Commit | Line | Data |
---|---|---|
81a6c781 | 1 | |
f1c236f8 | 2 | OpenSSL CHANGES |
651d0aff RE |
3 | _______________ |
4 | ||
399a6f0b DSH |
5 | Changes between 0.9.8b and 0.9.9 [xx XXX xxxx] |
6 | ||
48fc582f BM |
7 | *) In addition to the numerical (unsigned long) thread ID, provide |
8 | for a pointer (void *) thread ID. This helps accommodate systems | |
9 | that do not provide an unsigned long thread ID. OpenSSL assumes | |
10 | it is in the same thread iff both the numerical and the pointer | |
11 | thread ID agree; so applications are just required to define one | |
12 | of them appropriately (e.g., by using a pointer to a per-thread | |
13 | memory object malloc()ed by the application for the pointer-type | |
14 | thread ID). Exactly analogous to the existing functions | |
15 | ||
16 | void CRYPTO_set_id_callback(unsigned long (*func)(void)); | |
17 | unsigned long (*CRYPTO_get_id_callback(void))(void); | |
18 | unsigned long CRYPTO_thread_id(void); | |
19 | ||
20 | we now have additional functions | |
21 | ||
22 | void CRYPTO_set_idptr_callback(void *(*func)(void)); | |
23 | void *(*CRYPTO_get_idptr_callback(void))(void); | |
24 | void *CRYPTO_thread_idptr(void); | |
25 | ||
26 | also in <openssl/crypto.h>. The default value for | |
27 | CRYPTO_thread_idptr() if the application has not provided its own | |
28 | callback is &errno. | |
29 | [Bodo Moeller] | |
30 | ||
c4e7870a BM |
31 | *) Change the array representation of binary polynomials: the list |
32 | of degrees of non-zero coefficients is now terminated with -1. | |
33 | Previously it was terminated with 0, which was also part of the | |
34 | value; thus, the array representation was not applicable to | |
35 | polynomials where t^0 has coefficient zero. This change makes | |
36 | the array representation useful in a more general context. | |
37 | [Douglas Stebila] | |
38 | ||
89bbe14c BM |
39 | *) Various modifications and fixes to SSL/TLS cipher string |
40 | handling. For ECC, the code now distinguishes between fixed ECDH | |
41 | with RSA certificates on the one hand and with ECDSA certificates | |
42 | on the other hand, since these are separate ciphersuites. The | |
43 | unused code for Fortezza ciphersuites has been removed. | |
44 | ||
45 | For consistency with EDH, ephemeral ECDH is now called "EECDH" | |
46 | (not "ECDHE"). For consistency with the code for DH | |
47 | certificates, use of ECDH certificates is now considered ECDH | |
48 | authentication, not RSA or ECDSA authentication (the latter is | |
49 | merely the CA's signing algorithm and not actively used in the | |
50 | protocol). | |
51 | ||
52 | The temporary ciphersuite alias "ECCdraft" is no longer | |
53 | available, and ECC ciphersuites are no longer excluded from "ALL" | |
54 | and "DEFAULT". The following aliases now exist for RFC 4492 | |
55 | ciphersuites, most of these by analogy with the DH case: | |
56 | ||
57 | kECDHr - ECDH cert, signed with RSA | |
58 | kECDHe - ECDH cert, signed with ECDSA | |
59 | kECDH - ECDH cert (signed with either RSA or ECDSA) | |
60 | kEECDH - ephemeral ECDH | |
61 | ECDH - ECDH cert or ephemeral ECDH | |
62 | ||
63 | aECDH - ECDH cert | |
64 | aECDSA - ECDSA cert | |
65 | ECDSA - ECDSA cert | |
66 | ||
67 | AECDH - anonymous ECDH | |
68 | EECDH - non-anonymous ephemeral ECDH (equivalent to "kEECDH:-AECDH") | |
69 | ||
70 | [Bodo Moeller] | |
71 | ||
fb7b3932 DSH |
72 | *) Add additional S/MIME capabilities for AES and GOST ciphers if supported. |
73 | Use correct micalg parameters depending on digest(s) in signed message. | |
74 | [Steve Henson] | |
75 | ||
01b8b3c7 DSH |
76 | *) Add engine support for EVP_PKEY_ASN1_METHOD. Add functions to process |
77 | an ENGINE asn1 method. Support ENGINE lookups in the ASN1 code. | |
78 | [Steve Henson] | |
de9fcfe3 | 79 | |
58aa573a | 80 | *) Initial engine support for EVP_PKEY_METHOD. New functions to permit |
c9777d26 DSH |
81 | an engine to register a method. Add ENGINE lookups for methods and |
82 | functional reference processing. | |
58aa573a DSH |
83 | [Steve Henson] |
84 | ||
91c9e621 DSH |
85 | *) New functions EVP_Digest{Sign,Verify}*. These are enhanced versions of
86 | EVP_{Sign,Verify}* which allow an application to customise the signature | |
87 | process. | |
88 | [Steve Henson] | |
89 | ||
55311921 DSH |
90 | *) New -resign option to smime utility. This adds one or more signers |
91 | to an existing PKCS#7 signedData structure. Also -md option to use an | |
92 | alternative message digest algorithm for signing. | |
93 | [Steve Henson] | |
94 | ||
a6e7fcd1 DSH |
95 | *) Tidy up PKCS#7 routines and add new functions to make it easier to |
96 | create PKCS7 structures containing multiple signers. Update smime | |
97 | application to support multiple signers. | |
98 | [Steve Henson] | |
99 | ||
121dd39f DSH |
100 | *) New -macalg option to pkcs12 utility to allow setting of an alternative |
101 | digest MAC. | |
102 | [Steve Henson] | |
103 | ||
856640b5 | 104 | *) Initial support for PKCS#5 v2.0 PRFs other than default SHA1 HMAC. |
b8f702a0 | 105 | Reorganize PBE internals to lookup from a static table using NIDs, |
6d3a1eac DSH |
106 | add support for HMAC PBE OID translation. Add an EVP_CIPHER ctrl:
107 | EVP_CTRL_PBE_PRF_NID; this allows a cipher to specify an alternative | |
108 | PRF which will be automatically used with PBES2. | |
856640b5 DSH |
109 | [Steve Henson] |
110 | ||
34b3c72e | 111 | *) Replace the algorithm specific calls to generate keys in "req" with the |
959e8dfe DSH |
112 | new API. |
113 | [Steve Henson] | |
114 | ||
399a6f0b DSH |
115 | *) Update PKCS#7 enveloped data routines to use new API. This is now |
116 | supported by any public key method supporting the encrypt operation. A | |
117 | ctrl is added to allow the public key algorithm to examine or modify | |
118 | the PKCS#7 RecipientInfo structure if it needs to: for RSA this is | |
119 | a no op. | |
120 | [Steve Henson] | |
28e4fe34 | 121 | |
03919683 DSH |
122 | *) Add a ctrl to asn1 method to allow a public key algorithm to express |
123 | a default digest type to use. In most cases this will be SHA1 but some | |
124 | algorithms (such as GOST) need to specify an alternative digest. The | |
125 | return value indicates how strong the preference is: 1 means optional and | |
126 | 2 is mandatory (that is it is the only supported type). Modify | |
127 | ASN1_item_sign() to accept a NULL digest argument to indicate it should | |
128 | use the default md. Update openssl utilities to use the default digest | |
129 | type for signing if it is not explicitly indicated. | |
130 | [Steve Henson] | |
131 | ||
ee1d9ec0 DSH |
132 | *) Use OID cross reference table in ASN1_sign() and ASN1_verify(). New |
133 | EVP_MD flag EVP_MD_FLAG_PKEY_METHOD_SIGNATURE. This uses the relevant | |
134 | signing method from the key type. This effectively removes the link | |
135 | between digests and public key types. | |
136 | [Steve Henson] | |
137 | ||
d2027098 DSH |
138 | *) Add an OID cross reference table and utility functions. Its purpose is to |
139 | translate between signature OIDs such as SHA1WithrsaEncryption and SHA1, | |
140 | rsaEncryption. This will allow some of the algorithm specific hackery | |
141 | needed to use the correct OID to be removed. | |
142 | [Steve Henson] | |
143 | ||
492a9e24 DSH |
144 | *) Remove algorithm specific dependencies when setting PKCS7_SIGNER_INFO |
145 | structures for PKCS7_sign(). They are now set up by the relevant public | |
146 | key ASN1 method. | |
147 | [Steve Henson] | |
148 | ||
9ca7047d DSH |
149 | *) Add provisional EC pkey method with support for ECDSA and ECDH. |
150 | [Steve Henson] | |
151 | ||
ffb1ac67 DSH |
152 | *) Add support for key derivation (agreement) in the API, DH method and |
153 | pkeyutl. | |
154 | [Steve Henson] | |
155 | ||
3ba0885a DSH |
156 | *) Add DSA pkey method and DH pkey methods, extend DH ASN1 method to support |
157 | public and private key formats. As a side effect these add additional | |
158 | command line functionality not previously available: DSA signatures can be | |
159 | generated and verified using pkeyutl and DH key support and generation in | |
160 | pkey, genpkey. | |
161 | [Steve Henson] | |
162 | ||
4700aea9 UM |
163 | *) BeOS support. |
164 | [Oliver Tappe <zooey@hirschkaefer.de>] | |
165 | ||
166 | *) New make target "install_html_docs" installs HTML renditions of the | |
167 | manual pages. | |
168 | [Oliver Tappe <zooey@hirschkaefer.de>] | |
169 | ||
f5cda4cb DSH |
170 | *) New utility "genpkey"; this is analogous to "genrsa" etc. except it can
171 | generate keys for any algorithm. Extend and update EVP_PKEY_METHOD to | |
172 | support key and parameter generation and add initial key generation | |
173 | functionality for RSA. | |
174 | [Steve Henson] | |
175 | ||
f733a5ef DSH |
176 | *) Add functions for main EVP_PKEY_method operations. The undocumented |
177 | functions EVP_PKEY_{encrypt,decrypt} have been renamed to | |
178 | EVP_PKEY_{encrypt,decrypt}_old. | |
179 | [Steve Henson] | |
180 | ||
0b6f3c66 DSH |
181 | *) Initial definitions for EVP_PKEY_METHOD. This will be a high level public |
182 | key API, doesn't do much yet. | |
183 | [Steve Henson] | |
184 | ||
0b33dac3 DSH |
185 | *) New function EVP_PKEY_asn1_get0_info() to retrieve information about |
186 | public key algorithms. New option to openssl utility: | |
187 | "list-public-key-algorithms" to print out info. | |
188 | [Steve Henson] | |
189 | ||
33273721 BM |
190 | *) Implement the Supported Elliptic Curves Extension for |
191 | ECC ciphersuites from draft-ietf-tls-ecc-12.txt. | |
192 | [Douglas Stebila] | |
193 | ||
246e0931 DSH |
194 | *) Don't free up OIDs in OBJ_cleanup() if they are in use by EVP_MD or |
195 | EVP_CIPHER structures to avoid later problems in EVP_cleanup(). | |
196 | [Steve Henson] | |
197 | ||
3e4585c8 | 198 | *) New utilities pkey and pkeyparam. These are similar to algorithm specific |
f5cda4cb | 199 | utilities such as rsa, dsa, dsaparam etc except they process any key |
3e4585c8 | 200 | type. |
3e84b6e1 DSH |
201 | [Steve Henson] |
202 | ||
35208f36 DSH |
203 | *) Transfer public key printing routines to EVP_PKEY_ASN1_METHOD. New |
204 | functions EVP_PKEY_print_public(), EVP_PKEY_print_private(), | |
205 | EVP_PKEY_print_param() to print public key data from an EVP_PKEY | |
206 | structure. | |
207 | [Steve Henson] | |
208 | ||
448be743 DSH |
209 | *) Initial support for pluggable public key ASN1. |
210 | De-spaghettify the public key ASN1 handling. Move public and private | |
211 | key ASN1 handling to a new EVP_PKEY_ASN1_METHOD structure. Relocate | |
212 | algorithm specific handling to a single module within the relevant | |
213 | algorithm directory. Add functions to allow (near) opaque processing | |
214 | of public and private key structures. | |
215 | [Steve Henson] | |
216 | ||
36ca4ba6 BM |
217 | *) Implement the Supported Point Formats Extension for |
218 | ECC ciphersuites from draft-ietf-tls-ecc-12.txt. | |
219 | [Douglas Stebila] | |
220 | ||
ddac1974 NL |
221 | *) Add initial support for RFC 4279 PSK TLS ciphersuites. Add members |
222 | for the psk identity [hint] and the psk callback functions to the | |
223 | SSL_SESSION, SSL and SSL_CTX structure. | |
224 | ||
225 | New ciphersuites: | |
226 | PSK-RC4-SHA, PSK-3DES-EDE-CBC-SHA, PSK-AES128-CBC-SHA, | |
227 | PSK-AES256-CBC-SHA | |
228 | ||
229 | New functions: | |
230 | SSL_CTX_use_psk_identity_hint | |
231 | SSL_get_psk_identity_hint | |
232 | SSL_get_psk_identity | |
233 | SSL_use_psk_identity_hint | |
234 | ||
235 | [Mika Kousa and Pasi Eronen of Nokia Corporation] | |
236 | ||
c7235be6 UM |
237 | *) Add RFC 3161 compliant time stamp request creation, response generation |
238 | and response verification functionality. | |
239 |
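
The -1-terminated array representation of binary polynomials described in the entry at CHANGES lines 31-36 above, as an added example that is not OpenSSL code: the function names and the 64-bit bitmask form are assumptions made for the illustration. It shows why a 0 terminator cannot express a polynomial whose t^0 coefficient is zero.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical helpers for this example; they are not OpenSSL functions.
 * A polynomial over GF(2) of degree < 64 is held as a bitmask: bit d set
 * means the coefficient of t^d is 1. Both parsers return 1 on success and
 * 0 if a degree is outside 0..63. */

/* New convention: list of degrees terminated with -1. */
int poly_from_arr_new(const int *p, uint64_t *out)
{
    uint64_t mask = 0;
    for (; *p != -1; p++) {
        if (*p < 0 || *p > 63)
            return 0;
        mask |= (uint64_t)1 << *p;
    }
    *out = mask;
    return 1;
}

/* Old convention: the terminating 0 is also the t^0 term, so bit 0 is
 * always set and t^3 + t (no constant term) has no encoding. */
int poly_from_arr_old(const int *p, uint64_t *out)
{
    uint64_t mask = 1;
    for (; *p != 0; p++) {
        if (*p < 0 || *p > 63)
            return 0;
        mask |= (uint64_t)1 << *p;
    }
    *out = mask;
    return 1;
}

/* Write the degrees of mask in decreasing order into p (capacity max),
 * terminated with -1. Returns the number of ints written, 0 if p is too small. */
int poly_to_arr_new(uint64_t mask, int *p, int max)
{
    int k = 0;
    if (max < 1)
        return 0;
    for (int d = 63; d >= 0; d--) {
        if (mask & ((uint64_t)1 << d)) {
            if (k + 1 >= max)   /* keep room for the -1 terminator */
                return 0;
            p[k++] = d;
        }
    }
    p[k] = -1;
    return k + 1;
}
```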