[thirdparty/openssl.git] / CHANGES


 OpenSSL CHANGES
 _______________

 Changes between 1.0.2 and 1.1.0  [xx XXX xxxx]

  *) config has been changed so that by default OPENSSL_NO_DEPRECATED is used.
     Access to deprecated functions can be re-enabled by running config with
     "enable-deprecated". In addition applications wishing to use deprecated
     functions must define OPENSSL_USE_DEPRECATED. Note that this new behaviour
     will, by default, disable some transitive includes that previously existed
     in the header files (e.g. ec.h will no longer, by default, include bn.h)
     [Matt Caswell]

  *) Added support for OCB mode. OpenSSL has been granted a patent license
     compatible with the OpenSSL license for use of OCB. Details are available
     at https://www.openssl.org/docs/misc/OCB-patent-grant-OpenSSL.pdf. Support
     for OCB can be removed by calling config with no-ocb.
     [Matt Caswell]

  *) SSLv2 support has been removed.  It still supports receiving a SSLv2
     compatible client hello.
     [Kurt Roeckx]

  *) Increased the minimal RSA keysize from 256 to 512 bits [Rich Salz],
     done while fixing the error code for the key-too-small case.
     [Annie Yousar <a.yousar@informatik.hu-berlin.de>]

  *) Remove various unsupported platforms:
	Sony NEWS4
	BEOS and BEOS_R5
	NeXT
	SUNOS
	MPE/iX
	Sinix/ReliantUNIX RM400
	DGUX
     [Rich Salz]

  *) Experimental support for a new, fast, unbiased prime candidate generator,
     bn_probable_prime_dh_coprime(). Not currently used by any prime generator.
     [Felix Laurie von Massenbach <felix@erbridge.co.uk>]

  *) New output format NSS in the sess_id command line tool. This allows
     exporting the session id and the master key in NSS keylog format.
     [Martin Kaiser <martin@kaiser.cx>]

  *) Harmonize version and its documentation. -f flag is used to display
     compilation flags.
     [mancha <mancha1@zoho.com>]

  *) Fix eckey_priv_encode so it immediately returns an error upon a failure
     in i2d_ECPrivateKey.
     [mancha <mancha1@zoho.com>]

  *) Fix some double frees. These are not thought to be exploitable.
     [mancha <mancha1@zoho.com>]

  *) A missing bounds check in the handling of the TLS heartbeat extension
     can be used to reveal up to 64k of memory to a connected client or
     server.

     Thanks for Neel Mehta of Google Security for discovering this bug and to
     Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
     preparing the fix (CVE-2014-0160)
     [Adam Langley, Bodo Moeller]

  *) Fix for the attack described in the paper "Recovering OpenSSL
     ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
     by Yuval Yarom and Naomi Benger. Details can be obtained from:
     http://eprint.iacr.org/2014/140

     Thanks to Yuval Yarom and Naomi Benger for discovering this
     flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
     [Yuval Yarom and Naomi Benger]

  *) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
     this fixes a limitation in previous versions of OpenSSL.
     [Steve Henson]

  *) Experimental encrypt-then-mac support.
    
     Experimental support for encrypt then mac from
     draft-gutmann-tls-encrypt-then-mac-02.txt

     To enable it set the appropriate extension number (0x42 for the test
     server) using e.g. -DTLSEXT_TYPE_encrypt_then_mac=0x42
 
     For non-compliant peers (i.e. just about everything) this should have no
     effect.

     WARNING: EXPERIMENTAL, SUBJECT TO CHANGE.

     [Steve Henson]

  *) Add EVP support for key wrapping algorithms, to avoid problems with
     existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in
     the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
     algorithms and include tests cases.
     [Steve Henson]

  *) Extend CMS code to support RSA-PSS signatures and RSA-OAEP for
     enveloped data.
     [Steve Henson]

  *) Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,
     MGF1 digest and OAEP label.
     [Steve Henson]

  *) Make openssl verify return errors.
     [Chris Palmer <palmer@google.com> and Ben Laurie]

  *) New function ASN1_TIME_diff to calculate the difference between two
     ASN1_TIME structures or one structure and the current time.
     [Steve Henson]

  *) Update fips_test_suite to support multiple command line options. New
     test to induce all self test errors in sequence and check expected
     failures.
     [Steve Henson]

  *) Add FIPS_{rsa,dsa,ecdsa}_{sign,verify} functions which digest and
     sign or verify all in one operation.
     [Steve Henson]

  *) Add fips_algvs: a multicall fips utility incorporating all the algorithm
     test programs and fips_test_suite. Includes functionality to parse
     the minimal script output of fipsalgest.pl directly.
     [Steve Henson]

  *) Add authorisation parameter to FIPS_module_mode_set().
     [Steve Henson]

  *) Add FIPS selftest for ECDH algorithm using P-224 and B-233 curves.
     [Steve Henson]

  *) Use separate DRBG fields for internal and external flags. New function
     FIPS_drbg_health_check() to perform on demand health checking. Add
     generation tests to fips_test_suite with reduced health check interval to 
     demonstrate periodic health checking. Add "nodh" option to
     fips_test_suite to skip very slow DH test.
     [Steve Henson]

  *) New function FIPS_get_cipherbynid() to lookup FIPS supported ciphers
     based on NID.
     [Steve Henson]

  *) More extensive health check for DRBG checking many more failure modes.
     New function FIPS_selftest_drbg_all() to handle every possible DRBG
     combination: call this in fips_test_suite.
     [Steve Henson]

  *) Add support for Dual EC DRBG from SP800-90. Update DRBG algorithm test
     and POST to handle Dual EC cases.
     [Steve Henson]

  *) Add support for canonical generation of DSA parameter 'g'. See 
     FIPS 186-3 A.2.3.

  *) Add support for HMAC DRBG from SP800-90. Update DRBG algorithm test and
     POST to handle HMAC cases.
     [Steve Henson]

  *) Add functions FIPS_module_version() and FIPS_module_version_text()
     to return numerical and string versions of the FIPS module number.
     [Steve Henson]

  *) Rename FIPS_mode_set and FIPS_mode to FIPS_module_mode_set and
     FIPS_module_mode. FIPS_mode and FIPS_mode_set will be implemented
     outside the validated module in the FIPS capable OpenSSL.
     [Steve Henson]

  *) Minor change to DRBG entropy callback semantics. In some cases
     there is no multiple of the block length between min_len and
     max_len. Allow the callback to return more than max_len bytes
     of entropy but discard any extra: it is the callback's responsibility
     to ensure that the extra data discarded does not impact the
     requested amount of entropy.
     [Steve Henson]

  *) Add PRNG security strength checks to RSA, DSA and ECDSA using 
     information in FIPS186-3, SP800-57 and SP800-131A.
     [Steve Henson]

  *) CCM support via EVP. Interface is very similar to GCM case except we
     must supply all data in one chunk (i.e. no update, final) and the
     message length must be supplied if AAD is used. Add algorithm test
     support.
     [Steve Henson]

  *) Initial version of POST overhaul. Add POST callback to allow the status
     of POST to be monitored and/or failures induced. Modify fips_test_suite
     to use callback. Always run all selftests even if one fails.
     [Steve Henson]

  *) XTS support including algorithm test driver in the fips_gcmtest program.
     Note: this does increase the maximum key length from 32 to 64 bytes but
     there should be no binary compatibility issues as existing applications
     will never use XTS mode.
     [Steve Henson]

  *) Extensive reorganisation of FIPS PRNG behaviour. Remove all dependencies
     to OpenSSL RAND code and replace with a tiny FIPS RAND API which also
     performs algorithm blocking for unapproved PRNG types. Also do not
     set PRNG type in FIPS_mode_set(): leave this to the application.
     Add default OpenSSL DRBG handling: sets up FIPS PRNG and seeds with
     the standard OpenSSL PRNG: set additional data to a date time vector.
     [Steve Henson]

  *) Rename old X9.31 PRNG functions of the form FIPS_rand* to FIPS_x931*.
     This shouldn't present any incompatibility problems because applications
     shouldn't be using these directly and any that are will need to rethink
     anyway as the X9.31 PRNG is now deprecated by FIPS 140-2
     [Steve Henson]

  *) Extensive self tests and health checking required by SP800-90 DRBG.
     Remove strength parameter from FIPS_drbg_instantiate and always
     instantiate at maximum supported strength.
     [Steve Henson]

  *) Add ECDH code to fips module and fips_ecdhvs for primitives only testing.
     [Steve Henson]

  *) New algorithm test program fips_dhvs to handle DH primitives only testing.
     [Steve Henson]

  *) New function DH_compute_key_padded() to compute a DH key and pad with
     leading zeroes if needed: this complies with SP800-56A et al.
     [Steve Henson]

  *) Initial implementation of SP800-90 DRBGs for Hash and CTR. Not used by
     anything, incomplete, subject to change and largely untested at present.
     [Steve Henson]

  *) Modify fipscanisteronly build option to only build the necessary object
     files by filtering FIPS_EX_OBJ through a perl script in crypto/Makefile.
     [Steve Henson]

  *) Add experimental option FIPSSYMS to give all symbols in
     fipscanister.o and FIPS or fips prefix. This will avoid
     conflicts with future versions of OpenSSL. Add perl script
     util/fipsas.pl to preprocess assembly language source files
     and rename any affected symbols.
     [Steve Henson]

  *) Add selftest checks and algorithm block of non-fips algorithms in
     FIPS mode. Remove DES2 from selftests.
     [Steve Henson]

  *) Add ECDSA code to fips module. Add tiny fips_ecdsa_check to just
     return internal method without any ENGINE dependencies. Add new
     tiny fips sign and verify functions.
     [Steve Henson]

  *) New build option no-ec2m to disable characteristic 2 code.
     [Steve Henson]

  *) New build option "fipscanisteronly". This only builds fipscanister.o
     and (currently) associated fips utilities. Uses the file Makefile.fips
     instead of Makefile.org as the prototype.
     [Steve Henson]

  *) Add some FIPS mode restrictions to GCM. Add internal IV generator.
     Update fips_gcmtest to use IV generator.
     [Steve Henson]

  *) Initial, experimental EVP support for AES-GCM. AAD can be input by
     setting output buffer to NULL. The *Final function must be
     called although it will not retrieve any additional data. The tag
     can be set or retrieved with a ctrl. The IV length is by default 12
     bytes (96 bits) but can be set to an alternative value. If the IV
     length exceeds the maximum IV length (currently 16 bytes) it cannot be
     set before the key. 
     [Steve Henson]

  *) New flag in ciphers: EVP_CIPH_FLAG_CUSTOM_CIPHER. This means the
     underlying do_cipher function handles all cipher semantics itself
     including padding and finalisation. This is useful if (for example)
     an ENGINE cipher handles block padding itself. The behaviour of
     do_cipher is subtly changed if this flag is set: the return value
     is the number of characters written to the output buffer (zero is
     no longer an error code) or a negative error code. Also if the
     input buffer is NULL and length 0 finalisation should be performed.
     [Steve Henson]

  *) If a candidate issuer certificate is already part of the constructed
     path ignore it: new debug notification X509_V_ERR_PATH_LOOP for this case.
     [Steve Henson]

  *) Improve forward-security support: add functions

       void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx, int (*cb)(SSL *ssl, int is_forward_secure))
       void SSL_set_not_resumable_session_callback(SSL *ssl, int (*cb)(SSL *ssl, int is_forward_secure))

     for use by SSL/TLS servers; the callback function will be called whenever a
     new session is created, and gets to decide whether the session may be
     cached to make it resumable (return 0) or not (return 1).  (As by the
     SSL/TLS protocol specifications, the session_id sent by the server will be
     empty to indicate that the session is not resumable; also, the server will
     not generate RFC 4507 (RFC 5077) session tickets.)

     A simple reasonable callback implementation is to return is_forward_secure.
     This parameter will be set to 1 or 0 depending on the ciphersuite selected
     by the SSL/TLS server library, indicating whether it can provide forward
     security.
Commit	Line	Data
81a6c781	1
f1c236f8	2	OpenSSL CHANGES
651d0aff RE	3	_______________
651d0aff RE	4
7d3ba88a	5	Changes between 1.0.2 and 1.1.0 [xx XXX xxxx]
785da0e6	6
bd2bd374 MC	7	*) config has been changed so that by default OPENSSL_NO_DEPRECATED is used.
	8	Access to deprecated functions can be re-enabled by running config with
	9	"enable-deprecated". In addition applications wishing to use deprecated
	10	functions must define OPENSSL_USE_DEPRECATED. Note that this new behaviour
	11	will, by default, disable some transitive includes that previously existed
	12	in the header files (e.g. ec.h will no longer, by default, include bn.h)
	13	[Matt Caswell]
	14
0c1bd7f0 MC	15	*) Added support for OCB mode. OpenSSL has been granted a patent license
	16	compatible with the OpenSSL license for use of OCB. Details are available
	17	at https://www.openssl.org/docs/misc/OCB-patent-grant-OpenSSL.pdf. Support
	18	for OCB can be removed by calling config with no-ocb.
bd2bd374	19	[Matt Caswell]
0c1bd7f0	20
12478cc4 KR	21	*) SSLv2 support has been removed. It still supports receiving a SSLv2
	22	compatible client hello.
	23	[Kurt Roeckx]
	24
c56a50b2 AY	25	*) Increased the minimal RSA keysize from 256 to 512 bits [Rich Salz],
	26	done while fixing the error code for the key-too-small case.
	27	[Annie Yousar <a.yousar@informatik.hu-berlin.de>]
	28
59ff1ce0 RS	29	*) Remove various unsupported platforms:
59ff1ce0 RS	30	Sony NEWS4
e03b2987 RS	31	BEOS and BEOS_R5
e03b2987 RS	32	NeXT
f2319414	33	SUNOS
5ad4fdce	34	MPE/iX
6c23ca0c	35	Sinix/ReliantUNIX RM400
32dfde10	36	DGUX
b317819b RS	37	[Rich Salz]
b317819b RS	38
5fc3a5fe BL	39	*) Experimental support for a new, fast, unbiased prime candidate generator,
	40	bn_probable_prime_dh_coprime(). Not currently used by any prime generator.
	41	[Felix Laurie von Massenbach <felix@erbridge.co.uk>]
	42
189ae368 MK	43	*) New output format NSS in the sess_id command line tool. This allows
	44	exporting the session id and the master key in NSS keylog format.
	45	[Martin Kaiser <martin@kaiser.cx>]
	46
8acb9538	47	*) Harmonize version and its documentation. -f flag is used to display
	48	compilation flags.
	49	[mancha <mancha1@zoho.com>]
	50
e14f14d3	51	*) Fix eckey_priv_encode so it immediately returns an error upon a failure
	52	in i2d_ECPrivateKey.
	53	[mancha <mancha1@zoho.com>]
	54
4ba5e63b BL	55	*) Fix some double frees. These are not thought to be exploitable.
	56	[mancha <mancha1@zoho.com>]
	57
731f4314 DSH	58	*) A missing bounds check in the handling of the TLS heartbeat extension
	59	can be used to reveal up to 64k of memory to a connected client or
	60	server.
	61
	62	Thanks for Neel Mehta of Google Security for discovering this bug and to
	63	Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
	64	preparing the fix (CVE-2014-0160)
	65	[Adam Langley, Bodo Moeller]
	66
f9b6c0ba DSH	67	*) Fix for the attack described in the paper "Recovering OpenSSL
	68	ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
	69	by Yuval Yarom and Naomi Benger. Details can be obtained from:
	70	http://eprint.iacr.org/2014/140
	71
	72	Thanks to Yuval Yarom and Naomi Benger for discovering this
	73	flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
	74	[Yuval Yarom and Naomi Benger]
	75
a4339ea3	76	*) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
14e96192	77	this fixes a limitation in previous versions of OpenSSL.
a4339ea3 DSH	78	[Steve Henson]
a4339ea3 DSH	79
5e3ff62c DSH	80	*) Experimental encrypt-then-mac support.
	81
	82	Experimental support for encrypt then mac from
	83	draft-gutmann-tls-encrypt-then-mac-02.txt
a6e7d1c0	84
5fdeb58c DSH	85	To enable it set the appropriate extension number (0x42 for the test
5fdeb58c DSH	86	server) using e.g. -DTLSEXT_TYPE_encrypt_then_mac=0x42
a6e7d1c0	87
5e3ff62c DSH	88	For non-compliant peers (i.e. just about everything) this should have no
	89	effect.
	90
	91	WARNING: EXPERIMENTAL, SUBJECT TO CHANGE.
a6e7d1c0	92
5e3ff62c DSH	93	[Steve Henson]
5e3ff62c DSH	94
97cf1f6c DSH	95	*) Add EVP support for key wrapping algorithms, to avoid problems with
	96	existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in
	97	the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
	98	algorithms and include tests cases.
	99	[Steve Henson]
	100
5c84d2f5 DSH	101	*) Extend CMS code to support RSA-PSS signatures and RSA-OAEP for
	102	enveloped data.
	103	[Steve Henson]
	104
271fef0e DSH	105	*) Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,
	106	MGF1 digest and OAEP label.
	107	[Steve Henson]
	108
fefc111a BL	109	*) Make openssl verify return errors.
	110	[Chris Palmer <palmer@google.com> and Ben Laurie]
	111
1c455bc0 DSH	112	*) New function ASN1_TIME_diff to calculate the difference between two
	113	ASN1_TIME structures or one structure and the current time.
	114	[Steve Henson]
	115
a98b8ce6 DSH	116	*) Update fips_test_suite to support multiple command line options. New
	117	test to induce all self test errors in sequence and check expected
	118	failures.
	119	[Steve Henson]
	120
f4324e51 DSH	121	*) Add FIPS_{rsa,dsa,ecdsa}_{sign,verify} functions which digest and
	122	sign or verify all in one operation.
	123	[Steve Henson]
	124
14e96192	125	*) Add fips_algvs: a multicall fips utility incorporating all the algorithm
3ec9dceb DSH	126	test programs and fips_test_suite. Includes functionality to parse
3ec9dceb DSH	127	the minimal script output of fipsalgest.pl directly.
f4324e51	128	[Steve Henson]
3ec9dceb	129
5e4eb995 DSH	130	*) Add authorisation parameter to FIPS_module_mode_set().
	131	[Steve Henson]
	132
2bfeb7dc DSH	133	*) Add FIPS selftest for ECDH algorithm using P-224 and B-233 curves.
	134	[Steve Henson]
	135
4420b3b1	136	*) Use separate DRBG fields for internal and external flags. New function
cb71870d DSH	137	FIPS_drbg_health_check() to perform on demand health checking. Add
cb71870d DSH	138	generation tests to fips_test_suite with reduced health check interval to
4420b3b1 DSH	139	demonstrate periodic health checking. Add "nodh" option to
	140	fips_test_suite to skip very slow DH test.
	141	[Steve Henson]
	142
15094852 DSH	143	*) New function FIPS_get_cipherbynid() to lookup FIPS supported ciphers
	144	based on NID.
	145	[Steve Henson]
	146
a11f06b2 DSH	147	*) More extensive health check for DRBG checking many more failure modes.
	148	New function FIPS_selftest_drbg_all() to handle every possible DRBG
	149	combination: call this in fips_test_suite.
	150	[Steve Henson]
	151
7fdcb457 DSH	152	*) Add support for Dual EC DRBG from SP800-90. Update DRBG algorithm test
	153	and POST to handle Dual EC cases.
	154	[Steve Henson]
	155
f55f5f77 DSH	156	*) Add support for canonical generation of DSA parameter 'g'. See
	157	FIPS 186-3 A.2.3.
	158
7fdcb457 DSH	159	*) Add support for HMAC DRBG from SP800-90. Update DRBG algorithm test and
7fdcb457 DSH	160	POST to handle HMAC cases.
20f12e63 DSH	161	[Steve Henson]
20f12e63 DSH	162
01a9a759	163	*) Add functions FIPS_module_version() and FIPS_module_version_text()
3d7bf77f	164	to return numerical and string versions of the FIPS module number.
01a9a759 DSH	165	[Steve Henson]
01a9a759 DSH	166
c2fd5989	167	*) Rename FIPS_mode_set and FIPS_mode to FIPS_module_mode_set and
3d7bf77f	168	FIPS_module_mode. FIPS_mode and FIPS_mode_set will be implemented
c2fd5989 DSH	169	outside the validated module in the FIPS capable OpenSSL.
	170	[Steve Henson]
	171
e0d1a2f8	172	*) Minor change to DRBG entropy callback semantics. In some cases
3d7bf77f	173	there is no multiple of the block length between min_len and
e0d1a2f8 DSH	174	max_len. Allow the callback to return more than max_len bytes
	175	of entropy but discard any extra: it is the callback's responsibility
	176	to ensure that the extra data discarded does not impact the
	177	requested amount of entropy.
	178	[Steve Henson]
	179
cac4fb58 DSH	180	*) Add PRNG security strength checks to RSA, DSA and ECDSA using
	181	information in FIPS186-3, SP800-57 and SP800-131A.
	182	[Steve Henson]
	183
b5dd1787 DSH	184	*) CCM support via EVP. Interface is very similar to GCM case except we
	185	must supply all data in one chunk (i.e. no update, final) and the
	186	message length must be supplied if AAD is used. Add algorithm test
	187	support.
23916810 DSH	188	[Steve Henson]
23916810 DSH	189
ac892b7a DSH	190	*) Initial version of POST overhaul. Add POST callback to allow the status
	191	of POST to be monitored and/or failures induced. Modify fips_test_suite
	192	to use callback. Always run all selftests even if one fails.
	193	[Steve Henson]
	194
06b7e5a0 DSH	195	*) XTS support including algorithm test driver in the fips_gcmtest program.
	196	Note: this does increase the maximum key length from 32 to 64 bytes but
	197	there should be no binary compatibility issues as existing applications
	198	will never use XTS mode.
32a2d8dd DSH	199	[Steve Henson]
32a2d8dd DSH	200
05e24c87 DSH	201	*) Extensive reorganisation of FIPS PRNG behaviour. Remove all dependencies
	202	to OpenSSL RAND code and replace with a tiny FIPS RAND API which also
	203	performs algorithm blocking for unapproved PRNG types. Also do not
	204	set PRNG type in FIPS_mode_set(): leave this to the application.
	205	Add default OpenSSL DRBG handling: sets up FIPS PRNG and seeds with
d7a3ce98	206	the standard OpenSSL PRNG: set additional data to a date time vector.
05e24c87 DSH	207	[Steve Henson]
05e24c87 DSH	208
cab0595c DSH	209	) Rename old X9.31 PRNG functions of the form FIPS_rand to FIPS_x931*.
	210	This shouldn't present any incompatibility problems because applications
	211	shouldn't be using these directly and any that are will need to rethink
	212	anyway as the X9.31 PRNG is now deprecated by FIPS 140-2
	213	[Steve Henson]
	214
96ec46f7 DSH	215	*) Extensive self tests and health checking required by SP800-90 DRBG.
	216	Remove strength parameter from FIPS_drbg_instantiate and always
	217	instantiate at maximum supported strength.
	218	[Steve Henson]
	219
8857b380 DSH	220	*) Add ECDH code to fips module and fips_ecdhvs for primitives only testing.
	221	[Steve Henson]
	222
11e80de3 DSH	223	*) New algorithm test program fips_dhvs to handle DH primitives only testing.
	224	[Steve Henson]
	225
	226	*) New function DH_compute_key_padded() to compute a DH key and pad with
	227	leading zeroes if needed: this complies with SP800-56A et al.
	228	[Steve Henson]
	229
591cbfae DSH	230	*) Initial implementation of SP800-90 DRBGs for Hash and CTR. Not used by
	231	anything, incomplete, subject to change and largely untested at present.
	232	[Steve Henson]
	233
eead69f5 DSH	234	*) Modify fipscanisteronly build option to only build the necessary object
	235	files by filtering FIPS_EX_OBJ through a perl script in crypto/Makefile.
	236	[Steve Henson]
	237
017bc57b DSH	238	*) Add experimental option FIPSSYMS to give all symbols in
017bc57b DSH	239	fipscanister.o and FIPS or fips prefix. This will avoid
5d439d69 DSH	240	conflicts with future versions of OpenSSL. Add perl script
	241	util/fipsas.pl to preprocess assembly language source files
	242	and rename any affected symbols.
017bc57b DSH	243	[Steve Henson]
017bc57b DSH	244
25c65429 DSH	245	*) Add selftest checks and algorithm block of non-fips algorithms in
	246	FIPS mode. Remove DES2 from selftests.
	247	[Steve Henson]
	248
fe26d066 DSH	249	*) Add ECDSA code to fips module. Add tiny fips_ecdsa_check to just
fe26d066 DSH	250	return internal method without any ENGINE dependencies. Add new
25c65429	251	tiny fips sign and verify functions.
fe26d066 DSH	252	[Steve Henson]
fe26d066 DSH	253
b3310161 DSH	254	*) New build option no-ec2m to disable characteristic 2 code.
	255	[Steve Henson]
	256
30b56225 DSH	257	*) New build option "fipscanisteronly". This only builds fipscanister.o
	258	and (currently) associated fips utilities. Uses the file Makefile.fips
	259	instead of Makefile.org as the prototype.
	260	[Steve Henson]
	261
b3d8022e DSH	262	*) Add some FIPS mode restrictions to GCM. Add internal IV generator.
	263	Update fips_gcmtest to use IV generator.
	264	[Steve Henson]
	265
bdaa5415 DSH	266	*) Initial, experimental EVP support for AES-GCM. AAD can be input by
	267	setting output buffer to NULL. The *Final function must be
	268	called although it will not retrieve any additional data. The tag
	269	can be set or retrieved with a ctrl. The IV length is by default 12
	270	bytes (96 bits) but can be set to an alternative value. If the IV
	271	length exceeds the maximum IV length (currently 16 bytes) it cannot be
	272	set before the key.
	273	[Steve Henson]
	274
3da0ca79 DSH	275	*) New flag in ciphers: EVP_CIPH_FLAG_CUSTOM_CIPHER. This means the
	276	underlying do_cipher function handles all cipher semantics itself
	277	including padding and finalisation. This is useful if (for example)
	278	an ENGINE cipher handles block padding itself. The behaviour of
	279	do_cipher is subtly changed if this flag is set: the return value
	280	is the number of characters written to the output buffer (zero is
	281	no longer an error code) or a negative error code. Also if the
d45087c6	282	input buffer is NULL and length 0 finalisation should be performed.
3da0ca79 DSH	283	[Steve Henson]
3da0ca79 DSH	284
2b3936e8 DSH	285	*) If a candidate issuer certificate is already part of the constructed
	286	path ignore it: new debug notification X509_V_ERR_PATH_LOOP for this case.
	287	[Steve Henson]
	288
7c2d4fee BM	289	*) Improve forward-security support: add functions
	290
	291	void SSL_CTX_set_not_resumable_session_callback(SSL_CTX ctx, int (cb)(SSL *ssl, int is_forward_secure))
	292	void SSL_set_not_resumable_session_callback(SSL ssl, int (cb)(SSL *ssl, int is_forward_secure))
	293
	294	for use by SSL/TLS servers; the callback function will be called whenever a
	295	new session is created, and gets to decide whether the session may be
	296	cached to make it resumable (return 0) or not (return 1). (As by the
	297	SSL/TLS protocol specifications, the session_id sent by the server will be
	298	empty to indicate that the session is not resumable; also, the server will
	299	not generate RFC 4507 (RFC 5077) session tickets.)
	300
	301	A simple reasonable callback implementation is to return is_forward_secure.
	302	This parameter will be set to 1 or 0 depending on the ciphersuite selected
	303	by the SSL/TLS server library, indicating whether it can provide forward
	304	security.
	305