| Commit | Line | Data |
|---|---|---|
| 81a6c781 | 1 | |
| f1c236f8 | 2 | OpenSSL CHANGES |
| 651d0aff RE | 3 | _______________ |
| | 4 | |
| 7b3a9b00 | 5 | Changes between 1.0.1 and 1.1.0 [xx XXX xxxx] |
| aaf35f11 | 6 | |
| eda3766b DSH | 7 | *) Output TLS supported curves in preference order instead of numerical |
| | 8 | order. This is currently hardcoded for the highest order curves first. |
| | 9 | This should be configurable so applications can judge speed vs strength. |
| | 10 | [Steve Henson] |
| | 11 | |
| 992bdde6 DSH | 12 | *) Add protection against ECDSA timing attacks as mentioned in the paper |
| | 13 | by Billy Bob Brumley and Nicola Tuveri, see: |
| | 14 | |
| | 15 | http://eprint.iacr.org/2011/232.pdf |
| | 16 | |
| | 17 | [Billy Bob Brumley and Nicola Tuveri] |
| | 18 | |
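The leak that entry addresses, as an added example (this is not OpenSSL code): a naive left-to-right double-and-add runs one loop iteration per bit of the scalar, so the time a signature takes reveals the nonce's bit length, which is the Brumley-Tuveri observation. The mitigation OpenSSL adopted is to add the group order to the nonce once, and a second time if that did not grow the bit length, so every scalar is exactly one bit longer than the order while k*G is unchanged. The secp256k1 parameters below are public constants standing in for whatever curve the application uses; affine arithmetic is used for readability, not speed.

```python
"""Why OpenSSL pads the ECDSA nonce with the group order.

Added example, not OpenSSL code.  Assumption: secp256k1 parameters
(public constants) stand in for the application's curve.
"""

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A = 0
B = 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
INF = None  # point at infinity


def point_add(p1, p2):
    """Affine addition on y^2 = x^3 + A*x + B over GF(P); handles doubling."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:      # p2 == -p1
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # tangent slope
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P    # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, point):
    """Left-to-right double-and-add.  Returns (k*point, loop_iterations).

    The loop runs k.bit_length() times, so anyone who can time this
    routine learns how many leading zero bits the scalar has.
    """
    assert k > 0
    acc = INF
    iterations = 0
    for i in range(k.bit_length() - 1, -1, -1):
        acc = point_add(acc, acc)           # double
        if (k >> i) & 1:
            acc = point_add(acc, point)     # add
        iterations += 1
    return acc, iterations


def pad_nonce(k, order):
    """The fix: k + order, and once more if that did not grow the bit length.

    The result always has order.bit_length()+1 bits and is congruent to k
    mod order, so the point computed from it is unchanged (order*G = O).
    """
    kp = k + order
    if kp.bit_length() <= order.bit_length():
        kp += order
    return kp


def demo(k):
    """Return (iterations for raw k, iterations for padded k, same point?)."""
    raw_point, raw_iters = scalar_mult(k, G)
    padded_point, padded_iters = scalar_mult(pad_nonce(k, N), G)
    return raw_iters, padded_iters, raw_point == padded_point


if __name__ == "__main__":
    # Raw iteration count follows the nonce; padded count is always 257.
    for k in (1, 2**100 + 5, N - 1):
        print(demo(k))   # (1, 257, True) (101, 257, True) (256, 257, True)
```

A fixed-length scalar removes only the bit-length leak. The conditional add in the loop still depends on the nonce's bits, so against an attacker with finer-grained timing or cache observations a constant-time ladder is still required; the padding is a necessary first step, not a complete defence.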
| Commit | Line | Data |
|---|---|---|
| f37f20ff DSH | 19 | *) Add TLS v1.2 server support for client authentication. |
| | 20 | [Steve Henson] |
| | 21 | |
| 101e6e19 DSH | 22 | *) Add support for FIPS mode in ssl library: disable SSLv3, non-FIPS ciphers |
| | 23 | and enable MD5. |
| | 24 | [Steve Henson] |
| | 25 | |
| 086e32a6 DSH | 26 | *) Functions FIPS_mode_set() and FIPS_mode() which call the underlying |
| | 27 | FIPS modules versions. |
| | 28 | [Steve Henson] |
| | 29 | |
| 855a54a9 DSH | 30 | *) Add TLS v1.2 client side support for client authentication. Keep cache |
| | 31 | of handshake records longer as we don't know the hash algorithm to use |
| | 32 | until after the certificate request message is received. |
| | 33 | [Steve Henson] |
| | 34 | |
| c2fd5989 DSH | 35 | *) Rename FIPS_mode_set and FIPS_mode to FIPS_module_mode_set and |
| | 36 | FIPS_module_mode. FIPS_mode and FIPS_mode_set will be implemented |
| | 37 | outside the validated module in the FIPS capable OpenSSL. |
| | 38 | [Steve Henson] |
| | 39 | |
| a2f9200f DSH | 40 | *) Initial TLS v1.2 client support. Add a default signature algorithms |
| | 41 | extension including all the algorithms we support. Parse new signature |
| | 42 | format in client key exchange. Relax some ECC signing restrictions for |
| | 43 | TLS v1.2 as indicated in RFC5246. |
| | 44 | [Steve Henson] |
| | 45 | |
| 6b7be581 DSH | 46 | *) Add server support for TLS v1.2 signature algorithms extension. Switch |
| | 47 | to new signature format when needed using client digest preference. |
| | 48 | All server ciphersuites should now work correctly in TLS v1.2. No client |
| | 49 | support yet and no support for client certificates. |
| | 50 | [Steve Henson] |
| | 51 | |
| 7409d7ad DSH | 52 | *) Initial TLS v1.2 support. Add new SHA256 digest to ssl code, switch |
| | 53 | to SHA256 for PRF when using TLS v1.2 and later. Add new SHA256 based |
| | 54 | ciphersuites. At present only RSA key exchange ciphersuites work with |
| | 55 | TLS v1.2. Add new option for TLS v1.2 replacing the old and obsolete |
| | 56 | SSL_OP_PKCS1_CHECK flags with SSL_OP_NO_TLSv1_2. New TLSv1.2 methods |
| | 57 | and version checking. |
| | 58 | [Steve Henson] |
| | 59 | |
| 08557cf2 DSH | 60 | *) New option OPENSSL_NO_SSL_INTERN. If an application can be compiled |
| | 61 | with this defined it will not be affected by any changes to ssl internal |
| | 62 | structures. Add several utility functions to allow openssl application |
| | 63 | to work with OPENSSL_NO_SSL_INTERN defined. |
| | 64 | [Steve Henson] |
| | 65 | |
| e0d1a2f8 DSH | 66 | *) Minor change to DRBG entropy callback semantics. In some cases |
| | 67 | there is no multiple of the block length between min_len and |
| | 68 | max_len. Allow the callback to return more than max_len bytes |
| | 69 | of entropy but discard any extra: it is the callback's responsibility |
| | 70 | to ensure that the extra data discarded does not impact the |
| | 71 | requested amount of entropy. |
| | 72 | [Steve Henson] |
| | 73 | |
| cac4fb58 DSH | 74 | *) Add PRNG security strength checks to RSA, DSA and ECDSA using |
| | 75 | information in FIPS186-3, SP800-57 and SP800-131A. |
| | 76 | [Steve Henson] |
| | 77 | |
| b5dd1787 DSH | 78 | *) CCM support via EVP. Interface is very similar to GCM case except we |
| | 79 | must supply all data in one chunk (i.e. no update, final) and the |
| | 80 | message length must be supplied if AAD is used. Add algorithm test |
| | 81 | support. |
| 23916810 DSH | 82 | [Steve Henson] |
| | 83 | |
| ac892b7a DSH | 84 | *) Initial version of POST overhaul. Add POST callback to allow the status |
| | 85 | of POST to be monitored and/or failures induced. Modify fips_test_suite |
| | 86 | to use callback. Always run all selftests even if one fails. |
| | 87 | [Steve Henson] |
| | 88 | |
| 06b7e5a0 DSH | 89 | *) XTS support including algorithm test driver in the fips_gcmtest program. |
| | 90 | Note: this does increase the maximum key length from 32 to 64 bytes but |
| | 91 | there should be no binary compatibility issues as existing applications |
| | 92 | will never use XTS mode. |
| 32a2d8dd DSH | 93 | [Steve Henson] |
| | 94 | |
| 05e24c87 DSH | 95 | *) Extensive reorganisation of FIPS PRNG behaviour. Remove all dependencies |
| | 96 | to OpenSSL RAND code and replace with a tiny FIPS RAND API which also |
| | 97 | performs algorithm blocking for unapproved PRNG types. Also do not |
| | 98 | set PRNG type in FIPS_mode_set(): leave this to the application. |
| | 99 | Add default OpenSSL DRBG handling: sets up FIPS PRNG and seeds with |
| d7a3ce98 | 100 | the standard OpenSSL PRNG: set additional data to a date time vector. |
| 05e24c87 DSH | 101 | [Steve Henson] |
| | 102 | |
| cab0595c DSH | 103 | *) Rename old X9.31 PRNG functions of the form FIPS_rand* to FIPS_x931*. |
| | 104 | This shouldn't present any incompatibility problems because applications |
| | 105 | shouldn't be using these directly and any that are will need to rethink |
| | 106 | anyway as the X9.31 PRNG is now deprecated by FIPS 140-2. |
| | 107 | [Steve Henson] |
| | 108 | |
| 96ec46f7 DSH | 109 | *) Extensive self tests and health checking required by SP800-90 DRBG. |
| | 110 | Remove strength parameter from FIPS_drbg_instantiate and always |
| | 111 | instantiate at maximum supported strength. |
| | 112 | [Steve Henson] |
| | 113 | |
| 0deea0e0 | 114 | *) Add SRP support. |
| d4f3dd5f | 115 | [Tom Wu <tjw@cs.stanford.edu> and Ben Laurie] |
| 0deea0e0 | 116 | |
| 8857b380 DSH | 117 | *) Add ECDH code to fips module and fips_ecdhvs for primitives only testing. |
| | 118 | [Steve Henson] |
| | 119 | |
| 11e80de3 DSH | 120 | *) New algorithm test program fips_dhvs to handle DH primitives only testing. |
| | 121 | [Steve Henson] |
| | 122 | |
| | 123 | *) New function DH_compute_key_padded() to compute a DH key and pad with |
| | 124 | leading zeroes if needed: this complies with SP800-56A et al. |
| | 125 | [Steve Henson] |
| | 126 | |
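What the padded variant is for, as an added example (not OpenSSL code): the raw DH shared secret is an integer in [1, p-1], and encoding it with the minimal number of bytes yields a shorter value whenever it has leading zero bytes. Two peers that feed the secret into a KDF with different conventions then derive different keys, and the encoded length also reveals the leading zero bytes to anyone who can observe it, which is why SP800-56A fixes the width at the modulus length. The 16-bit prime, generator and private exponents below are toy values constructed for illustration only; real groups are 2048 bits or more.

```python
"""Fixed-width DH shared secret encoding, the behaviour of
DH_compute_key_padded() versus DH_compute_key().

Added example, not OpenSSL code.  Toy parameters constructed for
illustration: P is a 16-bit prime, so a padded secret is always 2 bytes.
"""
import hashlib

P = 65521   # prime (constructed toy value, not a safe-prime group)
G = 2       # generator (toy value)


def public_key(priv, p=P, g=G):
    """g^priv mod p."""
    return pow(g, priv, p)


def shared_secret_bytes(priv, peer_pub, padded, p=P):
    """Compute peer_pub^priv mod p and encode it big-endian.

    padded=False mirrors DH_compute_key(): minimal length, so a secret with
    leading zero bytes comes out shorter.  padded=True mirrors
    DH_compute_key_padded(): always the byte length of p, per SP800-56A.
    """
    s = pow(peer_pub, priv, p)
    plen = (p.bit_length() + 7) // 8
    slen = (s.bit_length() + 7) // 8
    return s.to_bytes(plen if padded else slen, "big")


def derive_key(secret):
    """Stand-in KDF: the derived key is a hash of the encoded secret."""
    return hashlib.sha256(secret).hexdigest()


def interop_check(alice_priv, bob_priv, alice_pads, bob_pads):
    """Each side encodes the secret by its own convention.

    Returns (alice_secret, bob_secret, keys_match).
    """
    a_pub, b_pub = public_key(alice_priv), public_key(bob_priv)
    a_secret = shared_secret_bytes(alice_priv, b_pub, alice_pads)
    b_secret = shared_secret_bytes(bob_priv, a_pub, bob_pads)
    return a_secret, b_secret, derive_key(a_secret) == derive_key(b_secret)


if __name__ == "__main__":
    # Secret 2^(2*3) = 64 = 0x0040: a leading zero byte.
    print(interop_check(2, 3, True, False))   # (b'\x00@', b'@', False)
    print(interop_check(2, 3, True, True))    # (b'\x00@', b'\x00@', True)
    # Secret 2^(3*5) = 0x8000: full width, so the conventions agree.
    print(interop_check(3, 5, True, False))   # (b'\x80\x00', b'\x80\x00', True)
```

The mismatch only appears for secrets with leading zero bytes, roughly one connection in 256 for a random secret, which is exactly the kind of intermittent interoperability bug that a test suite with fixed vectors never sees; the padded form makes the encoding length independent of the secret's value.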
| Commit | Line | Data |
|---|---|---|
| 591cbfae DSH | 127 | *) Initial implementation of SP800-90 DRBGs for Hash and CTR. Not used by |
| | 128 | anything, incomplete, subject to change and largely untested at present. |
| | 129 | [Steve Henson] |
| | 130 | |
| eead69f5 DSH | 131 | *) Modify fipscanisteronly build option to only build the necessary object |
| | 132 | files by filtering FIPS_EX_OBJ through a perl script in crypto/Makefile. |
| | 133 | [Steve Henson] |
| | 134 | |
| 017bc57b DSH | 135 | *) Add experimental option FIPSSYMS to give all symbols in |
| | 136 | fipscanister.o a FIPS or fips prefix. This will avoid |
| 5d439d69 DSH | 137 | conflicts with future versions of OpenSSL. Add perl script |
| | 138 | util/fipsas.pl to preprocess assembly language source files |
| | 139 | and rename any affected symbols. |
| 017bc57b DSH | 140 | [Steve Henson] |
| | 141 | |
| 25c65429 DSH | 142 | *) Add selftest checks and algorithm block of non-fips algorithms in |
| | 143 | FIPS mode. Remove DES2 from selftests. |
| | 144 | [Steve Henson] |
| | 145 | |
| fe26d066 DSH | 146 | *) Add ECDSA code to fips module. Add tiny fips_ecdsa_check to just |
| | 147 | return internal method without any ENGINE dependencies. Add new |
| 25c65429 | 148 | tiny fips sign and verify functions. |
| fe26d066 DSH | 149 | [Steve Henson] |
| | 150 | |
| b3310161 DSH | 151 | *) New build option no-ec2m to disable characteristic 2 code. |
| | 152 | [Steve Henson] |
| | 153 | |
| 30b56225 DSH | 154 | *) New build option "fipscanisteronly". This only builds fipscanister.o |
| | 155 | and (currently) associated fips utilities. Uses the file Makefile.fips |
| | 156 | instead of Makefile.org as the prototype. |
| | 157 | [Steve Henson] |
| | 158 | |
| b3d8022e DSH | 159 | *) Add some FIPS mode restrictions to GCM. Add internal IV generator. |
| | 160 | Update fips_gcmtest to use IV generator. |
| | 161 | [Steve Henson] |
| | 162 | |
| bdaa5415 DSH | 163 | *) Initial, experimental EVP support for AES-GCM. AAD can be input by |
| | 164 | setting output buffer to NULL. The *Final function must be |
| | 165 | called although it will not retrieve any additional data. The tag |
| | 166 | can be set or retrieved with a ctrl. The IV length is by default 12 |
| | 167 | bytes (96 bits) but can be set to an alternative value. If the IV |
| | 168 | length exceeds the maximum IV length (currently 16 bytes) it cannot be |
| | 169 | set before the key. |
| | 170 | [Steve Henson] |
| | 171 | |
| 3da0ca79 DSH | 172 | *) New flag in ciphers: EVP_CIPH_FLAG_CUSTOM_CIPHER. This means the |
| | 173 | underlying do_cipher function handles all cipher semantics itself |
| | 174 | including padding and finalisation. This is useful if (for example) |
| | 175 | an ENGINE cipher handles block padding itself. The behaviour of |
| | 176 | do_cipher is subtly changed if this flag is set: the return value |
| | 177 | is the number of characters written to the output buffer (zero is |
| | 178 | no longer an error code) or a negative error code. Also if the |
| d45087c6 | 179 | input buffer is NULL and length 0 finalisation should be performed. |
| 3da0ca79 DSH | 180 | [Steve Henson] |
| | 181 | |
| 2b3936e8 DSH | 182 | *) If a candidate issuer certificate is already part of the constructed |
| | 183 | path ignore it: new debug notification X509_V_ERR_PATH_LOOP for this case. |
| | 184 | [Steve Henson] |
| | 185 | |
| 7c2d4fee BM | 186 | *) Improve forward-security support: add functions |
| | 187 | |
| | 188 | `void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx, int (*cb)(SSL *ssl, int is_forward_secure))` |
| | 189 | `void SSL_set_not_resumable_session_callback(SSL *ssl, int (*cb)(SSL *ssl, int is_forward_secure))` |
| | 190 | |
| | 191 | for use by SSL/TLS servers; the callback function will be called whenever a |
| | 192 | new session is created, and gets to decide whether the session may be |
| | 193 | cached to make it resumable (return 0) or not (return 1). (As per the |
| | 194 | SSL/TLS protocol specifications, the session_id sent by the server will be |
| | 195 | empty to indicate that the session is not resumable; also, the server will |
| | 196 | not generate RFC 4507 (RFC 5077) session tickets.) |
| | 197 | |
| | 198 | A simple reasonable callback implementation is to return is_forward_secure. |
| | 199 | This parameter will be set to 1 or 0 depending on the ciphersuite selected |
| | 200 | by the SSL/TLS server library, indicating whether it can provide forward |
| | 201 | security. |
| | 202 | |