git.ipfire.org Git - thirdparty/openssl.git/blame_incremental - CHANGES
Compile ccm128.c, move some structures to modes_lcl.h add prototypes.

OpenSSL CHANGES
_______________

Changes between 1.0.1 and 1.1.0 [xx XXX xxxx]

*) Initial version of POST overhaul. Add POST callback to allow the status
of POST to be monitored and/or failures induced. Modify fips_test_suite
to use callback. Always run all selftests even if one fails.
[Steve Henson]

*) XTS support including algorithm test driver in the fips_gcmtest program.
Note: this does increase the maximum key length from 32 to 64 bytes but
there should be no binary compatibility issues as existing applications
will never use XTS mode.
[Steve Henson]

*) Extensive reorganisation of FIPS PRNG behaviour. Remove all dependencies
on OpenSSL RAND code and replace with a tiny FIPS RAND API which also
performs algorithm blocking for unapproved PRNG types. Also do not
set PRNG type in FIPS_mode_set(): leave this to the application.
Add default OpenSSL DRBG handling: sets up FIPS PRNG and seeds with
the standard OpenSSL PRNG; sets the additional data to a date/time vector.
[Steve Henson]

*) Rename old X9.31 PRNG functions of the form FIPS_rand* to FIPS_x931*.
This shouldn't present any incompatibility problems because applications
shouldn't be using these directly, and any that are will need to rethink
anyway as the X9.31 PRNG is now deprecated by FIPS 140-2.
[Steve Henson]

*) Extensive self tests and health checking required by SP800-90 DRBG.
Remove strength parameter from FIPS_drbg_instantiate and always
instantiate at maximum supported strength.
[Steve Henson]

*) Add SRP support.
[Tom Wu <tjw@cs.stanford.edu> and Ben Laurie]

*) Add ECDH code to fips module and fips_ecdhvs for primitives-only testing.
[Steve Henson]

*) New algorithm test program fips_dhvs to handle DH primitives-only testing.
[Steve Henson]

*) New function DH_compute_key_padded() to compute a DH key and pad with
leading zeroes if needed: this complies with SP800-56A et al.
[Steve Henson]

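The following is an added example, not OpenSSL code, showing why the padded variant matters. It models DH_compute_key() (minimal-length output) and DH_compute_key_padded() (output padded to DH_size()) in Python over a constructed toy group: the 127-bit Mersenne prime 2^127 - 1 with generator 3, far too small for real use and not a safe prime, chosen only so the search for a short secret is fast. The SHA-256 "KDF" and the private exponents are likewise constructed for illustration.

```python
"""Added example (not OpenSSL's code): the effect of DH_compute_key_padded().

A Diffie-Hellman shared secret Z = Y^x mod p is an integer in [1, p-1].
Encoding it with the minimum number of bytes, as DH_compute_key() does,
gives a variable-length string: for a 2048-bit modulus about one exchange
in 256 produces a Z whose top byte is zero, and that Z comes out a byte
short. SP800-56A defines Z as a fixed-length string of the modulus size,
so a peer that pads and a peer that does not feed different inputs to the
same KDF and derive different keys.

The 127-bit Mersenne prime below is a constructed toy modulus (prime, but
tiny and not a safe prime) used only to keep the search for a short Z fast.
"""
import hashlib

P = (1 << 127) - 1                     # 2^127 - 1 is prime; toy size only
G = 3
MOD_LEN = (P.bit_length() + 7) // 8    # 16 bytes: what DH_size() would report


def compute_key(peer_pub: int, priv: int) -> bytes:
    """Minimal-length encoding, like DH_compute_key(): leading zero bytes dropped."""
    z = pow(peer_pub, priv, P)
    return z.to_bytes((z.bit_length() + 7) // 8, "big")


def compute_key_padded(peer_pub: int, priv: int) -> bytes:
    """Fixed-length encoding, like DH_compute_key_padded(): left-padded to DH_size()."""
    z = pow(peer_pub, priv, P)
    return z.to_bytes(MOD_LEN, "big")


def derive_key(z: bytes, label: bytes = b"toy-kdf") -> bytes:
    """Stand-in KDF; any real KDF is equally sensitive to the length of Z."""
    return hashlib.sha256(label + z).digest()


def find_short_secret(priv_a: int = (1 << 120) + 12345,
                      start: int = 1 << 100,
                      max_tries: int = 100_000) -> tuple:
    """Deterministically search for a peer exponent whose shared secret with
    priv_a has a leading zero byte (constructed inputs). Returns (priv_a, priv_b)."""
    pub_a = pow(G, priv_a, P)
    for priv_b in range(start, start + max_tries):
        if len(compute_key(pub_a, priv_b)) < MOD_LEN:
            return priv_a, priv_b
    raise RuntimeError("no short secret found; increase max_tries")


def compare_encodings(priv_a: int, priv_b: int) -> dict:
    """Run the exchange with A unpadded and B padded; report what each side gets."""
    pub_a, pub_b = pow(G, priv_a, P), pow(G, priv_b, P)
    raw = compute_key(pub_b, priv_a)              # A: DH_compute_key() style
    padded = compute_key_padded(pub_a, priv_b)    # B: DH_compute_key_padded() style
    return {
        "raw_len": len(raw),
        "padded_len": len(padded),
        "same_integer": int.from_bytes(raw, "big") == int.from_bytes(padded, "big"),
        "same_derived_key": derive_key(raw) == derive_key(padded),
        "keys_agree_when_both_pad": compute_key_padded(pub_b, priv_a) == padded,
    }


if __name__ == "__main__":
    a, b = find_short_secret()
    print(compare_encodings(a, b))
```

The two sides hold the same integer Z yet derive different keys whenever the unpadded encoding is shorter than DH_size(); the failure is intermittent, which is what makes it hard to diagnose in an interop test. Having both sides use the padded form fixes it, and a fixed-length secret also avoids leaking information about Z through its length.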
*) Initial implementation of SP800-90 DRBGs for Hash and CTR. Not used by
anything, incomplete, subject to change and largely untested at present.
[Steve Henson]

*) Modify fipscanisteronly build option to only build the necessary object
files by filtering FIPS_EX_OBJ through a perl script in crypto/Makefile.
[Steve Henson]

*) Add experimental option FIPSSYMS to give all symbols in
fipscanister.o a FIPS or fips prefix. This will avoid
conflicts with future versions of OpenSSL. Add perl script
util/fipsas.pl to preprocess assembly language source files
and rename any affected symbols.
[Steve Henson]

*) Add selftest checks and algorithm blocking of non-FIPS algorithms in
FIPS mode. Remove DES2 from selftests.
[Steve Henson]

*) Add ECDSA code to fips module. Add tiny fips_ecdsa_check to just
return internal method without any ENGINE dependencies. Add new
tiny fips sign and verify functions.
[Steve Henson]

*) New build option no-ec2m to disable characteristic 2 code.
[Steve Henson]

*) New build option "fipscanisteronly". This only builds fipscanister.o
and (currently) associated fips utilities. Uses the file Makefile.fips
instead of Makefile.org as the prototype.
[Steve Henson]

*) Add some FIPS mode restrictions to GCM. Add internal IV generator.
Update fips_gcmtest to use IV generator.
[Steve Henson]

*) Initial, experimental EVP support for AES-GCM. AAD can be input by
setting output buffer to NULL. The *Final function must be
called although it will not retrieve any additional data. The tag
can be set or retrieved with a ctrl. The IV length is by default 12
bytes (96 bits) but can be set to an alternative value. If the IV
length exceeds the maximum IV length (currently 16 bytes) it cannot be
set before the key.
[Steve Henson]

*) New flag in ciphers: EVP_CIPH_FLAG_CUSTOM_CIPHER. This means the
underlying do_cipher function handles all cipher semantics itself
including padding and finalisation. This is useful if (for example)
an ENGINE cipher handles block padding itself. The behaviour of
do_cipher is subtly changed if this flag is set: the return value
is the number of characters written to the output buffer (zero is
no longer an error code) or a negative error code. Also, if the
input buffer is NULL and length 0, finalisation should be performed.
[Steve Henson]

*) If a candidate issuer certificate is already part of the constructed
path ignore it: new debug notification X509_V_ERR_PATH_LOOP for this case.
[Steve Henson]

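The following is an added example, not OpenSSL code, of the check this entry describes. It is a toy path builder in Python over a constructed certificate store (subject, issuer and serial only; no keys or signatures, since only the subject/issuer graph matters here). The event names PATH_LOOP, UNABLE_TO_GET_ISSUER and DEPTH_EXCEEDED are stand-ins for the corresponding OpenSSL verify errors, and the cross-certified CAs CA-A and CA-B are invented for the illustration.

```python
"""Added example (not OpenSSL's code): skipping issuer candidates that are
already on the path, the case the X509_V_ERR_PATH_LOOP notification covers.

A path builder walks from the end-entity certificate towards a self-signed
anchor by repeatedly picking a store certificate whose subject equals the
current issuer. Cross-certified CAs (A certifies B and B certifies A) give
that walk a cycle; a builder that does not remember what is already on the
path bounces between the two until it hits its depth limit. The store below
is constructed: names and serials only, no keys or signatures.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int          # distinguishes two certificates for the same subject

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer


@dataclass
class PathResult:
    ok: bool
    path: list
    events: list = field(default_factory=list)  # notifications, in order raised

    def subjects(self) -> list:
        return [c.subject for c in self.path]


def build_path(leaf: Cert, store: list, detect_loops: bool = True,
               max_depth: int = 8) -> PathResult:
    """Build leaf -> ... -> self-signed root. With detect_loops, a candidate
    issuer already on the path is skipped and a PATH_LOOP event recorded
    (the behaviour the changelog entry describes); without it, the builder
    behaves like the pre-fix code and relies on max_depth to stop."""
    path, events = [leaf], []
    while not path[-1].is_self_signed():
        if len(path) >= max_depth:
            events.append("DEPTH_EXCEEDED")
            return PathResult(False, path, events)
        current = path[-1]
        chosen = None
        for cand in store:
            if cand.subject != current.issuer:
                continue                      # not an issuer candidate
            if detect_loops and cand in path:
                events.append(f"PATH_LOOP:{cand.subject}")
                continue                      # already on the path: ignore it
            chosen = cand
            break
        if chosen is None:
            events.append("UNABLE_TO_GET_ISSUER")
            return PathResult(False, path, events)
        path.append(chosen)
    return PathResult(True, path, events)


# Constructed store: CA-A and CA-B cross-certify each other, and CA-A also
# has a self-signed root. The cross-certificate for CA-A is listed ahead of
# its root so a naive walk takes the cycle first.
LEAF = Cert("www.example.test", "CA-A", serial=1001)
A_CROSS = Cert("CA-A", "CA-B", serial=7)    # CA-A as certified by CA-B
B_CROSS = Cert("CA-B", "CA-A", serial=8)    # CA-B as certified by CA-A
A_ROOT = Cert("CA-A", "CA-A", serial=1)     # CA-A's self-signed anchor
STORE = [A_CROSS, B_CROSS, A_ROOT]


if __name__ == "__main__":
    print(build_path(LEAF, STORE).subjects())
    print(build_path(LEAF, STORE, detect_loops=False).events)
```

With loop detection the walk is leaf, CA-A (cross), CA-B, then the cross-certificate for CA-A is rejected as already present and the self-signed CA-A root is taken instead, so a valid path is found and the loop is only reported. Without it the same store produces an eight-deep path that never reaches an anchor. When no other candidate exists, the loop report is followed by the ordinary "unable to get issuer" failure, which is why the entry calls PATH_LOOP a debug notification rather than a new fatal error.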
*) Improve forward-security support: add functions

  void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx, int (*cb)(SSL *ssl, int is_forward_secure))
  void SSL_set_not_resumable_session_callback(SSL *ssl, int (*cb)(SSL *ssl, int is_forward_secure))

for use by SSL/TLS servers; the callback function will be called whenever a
new session is created, and gets to decide whether the session may be
cached to make it resumable (return 0) or not (return 1). (As per the
SSL/TLS protocol specifications, the session_id sent by the server will be
empty to indicate that the session is not resumable; also, the server will
not generate RFC 4507 (RFC 5077) session tickets.)

A simple reasonable callback implementation is to return is_forward_secure.
This parameter will be set to 1 or 0 depending on the ciphersuite selected
by the SSL/TLS server library, indicating whether it can provide forward
security.
