 OpenSSL CHANGES
 _______________

 Changes between 1.0.1 and 1.1.0 [xx XXX xxxx]

  *) Support for automatic EC temporary key parameter selection. If enabled
     the most preferred EC parameters are automatically used instead of
     hardcoded fixed parameters. Now a server just has to call:
     SSL_CTX_set_ecdh_auto(ctx, 1) and the server will automatically
     support ECDH and use the most appropriate parameters.
     [Steve Henson]

  *) Enhance and tidy EC curve and point format TLS extension code. Use
     static structures instead of allocation if default values are used.
     New ctrls to set curves we wish to support and to retrieve shared curves.
     Print out shared curves in s_server. New options to s_server and s_client
     to set list of supported curves.
     [Steve Henson]

  *) New ctrls to retrieve supported signature algorithms and
     supported curve values as an array of NIDs. Extend openssl utility
     to print out received values.
     [Steve Henson]

  *) Add new APIs EC_curve_nist2nid and EC_curve_nid2nist which convert
     between NIDs and the more common NIST names such as "P-256". Enhance
     ecparam utility and ECC method to recognise the NIST names for curves.
     [Steve Henson]

  *) Enhance SSL/TLS certificate chain handling to support different
     chains for each certificate instead of one chain in the parent SSL_CTX.
     [Steve Henson]

  *) Support for fixed DH ciphersuite client authentication: where both
     server and client use DH certificates with common parameters.
     [Steve Henson]

  *) Support for fixed DH ciphersuites: those requiring DH server
     certificates.
     [Steve Henson]

  *) Transparently support X9.42 DH parameters when calling
     PEM_read_bio_DHparameters. This means existing applications can handle
     the new parameter format automatically.
     [Steve Henson]

  *) Initial experimental support for X9.42 DH parameter format: mainly
     to support use of 'q' parameter for RFC5114 parameters.
     [Steve Henson]

  *) Add DH parameters from RFC5114 including test data to dhtest.
     [Steve Henson]

  *) Update fips_test_suite to support multiple command line options. New
     test to induce all self test errors in sequence and check expected
     failures.
     [Steve Henson]

  *) Add FIPS_{rsa,dsa,ecdsa}_{sign,verify} functions which digest and
     sign or verify all in one operation.
     [Steve Henson]

  *) Add fips_algvs: a multicall fips utility incorporating all the algorithm
     test programs and fips_test_suite. Includes functionality to parse
     the minimal script output of fipsalgest.pl directly.
     [Steve Henson]

  *) Add authorisation parameter to FIPS_module_mode_set().
     [Steve Henson]

  *) Add FIPS selftest for ECDH algorithm using P-224 and B-233 curves.
     [Steve Henson]

  *) Use separate DRBG fields for internal and external flags. New function
     FIPS_drbg_health_check() to perform on demand health checking. Add
     generation tests to fips_test_suite with reduced health check interval to
     demonstrate periodic health checking. Add "nodh" option to
     fips_test_suite to skip very slow DH test.
     [Steve Henson]

  *) New function FIPS_get_cipherbynid() to lookup FIPS supported ciphers
     based on NID.
     [Steve Henson]

  *) More extensive health check for DRBG checking many more failure modes.
     New function FIPS_selftest_drbg_all() to handle every possible DRBG
     combination: call this in fips_test_suite.
     [Steve Henson]

  *) Add support for Dual EC DRBG from SP800-90. Update DRBG algorithm test
     and POST to handle Dual EC cases.
     [Steve Henson]

  *) Add support for canonical generation of DSA parameter 'g'. See
     FIPS 186-3 A.2.3.

  *) Add support for HMAC DRBG from SP800-90. Update DRBG algorithm test and
     POST to handle HMAC cases.
     [Steve Henson]

  *) Add functions FIPS_module_version() and FIPS_module_version_text()
     to return numerical and string versions of the FIPS module number.
     [Steve Henson]

  *) Rename FIPS_mode_set and FIPS_mode to FIPS_module_mode_set and
     FIPS_module_mode. FIPS_mode and FIPS_mode_set will be implemented
     outside the validated module in the FIPS capable OpenSSL.
     [Steve Henson]

  *) Minor change to DRBG entropy callback semantics. In some cases
     there is no multiple of the block length between min_len and
     max_len. Allow the callback to return more than max_len bytes
     of entropy but discard any extra: it is the callback's responsibility
     to ensure that the extra data discarded does not impact the
     requested amount of entropy.
     [Steve Henson]
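
     The entropy callback contract above, as an added illustration that is
     not OpenSSL code: a toy source that can only produce whole 16-byte
     blocks, and a DRBG side that enforces min_len, keeps at most max_len
     and scrubs the surplus. All names (toy_entropy_cb, drbg_get_entropy,
     drbg_demo) and the block size are hypothetical; the "entropy" is a
     deterministic filler so the example runs offline.

```c
/* Added example, not OpenSSL code: a toy model of the DRBG entropy callback
 * contract. The DRBG asks for between min_len and max_len bytes; a source
 * that can only hand out whole blocks may have to return more than max_len,
 * and the DRBG keeps at most max_len. All names are hypothetical. */
#include <stddef.h>
#include <string.h>

#define TOY_BLOCK_LEN 16   /* the constructed source only yields 16-byte blocks */
#define TOY_MAX_OUT  128   /* upper bound on what the source will hand over */

/* Constructed entropy source: deterministic filler so the example runs
 * offline. It returns whole blocks, so the count may exceed max_len. A real
 * source must make sure the bytes the DRBG keeps (the first max_len) already
 * carry the requested entropy, since the rest will be thrown away. */
static size_t toy_entropy_cb(unsigned char *out, size_t min_len, size_t max_len)
{
    /* smallest multiple of the block length that is at least min_len */
    size_t want = ((min_len + TOY_BLOCK_LEN - 1) / TOY_BLOCK_LEN) * TOY_BLOCK_LEN;
    size_t i;
    (void)max_len;                 /* may be exceeded by design */
    if (want > TOY_MAX_OUT)
        return 0;                  /* request cannot be satisfied */
    for (i = 0; i < want; i++)
        out[i] = (unsigned char)(0xA5 ^ i);   /* filler, not real entropy */
    return want;
}

/* DRBG side: enforce min_len, clamp to max_len, scrub the surplus.
 * Returns the number of bytes kept, or 0 on failure. */
static size_t drbg_get_entropy(unsigned char *buf, size_t buf_len,
                               size_t min_len, size_t max_len)
{
    unsigned char tmp[TOY_MAX_OUT];
    size_t got, keep;
    if (min_len > max_len || max_len > buf_len)
        return 0;
    got = toy_entropy_cb(tmp, min_len, max_len);
    if (got < min_len)
        return 0;                  /* too little entropy: instantiate fails */
    keep = got > max_len ? max_len : got;   /* discard any extra */
    memcpy(buf, tmp, keep);
    memset(tmp, 0, sizeof tmp);    /* surplus bytes never leave this function */
    return keep;
}

/* Worked run: how many bytes does the DRBG end up keeping? */
static size_t drbg_demo(size_t min_len, size_t max_len)
{
    unsigned char buf[TOY_MAX_OUT];
    return drbg_get_entropy(buf, sizeof buf, min_len, max_len);
}
```

     With min_len 20 and max_len 24 there is no multiple of 16 in range, so
     the source returns 32 bytes and the DRBG keeps 24; with 32..64 the
     source returns exactly 32 and nothing is discarded.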

  *) Add PRNG security strength checks to RSA, DSA and ECDSA using
     information in FIPS186-3, SP800-57 and SP800-131A.
     [Steve Henson]

  *) CCM support via EVP. Interface is very similar to GCM case except we
     must supply all data in one chunk (i.e. no update, final) and the
     message length must be supplied if AAD is used. Add algorithm test
     support.
     [Steve Henson]

  *) Initial version of POST overhaul. Add POST callback to allow the status
     of POST to be monitored and/or failures induced. Modify fips_test_suite
     to use callback. Always run all selftests even if one fails.
     [Steve Henson]

  *) XTS support including algorithm test driver in the fips_gcmtest program.
     Note: this does increase the maximum key length from 32 to 64 bytes but
     there should be no binary compatibility issues as existing applications
     will never use XTS mode.
     [Steve Henson]

  *) Extensive reorganisation of FIPS PRNG behaviour. Remove all dependencies
     on OpenSSL RAND code and replace with a tiny FIPS RAND API which also
     performs algorithm blocking for unapproved PRNG types. Also do not
     set PRNG type in FIPS_mode_set(): leave this to the application.
     Add default OpenSSL DRBG handling: sets up FIPS PRNG and seeds with
     the standard OpenSSL PRNG: set additional data to a date time vector.
     [Steve Henson]

  *) Rename old X9.31 PRNG functions of the form FIPS_rand* to FIPS_x931*.
     This shouldn't present any incompatibility problems because applications
     shouldn't be using these directly and any that are will need to rethink
     anyway as the X9.31 PRNG is now deprecated by FIPS 140-2.
     [Steve Henson]

  *) Extensive self tests and health checking required by SP800-90 DRBG.
     Remove strength parameter from FIPS_drbg_instantiate and always
     instantiate at maximum supported strength.
     [Steve Henson]

  *) Add ECDH code to fips module and fips_ecdhvs for primitives only testing.
     [Steve Henson]

  *) New algorithm test program fips_dhvs to handle DH primitives only testing.
     [Steve Henson]

  *) New function DH_compute_key_padded() to compute a DH key and pad with
     leading zeroes if needed: this complies with SP800-56A et al.
     [Steve Henson]
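
     Why the padded variant matters, as an added illustration that is not
     OpenSSL code: a toy DH group (p = 257, g = 3, chosen so the arithmetic
     fits in 64-bit integers and has no security value) with the shared
     secret encoded both ways. The unpadded form, which is what DH_compute_key()
     yields, drops leading zero bytes, so its length varies with the secret
     and two peers can feed different byte strings into the KDF; the padded
     form is always the byte length of p. All toy_* names are hypothetical.

```c
/* Added example, not OpenSSL code: fixed-width encoding of a DH shared
 * secret, the behaviour DH_compute_key_padded() provides. The toy group
 * below (p = 257, g = 3) is for illustration only and is not secure. */
#include <stddef.h>
#include <stdint.h>

static const uint64_t TOY_P = 257;   /* prime; two bytes long (0x0101) */
static const uint64_t TOY_G = 3;     /* generator of the full group mod 257 */

/* square-and-multiply modular exponentiation; values stay below 2^16 */
static uint64_t toy_modexp(uint64_t base, uint64_t exp, uint64_t mod)
{
    uint64_t r = 1;
    base %= mod;
    while (exp) {
        if (exp & 1) r = (r * base) % mod;
        base = (base * base) % mod;
        exp >>= 1;
    }
    return r;
}

/* minimal big-endian byte length of v (the width of p for padded output) */
static size_t toy_num_bytes(uint64_t v)
{
    size_t n = 0;
    while (v) { n++; v >>= 8; }
    return n;
}

/* big-endian encoding of v into out[0..width), zero padded on the left;
 * returns width, or 0 if v does not fit */
static size_t toy_encode_be(uint64_t v, unsigned char *out, size_t width)
{
    size_t i;
    if (toy_num_bytes(v) > width) return 0;
    for (i = 0; i < width; i++) {
        out[width - 1 - i] = (unsigned char)(v & 0xff);
        v >>= 8;
    }
    return width;
}

/* unpadded form: minimal length, leading zero bytes dropped */
static size_t toy_compute_key(unsigned char *out, uint64_t peer_pub, uint64_t priv)
{
    uint64_t s = toy_modexp(peer_pub, priv, TOY_P);
    return toy_encode_be(s, out, toy_num_bytes(s));
}

/* padded form: always toy_num_bytes(p) bytes, as SP800-56A expects */
static size_t toy_compute_key_padded(unsigned char *out, uint64_t peer_pub, uint64_t priv)
{
    uint64_t s = toy_modexp(peer_pub, priv, TOY_P);
    return toy_encode_be(s, out, toy_num_bytes(TOY_P));
}

/* Worked run: a = 2, b = 3 give A = 9, B = 27 and secret 3^6 mod 257 = 215.
 * Padded output is 00 D7 (2 bytes) on both sides; unpadded is D7 (1 byte).
 * Returns the padded length if both sides agree, 0 otherwise. */
static size_t toy_dh_demo(void)
{
    unsigned char alice[8], bob[8], unpadded[8];
    uint64_t a = 2, b = 3;
    uint64_t A = toy_modexp(TOY_G, a, TOY_P);
    uint64_t B = toy_modexp(TOY_G, b, TOY_P);
    size_t la = toy_compute_key_padded(alice, B, a);
    size_t lb = toy_compute_key_padded(bob, A, b);
    size_t lu = toy_compute_key(unpadded, B, a);
    size_t i;
    if (la != lb || la != 2 || lu != 1) return 0;
    for (i = 0; i < la; i++)
        if (alice[i] != bob[i]) return 0;
    return la;
}
```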

  *) Initial implementation of SP800-90 DRBGs for Hash and CTR. Not used by
     anything, incomplete, subject to change and largely untested at present.
     [Steve Henson]

  *) Modify fipscanisteronly build option to only build the necessary object
     files by filtering FIPS_EX_OBJ through a perl script in crypto/Makefile.
     [Steve Henson]

  *) Add experimental option FIPSSYMS to give all symbols in
     fipscanister.o a FIPS or fips prefix. This will avoid
     conflicts with future versions of OpenSSL. Add perl script
     util/fipsas.pl to preprocess assembly language source files
     and rename any affected symbols.
     [Steve Henson]

  *) Add selftest checks and algorithm block of non-fips algorithms in
     FIPS mode. Remove DES2 from selftests.
     [Steve Henson]

  *) Add ECDSA code to fips module. Add tiny fips_ecdsa_check to just
     return internal method without any ENGINE dependencies. Add new
     tiny fips sign and verify functions.
     [Steve Henson]

  *) New build option no-ec2m to disable characteristic 2 code.
     [Steve Henson]

  *) New build option "fipscanisteronly". This only builds fipscanister.o
     and (currently) associated fips utilities. Uses the file Makefile.fips
     instead of Makefile.org as the prototype.
     [Steve Henson]

  *) Add some FIPS mode restrictions to GCM. Add internal IV generator.
     Update fips_gcmtest to use IV generator.
     [Steve Henson]

  *) Initial, experimental EVP support for AES-GCM. AAD can be input by
     setting output buffer to NULL. The *Final function must be
     called although it will not retrieve any additional data. The tag
     can be set or retrieved with a ctrl. The IV length is by default 12
     bytes (96 bits) but can be set to an alternative value. If the IV
     length exceeds the maximum IV length (currently 16 bytes) it cannot be
     set before the key.
     [Steve Henson]

  *) New flag in ciphers: EVP_CIPH_FLAG_CUSTOM_CIPHER. This means the
     underlying do_cipher function handles all cipher semantics itself
     including padding and finalisation. This is useful if (for example)
     an ENGINE cipher handles block padding itself. The behaviour of
     do_cipher is subtly changed if this flag is set: the return value
     is the number of characters written to the output buffer (zero is
     no longer an error code) or a negative error code. Also if the
     input buffer is NULL and length 0 finalisation should be performed.
     [Steve Henson]

  *) If a candidate issuer certificate is already part of the constructed
     path ignore it: new debug notification X509_V_ERR_PATH_LOOP for this case.
     [Steve Henson]

  *) Improve forward-security support: add functions

     void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx, int (*cb)(SSL *ssl, int is_forward_secure))
     void SSL_set_not_resumable_session_callback(SSL *ssl, int (*cb)(SSL *ssl, int is_forward_secure))

     for use by SSL/TLS servers; the callback function will be called whenever a
     new session is created, and gets to decide whether the session may be
     cached to make it resumable (return 0) or not (return 1). (As per the
     SSL/TLS protocol specifications, the session_id sent by the server will be
     empty to indicate that the session is not resumable; also, the server will
     not generate RFC 4507 (RFC 5077) session tickets.)

     A simple reasonable callback implementation is to return is_forward_secure.
     This parameter will be set to 1 or 0 depending on the ciphersuite selected
     by the SSL/TLS server library, indicating whether it can provide forward
     security.