git.ipfire.org Git - thirdparty/openssl.git/blame - CHANGES
set FIPS allow before initialising ctx

 OpenSSL CHANGES
 _______________

 Changes between 1.0.1 and 1.1.0  [xx XXX xxxx]

  *) Output TLS supported curves in preference order instead of numerical
     order. This is currently hardcoded for the highest order curves first.
     This should be configurable so applications can judge speed vs strength.
     [Steve Henson]

  *) Add protection against ECDSA timing attacks as mentioned in the paper
     by Billy Bob Brumley and Nicola Tuveri, see:

     http://eprint.iacr.org/2011/232.pdf

     [Billy Bob Brumley and Nicola Tuveri]

  *) Add TLS v1.2 server support for client authentication.
     [Steve Henson]

  *) Add support for FIPS mode in ssl library: disable SSLv3, non-FIPS ciphers
     and enable MD5.
     [Steve Henson]

  *) Functions FIPS_mode_set() and FIPS_mode() which call the underlying
     FIPS module's versions.
     [Steve Henson]

  *) Add TLS v1.2 client side support for client authentication. Keep cache
     of handshake records longer as we don't know the hash algorithm to use
     until after the certificate request message is received.
     [Steve Henson]

  *) Rename FIPS_mode_set and FIPS_mode to FIPS_module_mode_set and
     FIPS_module_mode. FIPS_mode and FIPS_mode_set will be implemented
     outside the validated module in the FIPS capable OpenSSL.
     [Steve Henson]

  *) Initial TLS v1.2 client support. Add a default signature algorithms
     extension including all the algorithms we support. Parse new signature
     format in client key exchange. Relax some ECC signing restrictions for
     TLS v1.2 as indicated in RFC5246.
     [Steve Henson]

  *) Add server support for TLS v1.2 signature algorithms extension. Switch
     to new signature format when needed using client digest preference.
     All server ciphersuites should now work correctly in TLS v1.2. No client
     support yet and no support for client certificates.
     [Steve Henson]

  *) Initial TLS v1.2 support. Add new SHA256 digest to ssl code, switch
     to SHA256 for PRF when using TLS v1.2 and later. Add new SHA256 based
     ciphersuites. At present only RSA key exchange ciphersuites work with
     TLS v1.2. Add new option for TLS v1.2 replacing the old and obsolete
     SSL_OP_PKCS1_CHECK flags with SSL_OP_NO_TLSv1_2. New TLSv1.2 methods
     and version checking.
     [Steve Henson]

  *) New option OPENSSL_NO_SSL_INTERN. If an application can be compiled
     with this defined it will not be affected by any changes to ssl internal
     structures. Add several utility functions to allow openssl application
     to work with OPENSSL_NO_SSL_INTERN defined.
     [Steve Henson]

  *) Minor change to DRBG entropy callback semantics. In some cases
     there is no multiple of the block length between min_len and
     max_len. Allow the callback to return more than max_len bytes
     of entropy but discard any extra: it is the callback's responsibility
     to ensure that the extra data discarded does not impact the
     requested amount of entropy.
     [Steve Henson]

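As an added example (not OpenSSL's code), a C model of the entropy-callback contract in the entry above: the source only delivers whole blocks, so it may hand back more than max_len, and the DRBG side keeps at most max_len and discards the rest. The block size, function names and the deterministic byte filler are constructed for illustration.

```c
/* Added example modelling the DRBG entropy-callback semantics described in
 * the CHANGES entry; this is illustrative code, not OpenSSL's FIPS DRBG. */
#include <stddef.h>
#include <string.h>

#define BLOCK_LEN 16   /* assumed block size of the entropy source */

/* Constructed entropy callback: returns the smallest whole number of blocks
 * covering min_len, which may legitimately exceed max_len. Every byte is
 * assumed to carry full entropy, so truncation by the caller to max_len
 * still leaves at least min_len bytes of entropy. The byte filler is a
 * deterministic stand-in for a real entropy source. */
static size_t blocky_entropy_cb(unsigned char *out, size_t out_size,
                                size_t min_len, size_t max_len)
{
    size_t want = ((min_len + BLOCK_LEN - 1) / BLOCK_LEN) * BLOCK_LEN;
    (void)max_len;                    /* deliberately not a cap here */
    if (want > out_size)
        return 0;                     /* caller's buffer too small */
    for (size_t i = 0; i < want; i++)
        out[i] = (unsigned char)(0xA5 ^ i);
    return want;
}

/* DRBG side: require at least min_len, keep at most max_len, drop extra.
 * Returns 0 on success and stores the retained length in *kept. */
int drbg_collect_entropy(unsigned char *buf, size_t buf_size,
                         size_t min_len, size_t max_len, size_t *kept)
{
    unsigned char tmp[4 * BLOCK_LEN];
    size_t got = blocky_entropy_cb(tmp, sizeof tmp, min_len, max_len);
    if (got < min_len)
        return -1;                    /* source failed to deliver enough */
    size_t use = got > max_len ? max_len : got;   /* discard the surplus */
    if (use > buf_size)
        return -1;
    memcpy(buf, tmp, use);
    memset(tmp, 0, sizeof tmp);       /* scrub the oversized copy */
    *kept = use;
    return 0;
}
```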
  *) Add PRNG security strength checks to RSA, DSA and ECDSA using
     information in FIPS186-3, SP800-57 and SP800-131A.
     [Steve Henson]

  *) CCM support via EVP. Interface is very similar to GCM case except we
     must supply all data in one chunk (i.e. no update, final) and the
     message length must be supplied if AAD is used. Add algorithm test
     support.
     [Steve Henson]

  *) Initial version of POST overhaul. Add POST callback to allow the status
     of POST to be monitored and/or failures induced. Modify fips_test_suite
     to use callback. Always run all selftests even if one fails.
     [Steve Henson]

  *) XTS support including algorithm test driver in the fips_gcmtest program.
     Note: this does increase the maximum key length from 32 to 64 bytes but
     there should be no binary compatibility issues as existing applications
     will never use XTS mode.
     [Steve Henson]

  *) Extensive reorganisation of FIPS PRNG behaviour. Remove all dependencies
     to OpenSSL RAND code and replace with a tiny FIPS RAND API which also
     performs algorithm blocking for unapproved PRNG types. Also do not
     set PRNG type in FIPS_mode_set(): leave this to the application.
     Add default OpenSSL DRBG handling: sets up FIPS PRNG and seeds with
     the standard OpenSSL PRNG: set additional data to a date time vector.
     [Steve Henson]

  *) Rename old X9.31 PRNG functions of the form FIPS_rand* to FIPS_x931*.
     This shouldn't present any incompatibility problems because applications
     shouldn't be using these directly and any that are will need to rethink
     anyway as the X9.31 PRNG is now deprecated by FIPS 140-2.
     [Steve Henson]

  *) Extensive self tests and health checking required by SP800-90 DRBG.
     Remove strength parameter from FIPS_drbg_instantiate and always
     instantiate at maximum supported strength.
     [Steve Henson]

  *) Add SRP support.
     [Tom Wu <tjw@cs.stanford.edu> and Ben Laurie]

  *) Add ECDH code to fips module and fips_ecdhvs for primitives only testing.
     [Steve Henson]

  *) New algorithm test program fips_dhvs to handle DH primitives only testing.
     [Steve Henson]

  *) New function DH_compute_key_padded() to compute a DH key and pad with
     leading zeroes if needed: this complies with SP800-56A et al.
     [Steve Henson]

  *) Initial implementation of SP800-90 DRBGs for Hash and CTR. Not used by
     anything, incomplete, subject to change and largely untested at present.
     [Steve Henson]

  *) Modify fipscanisteronly build option to only build the necessary object
     files by filtering FIPS_EX_OBJ through a perl script in crypto/Makefile.
     [Steve Henson]

  *) Add experimental option FIPSSYMS to give all symbols in
     fipscanister.o a FIPS or fips prefix. This will avoid
     conflicts with future versions of OpenSSL. Add perl script
     util/fipsas.pl to preprocess assembly language source files
     and rename any affected symbols.
     [Steve Henson]

  *) Add selftest checks and algorithm block of non-fips algorithms in
     FIPS mode. Remove DES2 from selftests.
     [Steve Henson]

  *) Add ECDSA code to fips module. Add tiny fips_ecdsa_check to just
     return internal method without any ENGINE dependencies. Add new
     tiny fips sign and verify functions.
     [Steve Henson]

  *) New build option no-ec2m to disable characteristic 2 code.
     [Steve Henson]

  *) New build option "fipscanisteronly". This only builds fipscanister.o
     and (currently) associated fips utilities. Uses the file Makefile.fips
     instead of Makefile.org as the prototype.
     [Steve Henson]

  *) Add some FIPS mode restrictions to GCM. Add internal IV generator.
     Update fips_gcmtest to use IV generator.
     [Steve Henson]

  *) Initial, experimental EVP support for AES-GCM. AAD can be input by
     setting output buffer to NULL. The *Final function must be
     called although it will not retrieve any additional data. The tag
     can be set or retrieved with a ctrl. The IV length is by default 12
     bytes (96 bits) but can be set to an alternative value. If the IV
     length exceeds the maximum IV length (currently 16 bytes) it cannot be
     set before the key.
     [Steve Henson]

  *) New flag in ciphers: EVP_CIPH_FLAG_CUSTOM_CIPHER. This means the
     underlying do_cipher function handles all cipher semantics itself
     including padding and finalisation. This is useful if (for example)
     an ENGINE cipher handles block padding itself. The behaviour of
     do_cipher is subtly changed if this flag is set: the return value
     is the number of characters written to the output buffer (zero is
     no longer an error code) or a negative error code. Also if the
     input buffer is NULL and length 0 finalisation should be performed.
     [Steve Henson]

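As an added example (not OpenSSL's code), a do_cipher routine written to the EVP_CIPH_FLAG_CUSTOM_CIPHER contract in the entry above: it buffers partial blocks, applies PKCS#7-style padding itself, returns the byte count written (zero is a valid result) or a negative error code, and treats a NULL input with length 0 as the finalisation call. The context type, function names and the XOR "block transform" are constructed placeholders standing in for a real ENGINE cipher.

```c
/* Added example of the custom-cipher do_cipher contract; illustrative code,
 * not part of OpenSSL. The block transform is a placeholder, not a cipher. */
#include <stddef.h>
#include <string.h>

#define BLK 8

typedef struct {
    unsigned char key[BLK];
    unsigned char buf[BLK];   /* unprocessed partial block */
    size_t buflen;
} custom_ctx;

/* Placeholder for a real block cipher: byte-wise XOR with the key. */
static void block_xform(const custom_ctx *c, const unsigned char *in,
                        unsigned char *out)
{
    for (size_t i = 0; i < BLK; i++)
        out[i] = in[i] ^ c->key[i];
}

/* Returns the number of bytes written to out (0 is not an error) or -1.
 * in == NULL with inl == 0 requests finalisation: pad and flush. */
int custom_do_cipher(custom_ctx *c, unsigned char *out,
                     const unsigned char *in, size_t inl)
{
    size_t written = 0;
    if (out == NULL)
        return -1;
    if (in == NULL && inl == 0) {
        unsigned char pad = (unsigned char)(BLK - c->buflen);
        memset(c->buf + c->buflen, pad, pad);   /* PKCS#7-style padding */
        block_xform(c, c->buf, out);
        c->buflen = 0;
        return BLK;
    }
    if (in == NULL)
        return -1;
    while (inl > 0) {
        size_t take = BLK - c->buflen;
        if (take > inl)
            take = inl;
        memcpy(c->buf + c->buflen, in, take);
        c->buflen += take; in += take; inl -= take;
        if (c->buflen == BLK) {                  /* full block: emit it */
            block_xform(c, c->buf, out + written);
            written += BLK;
            c->buflen = 0;
        }
    }
    return (int)written;
}
```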
  *) If a candidate issuer certificate is already part of the constructed
     path ignore it: new debug notification X509_V_ERR_PATH_LOOP for this case.
     [Steve Henson]

  *) Improve forward-security support: add functions

     void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx, int (*cb)(SSL *ssl, int is_forward_secure))
     void SSL_set_not_resumable_session_callback(SSL *ssl, int (*cb)(SSL *ssl, int is_forward_secure))

     for use by SSL/TLS servers; the callback function will be called whenever a
     new session is created, and gets to decide whether the session may be
     cached to make it resumable (return 0) or not (return 1). (As by the
     SSL/TLS protocol specifications, the session_id sent by the server will be
     empty to indicate that the session is not resumable; also, the server will
     not generate RFC 4507 (RFC 5077) session tickets.)

     A simple reasonable callback implementation is to return is_forward_secure.
     This parameter will be set to 1 or 0 depending on the ciphersuite selected
     by the SSL/TLS server library, indicating whether it can provide forward
     security.

202