 OpenSSL CHANGES
 _______________

 Changes between 1.0.x and 1.1.0  [xx XXX xxxx]

  *) Extend CMS code to support RSA-PSS signatures and RSA-OAEP for
     enveloped data.
     [Steve Henson]

  *) Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,
     MGF1 digest and OAEP label.
     [Steve Henson]

  *) Add callbacks for arbitrary TLS extensions.
     [Trevor Perrin <trevp@trevp.net> and Ben Laurie]

  *) Support for DTLS 1.2. This adds two sets of DTLS methods: DTLS_*_method()
     supports both DTLS 1.2 and 1.0 and should use whatever version the peer
     supports, and DTLSv1_2_*_method() which supports DTLS 1.2 only.
     [Steve Henson]

  *) Make openssl verify return errors.
     [Chris Palmer <palmer@google.com> and Ben Laurie]

  *) Fix OCSP checking.
     [Rob Stradling <rob.stradling@comodo.com> and Ben Laurie]

  *) New option -crl_download in several openssl utilities to download CRLs
     from the CRLDP extension in certificates.
     [Steve Henson]

  *) Integrate hostname, email address and IP address checking with certificate
     verification. New verify options supporting checking in the openssl utility.
     [Steve Henson]

  *) New function X509_CRL_diff to generate a delta CRL from the difference
     of two full CRLs. Add support to "crl" utility.
     [Steve Henson]

  *) New options -CRL and -CRLform for s_client and s_server for CRLs.
     [Steve Henson]

  *) Extend OCSP I/O functions so they can be used for simple general purpose
     HTTP as well as OCSP. New wrapper function which can be used to download
     CRLs using the OCSP API.
     [Steve Henson]

  *) New functions to set lookup_crls callback and to retrieve
     X509_STORE from X509_STORE_CTX.
     [Steve Henson]

  *) New ctrl and macro to retrieve supported points extensions.
     Print out extension in s_server and s_client.
     [Steve Henson]

  *) New function ASN1_TIME_diff to calculate the difference between two
     ASN1_TIME structures or one structure and the current time.
     [Steve Henson]

  *) Fixes and wildcard matching support to hostname and email checking
     functions. Add manual page.
     [Florian Weimer (Red Hat Product Security Team)]

  *) New experimental SSL_CONF* functions. These provide a common framework
     for application configuration using configuration files or command lines.
     [Steve Henson]

  *) New functions to check a hostname, email or IP address against a
     certificate. Add options to the x509 utility to print results of checks
     against a certificate.
     [Steve Henson]

  *) Add -rev test option to s_server to just reverse the order of characters
     received by client and send back to server. Also prints an abbreviated
     summary of the connection parameters.
     [Steve Henson]

  *) New option -brief for s_client and s_server to print out a brief summary
     of connection parameters.
     [Steve Henson]

  *) Add functions to retrieve and manipulate the raw cipherlist sent by a
     client to OpenSSL.
     [Steve Henson]

  *) New Suite B modes for TLS code. These use and enforce the requirements
     of RFC6460: restrict ciphersuites, only permit Suite B algorithms and
     only use Suite B curves. The Suite B modes can be set by using the
     strings "SUITEB128", "SUITEB192" or "SUITEB128ONLY" for the cipherstring.
     [Steve Henson]

  *) New chain verification flags for Suite B levels of security. Check
     algorithms are acceptable when flags are set in X509_verify_cert.
     [Steve Henson]

  *) Make tls1_check_chain return a set of flags indicating checks passed
     by a certificate chain. Add additional tests to handle client
     certificates: checks for matching certificate type and issuer name
     comparison.
     [Steve Henson]

  *) If an attempt is made to use a signature algorithm not in the peer
     preference list, abort the handshake. If the client has no suitable
     signature algorithms in response to a certificate request, do not
     use the certificate.
     [Steve Henson]

  *) If the server EC tmp key is not in the client preference list, abort the
     handshake.
     [Steve Henson]

  *) Add support for certificate stores in CERT structure. This makes it
     possible to have different stores per SSL structure or one store in
     the parent SSL_CTX. Include distinct stores for certificate chain
     verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN
     to build and store a certificate chain in CERT structure: returning
     an error if the chain cannot be built: this will allow applications
     to test if a chain is correctly configured.

     Note: if the CERT based stores are not set then the parent SSL_CTX
     store is used to retain compatibility with existing behaviour.

     [Steve Henson]

  *) New function ssl_set_client_disabled to set a ciphersuite disabled
     mask based on the current session; check the mask when sending the client
     hello and when checking the requested ciphersuite.
     [Steve Henson]

  *) New ctrls to retrieve and set certificate types in a certificate
     request message. Print out received values in s_client. If certificate
     types are not set with custom values, set sensible values based on
     supported signature algorithms.
     [Steve Henson]

  *) Support for distinct client and server supported signature algorithms.
     [Steve Henson]

  *) Add certificate callback. If set this is called whenever a certificate
     is required by client or server. An application can decide which
     certificate chain to present based on arbitrary criteria: for example
     supported signature algorithms. Add very simple example to s_server.
     This fixes many of the problems and restrictions of the existing client
     certificate callback: for example you can now clear an existing
     certificate and specify the whole chain.
     [Steve Henson]

  *) Add new "valid_flags" field to CERT_PKEY structure which determines what
     the certificate can be used for (if anything). Set valid_flags field
     in new tls1_check_chain function. Simplify ssl_set_cert_masks which used
     to have similar checks in it.

     Add new "cert_flags" field to CERT structure and include a "strict mode".
     This enforces some TLS certificate requirements (such as only permitting
     certificate signature algorithms contained in the supported algorithms
     extension) which some implementations ignore: this option should be used
     with caution as it could cause interoperability issues.
     [Steve Henson]

  *) Update and tidy signature algorithm extension processing. Work out
     shared signature algorithms based on preferences and peer algorithms
     and print them out in s_client and s_server. Abort handshake if no
     shared signature algorithms.
     [Steve Henson]

  *) Add new functions to allow customised supported signature algorithms
     for SSL and SSL_CTX structures. Add options to s_client and s_server
     to support them.
     [Steve Henson]

  *) New function SSL_certs_clear() to delete all references to certificates
     from an SSL structure. Before this, once a certificate had been added
     it couldn't be removed.
     [Steve Henson]

  *) Initial SSL tracing code. This parses out SSL/TLS records using the
     message callback and prints the results. Needs compile time option
     "enable-ssl-trace". New options to s_client and s_server to enable
     tracing.
     [Steve Henson]

  *) New functions to retrieve certificate signature and signature
     OID NID.
     [Steve Henson]

  *) Print out deprecated issuer and subject unique ID fields in
     certificates.
     [Steve Henson]

  *) Update fips_test_suite to support multiple command line options. New
     test to induce all self test errors in sequence and check expected
     failures.
     [Steve Henson]

  *) Add FIPS_{rsa,dsa,ecdsa}_{sign,verify} functions which digest and
     sign or verify all in one operation.
     [Steve Henson]

  *) Add fips_algvs: a multicall fips utility incorporating all the algorithm
     test programs and fips_test_suite. Includes functionality to parse
     the minimal script output of fipsalgest.pl directly.
     [Steve Henson]

  *) Add authorisation parameter to FIPS_module_mode_set().
     [Steve Henson]

  *) Add FIPS selftest for ECDH algorithm using P-224 and B-233 curves.
     [Steve Henson]

  *) Use separate DRBG fields for internal and external flags. New function
     FIPS_drbg_health_check() to perform on demand health checking. Add
     generation tests to fips_test_suite with reduced health check interval to
     demonstrate periodic health checking. Add "nodh" option to
     fips_test_suite to skip very slow DH test.
     [Steve Henson]

  *) New function FIPS_get_cipherbynid() to lookup FIPS supported ciphers
     based on NID.
     [Steve Henson]

  *) More extensive health check for DRBG checking many more failure modes.
     New function FIPS_selftest_drbg_all() to handle every possible DRBG
     combination: call this in fips_test_suite.
     [Steve Henson]

  *) Add support for Dual EC DRBG from SP800-90. Update DRBG algorithm test
     and POST to handle Dual EC cases.
     [Steve Henson]

  *) Add support for canonical generation of DSA parameter 'g'. See
     FIPS 186-3 A.2.3.

  *) Add support for HMAC DRBG from SP800-90. Update DRBG algorithm test and
     POST to handle HMAC cases.
     [Steve Henson]

  *) Add functions FIPS_module_version() and FIPS_module_version_text()
     to return numerical and string versions of the FIPS module number.
     [Steve Henson]

  *) Rename FIPS_mode_set and FIPS_mode to FIPS_module_mode_set and
     FIPS_module_mode. FIPS_mode and FIPS_mode_set will be implemented
     outside the validated module in the FIPS capable OpenSSL.
     [Steve Henson]

  *) Minor change to DRBG entropy callback semantics. In some cases
     there is no multiple of the block length between min_len and
     max_len. Allow the callback to return more than max_len bytes
     of entropy but discard any extra: it is the callback's responsibility
     to ensure that the extra data discarded does not impact the
     requested amount of entropy.
     [Steve Henson]

  *) Add PRNG security strength checks to RSA, DSA and ECDSA using
     information in FIPS186-3, SP800-57 and SP800-131A.
     [Steve Henson]

  *) CCM support via EVP. Interface is very similar to GCM case except we
     must supply all data in one chunk (i.e. no update, final) and the
     message length must be supplied if AAD is used. Add algorithm test
     support.
     [Steve Henson]

  *) Initial version of POST overhaul. Add POST callback to allow the status
     of POST to be monitored and/or failures induced. Modify fips_test_suite
     to use callback. Always run all selftests even if one fails.
     [Steve Henson]

  *) XTS support including algorithm test driver in the fips_gcmtest program.
     Note: this does increase the maximum key length from 32 to 64 bytes but
     there should be no binary compatibility issues as existing applications
     will never use XTS mode.
     [Steve Henson]

  *) Extensive reorganisation of FIPS PRNG behaviour. Remove all dependencies
     on OpenSSL RAND code and replace with a tiny FIPS RAND API which also
     performs algorithm blocking for unapproved PRNG types. Also do not
     set PRNG type in FIPS_mode_set(): leave this to the application.
     Add default OpenSSL DRBG handling: sets up FIPS PRNG and seeds with
     the standard OpenSSL PRNG: set additional data to a date time vector.
     [Steve Henson]

  *) Rename old X9.31 PRNG functions of the form FIPS_rand* to FIPS_x931*.
     This shouldn't present any incompatibility problems because applications
     shouldn't be using these directly and any that are will need to rethink
     anyway as the X9.31 PRNG is now deprecated by FIPS 140-2.
     [Steve Henson]

  *) Extensive self tests and health checking required by SP800-90 DRBG.
     Remove strength parameter from FIPS_drbg_instantiate and always
     instantiate at maximum supported strength.
     [Steve Henson]

  *) Add ECDH code to fips module and fips_ecdhvs for primitives only testing.
     [Steve Henson]

  *) New algorithm test program fips_dhvs to handle DH primitives only testing.
     [Steve Henson]

  *) New function DH_compute_key_padded() to compute a DH key and pad with
     leading zeroes if needed: this complies with SP800-56A et al.
     [Steve Henson]

  *) Initial implementation of SP800-90 DRBGs for Hash and CTR. Not used by
     anything, incomplete, subject to change and largely untested at present.
     [Steve Henson]

  *) Modify fipscanisteronly build option to only build the necessary object
     files by filtering FIPS_EX_OBJ through a perl script in crypto/Makefile.
     [Steve Henson]

  *) Add experimental option FIPSSYMS to give all symbols in
     fipscanister.o a FIPS or fips prefix. This will avoid
     conflicts with future versions of OpenSSL. Add perl script
     util/fipsas.pl to preprocess assembly language source files
     and rename any affected symbols.
     [Steve Henson]

  *) Add selftest checks and algorithm block of non-fips algorithms in
     FIPS mode. Remove DES2 from selftests.
     [Steve Henson]

  *) Add ECDSA code to fips module. Add tiny fips_ecdsa_check to just
     return internal method without any ENGINE dependencies. Add new
     tiny fips sign and verify functions.
     [Steve Henson]

  *) New build option no-ec2m to disable characteristic 2 code.
     [Steve Henson]

  *) New build option "fipscanisteronly". This only builds fipscanister.o
     and (currently) associated fips utilities. Uses the file Makefile.fips
     instead of Makefile.org as the prototype.
     [Steve Henson]

  *) Add some FIPS mode restrictions to GCM. Add internal IV generator.
     Update fips_gcmtest to use IV generator.
     [Steve Henson]

  *) Initial, experimental EVP support for AES-GCM. AAD can be input by
     setting the output buffer to NULL. The *Final function must be
     called although it will not retrieve any additional data. The tag
     can be set or retrieved with a ctrl. The IV length is by default 12
     bytes (96 bits) but can be set to an alternative value. If the IV
     length exceeds the maximum IV length (currently 16 bytes) it cannot be
     set before the key.
     [Steve Henson]

  *) New flag in ciphers: EVP_CIPH_FLAG_CUSTOM_CIPHER. This means the
     underlying do_cipher function handles all cipher semantics itself
     including padding and finalisation. This is useful if (for example)
     an ENGINE cipher handles block padding itself. The behaviour of
     do_cipher is subtly changed if this flag is set: the return value
     is the number of characters written to the output buffer (zero is
     no longer an error code) or a negative error code. Also if the
     input buffer is NULL and length 0, finalisation should be performed.
     [Steve Henson]

  *) If a candidate issuer certificate is already part of the constructed
     path, ignore it: new debug notification X509_V_ERR_PATH_LOOP for this case.
     [Steve Henson]

  *) Improve forward-security support: add functions

     void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx, int (*cb)(SSL *ssl, int is_forward_secure))
     void SSL_set_not_resumable_session_callback(SSL *ssl, int (*cb)(SSL *ssl, int is_forward_secure))

     for use by SSL/TLS servers; the callback function will be called whenever a
     new session is created, and gets to decide whether the session may be
     cached to make it resumable (return 0) or not (return 1). (As by the
     SSL/TLS protocol specifications, the session_id sent by the server will be
     empty to indicate that the session is not resumable; also, the server will
     not generate RFC 4507 (RFC 5077) session tickets.)

     A simple reasonable callback implementation is to return is_forward_secure.
     This parameter will be set to 1 or 0 depending on the ciphersuite selected
     by the SSL/TLS server library, indicating whether it can provide forward
     security.
308 | *) Modify fipscanisteronly build option to only build the necessary object |
309 | files by filtering FIPS_EX_OBJ through a perl script in crypto/Makefile. | |
310 | [Steve Henson] | |
311 | ||
017bc57b DSH |
312 | *) Add experimental option FIPSSYMS to give all symbols in |
313 | fipscanister.o and FIPS or fips prefix. This will avoid | |
5d439d69 DSH |
314 | conflicts with future versions of OpenSSL. Add perl script |
315 | util/fipsas.pl to preprocess assembly language source files | |
316 | and rename any affected symbols. | |
017bc57b DSH |
317 | [Steve Henson] |
318 | ||
25c65429 DSH |
319 | *) Add selftest checks and algorithm block of non-fips algorithms in |
320 | FIPS mode. Remove DES2 from selftests. | |
321 | [Steve Henson] | |
322 | ||
fe26d066 DSH |
323 | *) Add ECDSA code to fips module. Add tiny fips_ecdsa_check to just |
324 | return internal method without any ENGINE dependencies. Add new | |
25c65429 | 325 | tiny fips sign and verify functions. |
fe26d066 DSH |
326 | [Steve Henson] |
327 | ||
b3310161 DSH |
328 | *) New build option no-ec2m to disable characteristic 2 code. |
329 | [Steve Henson] | |
330 | ||
30b56225 DSH |
331 | *) New build option "fipscanisteronly". This only builds fipscanister.o |
332 | and (currently) associated fips utilities. Uses the file Makefile.fips | |
333 | instead of Makefile.org as the prototype. | |
334 | [Steve Henson] | |
335 | ||
b3d8022e DSH |
336 | *) Add some FIPS mode restrictions to GCM. Add internal IV generator. |
337 | Update fips_gcmtest to use IV generator. | |
338 | [Steve Henson] | |
339 | ||
bdaa5415 DSH |
340 | *) Initial, experimental EVP support for AES-GCM. AAD can be input by |
341 | setting output buffer to NULL. The *Final function must be | |
342 | called although it will not retrieve any additional data. The tag | |
343 | can be set or retrieved with a ctrl. The IV length is by default 12 | |
344 | bytes (96 bits) but can be set to an alternative value. If the IV | |
345 | length exceeds the maximum IV length (currently 16 bytes) it cannot be | |
346 | set before the key. | |
347 | [Steve Henson] | |
348 | ||
3da0ca79 DSH |
349 | *) New flag in ciphers: EVP_CIPH_FLAG_CUSTOM_CIPHER. This means the |
350 | underlying do_cipher function handles all cipher semantics itself | |
351 | including padding and finalisation. This is useful if (for example) | |
352 | an ENGINE cipher handles block padding itself. The behaviour of | |
353 | do_cipher is subtly changed if this flag is set: the return value | |
354 | is the number of characters written to the output buffer (zero is | |
355 | no longer an error code) or a negative error code. Also if the | |
d45087c6 | 356 | input buffer is NULL and length 0 finalisation should be performed. |
3da0ca79 DSH |
357 | [Steve Henson] |
358 | ||
2b3936e8 DSH |
359 | *) If a candidate issuer certificate is already part of the constructed |
360 | path ignore it: new debug notification X509_V_ERR_PATH_LOOP for this case. | |
361 | [Steve Henson] | |
362 | ||
7c2d4fee BM |
363 | *) Improve forward-security support: add functions |
364 | ||
365 | void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx, int (*cb)(SSL *ssl, int is_forward_secure)) | |
366 | void SSL_set_not_resumable_session_callback(SSL *ssl, int (*cb)(SSL *ssl, int is_forward_secure)) | |
367 | ||
368 | for use by SSL/TLS servers; the callback function will be called whenever a | |
369 | new session is created, and gets to decide whether the session may be | |
370 | cached to make it resumable (return 0) or not (return 1). (As by the | |
371 | SSL/TLS protocol specifications, the session_id sent by the server will be | |
372 | empty to indicate that the session is not resumable; also, the server will | |
373 | not generate RFC 4507 (RFC 5077) session tickets.) | |
374 | ||
375 | A simple reasonable callback implementation is to return is_forward_secure. | |
376 | This parameter will be set to 1 or 0 depending on the ciphersuite selected | |
377 | by the SSL/TLS server library, indicating whether it can provide forward | |
378 | security. | |
379 |