    OPENSSL_NO_RIPEMD160, OPENSSL_NO_RIPEMD merged into OPENSSL_NO_RMD160
    OPENSSL_NO_FP_API merged into OPENSSL_NO_STDIO
    Remove OPENSSL_NO_BIO OPENSSL_NO_BUFFER OPENSSL_NO_CHAIN_VERIFY
        OPENSSL_NO_EVP OPENSSL_NO_FIPS_ERR OPENSSL_NO_HASH_COMP
        OPENSSL_NO_LHASH OPENSSL_NO_OBJECT OPENSSL_NO_SPEED OPENSSL_NO_STACK
        OPENSSL_NO_X509 OPENSSL_NO_X509_VERIFY
    Remove MS_STATIC; it's a relic from platforms <32 bits.
[Rich Salz]

*) Cleaned up dead code
Remove all but one '#ifdef undef' which is to be looked at.
[Rich Salz]

*) Clean up calling of xxx_free routines.
Just like free(), fix most of the xxx_free routines to accept
NULL. Remove the non-null checks from callers. Save much code.
[Rich Salz]

*) Add secure heap for storage of private keys (when possible).
Add BIO_s_secmem(), CBIGNUM, etc.
Contributed by Akamai Technologies under our Corporate CLA.
[Rich Salz]

*) Experimental support for a new, fast, unbiased prime candidate generator,
bn_probable_prime_dh_coprime(). Not currently used by any prime generator.
[Felix Laurie von Massenbach <felix@erbridge.co.uk>]

*) New output format NSS in the sess_id command line tool. This allows
exporting the session id and the master key in NSS keylog format.
[Martin Kaiser <martin@kaiser.cx>]

*) Harmonize version and its documentation. -f flag is used to display
compilation flags.
[mancha <mancha1@zoho.com>]

*) Fix eckey_priv_encode so it immediately returns an error upon a failure
in i2d_ECPrivateKey. Thanks to Ted Unangst for feedback on this issue.
[mancha <mancha1@zoho.com>]

*) Fix some double frees. These are not thought to be exploitable.
[mancha <mancha1@zoho.com>]

*) A missing bounds check in the handling of the TLS heartbeat extension
can be used to reveal up to 64k of memory to a connected client or
server.

Thanks to Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix (CVE-2014-0160).
[Adam Langley, Bodo Moeller]

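The bounds check the fix adds, written out as an added example rather than OpenSSL's own code: it follows the RFC 6520 heartbeat layout (one type byte, a two-byte payload length, the payload, then at least 16 bytes of padding) and rejects any record whose declared payload length does not fit in the bytes actually received. The function names and the two sample records are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520: at least 16 bytes of padding follow the payload */

/* Return the declared payload length of a heartbeat record, or -1 when that
 * length would read past the end of the record. This is the bounds check
 * whose absence let a peer read up to 64k of process memory (CVE-2014-0160):
 * the 16-bit length field is chosen by the peer and must be compared against
 * the number of bytes actually received. */
int hb_payload_len(const unsigned char *rec, size_t rec_len)
{
    unsigned int payload;
    if (rec_len < 1 + 2 + HB_PADDING)          /* type + length + minimum padding */
        return -1;
    payload = ((unsigned int)rec[1] << 8) | rec[2];
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len)
        return -1;                             /* claims more than was received */
    return (int)payload;
}

/* Build the response, echoing only bytes proven to lie inside the request.
 * Returns the response length or -1. Padding is zeroed here; a real
 * implementation fills it with random bytes. */
int hb_build_response(const unsigned char *rec, size_t rec_len,
                      unsigned char *out, size_t out_cap)
{
    int payload = hb_payload_len(rec, rec_len);
    size_t resp_len;
    if (payload < 0)
        return -1;
    resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)payload;
    memcpy(out + 3, rec + 3, (size_t)payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)resp_len;
}

/* Constructed sample records (not from the CHANGES file): both carry the
 * 5-byte payload "hello" plus 16 bytes of padding, but BAD declares 65535. */
static const unsigned char GOOD[1 + 2 + 5 + HB_PADDING] = { HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
static const unsigned char BAD[1 + 2 + 5 + HB_PADDING]  = { HB_REQUEST, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o' };
static unsigned char RESP[64];
```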
*) Fix for the attack described in the paper "Recovering OpenSSL
ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
by Yuval Yarom and Naomi Benger. Details can be obtained from:
http://eprint.iacr.org/2014/140

Thanks to Yuval Yarom and Naomi Benger for discovering this
flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076).
[Yuval Yarom and Naomi Benger]

*) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
this fixes a limitation in previous versions of OpenSSL.
[Steve Henson]

*) Experimental encrypt-then-mac support.

Experimental support for encrypt then mac from
draft-gutmann-tls-encrypt-then-mac-02.txt

To enable it set the appropriate extension number (0x42 for the test
server) using e.g. -DTLSEXT_TYPE_encrypt_then_mac=0x42

For non-compliant peers (i.e. just about everything) this should have no
effect.

WARNING: EXPERIMENTAL, SUBJECT TO CHANGE.

[Steve Henson]

*) Add EVP support for key wrapping algorithms. To avoid problems with
existing code, the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in
the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
algorithms and include test cases.
[Steve Henson]

*) Extend CMS code to support RSA-PSS signatures and RSA-OAEP for
enveloped data.
[Steve Henson]

*) Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,
MGF1 digest and OAEP label.
[Steve Henson]

*) Make openssl verify return errors.
[Chris Palmer <palmer@google.com> and Ben Laurie]

*) New function ASN1_TIME_diff to calculate the difference between two
ASN1_TIME structures or one structure and the current time.
[Steve Henson]

*) Update fips_test_suite to support multiple command line options. New
test to induce all self test errors in sequence and check expected
failures.
[Steve Henson]

*) Add FIPS_{rsa,dsa,ecdsa}_{sign,verify} functions which digest and
sign or verify all in one operation.
[Steve Henson]

*) Add fips_algvs: a multicall fips utility incorporating all the algorithm
test programs and fips_test_suite. Includes functionality to parse
the minimal script output of fipsalgest.pl directly.
[Steve Henson]

*) Add authorisation parameter to FIPS_module_mode_set().
[Steve Henson]

*) Add FIPS selftest for ECDH algorithm using P-224 and B-233 curves.
[Steve Henson]

*) Use separate DRBG fields for internal and external flags. New function
FIPS_drbg_health_check() to perform on demand health checking. Add
generation tests to fips_test_suite with reduced health check interval to
demonstrate periodic health checking. Add "nodh" option to
fips_test_suite to skip very slow DH test.
[Steve Henson]

*) New function FIPS_get_cipherbynid() to lookup FIPS supported ciphers
based on NID.
[Steve Henson]

*) More extensive health check for DRBG checking many more failure modes.
New function FIPS_selftest_drbg_all() to handle every possible DRBG
combination: call this in fips_test_suite.
[Steve Henson]

*) Add support for Dual EC DRBG from SP800-90. Update DRBG algorithm test
and POST to handle Dual EC cases.
[Steve Henson]

*) Add support for canonical generation of DSA parameter 'g'. See
FIPS 186-3 A.2.3.

*) Add support for HMAC DRBG from SP800-90. Update DRBG algorithm test and
POST to handle HMAC cases.
[Steve Henson]

*) Add functions FIPS_module_version() and FIPS_module_version_text()
to return numerical and string versions of the FIPS module number.
[Steve Henson]

*) Rename FIPS_mode_set and FIPS_mode to FIPS_module_mode_set and
FIPS_module_mode. FIPS_mode and FIPS_mode_set will be implemented
outside the validated module in the FIPS capable OpenSSL.
[Steve Henson]

*) Minor change to DRBG entropy callback semantics. In some cases
there is no multiple of the block length between min_len and
max_len. Allow the callback to return more than max_len bytes
of entropy but discard any extra: it is the callback's responsibility
to ensure that the extra data discarded does not impact the
requested amount of entropy.
[Steve Henson]

*) Add PRNG security strength checks to RSA, DSA and ECDSA using
information in FIPS186-3, SP800-57 and SP800-131A.
[Steve Henson]

*) CCM support via EVP. Interface is very similar to GCM case except we
must supply all data in one chunk (i.e. no update, final) and the
message length must be supplied if AAD is used. Add algorithm test
support.
[Steve Henson]

*) Initial version of POST overhaul. Add POST callback to allow the status
of POST to be monitored and/or failures induced. Modify fips_test_suite
to use callback. Always run all selftests even if one fails.
[Steve Henson]

*) XTS support including algorithm test driver in the fips_gcmtest program.
Note: this does increase the maximum key length from 32 to 64 bytes but
there should be no binary compatibility issues as existing applications
will never use XTS mode.
[Steve Henson]
