git.ipfire.org Git - thirdparty/openssl.git/blame - CHANGES
Partial workaround for PR#2771.
Commit Line Data
81a6c781 1
f1c236f8 2 OpenSSL CHANGES
651d0aff
RE
3 _______________
4
b9115239
DSH
5 Changes between 1.0.1 and 1.0.2 [xx XXX xxxx]
6
c3cb0691
DSH
7 *) Transparently support X9.42 DH parameters when calling
8 PEM_read_bio_DHparameters. This means existing applications can handle
9 the new parameter format automatically.
10 [Steve Henson]
11
491734eb
DSH
12 *) Initial experimental support for X9.42 DH parameter format: mainly
13 to support use of 'q' parameter for RFC5114 parameters.
14 [Steve Henson]
15
e811eff5
DSH
16 *) Add DH parameters from RFC5114 including test data to dhtest.
17 [Steve Henson]
18
e46c807e
DSH
19 *) Support for automatic EC temporary key parameter selection. If enabled
20 the most preferred EC parameters are automatically used instead of
21 hardcoded fixed parameters. Now a server just has to call:
22 SSL_CTX_set_ecdh_auto(ctx, 1) and the server will automatically
23 support ECDH and use the most appropriate parameters.
24 [Steve Henson]
25
6b870763
DSH
26 *) Enhance and tidy EC curve and point format TLS extension code. Use
27 static structures instead of allocation if default values are used.
28 New ctrls to set curves we wish to support and to retrieve shared curves.
29 Print out shared curves in s_server. New options to s_server and s_client
30 to set list of supported curves.
31 [Steve Henson]
32
55058181
DSH
33 *) New ctrls to retrieve supported signature algorithms and
34 supported curve values as an array of NIDs. Extend openssl utility
35 to print out received values.
36 [Steve Henson]
37
a068a1d0
DSH
38 *) Add new APIs EC_curve_nist2nid and EC_curve_nid2nist which convert
39 between NIDs and the more common NIST names such as "P-256". Enhance
40 ecparam utility and ECC method to recognise the NIST names for curves.
41 [Steve Henson]
42
37b16c84
DSH
43 *) Enhance SSL/TLS certificate chain handling to support different
44 chains for each certificate instead of one chain in the parent SSL_CTX.
45 [Steve Henson]
46
c523eb98
DSH
47 *) Support for fixed DH ciphersuite client authentication: where both
48 server and client use DH certificates with common parameters.
49 [Steve Henson]
50
0ffa4997
DSH
51 *) Support for fixed DH ciphersuites: those requiring DH server
52 certificates.
53 [Steve Henson]
b9115239 54
54543b95
AP
55 Changes between 1.0.1 and 1.0.1a [xx XXX xxxx]
56
57 *) Fix SEGV in Vector Permutation AES module observed in OpenSSH.
58 [Andy Polyakov]
59
f3dcae15 60 Changes between 1.0.0h and 1.0.1 [14 Mar 2012]
9472baae 61
0cd7a032
DSH
62 *) Add compatibility with old MDC2 signatures which use an ASN1 OCTET
63 STRING form instead of a DigestInfo.
64 [Steve Henson]
65
16b7c81d
DSH
66 *) The format used for MDC2 RSA signatures is inconsistent between EVP
67 and the RSA_sign/RSA_verify functions. This was made more apparent when
68 OpenSSL used RSA_sign/RSA_verify for some RSA signatures in particular
69 those which went through EVP_PKEY_METHOD in 1.0.0 and later. Detect
70 the correct format in RSA_verify so both forms transparently work.
71 [Steve Henson]
72
fc6800d1
DSH
73 *) Some servers which support TLS 1.0 can choke if we initially indicate
74 support for TLS 1.2 and later renegotiate using TLS 1.0 in the RSA
75 encrypted premaster secret. As a workaround use the maximum permitted
76 client version in client hello, this should keep such servers happy
77 and still work with previous versions of OpenSSL.
78 [Steve Henson]
79
bd6941cf
DSH
80 *) Add support for TLS/DTLS heartbeats.
81 [Robin Seggelmann <seggelmann@fh-muenster.de>]
82
6e750fcb
DSH
83 *) Add support for SCTP.
84 [Robin Seggelmann <seggelmann@fh-muenster.de>]
85
62308f3f
DSH
86 *) Improved PRNG seeding for VOS.
87 [Paul Green <Paul.Green@stratus.com>]
88
cecafcce
AP
89 *) Extensive assembler packs updates, most notably:
90
91 - x86[_64]: AES-NI, PCLMULQDQ, RDRAND support;
92 - x86[_64]: SSSE3 support (SHA1, vector-permutation AES);
93 - x86_64: bit-sliced AES implementation;
94 - ARM: NEON support, contemporary platforms optimizations;
95 - s390x: z196 support;
96 - *: GHASH and GF(2^m) multiplication implementations;
97
98 [Andy Polyakov]
99
ca0efb75
DSH
100 *) Make TLS-SRP code conformant with RFC 5054 API cleanup
101 (removal of unnecessary code)
102 [Peter Sylvester <peter.sylvester@edelweb.fr>]
103
b1d74291
BL
104 *) Add TLS key material exporter from RFC 5705.
105 [Eric Rescorla]
106
060a38a2
BL
107 *) Add DTLS-SRTP negotiation from RFC 5764.
108 [Eric Rescorla]
109
e2809bfb
BL
110 *) Add Next Protocol Negotiation,
111 http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-00. Can be
112 disabled with a no-npn flag to config or Configure. Code donated
113 by Google.
114 [Adam Langley <agl@google.com> and Ben Laurie]
115
9c37519b
BM
116 *) Add optional 64-bit optimized implementations of elliptic curves NIST-P224,
117 NIST-P256, NIST-P521, with constant-time single point multiplication on
118 typical inputs. Compiler support for the nonstandard type __uint128_t is
3d520f7c
BM
119 required to use this (present in gcc 4.4 and later, for 64-bit builds).
120 Code made available under Apache License version 2.0.
9c37519b 121
3d520f7c
BM
122 Specify "enable-ec_nistp_64_gcc_128" on the Configure (or config) command
123 line to include this in your build of OpenSSL, and run "make depend" (or
124 "make update"). This enables the following EC_METHODs:
9c37519b
BM
125
126 EC_GFp_nistp224_method()
127 EC_GFp_nistp256_method()
128 EC_GFp_nistp521_method()
129
130 EC_GROUP_new_by_curve_name() will automatically use these (while
131 EC_GROUP_new_curve_GFp() currently prefers the more flexible
132 implementations).
133