git.ipfire.org Git - thirdparty/openssl.git/blame - CHANGES
Sync CHANGES and NEWS files.

 OpenSSL CHANGES
 _______________

 Changes between 1.0.1e and 1.0.2 [xx XXX xxxx]

  *) New functions OPENSSL_gmtime_diff and ASN1_TIME_diff to find the
     difference in days and seconds between two tm or ASN1_TIME structures.
     [Steve Henson]

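What a day-and-seconds difference between two broken-down times involves, as an added illustration written for this page rather than taken from OpenSSL's OPENSSL_gmtime_diff or ASN1_TIME_diff: the result is whole days plus leftover seconds, normalised so both parts carry the same sign, computed with the days_from_civil calendar algorithm instead of mktime(), which is timezone-dependent and bounded by the platform's time_t. The GeneralizedTime parser, the example_days/example_secs wrappers and the sample timestamps are this example's own constructions (the parser assumes the strict YYYYMMDDHHMMSSZ form used in certificates); none of them are OpenSSL APIs.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Days since 1970-01-01 for a proleptic Gregorian date (days_from_civil
 * algorithm); m is 1..12, d is 1..31. Pure integer arithmetic, so no
 * dependence on the process timezone or on the range of time_t. */
static long days_from_civil(long y, unsigned m, unsigned d)
{
    y -= (m <= 2);                                   /* year starts in March */
    long era = (y >= 0 ? y : y - 399) / 400;
    unsigned yoe = (unsigned)(y - era * 400);                       /* [0, 399]    */
    unsigned doy = (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1; /* [0, 365]    */
    unsigned doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;           /* [0, 146096] */
    return era * 146097 + (long)doe - 719468;
}

/* (to - from) as whole days plus leftover seconds, normalised so both share a
 * sign and |secs| < 86400. Returns 0 if a field is out of range, 1 on success. */
static int tm_diff(long *pday, long *psec, const struct tm *from, const struct tm *to)
{
    const struct tm *t[2] = { from, to };
    long days[2], secs[2];
    for (int i = 0; i < 2; i++) {
        if (t[i]->tm_mon < 0 || t[i]->tm_mon > 11 || t[i]->tm_mday < 1 || t[i]->tm_mday > 31
            || t[i]->tm_hour < 0 || t[i]->tm_hour > 23 || t[i]->tm_min < 0 || t[i]->tm_min > 59
            || t[i]->tm_sec < 0 || t[i]->tm_sec > 60)
            return 0;
        days[i] = days_from_civil(t[i]->tm_year + 1900L, (unsigned)t[i]->tm_mon + 1,
                                  (unsigned)t[i]->tm_mday);
        secs[i] = t[i]->tm_hour * 3600L + t[i]->tm_min * 60L + t[i]->tm_sec;
    }
    long d = days[1] - days[0], s = secs[1] - secs[0];
    if (d > 0 && s < 0) { d--; s += 86400; }        /* borrow a day so signs agree */
    else if (d < 0 && s > 0) { d++; s -= 86400; }
    *pday = d;
    *psec = s;
    return 1;
}

/* Parse a GeneralizedTime of the exact form YYYYMMDDHHMMSSZ (UTC, as used in
 * certificates) into a struct tm. Returns 1 on success, 0 on malformed input. */
static int parse_generalized_time(const char *s, struct tm *out)
{
    int v[14];
    if (strlen(s) != 15 || s[14] != 'Z') return 0;
    for (int i = 0; i < 14; i++) {
        if (s[i] < '0' || s[i] > '9') return 0;
        v[i] = s[i] - '0';
    }
    memset(out, 0, sizeof *out);
    out->tm_year = v[0] * 1000 + v[1] * 100 + v[2] * 10 + v[3] - 1900;
    out->tm_mon  = v[4] * 10 + v[5] - 1;
    out->tm_mday = v[6] * 10 + v[7];
    out->tm_hour = v[8] * 10 + v[9];
    out->tm_min  = v[10] * 10 + v[11];
    out->tm_sec  = v[12] * 10 + v[13];
    return 1;
}

/* Difference between two GeneralizedTime strings; 0 on parse/range error. */
static int diff_strings(const char *from, const char *to, long *d, long *s)
{
    struct tm a, b;
    return parse_generalized_time(from, &a) && parse_generalized_time(to, &b)
        && tm_diff(d, s, &a, &b);
}

/* Day and second components of (to - from); LONG_MIN signals an error. */
long example_days(const char *from, const char *to)
{
    long d, s;
    return diff_strings(from, to, &d, &s) ? d : LONG_MIN;
}
long example_secs(const char *from, const char *to)
{
    long d, s;
    return diff_strings(from, to, &d, &s) ? s : LONG_MIN;
}

int main(void)
{
    /* Constructed sample validity window, not taken from any real certificate. */
    const char *not_before = "20130205000000Z", *not_after = "20130211000000Z";
    printf("%ld days, %ld seconds\n", example_days(not_before, not_after),
           example_secs(not_before, not_after));
    return 0;
}
```

The normalisation step is the part worth noting: a one-second difference across midnight yields 0 days and 1 second, not 1 day and -86399 seconds, and the leap day in February 2012 is handled by the calendar arithmetic rather than by any library call.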
  *) Add -rev test option to s_server to reverse the order of characters
     received from the client and send them back. Also prints an abbreviated
     summary of the connection parameters.
     [Steve Henson]

  *) New option -brief for s_client and s_server to print out a brief summary
     of connection parameters.
     [Steve Henson]

  *) Add callbacks for arbitrary TLS extensions.
     [Trevor Perrin <trevp@trevp.net> and Ben Laurie]

  *) New option -crl_download in several openssl utilities to download CRLs
     from the CRLDP extension in certificates.
     [Steve Henson]

  *) New options -CRL and -CRLform for s_client and s_server for CRLs.
     [Steve Henson]

  *) New function X509_CRL_diff to generate a delta CRL from the difference
     of two full CRLs. Add support to the "crl" utility.
     [Steve Henson]

  *) New functions to set the lookup_crls function and to retrieve the
     X509_STORE from an X509_STORE_CTX.
     [Steve Henson]

  *) Print out deprecated issuer and subject unique ID fields in
     certificates.
     [Steve Henson]

  *) Extend OCSP I/O functions so they can be used for simple general purpose
     HTTP as well as OCSP. New wrapper function which can be used to download
     CRLs using the OCSP API.
     [Steve Henson]

  *) Delegate command line handling in s_client/s_server to SSL_CONF APIs.
     [Steve Henson]

  *) SSL_CONF* functions. These provide a common framework for application
     configuration using configuration files or command lines.
     [Steve Henson]

  *) SSL/TLS tracing code. This parses out SSL/TLS records using the
     message callback and prints the results. Needs the compile time option
     "enable-ssl-trace". New options to s_client and s_server to enable
     tracing.
     [Steve Henson]

  *) New ctrl and macro to retrieve the supported points extension.
     Print out the extension in s_server and s_client.
     [Steve Henson]

  *) New functions to retrieve a certificate's signature and the NID of its
     signature OID.
     [Steve Henson]

  *) Add functions to retrieve and manipulate the raw cipherlist sent by a
     client to OpenSSL.
     [Steve Henson]

  *) New Suite B modes for TLS code. These use and enforce the requirements
     of RFC6460: restrict ciphersuites, only permit Suite B algorithms and
     only use Suite B curves. The Suite B modes can be set by using the
     strings "SUITEB128", "SUITEB192" or "SUITEB128ONLY" for the cipherstring.
     [Steve Henson]

  *) New chain verification flags for Suite B levels of security. Check
     that algorithms are acceptable when the flags are set in X509_verify_cert.
     [Steve Henson]

  *) Make tls1_check_chain return a set of flags indicating the checks passed
     by a certificate chain. Add additional tests to handle client
     certificates: checks for matching certificate type and issuer name
     comparison.
     [Steve Henson]

  *) If an attempt is made to use a signature algorithm not in the peer
     preference list, abort the handshake. If the client has no suitable
     signature algorithms in response to a certificate request, do not
     use the certificate.
     [Steve Henson]

  *) If the server's EC tmp key is not in the client preference list, abort
     the handshake.
     [Steve Henson]

  *) Add support for certificate stores in the CERT structure. This makes it
     possible to have different stores per SSL structure or one store in
     the parent SSL_CTX. Include distinct stores for certificate chain
     verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN
     to build and store a certificate chain in the CERT structure, returning
     an error if the chain cannot be built: this will allow applications
     to test if a chain is correctly configured.

     Note: if the CERT based stores are not set then the parent SSL_CTX
     store is used to retain compatibility with existing behaviour.

     [Steve Henson]

  *) New function ssl_set_client_disabled to set a ciphersuite disabled
     mask based on the current session; check the mask when sending the
     client hello and when checking the requested ciphersuite.
     [Steve Henson]

  *) New ctrls to retrieve and set certificate types in a certificate
     request message. Print out received values in s_client. If certificate
     types are not set with custom values, set sensible values based on
     supported signature algorithms.
     [Steve Henson]

  *) Support for distinct client and server supported signature algorithms.
     [Steve Henson]

  *) Add certificate callback. If set this is called whenever a certificate
     is required by client or server. An application can decide which
     certificate chain to present based on arbitrary criteria: for example
     supported signature algorithms. Add a very simple example to s_server.
     This fixes many of the problems and restrictions of the existing client
     certificate callback: for example you can now clear an existing
     certificate and specify the whole chain.
     [Steve Henson]

  *) Add new "valid_flags" field to CERT_PKEY structure which determines what
     the certificate can be used for (if anything). Set the valid_flags field
     in the new tls1_check_chain function. Simplify ssl_set_cert_masks which
     used to have similar checks in it.

     Add new "cert_flags" field to CERT structure and include a "strict mode".
     This enforces some TLS certificate requirements (such as only permitting
     certificate signature algorithms contained in the supported algorithms
     extension) which some implementations ignore: this option should be used
     with caution as it could cause interoperability issues.
     [Steve Henson]

  *) Update and tidy signature algorithm extension processing. Work out
     shared signature algorithms based on preferences and peer algorithms
     and print them out in s_client and s_server. Abort the handshake if
     there are no shared signature algorithms.
     [Steve Henson]

  *) Add new functions to allow customised supported signature algorithms
     for SSL and SSL_CTX structures. Add options to s_client and s_server
     to support them.
     [Steve Henson]

  *) New function SSL_certs_clear() to delete all references to certificates
     from an SSL structure. Before this, once a certificate had been added
     it couldn't be removed.
     [Steve Henson]

  *) Integrate hostname, email address and IP address checking with certificate
     verification. New verify options supporting checking in the openssl utility.
     [Steve Henson]

  *) Fixes and wildcard matching support for the hostname and email checking
     functions. Add manual page.
     [Florian Weimer (Red Hat Product Security Team)]

  *) New functions to check a hostname, email address or IP address against a
     certificate. Add options to the x509 utility to print the results of checks
     against a certificate.
     [Steve Henson]

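The kind of decision the hostname-checking functions above make, including wildcard handling, as an added example written for this page rather than taken from OpenSSL. It applies rules in the spirit of RFC 6125: case-insensitive ASCII comparison of labels, a wildcard accepted only as the entire leftmost label, covering exactly one label, and never matching a bare public suffix such as "*.com". Those rules are this example's assumptions and are stricter than some implementations (partial wildcards like "f*.example.com" are refused here); match_hostname and its helpers are the example's own names, and the sample names are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive ASCII comparison of two byte ranges. */
static int ci_equal(const char *a, size_t alen, const char *b, size_t blen)
{
    if (alen != blen) return 0;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Number of dot-separated labels in a name, or 0 if the name is empty or
 * contains an empty label (leading, trailing or doubled dot). */
static int count_labels(const char *s)
{
    if (*s == '\0' || *s == '.') return 0;
    int n = 1;
    for (const char *p = s; *p; p++) {
        if (*p == '.') {
            if (p[1] == '.' || p[1] == '\0') return 0;
            n++;
        }
    }
    return n;
}

/* Match a hostname against a name from the certificate (dNSName SAN or CN).
 * Assumed rules, in the spirit of RFC 6125:
 *   - comparison is case-insensitive on ASCII;
 *   - '*' is only accepted as the entire leftmost label ("*.example.com");
 *   - the wildcard covers exactly one non-empty label, never several;
 *   - at least two labels must follow the wildcard, so "*.com" is refused.
 * Returns 1 on match, 0 otherwise. */
int match_hostname(const char *host, const char *pattern)
{
    int host_labels = count_labels(host);
    int pat_labels  = count_labels(pattern);
    if (host_labels == 0 || pat_labels == 0) return 0;

    const char *star = strchr(pattern, '*');
    if (star == NULL)                                   /* plain name: exact match */
        return ci_equal(host, strlen(host), pattern, strlen(pattern));

    if (star != pattern || pattern[1] != '.') return 0; /* partial or non-leading wildcard */
    if (strchr(pattern + 1, '*') != NULL) return 0;     /* more than one wildcard */
    if (pat_labels < 3) return 0;                       /* "*.com" would match too much */
    if (host_labels != pat_labels) return 0;            /* wildcard spans exactly one label */
    if (strchr(host, '*') != NULL) return 0;            /* a presented hostname never contains '*' */

    /* Compare everything after the host's first label with the pattern's suffix. */
    const char *host_suffix = strchr(host, '.');
    return ci_equal(host_suffix, strlen(host_suffix), pattern + 1, strlen(pattern + 1));
}

int main(void)
{
    /* Constructed inputs; nothing here is taken from a real certificate. */
    const char *cases[][2] = {
        { "www.example.com", "*.example.com" },
        { "a.b.example.com", "*.example.com" },
        { "www.example.com", "w*.example.com" },
        { "www.example.com", "*.com" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-16s vs %-16s -> %s\n", cases[i][0], cases[i][1],
               match_hostname(cases[i][0], cases[i][1]) ? "match" : "no match");
    return 0;
}
```

The label count check is what keeps "*.example.com" from matching "a.b.example.com"; without it a wildcard certificate for one zone would be accepted for every sub-zone beneath it.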
  *) Fix OCSP checking.
     [Rob Stradling <rob.stradling@comodo.com> and Ben Laurie]

  *) Backport support for partial chain verification: if an intermediate
     certificate is explicitly trusted (using the -addtrust option to the x509
     utility for example) the verification is successful even if the chain
     is not complete.
     The OCSP checking fix depends on this backport.
     [Steve Henson and Rob Stradling <rob.stradling@comodo.com>]

  *) Add -trusted_first option which attempts to find certificates in the
     trusted store even if an untrusted chain is also supplied.
     [Steve Henson]

  *) MIPS assembly pack updates: support for MIPS32r2 and SmartMIPS ASE,
     platform support for Linux and Android.
     [Andy Polyakov]

  *) Support for linux-x32, ILP32 environment in x86_64 framework.
     [Andy Polyakov]

  *) RFC 5878 (TLS Authorization Extensions) support.
     [Emilia Kasper, Adam Langley, Ben Laurie (Google)]

  *) Experimental multi-implementation support for FIPS capable OpenSSL.
     When in FIPS mode the approved implementations are used as normal;
     when not in FIPS mode the internal unapproved versions are used instead.
     This means that the FIPS capable OpenSSL isn't forced to use the
     (often lower performance) FIPS implementations outside FIPS mode.
     [Steve Henson]

  *) Transparently support X9.42 DH parameters when calling
     PEM_read_bio_DHparameters. This means existing applications can handle
     the new parameter format automatically.
     [Steve Henson]

  *) Initial experimental support for X9.42 DH parameter format: mainly
     to support use of the 'q' parameter for RFC5114 parameters.
     [Steve Henson]

  *) Add DH parameters from RFC5114 including test data to dhtest.
     [Steve Henson]

  *) Support for automatic EC temporary key parameter selection. If enabled
     the most preferred EC parameters are automatically used instead of
     hardcoded fixed parameters. Now a server just has to call:
     SSL_CTX_set_ecdh_auto(ctx, 1) and the server will automatically
     support ECDH and use the most appropriate parameters.
     [Steve Henson]

  *) Enhance and tidy EC curve and point format TLS extension code. Use
     static structures instead of allocation if default values are used.
     New ctrls to set curves we wish to support and to retrieve shared curves.
     Print out shared curves in s_server. New options to s_server and s_client
     to set the list of supported curves.
     [Steve Henson]

  *) New ctrls to retrieve supported signature algorithms and
     supported curve values as an array of NIDs. Extend the openssl utility
     to print out received values.
     [Steve Henson]

  *) Add new APIs EC_curve_nist2nid and EC_curve_nid2nist which convert
     between NIDs and the more common NIST names such as "P-256". Enhance
     the ecparam utility and ECC method to recognise the NIST names for curves.
     [Steve Henson]

  *) Enhance SSL/TLS certificate chain handling to support different
     chains for each certificate instead of one chain in the parent SSL_CTX.
     [Steve Henson]

  *) Support for fixed DH ciphersuite client authentication: where both
     server and client use DH certificates with common parameters.
     [Steve Henson]

  *) Support for fixed DH ciphersuites: those requiring DH server
     certificates.
     [Steve Henson]

 Changes between 1.0.1d and 1.0.1e [11 Feb 2013]

  *) Correct fix for CVE-2013-0169. The original didn't work on AES-NI
     supporting platforms or when small records were transferred.
     [Andy Polyakov, Steve Henson]

 Changes between 1.0.1c and 1.0.1d [5 Feb 2013]

  *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.

     This addresses the flaw in CBC record processing discovered by
     Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
     at: http://www.isg.rhul.ac.uk/tls/

     Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
     Security Group at Royal Holloway, University of London
     (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
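The variable-time pattern that the constant-time CBC decoding change above is about, placed next to a branch-free replacement, as an added example written for this page and not taken from OpenSSL: the naive check returns at the first bad byte, so its running time depends on the secret padding contents, while ct_check_padding always examines the same number of trailing bytes regardless of pad_len and combines the results with masks. The record layout (payload || MAC || padding || pad_len), the 32-byte sample record and all function names are constructed for this example. A complete fix for TLS CBC records also has to make the MAC computation itself independent of the padding length, which this example does not cover.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define UBITS (sizeof(unsigned) * 8)

/* Branch-free mask helpers: all-ones when the relation holds, else zero.
 * Operands are assumed below 2^31 so the top bit of a difference is its sign. */
static unsigned ct_eq(unsigned a, unsigned b)
{
    unsigned x = a ^ b;                          /* zero iff a == b */
    return ((x | (0u - x)) >> (UBITS - 1)) - 1;  /* top bit of x|-x is set iff x != 0 */
}
static unsigned ct_lt(unsigned a, unsigned b)
{
    return 0u - ((a - b) >> (UBITS - 1));        /* a - b wraps (top bit set) iff a < b */
}

/* Variable-time check: exits on the first bad byte, so the time taken depends
 * on secret data. Shown only as the pattern to avoid. */
int naive_check_padding(const uint8_t *rec, size_t len, size_t mac_len, size_t *payload_len)
{
    size_t pad = rec[len - 1];
    if (len < pad + mac_len + 1) return 0;
    for (size_t i = 0; i <= pad; i++)
        if (rec[len - 1 - i] != pad) return 0;
    *payload_len = len - mac_len - pad - 1;
    return 1;
}

/* Constant-time padding check on a decrypted record laid out as
 * payload || MAC || padding || pad_len. len and mac_len are public; pad_len and
 * the padding bytes are secret. Examines min(len, 256) trailing bytes every
 * time and never branches on secret values. Returns all-ones when the padding
 * is valid, 0 otherwise; *payload_len is the payload length when valid, else 0. */
unsigned ct_check_padding(const uint8_t *rec, size_t len, size_t mac_len, size_t *payload_len)
{
    if (len == 0) { *payload_len = 0; return 0; }          /* public length, branch is fine */
    unsigned pad  = rec[len - 1];
    unsigned good = ~ct_lt((unsigned)len, pad + (unsigned)mac_len + 1); /* len >= pad+mac+1 */
    unsigned to_check = len < 256 ? (unsigned)len : 256u;   /* depends on public len only */
    for (unsigned i = 0; i < to_check; i++) {
        unsigned in_pad = ct_lt(i, pad + 1);                /* byte i from the end lies in padding */
        unsigned match  = ct_eq(rec[len - 1 - i], pad);
        good &= ~in_pad | match;                            /* every padding byte must equal pad */
    }
    *payload_len = good & (unsigned)(len - mac_len - pad - 1); /* masked to 0 when invalid */
    return good;
}

/* Constant-time equality of two byte strings of equal public length; 1 if equal. */
int ct_memeq(const uint8_t *a, const uint8_t *b, size_t n)
{
    unsigned diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (unsigned)(a[i] ^ b[i]);
    return (int)(ct_eq(diff, 0) & 1u);
}

/* Constructed sample: 5-byte payload, 20-byte MAC (SHA-1 size), six 0x06
 * padding bytes and the pad_len byte 0x06: 32 bytes, block aligned. */
static size_t build_sample(uint8_t rec[32])
{
    memcpy(rec, "hello", 5);
    memset(rec + 5, 0xAA, 20);
    memset(rec + 25, 0x06, 7);
    return 32;
}

/* Payload length accepted for the sample record, or -1 if it is rejected. */
long example_valid(void)
{
    uint8_t rec[32]; size_t plen, len = build_sample(rec);
    return ct_check_padding(rec, len, 20, &plen) ? (long)plen : -1;
}
/* Same record with one padding byte corrupted. */
long example_tampered(void)
{
    uint8_t rec[32]; size_t plen, len = build_sample(rec);
    rec[27] ^= 0x01;
    return ct_check_padding(rec, len, 20, &plen) ? (long)plen : -1;
}
/* Same record with a pad_len claiming more padding than the record holds. */
long example_overlong(void)
{
    uint8_t rec[32]; size_t plen, len = build_sample(rec);
    rec[31] = 0x40;
    return ct_check_padding(rec, len, 20, &plen) ? (long)plen : -1;
}

int main(void)
{
    printf("valid: %ld, tampered: %ld, overlong: %ld\n",
           example_valid(), example_tampered(), example_overlong());
    return 0;
}
```

The returned mask is meant to be carried forward rather than tested with an if: the caller can AND it into the MAC comparison result and emit a single "bad_record_mac" alert afterwards, so that neither the padding check nor the MAC check reveals which one failed.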