 OpenSSL CHANGES
 _______________

 Changes between 1.0.2 and 1.1.0 [xx XXX xxxx]

  *) The return type of BIO_number_read() and BIO_number_written() as well as
     the corresponding num_read and num_write members in the BIO structure have
     changed from unsigned long to uint64_t. On platforms where an unsigned
     long is 32 bits (e.g. Windows) these counters could overflow if >4Gb is
     transferred.
     [Matt Caswell]

  *) Given the pervasive nature of TLS extensions it is inadvisable to run
     OpenSSL without support for them. It also means that maintaining
     the OPENSSL_NO_TLSEXT option within the code is very invasive (and probably
     not well tested). Therefore the OPENSSL_NO_TLSEXT option has been removed.
     [Matt Caswell]

  *) Removed support for the two export grade static DH ciphersuites
     EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites
     were newly added (along with a number of other static DH ciphersuites) to
     1.0.2. However the two export ones have *never* worked since they were
     introduced. It seems strange in any case to be adding new export
     ciphersuites, and given "logjam" it also does not seem correct to fix them.
     [Matt Caswell]

  *) Version negotiation has been rewritten. In particular SSLv23_method(),
     SSLv23_client_method() and SSLv23_server_method() have been deprecated,
     and turned into macros which simply call the new preferred function names
     TLS_method(), TLS_client_method() and TLS_server_method(). All new code
     should use the new names instead. Also as part of this change the ssl23.h
     header file has been removed.
     [Matt Caswell]

  *) Support for Kerberos ciphersuites in TLS (RFC2712) has been removed. This
     code and the associated standard are no longer considered fit-for-purpose.
     [Matt Caswell]

  *) Added HTTP GET support to the ocsp command.
     [Rich Salz]

  *) RAND_pseudo_bytes has been deprecated. Users should use RAND_bytes instead.
     [Matt Caswell]

  *) Added support for TLS extended master secret from
     draft-ietf-tls-session-hash-03.txt. Thanks to Alfredo Pironti for an
     initial patch which was a great help during development.
     [Steve Henson]

  *) All libssl internal structures have been removed from the public header
     files, and the OPENSSL_NO_SSL_INTERN option has been removed (since it is
     now redundant). Users should not attempt to access internal structures
     directly. Instead they should use the provided API functions.
     [Matt Caswell]

  *) config has been changed so that by default OPENSSL_NO_DEPRECATED is used.
     Access to deprecated functions can be re-enabled by running config with
     "enable-deprecated". In addition applications wishing to use deprecated
     functions must define OPENSSL_USE_DEPRECATED. Note that this new behaviour
     will, by default, disable some transitive includes that previously existed
     in the header files (e.g. ec.h will no longer, by default, include bn.h).
     [Matt Caswell]

  *) Added support for OCB mode. OpenSSL has been granted a patent license
     compatible with the OpenSSL license for use of OCB. Details are available
     at https://www.openssl.org/docs/misc/OCB-patent-grant-OpenSSL.pdf. Support
     for OCB can be removed by calling config with no-ocb.
     [Matt Caswell]

  *) SSLv2 support has been removed. It still supports receiving an SSLv2
     compatible client hello.
     [Kurt Roeckx]

  *) Increased the minimal RSA keysize from 256 to 512 bits [Rich Salz],
     done while fixing the error code for the key-too-small case.
     [Annie Yousar <a.yousar@informatik.hu-berlin.de>]

  *) CA.sh has been removed; use CA.pl instead.
     [Rich Salz]

  *) Removed old DES API.
     [Rich Salz]

  *) Remove various unsupported platforms:
       Sony NEWS4
       BEOS and BEOS_R5
       NeXT
       SUNOS
       MPE/iX
       Sinix/ReliantUNIX RM400
       DGUX
       NCR
       Tandem
       Cray
       16-bit platforms such as WIN16
     [Rich Salz]

  *) Clean up OPENSSL_NO_xxx #define's
       Use setbuf() and remove OPENSSL_NO_SETVBUF_IONBF
       Rename OPENSSL_SYSNAME_xxx to OPENSSL_SYS_xxx
       OPENSSL_NO_EC{DH,DSA} merged into OPENSSL_NO_EC
       OPENSSL_NO_RIPEMD160, OPENSSL_NO_RIPEMD merged into OPENSSL_NO_RMD160
       OPENSSL_NO_FP_API merged into OPENSSL_NO_STDIO
       Remove OPENSSL_NO_BIO OPENSSL_NO_BUFFER OPENSSL_NO_CHAIN_VERIFY
         OPENSSL_NO_EVP OPENSSL_NO_FIPS_ERR OPENSSL_NO_HASH_COMP
         OPENSSL_NO_LHASH OPENSSL_NO_OBJECT OPENSSL_NO_SPEED OPENSSL_NO_STACK
         OPENSSL_NO_X509 OPENSSL_NO_X509_VERIFY
       Remove MS_STATIC; it's a relic from platforms <32 bits.
     [Rich Salz]

  *) Cleaned up dead code
       Remove all but one '#ifdef undef' which is to be looked at.
     [Rich Salz]

  *) Clean up calling of xxx_free routines.
       Just like free(), fix most of the xxx_free routines to accept
       NULL. Remove the non-null checks from callers. Save much code.
     [Rich Salz]

  *) Experimental support for a new, fast, unbiased prime candidate generator,
     bn_probable_prime_dh_coprime(). Not currently used by any prime generator.
     [Felix Laurie von Massenbach <felix@erbridge.co.uk>]

  *) New output format NSS in the sess_id command line tool. This allows
     exporting the session id and the master key in NSS keylog format.
     [Martin Kaiser <martin@kaiser.cx>]

  *) Harmonize version and its documentation. -f flag is used to display
     compilation flags.
     [mancha <mancha1@zoho.com>]

  *) Fix eckey_priv_encode so it immediately returns an error upon a failure
     in i2d_ECPrivateKey.
     [mancha <mancha1@zoho.com>]

  *) Fix some double frees. These are not thought to be exploitable.
     [mancha <mancha1@zoho.com>]

  *) A missing bounds check in the handling of the TLS heartbeat extension
     can be used to reveal up to 64k of memory to a connected client or
     server.

     Thanks to Neel Mehta of Google Security for discovering this bug and to
     Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
     preparing the fix (CVE-2014-0160)
     [Adam Langley, Bodo Moeller]

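     As an added illustration of the missing check (this is not OpenSSL's
     code), the following Python parser applies the RFC 6520 length rule that
     the fix for CVE-2014-0160 enforces: a heartbeat message whose declared
     payload_length, plus the 3-byte header and the minimum 16 bytes of
     padding, does not fit inside the record is discarded. The record bytes
     are constructed samples, not captured traffic.

```python
import os
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520: padding_length MUST be at least 16 bytes


def parse_heartbeat(record):
    """Parse the body of a TLS heartbeat record (RFC 6520).

    Returns (type, payload) for a well-formed message, or None when the
    message must be discarded. The bounds check on payload_length against
    the real record length is the one that was missing in affected versions.
    """
    if len(record) < 1 + 2 + MIN_PADDING:
        return None
    hb_type = record[0]
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return None
    (payload_length,) = struct.unpack("!H", record[1:3])
    # Never trust the peer-supplied length: header + payload + minimum
    # padding must fit in what was actually received.
    if 1 + 2 + payload_length + MIN_PADDING > len(record):
        return None
    payload = record[3:3 + payload_length]
    return hb_type, payload


def build_heartbeat_response(request_record):
    """Answer a valid request by echoing only the validated payload, with
    fresh random padding; a rejected request gets no response at all."""
    parsed = parse_heartbeat(request_record)
    if parsed is None or parsed[0] != HEARTBEAT_REQUEST:
        return None
    _, payload = parsed
    return (bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", len(payload))
            + payload + os.urandom(MIN_PADDING))


# Constructed sample records (not captured traffic).
GOOD_REQUEST = (bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 5)
                + b"hello" + b"\x00" * MIN_PADDING)
# Same 24 bytes on the wire, but the length field claims a 65535-byte payload.
OVERSIZED_REQUEST = (bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 65535)
                     + b"hello" + b"\x00" * MIN_PADDING)
```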
  *) Fix for the attack described in the paper "Recovering OpenSSL
     ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
     by Yuval Yarom and Naomi Benger. Details can be obtained from:
     http://eprint.iacr.org/2014/140

     Thanks to Yuval Yarom and Naomi Benger for discovering this
     flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
     [Yuval Yarom and Naomi Benger]

  *) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
     this fixes a limitation in previous versions of OpenSSL.
     [Steve Henson]

  *) Experimental encrypt-then-mac support.

     Experimental support for encrypt then mac from
     draft-gutmann-tls-encrypt-then-mac-02.txt

     To enable it set the appropriate extension number (0x42 for the test
     server) using e.g. -DTLSEXT_TYPE_encrypt_then_mac=0x42

     For non-compliant peers (i.e. just about everything) this should have no
     effect.

     WARNING: EXPERIMENTAL, SUBJECT TO CHANGE.

     [Steve Henson]

  *) Add EVP support for key wrapping algorithms, to avoid problems with
     existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in
     the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
     algorithms and include test cases.
     [Steve Henson]

  *) Extend CMS code to support RSA-PSS signatures and RSA-OAEP for
     enveloped data.
     [Steve Henson]

  *) Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,
     MGF1 digest and OAEP label.
     [Steve Henson]

  *) Make openssl verify return errors.
     [Chris Palmer <palmer@google.com> and Ben Laurie]

  *) New function ASN1_TIME_diff to calculate the difference between two
     ASN1_TIME structures or one structure and the current time.
     [Steve Henson]

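     An added example (not OpenSSL's implementation) of what ASN1_TIME_diff
     computes, written in Python: the difference between two ASN.1 times, or
     between one time and now, as a day count plus a remaining-seconds count
     that carry the same sign. Only Zulu-suffixed UTCTime and GeneralizedTime
     strings are handled; the two-digit-year pivot follows RFC 5280.

```python
from datetime import datetime, timezone

SECONDS_PER_DAY = 86400


def parse_asn1_time(s):
    """Parse a Zulu UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)
    into an aware UTC datetime. Anything else is rejected rather than guessed."""
    if not s.endswith("Z"):
        raise ValueError("only UTC ('Z') times are supported here: %r" % s)
    digits = s[:-1]
    if not digits.isdigit():
        raise ValueError("malformed ASN.1 time: %r" % s)
    if len(digits) == 12:          # UTCTime: two-digit year, RFC 5280 pivot at 50
        yy = int(digits[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = digits[2:]
    elif len(digits) == 14:        # GeneralizedTime: four-digit year
        year = int(digits[:4])
        rest = digits[4:]
    else:
        raise ValueError("malformed ASN.1 time: %r" % s)
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def asn1_time_diff(t_from, t_to=None):
    """Return (days, seconds) such that t_from + days*86400 + seconds == t_to.

    Mirrors the ASN1_TIME_diff contract: when t_to is later both values are
    non-negative, when earlier both are non-positive, and |seconds| < 86400.
    t_to=None compares against the current time, as the C API does.
    """
    start = parse_asn1_time(t_from)
    end = parse_asn1_time(t_to) if t_to is not None else datetime.now(timezone.utc)
    total = int((end - start).total_seconds())
    sign = -1 if total < 0 else 1
    days, secs = divmod(abs(total), SECONDS_PER_DAY)
    return sign * days, sign * secs


def is_expired(not_after, now=None):
    """Certificate-style use: notAfter lies in the past when the difference
    from notAfter to now is positive in either component."""
    days, secs = asn1_time_diff(not_after, now)
    return days > 0 or secs > 0
```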
  *) Update fips_test_suite to support multiple command line options. New
     test to induce all self test errors in sequence and check expected
     failures.
     [Steve Henson]

  *) Add FIPS_{rsa,dsa,ecdsa}_{sign,verify} functions which digest and
     sign or verify all in one operation.
     [Steve Henson]

  *) Add fips_algvs: a multicall fips utility incorporating all the algorithm
     test programs and fips_test_suite. Includes functionality to parse
     the minimal script output of fipsalgtest.pl directly.
     [Steve Henson]

  *) Add authorisation parameter to FIPS_module_mode_set().
     [Steve Henson]

  *) Add FIPS selftest for ECDH algorithm using P-224 and B-233 curves.
     [Steve Henson]

  *) Use separate DRBG fields for internal and external flags. New function
     FIPS_drbg_health_check() to perform on demand health checking. Add
     generation tests to fips_test_suite with reduced health check interval to
     demonstrate periodic health checking. Add "nodh" option to
     fips_test_suite to skip very slow DH test.
     [Steve Henson]

  *) New function FIPS_get_cipherbynid() to lookup FIPS supported ciphers
     based on NID.
     [Steve Henson]

  *) More extensive health check for DRBG checking many more failure modes.
     New function FIPS_selftest_drbg_all() to handle every possible DRBG
     combination: call this in fips_test_suite.
     [Steve Henson]

  *) Add support for Dual EC DRBG from SP800-90. Update DRBG algorithm test
     and POST to handle Dual EC cases.
     [Steve Henson]

  *) Add support for canonical generation of DSA parameter 'g'. See
     FIPS 186-3 A.2.3.

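     The FIPS 186-3 A.2.3 procedure in Python, as an added example that is not
     OpenSSL's code; the A.2.4 check that a verifier runs on a published g is
     included, since the point of canonical generation is that anyone can
     re-derive g from the seed and index. The p and q below are a toy
     safe-prime pair chosen so the block runs instantly; they are not secure
     parameters.

```python
import hashlib


def generate_canonical_g(p, q, domain_parameter_seed, index, hash_name="sha256"):
    """FIPS 186-3 A.2.3: verifiable canonical generation of the DSA generator.

    Returns g, or None when index is not an 8-bit value or the 16-bit count
    is exhausted without finding a g >= 2.
    """
    if not 0 <= index <= 255:                   # step 1: index is one octet
        return None
    e = (p - 1) // q                            # step 2: e = (p-1)/q
    count = 0
    while True:
        count += 1                              # step 3
        if count > 0xFFFF:                      # count is a 16-bit field
            return None
        # step 4: U = domain_parameter_seed || "ggen" || index || count
        u = domain_parameter_seed + b"ggen" + bytes([index]) + count.to_bytes(2, "big")
        w = int.from_bytes(hashlib.new(hash_name, u).digest(), "big")  # step 5
        g = pow(w, e, p)                        # step 6: g = W^e mod p
        if g >= 2:                              # step 7: reject g in {0, 1}
            return g                            # step 8


def validate_canonical_g(p, q, domain_parameter_seed, index, g, hash_name="sha256"):
    """FIPS 186-3 A.2.4: re-derive g from the published seed and index and
    check it is a generator of the order-q subgroup. A g that cannot be
    reproduced this way is rejected, whatever its arithmetic properties."""
    if not 2 <= g <= p - 1 or pow(g, q, p) != 1:
        return False
    return generate_canonical_g(p, q, domain_parameter_seed, index, hash_name) == g


# Toy parameters (p = 2q + 1, both prime); constructed for illustration only.
P_TOY, Q_TOY = 1187, 593
SEED_TOY = bytes(range(0x0a, 0x12))   # constructed domain_parameter_seed
```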
  *) Add support for HMAC DRBG from SP800-90. Update DRBG algorithm test and
     POST to handle HMAC cases.
     [Steve Henson]

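     The SP 800-90 HMAC_DRBG mechanism referred to above, written out in
     Python as an added example (not OpenSSL's FIPS module code): instantiate,
     update, generate and reseed, including the reseed-interval check that
     makes generate refuse output until fresh entropy is supplied. The entropy
     and nonce strings in the test are constructed stand-ins for a real
     entropy source and are far too predictable for actual use.

```python
import hashlib
import hmac


class HmacDrbg:
    """HMAC_DRBG as specified in SP 800-90 section 10.1.2.

    K and V are the internal state; every call to _update() folds new
    input into both, and generate() never returns more than one
    reseed_interval's worth of requests without a reseed.
    """

    def __init__(self, entropy, nonce, personalization=b"", hash_name="sha256",
                 reseed_interval=10000):
        self.hash_name = hash_name
        self.outlen = hashlib.new(hash_name).digest_size
        self.reseed_interval = reseed_interval
        # Instantiate: K = 0x00..00, V = 0x01..01, then Update(seed_material)
        self.K = b"\x00" * self.outlen
        self.V = b"\x01" * self.outlen
        self._update(entropy + nonce + personalization)
        self.reseed_counter = 1

    def _hmac(self, key, data):
        return hmac.new(key, data, self.hash_name).digest()

    def _update(self, provided_data):
        # HMAC_DRBG_Update: the second round runs only when data was supplied
        self.K = self._hmac(self.K, self.V + b"\x00" + provided_data)
        self.V = self._hmac(self.K, self.V)
        if provided_data:
            self.K = self._hmac(self.K, self.V + b"\x01" + provided_data)
            self.V = self._hmac(self.K, self.V)

    def reseed(self, entropy, additional=b""):
        self._update(entropy + additional)
        self.reseed_counter = 1

    def generate(self, nbytes, additional=b""):
        """Return nbytes of output, or None when a reseed is required first."""
        if self.reseed_counter > self.reseed_interval:
            return None
        if additional:
            self._update(additional)
        out = b""
        while len(out) < nbytes:        # V = HMAC(K, V) repeated until enough
            self.V = self._hmac(self.K, self.V)
            out += self.V
        self._update(additional)        # always update state after output
        self.reseed_counter += 1
        return out[:nbytes]
```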
  *) Add functions FIPS_module_version() and FIPS_module_version_text()
     to return numerical and string versions of the FIPS module number.
     [Steve Henson]

  *) Rename FIPS_mode_set and FIPS_mode to FIPS_module_mode_set and
     FIPS_module_mode. FIPS_mode and FIPS_mode_set will be implemented
     outside the validated module in the FIPS capable OpenSSL.
     [Steve Henson]

  *) Minor change to DRBG entropy callback semantics. In some cases
     there is no multiple of the block length between min_len and
     max_len. Allow the callback to return more than max_len bytes
     of entropy but discard any extra: it is the callback's responsibility
     to ensure that the extra data discarded does not impact the
     requested amount of entropy.
     [Steve Henson]

  *) Add PRNG security strength checks to RSA, DSA and ECDSA using
     information in FIPS186-3, SP800-57 and SP800-131A.
     [Steve Henson]

  *) CCM support via EVP. Interface is very similar to GCM case except we
     must supply all data in one chunk (i.e. no update, final) and the
     message length must be supplied if AAD is used. Add algorithm test
     support.
     [Steve Henson]

  *) Initial version of POST overhaul. Add POST callback to allow the status
     of POST to be monitored and/or failures induced. Modify fips_test_suite
     to use callback. Always run all selftests even if one fails.
     [Steve Henson]

  *) XTS support including algorithm test driver in the fips_gcmtest program.
     Note: this does increase the maximum key length from 32 to 64 bytes but
     there should be no binary compatibility issues as existing applications
     will never use XTS mode.
     [Steve Henson]

  *) Extensive reorganisation of FIPS PRNG behaviour. Remove all dependencies
     to OpenSSL RAND code and replace with a tiny FIPS RAND API which also
     performs algorithm blocking for unapproved PRNG types. Also do not
     set PRNG type in FIPS_mode_set(): leave this to the application.
     Add default OpenSSL DRBG handling: sets up FIPS PRNG and seeds with
     the standard OpenSSL PRNG: set additional data to a date time vector.
     [Steve Henson]

  *) Rename old X9.31 PRNG functions of the form FIPS_rand* to FIPS_x931*.
     This shouldn't present any incompatibility problems because applications
     shouldn't be using these directly and any that are will need to rethink
     anyway as the X9.31 PRNG is now deprecated by FIPS 140-2.
     [Steve Henson]

  *) Extensive self tests and health checking required by SP800-90 DRBG.
     Remove strength parameter from FIPS_drbg_instantiate and always
     instantiate at maximum supported strength.
     [Steve Henson]

  *) Add ECDH code to fips module and fips_ecdhvs for primitives only testing.
     [Steve Henson]

  *) New algorithm test program fips_dhvs to handle DH primitives only testing.
     [Steve Henson]

  *) New function DH_compute_key_padded() to compute a DH key and pad with
     leading zeroes if needed: this complies with SP800-56A et al.
     [Steve Henson]

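     An added Python illustration (not OpenSSL's code) of the difference
     between the unpadded and padded shared-secret encodings, using a toy
     2-byte prime so that a secret with a leading zero byte actually occurs.
     The hypothetical derive_key() stands in for whatever KDF the protocol
     applies and shows why the two encodings must not be mixed between peers.

```python
import hashlib


def dh_compute_key(pub_key, priv_key, p):
    """Unpadded shared secret, as DH_compute_key() returns it: the big-endian
    encoding of pub^priv mod p with any leading zero bytes stripped, so the
    length varies with the value (about 1 in 256 secrets come out short)."""
    z = pow(pub_key, priv_key, p)
    return z.to_bytes((z.bit_length() + 7) // 8, "big")


def dh_compute_key_padded(pub_key, priv_key, p):
    """Same secret, padded with leading zeroes to the byte length of p, as
    SP 800-56A requires before the value is fed to a key derivation function."""
    z = pow(pub_key, priv_key, p)
    return z.to_bytes((p.bit_length() + 7) // 8, "big")


def derive_key(shared_secret, info):
    """Hypothetical KDF stand-in: any hash-based KDF is sensitive to the exact
    byte string it is given, so an encoding mismatch yields different keys."""
    return hashlib.sha256(shared_secret + info).digest()


# Toy group: p = 1187 (2 bytes), base 2. Constructed for illustration only;
# real parameters are thousands of bits and come from a vetted source.
P_TOY, G_TOY = 1187, 2


def toy_exchange(a_priv, b_priv, padded):
    """Both peers compute the secret from the other side's public value and
    return (secret_a, secret_b); padded selects which encoding is used."""
    a_pub, b_pub = pow(G_TOY, a_priv, P_TOY), pow(G_TOY, b_priv, P_TOY)
    fn = dh_compute_key_padded if padded else dh_compute_key
    return fn(b_pub, a_priv, P_TOY), fn(a_pub, b_priv, P_TOY)
```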
  *) Initial implementation of SP800-90 DRBGs for Hash and CTR. Not used by
     anything, incomplete, subject to change and largely untested at present.
     [Steve Henson]

  *) Modify fipscanisteronly build option to only build the necessary object
     files by filtering FIPS_EX_OBJ through a perl script in crypto/Makefile.
     [Steve Henson]

  *) Add experimental option FIPSSYMS to give all symbols in
     fipscanister.o a FIPS or fips prefix. This will avoid
     conflicts with future versions of OpenSSL. Add perl script
     util/fipsas.pl to preprocess assembly language source files
     and rename any affected symbols.
     [Steve Henson]

  *) Add selftest checks and algorithm block of non-fips algorithms in
     FIPS mode. Remove DES2 from selftests.
     [Steve Henson]

  *) Add ECDSA code to fips module. Add tiny fips_ecdsa_check to just
     return internal method without any ENGINE dependencies. Add new
     tiny fips sign and verify functions.
     [Steve Henson]

  *) New build option no-ec2m to disable characteristic 2 code.
     [Steve Henson]

  *) New build option "fipscanisteronly". This only builds fipscanister.o
     and (currently) associated fips utilities. Uses the file Makefile.fips
     instead of Makefile.org as the prototype.
     [Steve Henson]

  *) Add some FIPS mode restrictions to GCM. Add internal IV generator.
     Update fips_gcmtest to use IV generator.
     [Steve Henson]

  *) Initial, experimental EVP support for AES-GCM. AAD can be input by
     setting output buffer to NULL. The *Final function must be
     called although it will not retrieve any additional data. The tag
     can be set or retrieved with a ctrl. The IV length is by default 12
     bytes (96 bits) but can be set to an alternative value. If the IV
     length exceeds the maximum IV length (currently 16 bytes) it cannot be
     set before the key.
     [Steve Henson]

  *) New flag in ciphers: EVP_CIPH_FLAG_CUSTOM_CIPHER. This means the
     underlying do_cipher function handles all cipher semantics itself
     including padding and finalisation. This is useful if (for example)
     an ENGINE cipher handles block padding itself. The behaviour of
     do_cipher is subtly changed if this flag is set: the return value
     is the number of characters written to the output buffer (zero is
     no longer an error code) or a negative error code. Also if the
     input buffer is NULL and length 0 finalisation should be performed.
     [Steve Henson]

  *) If a candidate issuer certificate is already part of the constructed
     path ignore it: new debug notification X509_V_ERR_PATH_LOOP for this case.
     [Steve Henson]

  *) Improve forward-security support: add functions

     void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx, int (*cb)(SSL *ssl, int is_forward_secure))
     void SSL_set_not_resumable_session_callback(SSL *ssl, int (*cb)(SSL *ssl, int is_forward_secure))

     for use by SSL/TLS servers; the callback function will be called whenever a
     new session is created, and gets to decide whether the session may be
     cached to make it resumable (return 0) or not (return 1). (As by the
     SSL/TLS protocol specifications, the session_id sent by the server will be
     empty to indicate that the session is not resumable; also, the server will
     not generate RFC 4507 (RFC 5077) session tickets.)

     A simple reasonable callback implementation is to return is_forward_secure.
     This parameter will be set to 1 or 0 depending on the ciphersuite selected
     by the SSL/TLS server library, indicating whether it can provide forward
     security.