git.ipfire.org Git - thirdparty/openssl.git/blame - CHANGES

 OpenSSL CHANGES
 _______________

 Changes between 1.0.1 and 1.1.0 [xx XXX xxxx]

  *) Support for automatic EC temporary key parameter selection. If enabled
     the most preferred EC parameters are automatically used instead of
     hardcoded fixed parameters. Now a server just has to call:
     SSL_CTX_set_ecdh_auto(ctx, 1) and the server will automatically
     support ECDH and use the most appropriate parameters.
     [Steve Henson]

  *) Enhance and tidy EC curve and point format TLS extension code. Use
     static structures instead of allocation if default values are used.
     New ctrls to set curves we wish to support and to retrieve shared curves.
     Print out shared curves in s_server. New options to s_server and s_client
     to set list of supported curves.
     [Steve Henson]

  *) New ctrls to retrieve supported signature algorithms and
     supported curve values as an array of NIDs. Extend openssl utility
     to print out received values.
     [Steve Henson]

  *) Add new APIs EC_curve_nist2nid and EC_curve_nid2nist which convert
     between NIDs and the more common NIST names such as "P-256". Enhance
     ecparam utility and ECC method to recognise the NIST names for curves.
     [Steve Henson]

  *) Enhance SSL/TLS certificate chain handling to support different
     chains for each certificate instead of one chain in the parent SSL_CTX.
     [Steve Henson]

  *) Support for fixed DH ciphersuite client authentication: where both
     server and client use DH certificates with common parameters.
     [Steve Henson]

  *) Support for fixed DH ciphersuites: those requiring DH server
     certificates.
     [Steve Henson]

  *) Transparently support X9.42 DH parameters when calling
     PEM_read_bio_DHparameters. This means existing applications can handle
     the new parameter format automatically.
     [Steve Henson]

  *) Initial experimental support for X9.42 DH parameter format: mainly
     to support use of 'q' parameter for RFC5114 parameters.
     [Steve Henson]

  *) Add DH parameters from RFC5114 including test data to dhtest.
     [Steve Henson]

  *) Update fips_test_suite to support multiple command line options. New
     test to induce all self test errors in sequence and check expected
     failures.
     [Steve Henson]

  *) Add FIPS_{rsa,dsa,ecdsa}_{sign,verify} functions which digest and
     sign or verify all in one operation.
     [Steve Henson]

  *) Add fips_algvs: a multicall fips utility incorporating all the algorithm
     test programs and fips_test_suite. Includes functionality to parse
     the minimal script output of fipsalgest.pl directly.
     [Steve Henson]

  *) Add authorisation parameter to FIPS_module_mode_set().
     [Steve Henson]

  *) Add FIPS selftest for ECDH algorithm using P-224 and B-233 curves.
     [Steve Henson]

  *) Use separate DRBG fields for internal and external flags. New function
     FIPS_drbg_health_check() to perform on demand health checking. Add
     generation tests to fips_test_suite with reduced health check interval to
     demonstrate periodic health checking. Add "nodh" option to
     fips_test_suite to skip very slow DH test.
     [Steve Henson]

  *) New function FIPS_get_cipherbynid() to lookup FIPS supported ciphers
     based on NID.
     [Steve Henson]

  *) More extensive health check for DRBG checking many more failure modes.
     New function FIPS_selftest_drbg_all() to handle every possible DRBG
     combination: call this in fips_test_suite.
     [Steve Henson]

  *) Add support for Dual EC DRBG from SP800-90. Update DRBG algorithm test
     and POST to handle Dual EC cases.
     [Steve Henson]

  *) Add support for canonical generation of DSA parameter 'g'. See
     FIPS 186-3 A.2.3.

  *) Add support for HMAC DRBG from SP800-90. Update DRBG algorithm test and
     POST to handle HMAC cases.
     [Steve Henson]

  *) Add functions FIPS_module_version() and FIPS_module_version_text()
     to return numerical and string versions of the FIPS module number.
     [Steve Henson]

  *) Rename FIPS_mode_set and FIPS_mode to FIPS_module_mode_set and
     FIPS_module_mode. FIPS_mode and FIPS_mode_set will be implemented
     outside the validated module in the FIPS capable OpenSSL.
     [Steve Henson]

  *) Minor change to DRBG entropy callback semantics. In some cases
     there is no multiple of the block length between min_len and
     max_len. Allow the callback to return more than max_len bytes
     of entropy but discard any extra: it is the callback's responsibility
     to ensure that the extra data discarded does not impact the
     requested amount of entropy.
     [Steve Henson]

  *) Add PRNG security strength checks to RSA, DSA and ECDSA using
     information in FIPS186-3, SP800-57 and SP800-131A.
     [Steve Henson]

  *) CCM support via EVP. Interface is very similar to GCM case except we
     must supply all data in one chunk (i.e. no update, final) and the
     message length must be supplied if AAD is used. Add algorithm test
     support.
     [Steve Henson]

  *) Initial version of POST overhaul. Add POST callback to allow the status
     of POST to be monitored and/or failures induced. Modify fips_test_suite
     to use callback. Always run all selftests even if one fails.
     [Steve Henson]

  *) XTS support including algorithm test driver in the fips_gcmtest program.
     Note: this does increase the maximum key length from 32 to 64 bytes but
     there should be no binary compatibility issues as existing applications
     will never use XTS mode.
     [Steve Henson]

  *) Extensive reorganisation of FIPS PRNG behaviour. Remove all dependencies
     to OpenSSL RAND code and replace with a tiny FIPS RAND API which also
     performs algorithm blocking for unapproved PRNG types. Also do not
     set PRNG type in FIPS_mode_set(): leave this to the application.
     Add default OpenSSL DRBG handling: sets up FIPS PRNG and seeds with
     the standard OpenSSL PRNG: set additional data to a date time vector.
     [Steve Henson]

  *) Rename old X9.31 PRNG functions of the form FIPS_rand* to FIPS_x931*.
     This shouldn't present any incompatibility problems because applications
     shouldn't be using these directly and any that are will need to rethink
     anyway as the X9.31 PRNG is now deprecated by FIPS 140-2.
     [Steve Henson]

  *) Extensive self tests and health checking required by SP800-90 DRBG.
     Remove strength parameter from FIPS_drbg_instantiate and always
     instantiate at maximum supported strength.
     [Steve Henson]

  *) Add ECDH code to fips module and fips_ecdhvs for primitives only testing.
     [Steve Henson]

  *) New algorithm test program fips_dhvs to handle DH primitives only testing.
     [Steve Henson]

  *) New function DH_compute_key_padded() to compute a DH key and pad with
     leading zeroes if needed: this complies with SP800-56A et al.
     [Steve Henson]

  *) Initial implementation of SP800-90 DRBGs for Hash and CTR. Not used by
     anything, incomplete, subject to change and largely untested at present.
     [Steve Henson]

  *) Modify fipscanisteronly build option to only build the necessary object
     files by filtering FIPS_EX_OBJ through a perl script in crypto/Makefile.
     [Steve Henson]

  *) Add experimental option FIPSSYMS to give all symbols in
     fipscanister.o a FIPS or fips prefix. This will avoid
     conflicts with future versions of OpenSSL. Add perl script
     util/fipsas.pl to preprocess assembly language source files
     and rename any affected symbols.
     [Steve Henson]

  *) Add selftest checks and algorithm block of non-fips algorithms in
     FIPS mode. Remove DES2 from selftests.
     [Steve Henson]

  *) Add ECDSA code to fips module. Add tiny fips_ecdsa_check to just
     return internal method without any ENGINE dependencies. Add new
     tiny fips sign and verify functions.
     [Steve Henson]

  *) New build option no-ec2m to disable characteristic 2 code.
     [Steve Henson]

  *) New build option "fipscanisteronly". This only builds fipscanister.o
     and (currently) associated fips utilities. Uses the file Makefile.fips
     instead of Makefile.org as the prototype.
     [Steve Henson]

  *) Add some FIPS mode restrictions to GCM. Add internal IV generator.
     Update fips_gcmtest to use IV generator.
     [Steve Henson]

  *) Initial, experimental EVP support for AES-GCM. AAD can be input by
     setting output buffer to NULL. The *Final function must be
     called although it will not retrieve any additional data. The tag
     can be set or retrieved with a ctrl. The IV length is by default 12
     bytes (96 bits) but can be set to an alternative value. If the IV
     length exceeds the maximum IV length (currently 16 bytes) it cannot be
     set before the key.
     [Steve Henson]

  *) New flag in ciphers: EVP_CIPH_FLAG_CUSTOM_CIPHER. This means the
     underlying do_cipher function handles all cipher semantics itself
     including padding and finalisation. This is useful if (for example)
     an ENGINE cipher handles block padding itself. The behaviour of
     do_cipher is subtly changed if this flag is set: the return value
     is the number of characters written to the output buffer (zero is
     no longer an error code) or a negative error code. Also if the
     input buffer is NULL and length 0 finalisation should be performed.
     [Steve Henson]

  *) If a candidate issuer certificate is already part of the constructed
     path ignore it: new debug notification X509_V_ERR_PATH_LOOP for this case.
     [Steve Henson]

  *) Improve forward-security support: add functions

       void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx, int (*cb)(SSL *ssl, int is_forward_secure))
       void SSL_set_not_resumable_session_callback(SSL *ssl, int (*cb)(SSL *ssl, int is_forward_secure))

     for use by SSL/TLS servers; the callback function will be called whenever a
     new session is created, and gets to decide whether the session may be
     cached to make it resumable (return 0) or not (return 1). (As per the
     SSL/TLS protocol specifications, the session_id sent by the server will be
     empty to indicate that the session is not resumable; also, the server will
     not generate RFC 4507 (RFC 5077) session tickets.)

     A simple reasonable callback implementation is to return is_forward_secure.
     This parameter will be set to 1 or 0 depending on the ciphersuite selected
     by the SSL/TLS server library, indicating whether it can provide forward
     security.
