[thirdparty/openssl.git] / CHANGES


 OpenSSL CHANGES
 _______________

 Changes between 1.0.0e and 1.0.1  [xx XXX xxxx]

  *) Add GCM support to TLS library. Some custom code is needed to split
     the IV between the fixed (from PRF) and explicit (from TLS record)
     portions. This adds all GCM ciphersuites supported by RFC5288 and 
     RFC5289. Generalise some AES* cipherstrings to inlclude GCM and
     add a special AESGCM string for GCM only.
     [Steve Henson]

  *) Expand range of ctrls for AES GCM. Permit setting invocation
     field on decrypt and retrieval of invocation field only on encrypt.
     [Steve Henson]

  *) Add HMAC ECC ciphersuites from RFC5289. Include SHA384 PRF support.
     As required by RFC5289 these ciphersuites cannot be used if for
     versions of TLS earlier than 1.2.
     [Steve Henson]

  *) For FIPS capable OpenSSL interpret a NULL default public key method
     as unset and return the appopriate default but do *not* set the default.
     This means we can return the appopriate method in applications that
     swicth between FIPS and non-FIPS modes.
     [Steve Henson]

  *) Redirect HMAC and CMAC operations to FIPS module in FIPS mode. If an
     ENGINE is used then we cannot handle that in the FIPS module so we
     keep original code iff non-FIPS operations are allowed.
     [Steve Henson]

  *) Add -attime option to openssl verify.
     [Peter Eckersley <pde@eff.org> and Ben Laurie]

  *) Redirect DSA and DH operations to FIPS module in FIPS mode.
     [Steve Henson]

  *) Redirect ECDSA and ECDH operations to FIPS module in FIPS mode. Also use
     FIPS EC methods unconditionally for now.
     [Steve Henson]

  *) New build option no-ec2m to disable characteristic 2 code.
     [Steve Henson]

  *) Backport libcrypto audit of return value checking from 1.1.0-dev; not
     all cases can be covered as some introduce binary incompatibilities.
     [Steve Henson]

  *) Redirect RSA operations to FIPS module including keygen,
     encrypt, decrypt, sign and verify. Block use of non FIPS RSA methods.
     [Steve Henson]

  *) Add similar low level API blocking to ciphers.
     [Steve Henson]

  *) Low level digest APIs are not approved in FIPS mode: any attempt
     to use these will cause a fatal error. Applications that *really* want
     to use them can use the private_* version instead.
     [Steve Henson]

  *) Redirect cipher operations to FIPS module for FIPS builds. 
     [Steve Henson]

  *) Redirect digest operations to FIPS module for FIPS builds. 
     [Steve Henson]

  *) Update build system to add "fips" flag which will link in fipscanister.o
     for static and shared library builds embedding a signature if needed.
     [Steve Henson]

  *) Output TLS supported curves in preference order instead of numerical
     order. This is currently hardcoded for the highest order curves first.
     This should be configurable so applications can judge speed vs strength.
     [Steve Henson]

  *) Add TLS v1.2 server support for client authentication. 
     [Steve Henson]

  *) Add support for FIPS mode in ssl library: disable SSLv3, non-FIPS ciphers
     and enable MD5.
     [Steve Henson]

  *) Functions FIPS_mode_set() and FIPS_mode() which call the underlying
     FIPS modules versions.
     [Steve Henson]

  *) Add TLS v1.2 client side support for client authentication. Keep cache
     of handshake records longer as we don't know the hash algorithm to use
     until after the certificate request message is received.
     [Steve Henson]

  *) Initial TLS v1.2 client support. Add a default signature algorithms
     extension including all the algorithms we support. Parse new signature
     format in client key exchange. Relax some ECC signing restrictions for
     TLS v1.2 as indicated in RFC5246.
     [Steve Henson]

  *) Add server support for TLS v1.2 signature algorithms extension. Switch
     to new signature format when needed using client digest preference.
     All server ciphersuites should now work correctly in TLS v1.2. No client
     support yet and no support for client certificates.
     [Steve Henson]

  *) Initial TLS v1.2 support. Add new SHA256 digest to ssl code, switch
     to SHA256 for PRF when using TLS v1.2 and later. Add new SHA256 based
     ciphersuites. At present only RSA key exchange ciphersuites work with
     TLS v1.2. Add new option for TLS v1.2 replacing the old and obsolete
     SSL_OP_PKCS1_CHECK flags with SSL_OP_NO_TLSv1_2. New TLSv1.2 methods
     and version checking.
     [Steve Henson]

  *) New option OPENSSL_NO_SSL_INTERN. If an application can be compiled
     with this defined it will not be affected by any changes to ssl internal
     structures. Add several utility functions to allow openssl application
     to work with OPENSSL_NO_SSL_INTERN defined.
     [Steve Henson]

  *) Add SRP support.
     [Tom Wu <tjw@cs.stanford.edu> and Ben Laurie]

  *) Add functions to copy EVP_PKEY_METHOD and retrieve flags and id.
     [Steve Henson]

  *) Add EC_GFp_nistp224_method(), a 64-bit optimized implementation for
     elliptic curve NIST-P224 with constant-time single point multiplication on
     typical inputs.  EC_GROUP_new_by_curve_name() will automatically use this
     (while EC_GROUP_new_curve_GFp() currently won't and prefers the more
     flexible implementations).

     The implementation requires support for the nonstandard type __uint128_t,
     and so is disabled by default.  To include this in your build of OpenSSL,
     use -DEC_NISTP224_64_GCC_128 on the Configure (or config) command line,
     and run "make depend" (or "make update").
Commit	Line	Data
81a6c781	1
f1c236f8	2	OpenSSL CHANGES
651d0aff RE	3	_______________
651d0aff RE	4
5cacc82f	5	Changes between 1.0.0e and 1.0.1 [xx XXX xxxx]
9472baae	6
aed53d6c DSH	7	*) Add GCM support to TLS library. Some custom code is needed to split
	8	the IV between the fixed (from PRF) and explicit (from TLS record)
	9	portions. This adds all GCM ciphersuites supported by RFC5288 and
	10	RFC5289. Generalise some AES* cipherstrings to inlclude GCM and
	11	add a special AESGCM string for GCM only.
	12	[Steve Henson]
	13
	14	*) Expand range of ctrls for AES GCM. Permit setting invocation
	15	field on decrypt and retrieval of invocation field only on encrypt.
	16	[Steve Henson]
	17
c8c6e9ec DSH	18	*) Add HMAC ECC ciphersuites from RFC5289. Include SHA384 PRF support.
	19	As required by RFC5289 these ciphersuites cannot be used if for
	20	versions of TLS earlier than 1.2.
	21	[Steve Henson]
	22
3a5b97b7 DSH	23	*) For FIPS capable OpenSSL interpret a NULL default public key method
	24	as unset and return the appopriate default but do not set the default.
	25	This means we can return the appopriate method in applications that
	26	swicth between FIPS and non-FIPS modes.
	27	[Steve Henson]
	28
e8d23f78 DSH	29	*) Redirect HMAC and CMAC operations to FIPS module in FIPS mode. If an
	30	ENGINE is used then we cannot handle that in the FIPS module so we
	31	keep original code iff non-FIPS operations are allowed.
	32	[Steve Henson]
	33
be23b71e BL	34	*) Add -attime option to openssl verify.
	35	[Peter Eckersley <pde@eff.org> and Ben Laurie]
	36
752c1a0c DSH	37	*) Redirect DSA and DH operations to FIPS module in FIPS mode.
	38	[Steve Henson]
	39
6342b6e3 DSH	40	*) Redirect ECDSA and ECDH operations to FIPS module in FIPS mode. Also use
	41	FIPS EC methods unconditionally for now.
	42	[Steve Henson]
	43
f610a516 DSH	44	*) New build option no-ec2m to disable characteristic 2 code.
	45	[Steve Henson]
	46
5cacc82f	47	*) Backport libcrypto audit of return value checking from 1.1.0-dev; not
24d7159a DSH	48	all cases can be covered as some introduce binary incompatibilities.
	49	[Steve Henson]
	50
53dd05d8 DSH	51	*) Redirect RSA operations to FIPS module including keygen,
53dd05d8 DSH	52	encrypt, decrypt, sign and verify. Block use of non FIPS RSA methods.
fbe70553 DSH	53	[Steve Henson]
fbe70553 DSH	54
916bcab2 DSH	55	*) Add similar low level API blocking to ciphers.
	56	[Steve Henson]
	57
65300dcf DSH	58	*) Low level digest APIs are not approved in FIPS mode: any attempt
	59	to use these will cause a fatal error. Applications that really want
	60	to use them can use the private_* version instead.
	61	[Steve Henson]
	62
5792219d DSH	63	*) Redirect cipher operations to FIPS module for FIPS builds.
	64	[Steve Henson]
	65
04dc5a9c DSH	66	*) Redirect digest operations to FIPS module for FIPS builds.
	67	[Steve Henson]
	68
	69	*) Update build system to add "fips" flag which will link in fipscanister.o
	70	for static and shared library builds embedding a signature if needed.
	71	[Steve Henson]
	72
55a47cd3 DSH	73	*) Output TLS supported curves in preference order instead of numerical
	74	order. This is currently hardcoded for the highest order curves first.
	75	This should be configurable so applications can judge speed vs strength.
	76	[Steve Henson]
	77
b81fde02 DSH	78	*) Add TLS v1.2 server support for client authentication.
	79	[Steve Henson]
	80
7043fa70 DSH	81	*) Add support for FIPS mode in ssl library: disable SSLv3, non-FIPS ciphers
	82	and enable MD5.
	83	[Steve Henson]
	84
f98d2e5c DSH	85	*) Functions FIPS_mode_set() and FIPS_mode() which call the underlying
	86	FIPS modules versions.
	87	[Steve Henson]
	88
4fe4c00e DSH	89	*) Add TLS v1.2 client side support for client authentication. Keep cache
	90	of handshake records longer as we don't know the hash algorithm to use
	91	until after the certificate request message is received.
	92	[Steve Henson]
	93
9472baae DSH	94	*) Initial TLS v1.2 client support. Add a default signature algorithms
	95	extension including all the algorithms we support. Parse new signature
	96	format in client key exchange. Relax some ECC signing restrictions for
	97	TLS v1.2 as indicated in RFC5246.
	98	[Steve Henson]
	99
	100	*) Add server support for TLS v1.2 signature algorithms extension. Switch
	101	to new signature format when needed using client digest preference.
	102	All server ciphersuites should now work correctly in TLS v1.2. No client
	103	support yet and no support for client certificates.
	104	[Steve Henson]
	105
	106	*) Initial TLS v1.2 support. Add new SHA256 digest to ssl code, switch
	107	to SHA256 for PRF when using TLS v1.2 and later. Add new SHA256 based
	108	ciphersuites. At present only RSA key exchange ciphersuites work with
	109	TLS v1.2. Add new option for TLS v1.2 replacing the old and obsolete
	110	SSL_OP_PKCS1_CHECK flags with SSL_OP_NO_TLSv1_2. New TLSv1.2 methods
	111	and version checking.
	112	[Steve Henson]
5cacc82f	113
74096890 DSH	114	*) New option OPENSSL_NO_SSL_INTERN. If an application can be compiled
	115	with this defined it will not be affected by any changes to ssl internal
	116	structures. Add several utility functions to allow openssl application
	117	to work with OPENSSL_NO_SSL_INTERN defined.
	118	[Steve Henson]
c549810d	119
a149b246 BL	120	*) Add SRP support.
	121	[Tom Wu <tjw@cs.stanford.edu> and Ben Laurie]
	122
a618011c DSH	123	*) Add functions to copy EVP_PKEY_METHOD and retrieve flags and id.
	124	[Steve Henson]
	125
48ce525d BM	126	*) Add EC_GFp_nistp224_method(), a 64-bit optimized implementation for
	127	elliptic curve NIST-P224 with constant-time single point multiplication on
	128	typical inputs. EC_GROUP_new_by_curve_name() will automatically use this
	129	(while EC_GROUP_new_curve_GFp() currently won't and prefers the more
	130	flexible implementations).
	131
	132	The implementation requires support for the nonstandard type __uint128_t,
	133	and so is disabled by default. To include this in your build of OpenSSL,
	134	use -DEC_NISTP224_64_GCC_128 on the Configure (or config) command line,
	135	and run "make depend" (or "make update").
	136