| Commit | Line | Data |
|---|---|---|
| 81a6c781 | 1 | |
| f1c236f8 | 2 | OpenSSL CHANGES |
| 651d0aff RE | 3 | _______________ |
| | 4 | |
| 7b3a9b00 | 5 | Changes between 1.0.1 and 1.1.0 [xx XXX xxxx] |
| aaf35f11 | 6 | |
| b3310161 DSH | 7 | *) New build option no-ec2m to disable characteristic 2 code. |
| | 8 | [Steve Henson] |
| | 9 | |
| 30b56225 DSH | 10 | *) New build option "fipscanisteronly". This only builds fipscanister.o |
| | 11 | and (currently) associated fips utilities. Uses the file Makefile.fips |
| | 12 | instead of Makefile.org as the prototype. |
| | 13 | [Steve Henson] |
| | 14 | |
| b3d8022e DSH | 15 | *) Add some FIPS mode restrictions to GCM. Add internal IV generator. |
| | 16 | Update fips_gcmtest to use IV generator. |
| | 17 | [Steve Henson] |
| | 18 | |
| bdaa5415 DSH | 19 | *) Initial, experimental EVP support for AES-GCM. AAD can be input by |
| | 20 | setting output buffer to NULL. The *Final function must be |
| | 21 | called although it will not retrieve any additional data. The tag |
| | 22 | can be set or retrieved with a ctrl. The IV length is by default 12 |
| | 23 | bytes (96 bits) but can be set to an alternative value. If the IV |
| | 24 | length exceeds the maximum IV length (currently 16 bytes) it cannot be |
| | 25 | set before the key. |
| | 26 | [Steve Henson] |
| | 27 | |
| 3da0ca79 DSH | 28 | *) New flag in ciphers: EVP_CIPH_FLAG_CUSTOM_CIPHER. This means the |
| | 29 | underlying do_cipher function handles all cipher semantics itself |
| | 30 | including padding and finalisation. This is useful if (for example) |
| | 31 | an ENGINE cipher handles block padding itself. The behaviour of |
| | 32 | do_cipher is subtly changed if this flag is set: the return value |
| | 33 | is the number of characters written to the output buffer (zero is |
| | 34 | no longer an error code) or a negative error code. Also if the |
| d45087c6 | 35 | input buffer is NULL and length 0 finalisation should be performed. |
| 3da0ca79 DSH | 36 | [Steve Henson] |
| | 37 | |
| 2b3936e8 DSH | 38 | *) If a candidate issuer certificate is already part of the constructed |
| | 39 | path ignore it: new debug notification X509_V_ERR_PATH_LOOP for this case. |
| | 40 | [Steve Henson] |
| | 41 | |
| 7c2d4fee BM | 42 | *) Improve forward-security support: add functions |
| | 43 | |
| | 44 | void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx, int (*cb)(SSL *ssl, int is_forward_secure)) |
| | 45 | void SSL_set_not_resumable_session_callback(SSL *ssl, int (*cb)(SSL *ssl, int is_forward_secure)) |
| | 46 | |
| | 47 | for use by SSL/TLS servers; the callback function will be called whenever a |
| | 48 | new session is created, and gets to decide whether the session may be |
| | 49 | cached to make it resumable (return 0) or not (return 1). (As by the |
| | 50 | SSL/TLS protocol specifications, the session_id sent by the server will be |
| | 51 | empty to indicate that the session is not resumable; also, the server will |
| | 52 | not generate RFC 4507 (RFC 5077) session tickets.) |
| | 53 | |
| | 54 | A simple reasonable callback implementation is to return is_forward_secure. |
| | 55 | This parameter will be set to 1 or 0 depending on the ciphersuite selected |
| | 56 | by the SSL/TLS server library, indicating whether it can provide forward |
| | 57 | security. |
| | 58 | |