Commit | Line | Data |
---|---|---|
81a6c781 | 1 | |
f1c236f8 | 2 | OpenSSL CHANGES |
651d0aff RE | 3 | _______________ |
651d0aff | 4 | |
480af99e | 5 | Changes between 1.0.0 and 1.1.0 [xx XXX xxxx] |
aaf35f11 | 6 | |
ee2ffc27 BL | 7 | *) Add Next Protocol Negotiation, |
ee2ffc27 | 8 | http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-00. Can be |
ee2ffc27 | 9 | disabled with a no-npn flag to config or Configure. Code donated |
ee2ffc27 | 10 | by Google. |
ee2ffc27 | 11 | [Adam Langley <agl@google.com> and Ben Laurie] |
ee2ffc27 | 12 | |
eb1c48be DSH | 13 | *) Use type ossl_ssize_t instead of ssize_t which isn't available on |
eb1c48be | 14 | all platforms. Move ssize_t definition from e_os.h to the public |
eb1c48be | 15 | header file e_os2.h as it now appears in public header file cms.h. |
eb1c48be | 16 | [Steve Henson] |
eb1c48be | 17 | |
1bf508c9 DSH | 18 | *) New function OPENSSL_gmtime_diff to find the difference in days |
1bf508c9 | 19 | and seconds between two tm structures. This will be used to provide |
1bf508c9 | 20 | additional functionality for ASN1_TIME. |
1bf508c9 | 21 | [Steve Henson] |
1bf508c9 | 22 | |
be449448 | 23 | *) New -sigopt option to the ca, req and x509 utilities. Additional |
4c623cdd | 24 | signature parameters can be passed using this option and in |
be449448 | 25 | particular PSS. |
4c623cdd DSH | 26 | [Steve Henson] |
4c623cdd | 27 | |
f26cf995 | 28 | *) Add RSA PSS signing function. This will generate and set the |
17c63d1c DSH | 29 | appropriate AlgorithmIdentifiers for PSS based on those in the |
17c63d1c | 30 | corresponding EVP_MD_CTX structure. No application support yet. |
17c63d1c | 31 | [Steve Henson] |
17c63d1c | 32 | |
85522a07 DSH | 33 | *) Support for companion algorithm specific ASN1 signing routines. |
85522a07 | 34 | New function ASN1_item_sign_ctx() signs a pre-initialised |
85522a07 | 35 | EVP_MD_CTX structure and sets AlgorithmIdentifiers based on |
85522a07 | 36 | the appropriate parameters. |
85522a07 | 37 | [Steve Henson] |
85522a07 | 38 | |
31904ecd DSH | 39 | *) Add new algorithm specific ASN1 verification initialisation function |
31904ecd | 40 | to EVP_PKEY_ASN1_METHOD: this is not in EVP_PKEY_METHOD since the ASN1 |
31904ecd | 41 | handling will be the same no matter what EVP_PKEY_METHOD is used. |
31904ecd | 42 | Add a PSS handler to support verification of PSS signatures: checked |
31904ecd | 43 | against a number of sample certificates. |
31904ecd | 44 | [Steve Henson] |
31904ecd | 45 | |
31904ecd | 46 | *) Add signature printing for PSS. Add PSS OIDs. |
ff04bbe3 | 47 | [Steve Henson, Martin Kaiser <lists@kaiser.cx>] |
fa1ba589 | 48 | |
ff04bbe3 DSH | 49 | *) Add algorithm specific signature printing. An individual ASN1 method |
ff04bbe3 | 50 | can now print out signatures instead of the standard hex dump. |
ff04bbe3 | 51 | |
ff04bbe3 | 52 | More complex signatures (e.g. PSS) can print out more meaningful |
ff04bbe3 | 53 | information. Include DSA version that prints out the signature |
ff04bbe3 | 54 | parameters r, s. |
fa1ba589 DSH | 55 | [Steve Henson] |
fa1ba589 | 56 | |
db28aa86 DSH | 57 | *) Add -trusted_first option which attempts to find certificates in the |
db28aa86 | 58 | trusted store even if an untrusted chain is also supplied. |
db28aa86 | 59 | [Steve Henson] |
db28aa86 | 60 | |
fbd21640 DSH | 61 | *) Initial experimental support for explicitly trusted non-root CAs. |
fbd21640 | 62 | OpenSSL still tries to build a complete chain to a root but if an |
fbd21640 | 63 | intermediate CA has a trust setting included that is used. The first |
fbd21640 | 64 | setting is used: whether to trust or reject. |
fbd21640 | 65 | [Steve Henson] |
fbd21640 | 66 | |
fbd21640 | 67 | *) New -verify_name option in command line utilities to set verification |
fbd21640 | 68 | parameters by name. |
fbd21640 | 69 | [Steve Henson] |
fbd21640 | 70 | |
8c968e03 | 71 | *) Initial CMAC implementation. WARNING: EXPERIMENTAL, API MAY CHANGE. |
c8ef656d | 72 | Add CMAC pkey methods. |
8c968e03 DSH | 73 | [Steve Henson] |
8c968e03 | 74 | |
08c23970 | 75 | *) Experimental renegotiation in s_server -www mode. If the client |
c2bf7208 | 76 | browses /reneg connection is renegotiated. If /renegcert it is |
da454e4c | 77 | renegotiated requesting a certificate. |
08c23970 DSH | 78 | [Steve Henson] |
08c23970 | 79 | |
5e631217 DSH | 80 | *) Add an "external" session cache for debugging purposes to s_server. This |
5e631217 | 81 | should help trace issues which normally are only apparent in deployed |
5e631217 | 82 | multi-process servers. |
5e631217 | 83 | [Steve Henson] |
5e631217 | 84 | |
d2a53c22 DSH | 85 | *) Experimental password based recipient info support for CMS library: |
d2a53c22 | 86 | implementing RFC3211. |
d2a53c22 | 87 | [Steve Henson] |
d2a53c22 | 88 | |
3d63b396 DSH | 89 | *) Split password based encryption into PBES2 and PBKDF2 functions. This |
3d63b396 | 90 | neatly separates the code into cipher and PBE sections and is required |
3d63b396 | 91 | for some algorithms that split PBES2 into separate pieces (such as |
3d63b396 | 92 | password based CMS). |
18e503f3 DSH | 93 | [Steve Henson] |
18e503f3 | 94 | |
b6dcdbfc DSH | 95 | *) Extensive audit of libcrypto with DEBUG_UNUSED. Fix many cases where |
b6dcdbfc | 96 | return value is ignored. NB. The functions RAND_add(), RAND_seed(), |
b6dcdbfc | 97 | BIO_set_cipher() and some obscure PEM functions were changed so they |
b6dcdbfc | 98 | can now return an error. The RAND changes required a change to the |
b6dcdbfc | 99 | RAND_METHOD structure. |
b6dcdbfc | 100 | [Steve Henson] |
b6dcdbfc | 101 | |
acf20c7d DSH | 102 | *) New macro __owur for "OpenSSL Warn Unused Result". This makes use of |
acf20c7d | 103 | a gcc attribute to warn if the result of a function is ignored. This |
acf20c7d | 104 | is enabled if DEBUG_UNUSED is set. Add to several functions in evp.h |
acf20c7d | 105 | whose return value is often ignored. |
acf20c7d | 106 | [Steve Henson] |
3cbb15ee | 107 | |
f96ccf36 DSH | 108 | Changes between 1.0.0 and 1.0.1 [xx XXX xxxx] |
f96ccf36 | 109 | |
7bbd0de8 DSH | 110 | *) Add call to ENGINE_register_all_complete() to |
7bbd0de8 | 111 | ENGINE_load_builtin_engines(), so some implementations get used |
7bbd0de8 | 112 | automatically instead of needing explicit application support. |
7bbd0de8 | 113 | [Steve Henson] |
7bbd0de8 | 114 | |
f96ccf36 DSH | 115 | *) Add support for TLS key exporter as described in RFC5705. |
f96ccf36 | 116 | [Robin Seggelmann <seggelmann@fh-muenster.de>, Steve Henson] |
f96ccf36 | 117 | |
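As an added illustration of the entry above (this is not OpenSSL's code, and the key material is constructed), the RFC 5705 exporter derivation modelled in Python for TLS 1.2 with the SHA-256 PRF of RFC 5246: the exporter is the PRF applied to the master secret, the caller's label, both handshake randoms and, when present, a length-prefixed context. The function names (`p_hash`, `tls12_prf`, `export_keying_material`, `demo`) are this example's own.

```python
import hashlib
import hmac
from typing import Dict, Optional


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion (RFC 5246 section 5): HMAC chained through A(i)."""
    out = b""
    a = seed                                                        # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_<hash>(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def export_keying_material(master_secret: bytes, client_random: bytes,
                           server_random: bytes, label: bytes,
                           context: Optional[bytes], length: int) -> bytes:
    """RFC 5705 section 4: PRF(master_secret, label,
    client_random + server_random [+ context_length + context])."""
    seed = client_random + server_random
    if context is not None:
        # Two-byte big-endian length prefix. An absent context and an empty
        # context are deliberately distinct inputs.
        seed += len(context).to_bytes(2, "big") + context
    return tls12_prf(master_secret, label, seed, length)


# Constructed sample handshake values (not real secrets).
MASTER_SECRET = bytes(range(48))
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32
LABEL = b"EXPERIMENTAL-example"   # unregistered labels carry the EXPERIMENTAL prefix


def demo() -> Dict[str, bytes]:
    """Derive 32 bytes for the same label with no context, an empty context and a real one."""
    return {
        "no_context": export_keying_material(MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM,
                                             LABEL, None, 32),
        "empty_context": export_keying_material(MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM,
                                                LABEL, b"", 32),
        "with_context": export_keying_material(MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM,
                                               LABEL, b"channel-1", 32),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14s} {value.hex()}")
```

Both peers compute the same value because both hold the master secret and randoms, which is what lets an application bind its own protocol to the TLS session; the three outputs differ, so a context must be agreed exactly (absent, empty and non-empty are three different things).

Commit | Line | Data |
---|---|---|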
f96ccf36 | 118 | *) Initial TLSv1.1 support. Since TLSv1.1 is very similar to TLS v1.0 only |
f96ccf36 | 119 | a few changes are required: |
f96ccf36 | 120 | |
f96ccf36 | 121 | Add SSL_OP_NO_TLSv1_1 flag. |
f96ccf36 | 122 | Add TLSv1_1 methods. |
f96ccf36 | 123 | Update version checking logic to handle version 1.1. |
f96ccf36 | 124 | Add explicit IV handling (ported from DTLS code). |
f96ccf36 | 125 | Add command line options to s_client/s_server. |
f96ccf36 | 126 | [Steve Henson] |
f96ccf36 | 127 | |
223c59ea DSH | 128 | Changes between 1.0.0a and 1.0.0b [xx XXX xxxx] |
223c59ea | 129 | |
223c59ea | 130 | |
223c59ea | 131 | *) Fix WIN32 build system to correctly link an ENGINE directory into |
223c59ea | 132 | a DLL. |
223c59ea | 133 | [Steve Henson] |
223c59ea | 134 | |
3cbb15ee DSH | 135 | Changes between 1.0.0 and 1.0.0a [xx XXX xxxx] |
3cbb15ee | 136 | |
3cbb15ee | 137 | *) Check return value of int_rsa_verify in pkey_rsa_verifyrecover |
3cbb15ee | 138 | (CVE-2010-1633) |
3cbb15ee | 139 | [Steve Henson, Peter-Michael Hager <hager@dortmund.net>] |
acf20c7d | 140 | |
3e8b6485 | 141 | Changes between 0.9.8n and 1.0.0 [xx XXX xxxx] |
3d63b396 | 142 | |
c2bf7208 DSH | 143 | *) Add "missing" function EVP_CIPHER_CTX_copy(). This copies a cipher |
c2bf7208 | 144 | context. The operation can be customised via the ctrl mechanism in |
c2bf7208 | 145 | case ENGINEs want to include additional functionality. |
c2bf7208 | 146 | [Steve Henson] |
c2bf7208 | 147 | |
ba64ae6c DSH | 148 | *) Tolerate yet another broken PKCS#8 key format: private key value negative. |
ba64ae6c | 149 | [Steve Henson] |
ba64ae6c | 150 | |
0e0c6821 DSH | 151 | *) Add new -subject_hash_old and -issuer_hash_old options to x509 utility to |
0e0c6821 | 152 | output hashes compatible with older versions of OpenSSL. |
0e0c6821 | 153 | [Willy Weisz <weisz@vcpc.univie.ac.at>] |
0e0c6821 | 154 | |
e6f418bc DSH | 155 | *) Fix compression algorithm handling: if resuming a session use the |
e6f418bc | 156 | compression algorithm of the resumed session instead of determining |
e6f418bc | 157 | it from client hello again. Don't allow server to change algorithm. |
e6f418bc | 158 | [Steve Henson] |
e6f418bc | 159 | |
3d63b396 DSH | 160 | *) Add load_crls() function to apps tidying load_certs() too. Add option |
3d63b396 | 161 | to verify utility to allow additional CRLs to be included. |
3d63b396 | 162 | [Steve Henson] |
3d63b396 | 163 | |
3d63b396 | 164 | *) Update OCSP request code to permit adding custom headers to the request: |
3d63b396 | 165 | some responders need this. |
3d63b396 | 166 | [Steve Henson] |
3d63b396 | 167 | |
a25f33d2 DSH | 168 | *) The function EVP_PKEY_sign() returns <=0 on error: check return code |
a25f33d2 | 169 | correctly. |
a25f33d2 | 170 | [Julia Lawall <julia@diku.dk>] |
a25f33d2 | 171 | |
17716680 DSH | 172 | *) Update verify callback code in apps/s_cb.c and apps/verify.c, it |
17716680 | 173 | needlessly dereferenced structures, used obsolete functions and |
17716680 | 174 | didn't handle all updated verify codes correctly. |
17716680 | 175 | [Steve Henson] |
17716680 | 176 | |
480af99e | 177 | *) Disable MD2 in the default configuration. |
0e4bc563 DSH | 178 | [Steve Henson] |
0e4bc563 | 179 | |
e30dd20c DSH | 180 | *) In BIO_pop() and BIO_push() use the ctrl argument (which was NULL) to |
e30dd20c | 181 | indicate the initial BIO being pushed or popped. This makes it possible |
e30dd20c | 182 | to determine whether the BIO is the one explicitly called or as a result |
e30dd20c | 183 | of the ctrl being passed down the chain. Fix BIO_pop() and SSL BIOs so |
e30dd20c | 184 | it handles reference counts correctly and doesn't zero out the I/O bio |
e30dd20c | 185 | when it is not being explicitly popped. WARNING: applications which |
e30dd20c | 186 | included workarounds for the old buggy behaviour will need to be modified |
e30dd20c | 187 | or they could free up already freed BIOs. |
e30dd20c | 188 | [Steve Henson] |
e30dd20c | 189 | |
480af99e BM | 190 | *) Extend the uni2asc/asc2uni => OPENSSL_uni2asc/OPENSSL_asc2uni |
480af99e | 191 | renaming to all platforms (within the 0.9.8 branch, this was |
480af99e | 192 | done conditionally on Netware platforms to avoid a name clash). |
c05353c5 DSH | 193 | [Guenter <lists@gknw.net>] |
c05353c5 | 194 | |
d741ccad DSH | 195 | *) Add ECDHE and PSK support to DTLS. |
d741ccad | 196 | [Michael Tuexen <tuexen@fh-muenster.de>] |
d741ccad | 197 | |
5f8f94a6 DSH | 198 | *) Add CHECKED_STACK_OF macro to safestack.h, otherwise safestack can't |
5f8f94a6 | 199 | be used on C++. |
5f8f94a6 | 200 | [Steve Henson] |
5f8f94a6 | 201 | |
e5fa864f DSH | 202 | *) Add "missing" function EVP_MD_flags() (without this the only way to |
e5fa864f | 203 | retrieve a digest's flags is by accessing the structure directly). Update |
e5fa864f | 204 | EVP_MD_do_all*() and EVP_CIPHER_do_all*() to include the name a digest |
e5fa864f | 205 | or cipher is registered as in the "from" argument. Print out all |
e5fa864f | 206 | registered digests in the dgst usage message instead of manually |
e5fa864f | 207 | attempting to work them out. |
e5fa864f | 208 | [Steve Henson] |
e5fa864f | 209 | |
22c98d4a DSH | 210 | *) If no SSLv2 ciphers are used don't use an SSLv2 compatible client hello: |
22c98d4a | 211 | this allows the use of compression and extensions. Change default cipher |
22c98d4a | 212 | string to remove SSLv2 ciphersuites. This effectively avoids ancient SSLv2 |
22c98d4a | 213 | by default unless an application cipher string requests it. |
22c98d4a | 214 | [Steve Henson] |
22c98d4a | 215 | |
14023fe3 DSH | 216 | *) Alter match criteria in PKCS12_parse(). It used to try to use local |
14023fe3 | 217 | key ids to find matching certificates and keys but some PKCS#12 files |
14023fe3 | 218 | don't follow the (somewhat unwritten) rules and this strategy fails. |
14023fe3 | 219 | Now just gather all certificates together and the first private key |
14023fe3 | 220 | then look for the first certificate that matches the key. |
14023fe3 | 221 | [Steve Henson] |
14023fe3 | 222 | |
aaf35f11 DSH | 223 | *) Support use of registered digest and cipher names for dgst and cipher |
aaf35f11 | 224 | commands instead of having to add each one as a special case. So now |
aaf35f11 | 225 | you can do: |
aaf35f11 | 226 | |
aaf35f11 | 227 | openssl sha256 foo |
aaf35f11 | 228 | |
aaf35f11 | 229 | as well as: |
aaf35f11 | 230 | |
aaf35f11 | 231 | openssl dgst -sha256 foo |
aaf35f11 | 232 | |
aaf35f11 | 233 | and this works for ENGINE based algorithms too. |
aaf35f11 | 234 | |
aaf35f11 | 235 | [Steve Henson] |
3ff55e96 | 236 | |
b6af2c7e DSH | 237 | *) Update Gost ENGINE to support parameter files. |
b6af2c7e | 238 | [Victor B. Wagner <vitus@cryptocom.ru>] |
b6af2c7e | 239 | |
33ab2e31 DSH | 240 | *) Support GeneralizedTime in ca utility. |
33ab2e31 | 241 | [Oliver Martin <oliver@volatilevoid.net>, Steve Henson] |
33ab2e31 | 242 | |
c2c99e28 DSH | 243 | *) Enhance the hash format used for certificate directory links. The new |
c2c99e28 | 244 | form uses the canonical encoding (meaning equivalent names will work |
c2c99e28 | 245 | even if they aren't identical) and uses SHA1 instead of MD5. This form |
c2c99e28 | 246 | is incompatible with the older format and as a result c_rehash should |
c2c99e28 | 247 | be used to rebuild symbolic links. |
c2c99e28 | 248 | [Steve Henson] |
c2c99e28 | 249 | |
8125d9f9 DSH | 250 | *) Make PKCS#8 the default write format for private keys, replacing the |
8125d9f9 | 251 | traditional format. This form is standardised, more secure and doesn't |
8125d9f9 | 252 | include an implicit MD5 dependency. |
8125d9f9 | 253 | [Steve Henson] |
8125d9f9 | 254 | |
363bd0b4 DSH | 255 | *) Add a $gcc_devteam_warn option to Configure. The idea is that any code |
363bd0b4 | 256 | committed to OpenSSL should pass this lot as a minimum. |
363bd0b4 | 257 | [Steve Henson] |
363bd0b4 | 258 | |
12bf56c0 DSH | 259 | *) Add session ticket override functionality for use by EAP-FAST. |
12bf56c0 | 260 | [Jouni Malinen <j@w1.fi>] |
12bf56c0 | 261 | |
87d52468 DSH | 262 | *) Modify HMAC functions to return a value. Since these can be implemented |
87d52468 | 263 | in an ENGINE errors can occur. |
87d52468 | 264 | [Steve Henson] |
87d52468 | 265 | |
1ea6472e BL | 266 | *) Type-checked OBJ_bsearch_ex. |
1ea6472e | 267 | [Ben Laurie] |
1ea6472e | 268 | |
babb3798 BL | 269 | *) Type-checked OBJ_bsearch. Also some constification necessitated |
babb3798 | 270 | by type-checking. Still to come: TXT_DB, bsearch(?), |
babb3798 | 271 | OBJ_bsearch_ex, qsort, CRYPTO_EX_DATA, ASN1_VALUE, ASN1_STRING, |
1ea6472e BL | 272 | CONF_VALUE. |
1ea6472e | 273 | [Ben Laurie] |
babb3798 | 274 | |
87d3a0cd DSH | 275 | *) New function OPENSSL_gmtime_adj() to add a specific number of days and |
87d3a0cd | 276 | seconds to a tm structure directly, instead of going through OS |
87d3a0cd | 277 | specific date routines. This avoids any issues with OS routines such |
87d3a0cd | 278 | as the year 2038 bug. New *_adj() functions for ASN1 time structures |
87d3a0cd | 279 | and X509_time_adj_ex() to cover the extended range. The existing |
87d3a0cd | 280 | X509_time_adj() is still usable and will no longer have any date issues. |
87d3a0cd | 281 | [Steve Henson] |
87d3a0cd | 282 | |
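An added example (not OpenSSL's implementation) of the idea behind the OPENSSL_gmtime_adj() entry above and the OPENSSL_gmtime_diff() entry in the 1.1.0 section: broken-down UTC times are adjusted and compared with integer day arithmetic only, never through time_t, so dates past 2038 are handled like any other. The civil-date conversion is Howard Hinnant's proleptic Gregorian algorithm; the function names and the six-tuple representation of a tm are this example's own.

```python
from typing import Tuple

SECS_PER_DAY = 86400
Tm = Tuple[int, int, int, int, int, int]   # (year, month, day, hour, minute, second), UTC


def days_from_civil(y: int, m: int, d: int) -> int:
    """Days since 1970-01-01 for a proleptic Gregorian date (pure integer arithmetic)."""
    y -= m <= 2                       # count the year from March so February is last
    era = y // 400
    yoe = y - era * 400               # year of era, 0..399
    doy = (153 * (m + (-3 if m > 2 else 9)) + 2) // 5 + d - 1
    doe = yoe * 365 + yoe // 4 - yoe // 100 + doy
    return era * 146097 + doe - 719468


def civil_from_days(z: int) -> Tuple[int, int, int]:
    """Inverse of days_from_civil."""
    z += 719468
    era = z // 146097
    doe = z - era * 146097
    yoe = (doe - doe // 1460 + doe // 36524 - doe // 146096) // 365
    y = yoe + era * 400
    doy = doe - (365 * yoe + yoe // 4 - yoe // 100)
    mp = (5 * doy + 2) // 153
    d = doy - (153 * mp + 2) // 5 + 1
    m = mp + (3 if mp < 10 else -9)
    return (y + (m <= 2), m, d)


def _to_day_sec(tm: Tm) -> Tuple[int, int]:
    y, mo, d, h, mi, s = tm
    return days_from_civil(y, mo, d), h * 3600 + mi * 60 + s


def gmtime_adj(tm: Tm, days: int, secs: int) -> Tm:
    """Add days and seconds (either may be negative) directly to a broken-down time."""
    day, sec = _to_day_sec(tm)
    total = (day + days) * SECS_PER_DAY + sec + secs
    day, sec = divmod(total, SECS_PER_DAY)      # floor division keeps sec in 0..86399
    y, mo, d = civil_from_days(day)
    return (y, mo, d, sec // 3600, (sec % 3600) // 60, sec % 60)


def gmtime_diff(a: Tm, b: Tm) -> Tuple[int, int]:
    """Difference b - a as (days, seconds), both carrying the same sign."""
    da, sa = _to_day_sec(a)
    db, sb = _to_day_sec(b)
    total = (db - da) * SECS_PER_DAY + (sb - sa)
    days, secs = divmod(abs(total), SECS_PER_DAY)
    return (days, secs) if total >= 0 else (-days, -secs)


if __name__ == "__main__":
    # One second past the 32-bit time_t limit, computed without touching time_t.
    print(gmtime_adj((2038, 1, 19, 3, 14, 7), 0, 1))
    print(gmtime_diff((2000, 1, 1, 0, 0, 0), (2040, 2, 29, 12, 0, 0)))
```

The same day-number trick is what lets certificate validity arithmetic (notBefore/notAfter plus an offset) stay correct on platforms whose time_t is 32-bit.

Commit | Line | Data |
---|---|---|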
d43c4497 DSH | 283 | *) Delta CRL support. New use deltas option which will attempt to locate |
d43c4497 | 284 | and search any appropriate delta CRLs available. |
d43c4497 | 285 | |
d43c4497 | 286 | This work was sponsored by Google. |
d43c4497 | 287 | [Steve Henson] |
d43c4497 | 288 | |
4b96839f DSH | 289 | *) Support for CRLs partitioned by reason code. Reorganise CRL processing |
4b96839f | 290 | code and add additional score elements. Validate alternate CRL paths |
4b96839f | 291 | as part of the CRL checking and indicate a new error "CRL path validation |
4b96839f | 292 | error" in this case. Applications wanting additional details can use |
4b96839f | 293 | the verify callback and check the new "parent" field. If this is not |
4b96839f | 294 | NULL CRL path validation is taking place. Existing applications won't |
4b96839f | 295 | see this because it requires extended CRL support which is off by |
4b96839f | 296 | default. |
4b96839f | 297 | |
4b96839f | 298 | This work was sponsored by Google. |
4b96839f | 299 | [Steve Henson] |
4b96839f | 300 | |
249a77f5 DSH | 301 | *) Support for freshest CRL extension. |
249a77f5 | 302 | |
249a77f5 | 303 | This work was sponsored by Google. |
249a77f5 | 304 | [Steve Henson] |
249a77f5 | 305 | |
d0fff69d DSH | 306 | *) Initial indirect CRL support. Currently only supported in the CRLs |
d0fff69d | 307 | passed directly and not via lookup. Process certificate issuer |
d0fff69d | 308 | CRL entry extension and lookup CRL entries by both issuer name |
4b96839f | 309 | and serial number. Check and process CRL issuer entry in IDP extension. |
d0fff69d DSH | 310 | |
d0fff69d | 311 | This work was sponsored by Google. |
d0fff69d | 312 | [Steve Henson] |
d0fff69d | 313 | |
9d84d4ed DSH | 314 | *) Add support for distinct certificate and CRL paths. The CRL issuer |
9d84d4ed | 315 | certificate is validated separately in this case. Only enabled if |
9d84d4ed | 316 | an extended CRL support flag is set: this flag will enable additional |
9d84d4ed | 317 | CRL functionality in future. |
9d84d4ed | 318 | |
9d84d4ed | 319 | This work was sponsored by Google. |
9d84d4ed | 320 | [Steve Henson] |
9d84d4ed | 321 | |
002e66c0 DSH | 322 | *) Add support for policy mappings extension. |
002e66c0 | 323 | |
002e66c0 | 324 | This work was sponsored by Google. |
002e66c0 | 325 | [Steve Henson] |
002e66c0 | 326 | |
e9746e03 DSH | 327 | *) Fixes to pathlength constraint, self issued certificate handling, |
e9746e03 | 328 | policy processing to align with RFC3280 and PKITS tests. |
e9746e03 | 329 | |
e9746e03 | 330 | This work was sponsored by Google. |
e9746e03 | 331 | [Steve Henson] |
e9746e03 | 332 | |
e9746e03 | 333 | *) Support for name constraints certificate extension. DN, email, DNS |
e9746e03 | 334 | and URI types are currently supported. |
e9746e03 | 335 | |
e9746e03 | 336 | This work was sponsored by Google. |
e9746e03 | 337 | [Steve Henson] |
e9746e03 | 338 | |
4c329696 GT | 339 | *) To cater for systems that provide a pointer-based thread ID rather |
4c329696 | 340 | than numeric, deprecate the current numeric thread ID mechanism and |
4c329696 | 341 | replace it with a structure and associated callback type. This |
4c329696 | 342 | mechanism allows a numeric "hash" to be extracted from a thread ID in |
4c329696 | 343 | either case, and on platforms where pointers are larger than 'long', |
4c329696 | 344 | mixing is done to help ensure the numeric 'hash' is usable even if it |
4c329696 | 345 | can't be guaranteed unique. The default mechanism is to use "&errno" |
4c329696 | 346 | as a pointer-based thread ID to distinguish between threads. |
4c329696 | 347 | |
4c329696 | 348 | Applications that want to provide their own thread IDs should now use |
4c329696 | 349 | CRYPTO_THREADID_set_callback() to register a callback that will call |
4c329696 | 350 | either CRYPTO_THREADID_set_numeric() or CRYPTO_THREADID_set_pointer(). |
4c329696 | 351 | |
2ecd2ede BM | 352 | Note that ERR_remove_state() is now deprecated, because it is tied |
2ecd2ede | 353 | to the assumption that thread IDs are numeric. ERR_remove_state(0) |
2ecd2ede | 354 | to free the current thread's error state should be replaced by |
2ecd2ede | 355 | ERR_remove_thread_state(NULL). |
2ecd2ede | 356 | |
4c329696 GT | 357 | (This new approach replaces the functions CRYPTO_set_idptr_callback(), |
4c329696 | 358 | CRYPTO_get_idptr_callback(), and CRYPTO_thread_idptr() that existed in |
4c329696 | 359 | OpenSSL 0.9.9-dev between June 2006 and August 2008. Also, if an |
4c329696 | 360 | application was previously providing a numeric thread callback that |
4c329696 | 361 | was inappropriate for distinguishing threads, then uniqueness might |
4c329696 | 362 | have been obtained with &errno that happened immediately in the |
4c329696 | 363 | intermediate development versions of OpenSSL; this is no longer the |
4c329696 | 364 | case, the numeric thread callback will now override the automatic use |
4c329696 | 365 | of &errno.) |
4c329696 | 366 | [Geoff Thorpe, with help from Bodo Moeller] |
4c329696 | 367 | |
5cbd2033 DSH | 368 | *) Initial support for different CRL issuing certificates. This covers a |
5cbd2033 | 369 | simple case where the self issued certificates in the chain exist and |
5cbd2033 | 370 | the real CRL issuer is higher in the existing chain. |
e9746e03 DSH | 371 | |
e9746e03 | 372 | This work was sponsored by Google. |
5cbd2033 DSH | 373 | [Steve Henson] |
5cbd2033 | 374 | |
5ce278a7 BL | 375 | *) Removed effectively defunct crypto/store from the build. |
5ce278a7 | 376 | [Ben Laurie] |
5ce278a7 | 377 | |
5ce278a7 | 378 | *) Revamp of STACK to provide stronger type-checking. Still to come: |
5ce278a7 | 379 | TXT_DB, bsearch(?), OBJ_bsearch, qsort, CRYPTO_EX_DATA, ASN1_VALUE, |
5ce278a7 | 380 | ASN1_STRING, CONF_VALUE. |
5ce278a7 | 381 | [Ben Laurie] |
5ce278a7 | 382 | |
8671b898 BL | 383 | *) Add a new SSL_MODE_RELEASE_BUFFERS mode flag to release unused buffer |
8671b898 | 384 | RAM on SSL connections. This option can save about 34k per idle SSL. |
8671b898 | 385 | [Nick Mathewson] |
8671b898 | 386 | |
3c1d6bbc BL | 387 | *) Revamp of LHASH to provide stronger type-checking. Still to come: |
3c1d6bbc | 388 | STACK, TXT_DB, bsearch, qsort. |
3c1d6bbc | 389 | [Ben Laurie] |
3c1d6bbc | 390 | |
8931b30d DSH | 391 | *) Initial support for Cryptographic Message Syntax (aka CMS) based |
8931b30d | 392 | on RFC3850, RFC3851 and RFC3852. New cms directory and cms utility, |
fd47c361 | 393 | support for data, signedData, compressedData, digestedData and |
eb9d8d8c DSH | 394 | encryptedData, envelopedData types included. Scripts to check against |
eb9d8d8c | 395 | RFC4134 examples draft and interop and consistency checks of many |
eb9d8d8c | 396 | content types and variants. |
8931b30d DSH | 397 | [Steve Henson] |
8931b30d | 398 | |
3df93571 | 399 | *) Add options to enc utility to support use of zlib compression BIO. |
8931b30d DSH | 400 | [Steve Henson] |
8931b30d | 401 | |
73980531 DSH | 402 | *) Extend mk1mf to support importing of options and assembly language |
73980531 | 403 | files from Configure script, currently only included in VC-WIN32. |
73980531 | 404 | The assembly language rules can now optionally generate the source |
73980531 | 405 | files from the associated perl scripts. |
73980531 | 406 | [Steve Henson] |
73980531 | 407 | |
0e1dba93 DSH | 408 | *) Implement remaining functionality needed to support GOST ciphersuites. |
0e1dba93 | 409 | Interop testing has been performed using CryptoPro implementations. |
0e1dba93 | 410 | [Victor B. Wagner <vitus@cryptocom.ru>] |
0e1dba93 | 411 | |
0023adb4 AP | 412 | *) s390x assembler pack. |
0023adb4 | 413 | [Andy Polyakov] |
0023adb4 | 414 | |
4c7c5ff6 AP | 415 | *) ARMv4 assembler pack. ARMv4 refers to v4 and later ISA, not CPU |
4c7c5ff6 | 416 | "family." |
4c7c5ff6 | 417 | [Andy Polyakov] |
4c7c5ff6 | 418 | |
761772d7 BM | 419 | *) Implement Opaque PRF Input TLS extension as specified in |
761772d7 | 420 | draft-rescorla-tls-opaque-prf-input-00.txt. Since this is not an |
761772d7 | 421 | official specification yet and no extension type assignment by |
761772d7 | 422 | IANA exists, this extension (for now) will have to be explicitly |
761772d7 | 423 | enabled when building OpenSSL by providing the extension number |
761772d7 | 424 | to use. For example, specify an option |
761772d7 | 425 | |
761772d7 | 426 | -DTLSEXT_TYPE_opaque_prf_input=0x9527 |
761772d7 | 427 | |
761772d7 | 428 | to the "config" or "Configure" script to enable the extension, |
761772d7 | 429 | assuming extension number 0x9527 (which is a completely arbitrary |
761772d7 | 430 | and unofficial assignment based on the MD5 hash of the Internet |
761772d7 | 431 | Draft). Note that by doing so, you potentially lose |
761772d7 | 432 | interoperability with other TLS implementations since these might |
761772d7 | 433 | be using the same extension number for other purposes. |
761772d7 | 434 | |
761772d7 | 435 | SSL_set_tlsext_opaque_prf_input(ssl, src, len) is used to set the |
761772d7 | 436 | opaque PRF input value to use in the handshake. This will create |
761772d7 | 437 | an internal copy of the length-'len' string at 'src', and will |
761772d7 | 438 | return non-zero for success. |
761772d7 | 439 | |
761772d7 | 440 | To get more control and flexibility, provide a callback function |
761772d7 | 441 | by using |
761772d7 | 442 | |
761772d7 | 443 | SSL_CTX_set_tlsext_opaque_prf_input_callback(ctx, cb) |
761772d7 | 444 | SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(ctx, arg) |
761772d7 | 445 | |
761772d7 | 446 | where |
761772d7 | 447 | |
761772d7 | 448 | int (*cb)(SSL *, void *peerinput, size_t len, void *arg); |
761772d7 | 449 | void *arg; |
761772d7 | 450 | |
761772d7 | 451 | Callback function 'cb' will be called in handshakes, and is |
761772d7 | 452 | expected to use SSL_set_tlsext_opaque_prf_input() as appropriate. |
761772d7 | 453 | Argument 'arg' is for application purposes (the value as given to |
761772d7 | 454 | SSL_CTX_set_tlsext_opaque_prf_input_callback_arg() will directly |
761772d7 | 455 | be provided to the callback function). The callback function |
761772d7 | 456 | has to return non-zero to report success: usually 1 to use opaque |
761772d7 | 457 | PRF input just if possible, or 2 to enforce use of the opaque PRF |
761772d7 | 458 | input. In the latter case, the library will abort the handshake |
761772d7 | 459 | if opaque PRF input is not successfully negotiated. |
761772d7 | 460 | |
761772d7 | 461 | Arguments 'peerinput' and 'len' given to the callback function |
761772d7 | 462 | will always be NULL and 0 in the case of a client. A server will |
761772d7 | 463 | see the client's opaque PRF input through these variables if |
761772d7 | 464 | available (NULL and 0 otherwise). Note that if the server |
761772d7 | 465 | provides an opaque PRF input, the length must be the same as the |
761772d7 | 466 | length of the client's opaque PRF input. |
761772d7 | 467 | |
761772d7 | 468 | Note that the callback function will only be called when creating |
761772d7 | 469 | a new session (session resumption can resume whatever was |
761772d7 | 470 | previously negotiated), and will not be called in SSL 2.0 |
761772d7 | 471 | handshakes; thus, SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) or |
761772d7 | 472 | SSL_set_options(ssl, SSL_OP_NO_SSLv2) is especially recommended |
761772d7 | 473 | for applications that need to enforce opaque PRF input. |
761772d7 | 474 | |
761772d7 | 475 | [Bodo Moeller] |
761772d7 | 476 | |
81025661 DSH | 477 | *) Update ssl code to support digests other than SHA1+MD5 for handshake |
81025661 | 478 | MAC. |
81025661 | 479 | |
81025661 | 480 | [Victor B. Wagner <vitus@cryptocom.ru>] |
81025661 | 481 | |
6434abbf DSH | 482 | *) Add RFC4507 support to OpenSSL. This includes the corrections in |
6434abbf | 483 | RFC4507bis. The encrypted ticket format is an encrypted encoded |
6434abbf | 484 | SSL_SESSION structure, that way new session features are automatically |
6434abbf | 485 | supported. |
6434abbf | 486 | |
ba0e826d DSH | 487 | If a client application caches session in an SSL_SESSION structure |
ba0e826d | 488 | support is transparent because tickets are now stored in the encoded |
ba0e826d | 489 | SSL_SESSION. |
ba0e826d | 490 | |
ba0e826d | 491 | The SSL_CTX structure automatically generates keys for ticket |
ba0e826d | 492 | protection in servers so again support should be possible |
6434abbf DSH | 493 | with no application modification. |
6434abbf | 494 | |
6434abbf | 495 | If a client or server wishes to disable RFC4507 support then the option |
6434abbf | 496 | SSL_OP_NO_TICKET can be set. |
6434abbf | 497 | |
6434abbf | 498 | Add a TLS extension debugging callback to allow the contents of any client |
6434abbf | 499 | or server extensions to be examined. |
ec5d7473 DSH | 500 | |
ec5d7473 | 501 | This work was sponsored by Google. |
6434abbf DSH | 502 | [Steve Henson] |
6434abbf | 503 | |
3c07d3a3 DSH | 504 | *) Final changes to avoid use of pointer pointer casts in OpenSSL. |
3c07d3a3 | 505 | OpenSSL should now compile cleanly on gcc 4.2. |
3c07d3a3 | 506 | [Peter Hartley <pdh@utter.chaos.org.uk>, Steve Henson] |
3c07d3a3 | 507 | |
b948e2c5 DSH | 508 | *) Update SSL library to use new EVP_PKEY MAC API. Include generic MAC |
b948e2c5 | 509 | support including streaming MAC support: this is required for GOST |
b948e2c5 | 510 | ciphersuite support. |
b948e2c5 | 511 | [Victor B. Wagner <vitus@cryptocom.ru>, Steve Henson] |
b948e2c5 | 512 | |
9cfc8a9d DSH | 513 | *) Add option -stream to use PKCS#7 streaming in smime utility. New |
9cfc8a9d | 514 | function i2d_PKCS7_bio_stream() and PEM_write_PKCS7_bio_stream() |
9cfc8a9d | 515 | to output in BER and PEM format. |
9cfc8a9d | 516 | [Steve Henson] |
9cfc8a9d | 517 | |
47b71e6e DSH | 518 | *) Experimental support for use of HMAC via EVP_PKEY interface. This |
47b71e6e | 519 | allows HMAC to be handled via the EVP_DigestSign*() interface. The |
47b71e6e | 520 | EVP_PKEY "key" in this case is the HMAC key, potentially allowing |
2022cfe0 DSH | 521 | ENGINE support for HMAC keys which are unextractable. New -mac and |
2022cfe0 | 522 | -macopt options to dgst utility. |
47b71e6e DSH | 523 | [Steve Henson] |
47b71e6e | 524 | |
d952c79a DSH | 525 | *) New option -sigopt to dgst utility. Update dgst to use |
d952c79a | 526 | EVP_Digest{Sign,Verify}*. These two changes make it possible to use |
d952c79a | 527 | alternative signing parameters such as X9.31 or PSS in the dgst |
d952c79a | 528 | utility. |
d952c79a | 529 | [Steve Henson] |
d952c79a | 530 | |
fd5bc65c BM | 531 | *) Change ssl_cipher_apply_rule(), the internal function that does |
fd5bc65c | 532 | the work each time a ciphersuite string requests enabling |
fd5bc65c | 533 | ("foo+bar"), moving ("+foo+bar"), disabling ("-foo+bar"), or |
fd5bc65c | 534 | removing ("!foo+bar") a class of ciphersuites: Now it maintains |
fd5bc65c | 535 | the order of disabled ciphersuites such that those ciphersuites |
fd5bc65c | 536 | that most recently went from enabled to disabled not only stay |
fd5bc65c | 537 | in order with respect to each other, but also have higher priority |
fd5bc65c | 538 | than other disabled ciphersuites the next time ciphersuites are |
fd5bc65c | 539 | enabled again. |
fd5bc65c | 540 | |
fd5bc65c | 541 | This means that you can now say, e.g., "PSK:-PSK:HIGH" to enable |
fd5bc65c | 542 | the same ciphersuites as with "HIGH" alone, but in a specific |
fd5bc65c | 543 | order where the PSK ciphersuites come first (since they are the |
fd5bc65c | 544 | most recently disabled ciphersuites when "HIGH" is parsed). |
fd5bc65c | 545 | |
fd5bc65c | 546 | Also, change ssl_create_cipher_list() (using this new |
fd5bc65c | 547 | functionality) such that between otherwise identical |
fd5bc65c | 548 | ciphersuites, ephemeral ECDH is preferred over ephemeral DH in |
fd5bc65c | 549 | the default order. |
fd5bc65c | 550 | [Bodo Moeller] |
fd5bc65c | 551 | |
52b8dad8 BM |
562 | *) Split the SSL/TLS algorithm mask (as used for ciphersuite string |
563 | processing) into multiple integers instead of setting | |
564 | "SSL_MKEY_MASK" bits, "SSL_AUTH_MASK" bits, "SSL_ENC_MASK", | |
565 | "SSL_MAC_MASK", and "SSL_SSL_MASK" bits all in a single integer. | |
566 | (These masks as well as the individual bit definitions are hidden | |
567 | away into the non-exported interface ssl/ssl_locl.h, so this | |
568 | change to the definition of the SSL_CIPHER structure shouldn't | |
569 | affect applications.) This give us more bits for each of these | |
570 | categories, so there is no longer a need to coagulate AES128 and | |
571 | AES256 into a single algorithm bit, and to coagulate Camellia128 | |
572 | and Camellia256 into a single algorithm bit, which has led to all | |
573 | kinds of kludges. | |
574 | ||
575 | Thus, among other things, the kludge introduced in 0.9.7m and | |
576 | 0.9.8e for masking out AES256 independently of AES128 or masking | |
577 | out Camellia256 independently of AES256 is not needed here in 0.9.9. | |
578 | ||
579 | With the change, we also introduce new ciphersuite aliases that | |
580 | so far were missing: "AES128", "AES256", "CAMELLIA128", and | |
581 | "CAMELLIA256". | |
582 | [Bodo Moeller] | |
583 | ||
357d5de5 NL |
584 | *) Add support for dsa-with-SHA224 and dsa-with-SHA256. |
585 | Use the leftmost N bytes of the signature input if the input is | |
586 | larger than the prime q (with N being the size in bytes of q). | |
587 | [Nils Larsch] | |
588 | ||
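An added example (not OpenSSL's DSA code) showing where the truncation rule from the entry above sits inside DSA: the digest is cut to the leftmost N bytes, N being the byte length of q, before it enters the signing and verification equations. The domain parameters here are constructed and far too small for real use (q = 101, p = 607 = 6q + 1, g = 2^6 mod p), chosen so the arithmetic can be checked by hand; with a 160-bit q and SHA-224 the same function keeps 20 of the 28 digest bytes, which is the dsa-with-SHA224 case. The function names are this example's own.

```python
import hashlib
import secrets
from typing import Callable, Optional, Tuple

# Constructed toy domain parameters: q prime, p = 6*q + 1 prime, g of order q in Z_p*.
P, Q, G = 607, 101, 64


def digest_to_int(digest: bytes, q: int) -> int:
    """Signature input from a digest: if the digest is longer than q, keep only
    the leftmost N bytes, N = byte length of q (the rule in the entry above)."""
    n = (q.bit_length() + 7) // 8
    return int.from_bytes(digest[:n], "big")


def keygen(x: Optional[int] = None) -> Tuple[int, int]:
    """Return (private x, public y = g^x mod p); x is random unless supplied."""
    if x is None:
        x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign(x: int, msg: bytes, hashfn: Callable = hashlib.sha256) -> Tuple[int, int]:
    h = digest_to_int(hashfn(msg).digest(), Q)
    while True:
        k = secrets.randbelow(Q - 1) + 1          # fresh per-signature nonce in [1, q-1]
        r = pow(G, k, P) % Q
        s = (pow(k, -1, Q) * (h + x * r)) % Q
        if r != 0 and s != 0:                     # retry on the degenerate cases
            return r, s


def verify(y: int, msg: bytes, sig: Tuple[int, int],
           hashfn: Callable = hashlib.sha256) -> bool:
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):             # range check before any arithmetic
        return False
    h = digest_to_int(hashfn(msg).digest(), Q)
    w = pow(s, -1, Q)
    u1, u2 = (h * w) % Q, (r * w) % Q
    v = (pow(G, u1, P) * pow(y, u2, P) % P) % Q
    return v == r


if __name__ == "__main__":
    x, y = keygen()
    sig = sign(x, b"dsa-with-SHA256 sample")
    print(sig, verify(y, b"dsa-with-SHA256 sample", sig))
```

Because q here is one byte wide, a 32-byte SHA-256 digest is reduced to its first byte; the point of the rule is that signer and verifier apply exactly the same truncation, otherwise valid signatures fail to verify.

Commit | Line | Data |
---|---|---|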
11d8cdc6 DSH |
589 | *) Very *very* experimental PKCS#7 streaming encoder support. Nothing uses |
590 | it yet and it is largely untested. | |
591 | [Steve Henson] | |
592 | ||
06e2dd03 NL |
593 | *) Add support for the ecdsa-with-SHA224/256/384/512 signature types. |
594 | [Nils Larsch] | |
595 | ||
de121164 | 596 | *) Initial incomplete changes to avoid need for function casts in OpenSSL |
297e6f19 | 597 | some compilers (gcc 4.2 and later) reject their use. Safestack is |
a6fbcb42 | 598 | reimplemented. Update ASN1 to avoid use of legacy functions. |
de121164 DSH |
599 | [Steve Henson] |
600 | ||
3189772e AP |
601 | *) Win32/64 targets are linked with Winsock2. |
602 | [Andy Polyakov] | |
603 | ||
010fa0b3 DSH |
604 | *) Add an X509_CRL_METHOD structure to allow CRL processing to be redirected |
605 | to external functions. This can be used to increase CRL handling | |
606 | efficiency especially when CRLs are very large by (for example) storing | |
607 | the CRL revoked certificates in a database. | |
608 | [Steve Henson] | |
609 | ||
5d20c4fb DSH |
610 | *) Overhaul of by_dir code. Add support for dynamic loading of CRLs so |
611 | new CRLs added to a directory can be used. New command line option | |
612 | -verify_return_error to s_client and s_server. This causes real errors | |
613 | to be returned by the verify callback instead of carrying on no matter | |
614 | what. This reflects the way a "real world" verify callback would behave. | |
615 | [Steve Henson] | |
616 | ||
617 | *) GOST engine, supporting several GOST algorithms and public key formats. | |
618 | Kindly donated by Cryptocom. | |
619 | [Cryptocom] | |
620 | ||
bc7535bc DSH |
621 | *) Partial support for Issuing Distribution Point CRL extension. CRLs |
622 | partitioned by DP are handled but no indirect CRL or reason partitioning | |
623 | (yet). Complete overhaul of CRL handling: now the most suitable CRL is | |
624 | selected via a scoring technique which handles IDP and AKID in CRLs. | |
625 | [Steve Henson] | |
626 | ||
627 | *) New X509_STORE_CTX callbacks lookup_crls() and lookup_certs() which | |
628 | will ultimately be used for all verify operations: this will remove the | |
629 | X509_STORE dependency on certificate verification and allow alternative | |
630 | lookup methods. X509_STORE based implementations of these two callbacks. | |
631 | [Steve Henson] | |
632 | ||
f6e7d014 DSH |
633 | *) Allow multiple CRLs to exist in an X509_STORE with matching issuer names. |
634 | Modify get_crl() to find a valid (unexpired) CRL if possible. | |
635 | [Steve Henson] | |
636 | ||
edc54021 DSH |
637 | *) New function X509_CRL_match() to check if two CRLs are identical. Normally |
638 | this would be called X509_CRL_cmp() but that name is already used by | |
639 | a function that just compares CRL issuer names. Cache several CRL | |
640 | extensions in X509_CRL structure and cache CRLDP in X509. | |
641 | [Steve Henson] | |
642 | ||
450ea834 DSH |
643 | *) Store a "canonical" representation of X509_NAME structure (ASN1 Name):
644 | this maps equivalent X509_NAME structures into a consistent structure. | |
645 | Name comparison can then be performed rapidly using memcmp(). | |
646 | [Steve Henson] | |
647 | ||
454dbbc5 DSH |
648 | *) Non-blocking OCSP request processing. Add -timeout option to ocsp |
649 | utility. | |
c1c6c0bf DSH |
650 | [Steve Henson] |
651 | ||
b7683e3a DSH |
652 | *) Allow digests to supply their own micalg string for S/MIME type using |
653 | the ctrl EVP_MD_CTRL_MICALG. | |
654 | [Steve Henson] | |
655 | ||
656 | *) During PKCS7 signing pass the PKCS7 SignerInfo structure to the | |
657 | EVP_PKEY_METHOD before and after signing via the EVP_PKEY_CTRL_PKCS7_SIGN | |
658 | ctrl. It can then customise the structure before and/or after signing | |
659 | if necessary. | |
660 | [Steve Henson] | |
661 | ||
0ee2166c DSH |
662 | *) New function OBJ_add_sigid() to allow application defined signature OIDs |
663 | to be added to OpenSSL's internal tables. New function OBJ_sigid_free() | |
664 | to free up any added signature OIDs. | |
665 | [Steve Henson] | |
666 | ||
5ba4bf35 DSH |
667 | *) New functions EVP_CIPHER_do_all(), EVP_CIPHER_do_all_sorted(), |
668 | EVP_MD_do_all() and EVP_MD_do_all_sorted() to enumerate internal | |
669 | digest and cipher tables. New options added to openssl utility: | |
670 | list-message-digest-algorithms and list-cipher-algorithms. | |
671 | [Steve Henson] | |
672 | ||
c4e7870a BM |
673 | *) Change the array representation of binary polynomials: the list |
674 | of degrees of non-zero coefficients is now terminated with -1. | |
675 | Previously it was terminated with 0, which was also part of the | |
676 | value; thus, the array representation was not applicable to | |
677 | polynomials where t^0 has coefficient zero. This change makes | |
678 | the array representation useful in a more general context. | |
679 | [Douglas Stebila] | |
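The entry above changes how a binary polynomial is stored as an array of exponents. The following Python illustration is added here and is not OpenSSL code: it keeps a GF(2) polynomial as an int bitmask, encodes and decodes both the old 0-terminated form and the new -1-terminated form, and shows concretely why the old form could not represent a polynomial whose t^0 coefficient is zero. The sect163k1 reduction polynomial and the small gf2_mulmod() reduction routine are included only to show what such arrays are used for; the helper names are this example's own.

```python
# Added illustration (not OpenSSL code): GF(2) binary polynomials as
# exponent arrays, contrasting the old 0-terminated and new -1-terminated forms.
# A polynomial over GF(2) is kept as a Python int bitmask: bit i set <=> t^i present.

def poly_from_degrees(degrees):
    """Build the bitmask polynomial from a list of exponents."""
    p = 0
    for d in degrees:
        p |= 1 << d
    return p

def degrees_of(p):
    """Exponents of the non-zero terms, highest degree first."""
    return [d for d in range(p.bit_length() - 1, -1, -1) if (p >> d) & 1]

def encode_new(p):
    """New array representation: exponents terminated by -1."""
    return degrees_of(p) + [-1]

def decode_new(arr):
    """Parse a -1-terminated exponent array; anything after the -1 is ignored."""
    degrees = []
    for d in arr:
        if d == -1:
            return poly_from_degrees(degrees)
        if d < 0:
            raise ValueError("negative exponent other than the -1 terminator")
        degrees.append(d)
    raise ValueError("array lacks the -1 terminator")

def encode_old(p):
    """Old representation: the terminating 0 doubles as the t^0 term, so a
    polynomial with a zero constant term has no encoding at all."""
    if p & 1 == 0:
        raise ValueError("old representation cannot express a zero constant term")
    return degrees_of(p)          # already ends in 0 because p is odd

def decode_old(arr):
    """Parse the old form: read exponents up to and including the first 0."""
    degrees = []
    for d in arr:
        degrees.append(d)
        if d == 0:
            return poly_from_degrees(degrees)
    raise ValueError("array lacks the 0 terminator")

def gf2_mulmod(a, b, m):
    """Multiply a*b over GF(2) and reduce modulo m (m given as a bitmask, a < m).
    This is the kind of operation the reduction polynomials in the arrays feed."""
    deg_m = m.bit_length() - 1
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> deg_m) & 1:
            a ^= m
    return r

# sect163k1 reduction polynomial t^163 + t^7 + t^6 + t^3 + 1: odd, so both forms work.
K163 = poly_from_degrees([163, 7, 6, 3, 0])
# t^3 + t has a zero constant term: only the new form can represent it.
NO_CONST = poly_from_degrees([3, 1])

def old_form_misreads(p):
    """True when writing p's exponents with a 0 terminator and decoding them the
    old way yields a different polynomial (the ambiguity the change removes)."""
    candidate = degrees_of(p) + [0]   # what an old-style writer would have to emit
    return decode_old(candidate) != p
```

Running encode_old(NO_CONST) raises, while encode_new(NO_CONST) gives [3, 1, -1]; decode_old([3, 1, 0]) silently yields t^3 + t + 1, which is the misreading old_form_misreads() detects.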
680 | ||
89bbe14c BM |
681 | *) Various modifications and fixes to SSL/TLS cipher string |
682 | handling. For ECC, the code now distinguishes between fixed ECDH | |
683 | with RSA certificates on the one hand and with ECDSA certificates | |
684 | on the other hand, since these are separate ciphersuites. The | |
685 | unused code for Fortezza ciphersuites has been removed. | |
686 | ||
687 | For consistency with EDH, ephemeral ECDH is now called "EECDH" | |
688 | (not "ECDHE"). For consistency with the code for DH | |
689 | certificates, use of ECDH certificates is now considered ECDH | |
690 | authentication, not RSA or ECDSA authentication (the latter is | |
691 | merely the CA's signing algorithm and not actively used in the | |
692 | protocol). | |
693 | ||
694 | The temporary ciphersuite alias "ECCdraft" is no longer | |
695 | available, and ECC ciphersuites are no longer excluded from "ALL" | |
696 | and "DEFAULT". The following aliases now exist for RFC 4492 | |
697 | ciphersuites, most of these by analogy with the DH case: | |
698 | ||
699 | kECDHr - ECDH cert, signed with RSA | |
700 | kECDHe - ECDH cert, signed with ECDSA | |
701 | kECDH - ECDH cert (signed with either RSA or ECDSA) | |
702 | kEECDH - ephemeral ECDH | |
703 | ECDH - ECDH cert or ephemeral ECDH | |
704 | ||
705 | aECDH - ECDH cert | |
706 | aECDSA - ECDSA cert | |
707 | ECDSA - ECDSA cert | |
708 | ||
709 | AECDH - anonymous ECDH | |
710 | EECDH - non-anonymous ephemeral ECDH (equivalent to "kEECDH:-AECDH") | |
711 | ||
712 | [Bodo Moeller] | |
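The alias table above is easiest to understand as predicates over (key exchange, authentication) pairs plus the usual cipher-string operators. The Python model below is an added example, not OpenSSL's cipher-string parser: it applies the listed aliases to a small constructed subset of suites (the suite names are real 1.0.0 names, the kx/auth labels are this example's own), defines "EECDH" directly as non-anonymous ephemeral ECDH so that it can be checked against the stated expansion "kEECDH:-AECDH", and encodes the new rule that an ECDH certificate counts as ECDH authentication whatever signed it. Unknown tokens raise here, which is a simplification of OpenSSL's own behaviour.

```python
# Added illustration (not OpenSSL code): a model of the ECC cipher-string
# aliases from the entry above, applied to a constructed subset of suites.
from collections import namedtuple

# kx: key exchange; auth: what authenticates the server under the new rule
# (an ECDH certificate is "ECDH" authentication regardless of its CA's signature).
Suite = namedtuple("Suite", "name kx auth")
# Constructed table; names are real suite names, kx/auth labels are ours.
SUITES = [
    Suite("ECDHE-RSA-AES128-SHA",   "EECDH", "RSA"),
    Suite("ECDHE-ECDSA-AES128-SHA", "EECDH", "ECDSA"),
    Suite("AECDH-AES128-SHA",       "EECDH", "NULL"),
    Suite("ECDH-RSA-AES128-SHA",    "ECDHr", "ECDH"),   # ECDH cert signed with RSA
    Suite("ECDH-ECDSA-AES128-SHA",  "ECDHe", "ECDH"),   # ECDH cert signed with ECDSA
    Suite("AES128-SHA",             "RSA",   "RSA"),    # non-ECC suite for contrast
]

ALIASES = {
    "kECDHr": lambda s: s.kx == "ECDHr",
    "kECDHe": lambda s: s.kx == "ECDHe",
    "kECDH":  lambda s: s.kx in ("ECDHr", "ECDHe"),
    "kEECDH": lambda s: s.kx == "EECDH",
    "ECDH":   lambda s: s.kx in ("ECDHr", "ECDHe", "EECDH"),
    "aECDH":  lambda s: s.auth == "ECDH",
    "aECDSA": lambda s: s.auth == "ECDSA",
    "ECDSA":  lambda s: s.auth == "ECDSA",
    "aNULL":  lambda s: s.auth == "NULL",
    "AECDH":  lambda s: s.kx == "EECDH" and s.auth == "NULL",
    "EECDH":  lambda s: s.kx == "EECDH" and s.auth != "NULL",
    "ALL":    lambda s: True,
}

def matching(token):
    """Suites selected by an alias or by an exact suite name."""
    if token in ALIASES:
        return [s for s in SUITES if ALIASES[token](s)]
    by_name = [s for s in SUITES if s.name == token]
    if not by_name:
        raise ValueError("unknown cipher or alias: " + token)
    return by_name

def evaluate(cipher_string):
    """Resolve a cipher string to an ordered list of suite names.
    Plain tokens append (unless killed), '-' removes (re-addable later),
    '!' removes permanently, '+' moves matches to the end."""
    selected, killed = [], set()
    for token in cipher_string.split(":"):
        if not token:
            continue
        op, name = (token[0], token[1:]) if token[0] in "-!+" else ("", token)
        found = matching(name)
        if op == "!":
            killed.update(s.name for s in found)
            selected = [s for s in selected if s.name not in killed]
        elif op == "-":
            selected = [s for s in selected if s not in found]
        elif op == "+":
            moved = [s for s in selected if s in found]
            selected = [s for s in selected if s not in found] + moved
        else:
            for s in found:
                if s.name not in killed and s not in selected:
                    selected.append(s)
    return [s.name for s in selected]
```

With this model evaluate("ECDSA") returns only the ECDHE-ECDSA suite, not ECDH-ECDSA-AES128-SHA, which is exactly the reclassification the entry describes; "!aNULL" placed first keeps the anonymous suite out of any later "ALL".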
713 | ||
fb7b3932 DSH |
714 | *) Add additional S/MIME capabilities for AES and GOST ciphers if supported. |
715 | Use correct micalg parameters depending on digest(s) in signed message. | |
716 | [Steve Henson] | |
717 | ||
01b8b3c7 DSH |
718 | *) Add engine support for EVP_PKEY_ASN1_METHOD. Add functions to process |
719 | an ENGINE asn1 method. Support ENGINE lookups in the ASN1 code. | |
720 | [Steve Henson] | |
de9fcfe3 | 721 | |
58aa573a | 722 | *) Initial engine support for EVP_PKEY_METHOD. New functions to permit |
c9777d26 DSH |
723 | an engine to register a method. Add ENGINE lookups for methods and |
724 | functional reference processing. | |
58aa573a DSH |
725 | [Steve Henson] |
726 | ||
91c9e621 DSH |
727 | *) New functions EVP_Digest{Sign,Verify}*. These are enhanced versions of
728 | EVP_{Sign,Verify}* which allow an application to customise the signature | |
729 | process. | |
730 | [Steve Henson] | |
731 | ||
55311921 DSH |
732 | *) New -resign option to smime utility. This adds one or more signers |
733 | to an existing PKCS#7 signedData structure. Also -md option to use an | |
734 | alternative message digest algorithm for signing. | |
735 | [Steve Henson] | |
736 | ||
a6e7fcd1 DSH |
737 | *) Tidy up PKCS#7 routines and add new functions to make it easier to |
738 | create PKCS7 structures containing multiple signers. Update smime | |
739 | application to support multiple signers. | |
740 | [Steve Henson] | |
741 | ||
121dd39f DSH |
742 | *) New -macalg option to pkcs12 utility to allow setting of an alternative |
743 | digest MAC. | |
744 | [Steve Henson] | |
745 | ||
856640b5 | 746 | *) Initial support for PKCS#5 v2.0 PRFs other than default SHA1 HMAC. |
b8f702a0 | 747 | Reorganize PBE internals to lookup from a static table using NIDs, |
6d3a1eac DSH |
748 | add support for HMAC PBE OID translation. Add an EVP_CIPHER ctrl:
749 | EVP_CTRL_PBE_PRF_NID this allows a cipher to specify an alternative | |
750 | PRF which will be automatically used with PBES2. | |
856640b5 DSH |
751 | [Steve Henson] |
752 | ||
34b3c72e | 753 | *) Replace the algorithm specific calls to generate keys in "req" with the |
959e8dfe DSH |
754 | new API. |
755 | [Steve Henson] | |
756 | ||
399a6f0b DSH |
757 | *) Update PKCS#7 enveloped data routines to use new API. This is now |
758 | supported by any public key method supporting the encrypt operation. A | |
759 | ctrl is added to allow the public key algorithm to examine or modify | |
760 | the PKCS#7 RecipientInfo structure if it needs to: for RSA this is | |
761 | a no-op. | |
762 | [Steve Henson] | |
28e4fe34 | 763 | |
03919683 DSH |
764 | *) Add a ctrl to asn1 method to allow a public key algorithm to express |
765 | a default digest type to use. In most cases this will be SHA1 but some | |
766 | algorithms (such as GOST) need to specify an alternative digest. The | |
767 | return value indicates how strong the preference is: 1 means optional and | |
768 | 2 is mandatory (that is it is the only supported type). Modify | |
769 | ASN1_item_sign() to accept a NULL digest argument to indicate it should | |
770 | use the default md. Update openssl utilities to use the default digest | |
771 | type for signing if it is not explicitly indicated. | |
772 | [Steve Henson] | |
773 | ||
ee1d9ec0 DSH |
774 | *) Use OID cross reference table in ASN1_sign() and ASN1_verify(). New |
775 | EVP_MD flag EVP_MD_FLAG_PKEY_METHOD_SIGNATURE. This uses the relevant | |
776 | signing method from the key type. This effectively removes the link | |
777 | between digests and public key types. | |
778 | [Steve Henson] | |
779 | ||
d2027098 DSH |
780 | *) Add an OID cross reference table and utility functions. Its purpose is to |
781 | translate between signature OIDs such as SHA1WithrsaEncryption and SHA1, | |
782 | rsaEncryption. This will allow some of the algorithm specific hackery | |
783 | needed to use the correct OID to be removed. | |
784 | [Steve Henson] | |
785 | ||
492a9e24 DSH |
786 | *) Remove algorithm specific dependencies when setting PKCS7_SIGNER_INFO |
787 | structures for PKCS7_sign(). They are now set up by the relevant public | |
788 | key ASN1 method. | |
789 | [Steve Henson] | |
790 | ||
9ca7047d DSH |
791 | *) Add provisional EC pkey method with support for ECDSA and ECDH. |
792 | [Steve Henson] | |
793 | ||
ffb1ac67 DSH |
794 | *) Add support for key derivation (agreement) in the API, DH method and |
795 | pkeyutl. | |
796 | [Steve Henson] | |
797 | ||
3ba0885a DSH |
798 | *) Add DSA pkey method and DH pkey methods, extend DH ASN1 method to support |
799 | public and private key formats. As a side effect these add additional | |
800 | command line functionality not previously available: DSA signatures can be | |
801 | generated and verified using pkeyutl and DH key support and generation in | |
802 | pkey, genpkey. | |
803 | [Steve Henson] | |
804 | ||
4700aea9 UM |
805 | *) BeOS support. |
806 | [Oliver Tappe <zooey@hirschkaefer.de>] | |
807 | ||
808 | *) New make target "install_html_docs" installs HTML renditions of the | |
809 | manual pages. | |
810 | [Oliver Tappe <zooey@hirschkaefer.de>] | |
811 | ||
f5cda4cb DSH |
812 | *) New utility "genpkey": this is analogous to "genrsa" etc. except it can
813 | generate keys for any algorithm. Extend and update EVP_PKEY_METHOD to | |
814 | support key and parameter generation and add initial key generation | |
815 | functionality for RSA. | |
816 | [Steve Henson] | |
817 | ||
f733a5ef DSH |
818 | *) Add functions for main EVP_PKEY_method operations. The undocumented |
819 | functions EVP_PKEY_{encrypt,decrypt} have been renamed to | |
820 | EVP_PKEY_{encrypt,decrypt}_old. | |
821 | [Steve Henson] | |
822 | ||
0b6f3c66 DSH |
823 | *) Initial definitions for EVP_PKEY_METHOD. This will be a high level public |
824 | key API; it doesn't do much yet. | |
825 | [Steve Henson] | |
826 | ||
0b33dac3 DSH |
827 | *) New function EVP_PKEY_asn1_get0_info() to retrieve information about |
828 | public key algorithms. New option to openssl utility: | |
829 | "list-public-key-algorithms" to print out info. | |
830 | [Steve Henson] | |
831 | ||
33273721 BM |
832 | *) Implement the Supported Elliptic Curves Extension for |
833 | ECC ciphersuites from draft-ietf-tls-ecc-12.txt. | |
834 | [Douglas Stebila] | |
835 | ||
246e0931 DSH |
836 | *) Don't free up OIDs in OBJ_cleanup() if they are in use by EVP_MD or |
837 | EVP_CIPHER structures to avoid later problems in EVP_cleanup(). | |
838 | [Steve Henson] | |
839 | ||
3e4585c8 | 840 | *) New utilities pkey and pkeyparam. These are similar to algorithm specific |
f5cda4cb | 841 | utilities such as rsa, dsa, dsaparam etc except they process any key |
3e4585c8 | 842 | type. |
3e84b6e1 DSH |
843 | [Steve Henson] |
844 | ||
35208f36 DSH |
845 | *) Transfer public key printing routines to EVP_PKEY_ASN1_METHOD. New |
846 | functions EVP_PKEY_print_public(), EVP_PKEY_print_private(), | |
847 | EVP_PKEY_print_param() to print public key data from an EVP_PKEY | |
848 | structure. | |
849 | [Steve Henson] | |
850 | ||
448be743 DSH |
851 | *) Initial support for pluggable public key ASN1. |
852 | De-spaghettify the public key ASN1 handling. Move public and private | |
853 | key ASN1 handling to a new EVP_PKEY_ASN1_METHOD structure. Relocate | |
854 | algorithm specific handling to a single module within the relevant | |
855 | algorithm directory. Add functions to allow (near) opaque processing | |
856 | of public and private key structures. | |
857 | [Steve Henson] | |
858 | ||
36ca4ba6 BM |
859 | *) Implement the Supported Point Formats Extension for |
860 | ECC ciphersuites from draft-ietf-tls-ecc-12.txt. | |
861 | [Douglas Stebila] | |
862 | ||
ddac1974 NL |
863 | *) Add initial support for RFC 4279 PSK TLS ciphersuites. Add members |
864 | for the psk identity [hint] and the psk callback functions to the | |
865 | SSL_SESSION, SSL and SSL_CTX structure. | |
866 | ||
867 | New ciphersuites: | |
868 | PSK-RC4-SHA, PSK-3DES-EDE-CBC-SHA, PSK-AES128-CBC-SHA, | |
869 | PSK-AES256-CBC-SHA | |
870 | ||
871 | New functions: | |
872 | SSL_CTX_use_psk_identity_hint | |
873 | SSL_get_psk_identity_hint | |
874 | SSL_get_psk_identity | |
875 | SSL_use_psk_identity_hint | |
876 | ||
877 | [Mika Kousa and Pasi Eronen of Nokia Corporation] | |
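The PSK entry above adds an identity hint and the two callbacks to the SSL objects. The Python sketch below is an added example, not OpenSSL code, of the exchange those pieces support: the server advertises a hint, the client-side callback chooses an identity and key for it, the identity travels in the clear to the server, whose callback looks up the key, and both sides build the plain-PSK premaster secret exactly as RFC 4279 section 2 defines it. The identity database, the hint, the key bytes and MAX_IDENTITY_LEN are constructed sample values for this illustration.

```python
# Added illustration (not OpenSSL code): the identity-hint / identity / PSK
# exchange of RFC 4279 with the client- and server-side callbacks modelled as
# plain functions, and the plain-PSK premaster secret built as the RFC specifies.
import struct

MAX_IDENTITY_LEN = 128   # limit chosen for this illustration

# Constructed server database: PSK identity -> key (sample values, not real keys)
SERVER_PSK_DB = {
    b"device-0001": bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0"),
    b"device-0002": bytes.fromhex("00112233445566778899aabbccddeeff"),
}
# Constructed client store: identity hint advertised by the server -> (identity, key)
CLIENT_PSK_STORE = {
    b"example-realm": (b"device-0001", bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")),
}

def client_psk_callback(hint):
    """Client role: pick the identity and key to use for the server's hint.
    Returns (identity, psk) or None if nothing is configured for that hint."""
    return CLIENT_PSK_STORE.get(hint)

def server_psk_callback(identity):
    """Server role: look up the key for the identity sent in ClientKeyExchange."""
    return SERVER_PSK_DB.get(identity)

def psk_premaster(psk, other_secret=None):
    """RFC 4279 section 2 premaster secret:
    uint16 len(other) || other || uint16 len(psk) || psk.
    For the plain PSK suites 'other' is N zero octets with N = len(psk)."""
    if other_secret is None:
        other_secret = bytes(len(psk))
    return (struct.pack(">H", len(other_secret)) + other_secret +
            struct.pack(">H", len(psk)) + psk)

def run_psk_exchange(hint):
    """Drive one exchange: server hint -> client choice -> server lookup.
    Returns (identity, client_premaster, server_premaster); the handshake
    only completes when the two premasters are equal."""
    choice = client_psk_callback(hint)
    if choice is None:
        raise ValueError("client has no PSK for hint %r" % hint)
    identity, client_psk = choice
    if not identity or len(identity) > MAX_IDENTITY_LEN:
        raise ValueError("psk identity length out of range")
    server_psk = server_psk_callback(identity)   # identity is sent in the clear
    if server_psk is None:
        # RFC 4279: the server may answer with an unknown_psk_identity alert here
        raise ValueError("unknown_psk_identity")
    return identity, psk_premaster(client_psk), psk_premaster(server_psk)
```

Because the identity is visible on the wire while the key never is, a server-side callback is also the natural place to log which identity attempted a connection; the length check mirrors the bounded identity buffers such callbacks have to respect.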
878 | ||
c7235be6 UM |
879 | *) Add RFC 3161 compliant time stamp request creation, response generation |
880 | and response verification functionality. | |
881 |