Skip to content
CHANGES 375 KiB
Newer Older
 OpenSSL CHANGES
 Changes between 0.9.8i and 0.9.9  [xx XXX xxxx]
Ben Laurie's avatar
Ben Laurie committed
  *) Removed effectively defunct crypto/store from the build.
     [Ben Laurie]

  *) Revamp of STACK to provide stronger type-checking. Still to come:
     TXT_DB, bsearch(?), OBJ_bsearch, qsort, CRYPTO_EX_DATA, ASN1_VALUE,
     ASN1_STRING, CONF_VALUE.
     [Ben Laurie]

Ben Laurie's avatar
Ben Laurie committed
  *) Add a new SSL_MODE_RELEASE_BUFFERS mode flag to release unused buffer
     RAM on SSL connections.  This option can save about 34k per idle SSL.
     [Nick Mathewson]

Ben Laurie's avatar
Ben Laurie committed
  *) Revamp of LHASH to provide stronger type-checking. Still to come:
     STACK, TXT_DB, bsearch, qsort.
     [Ben Laurie]

Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
  *) Initial support for Cryptographic Message Syntax (aka CMS) based
     on RFC3850, RFC3851 and RFC3852. New cms directory and cms utility,
     support for data, signedData, compressedData, digestedData and
     encryptedData, envelopedData types included. Scripts to check against
     RFC4134 examples draft and interop and consistency checks of many
     content types and variants.
Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
     [Steve Henson]

Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
  *) Add options to enc utility to support use of zlib compression BIO.
Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
     [Steve Henson]

  *) Extend mk1mf to support importing of options and assembly language
     files from Configure script, currently only included in VC-WIN32.
     The assembly language rules can now optionally generate the source
     files from the associated perl scripts.
     [Steve Henson]

  *) Implement remaining functionality needed to support GOST ciphersuites.
     Interop testing has been performed using CryptoPro implementations.
     [Victor B. Wagner <vitus@cryptocom.ru>]

Andy Polyakov's avatar
Andy Polyakov committed
  *) ARMv4 assembler pack. ARMv4 refers to v4 and later ISA, not CPU
     "family."
     [Andy Polyakov]

  *) Implement Opaque PRF Input TLS extension as specified in
     draft-rescorla-tls-opaque-prf-input-00.txt.  Since this is not an
     official specification yet and no extension type assignment by
     IANA exists, this extension (for now) will have to be explicitly
     enabled when building OpenSSL by providing the extension number
     to use.  For example, specify an option

         -DTLSEXT_TYPE_opaque_prf_input=0x9527

     to the "config" or "Configure" script to enable the extension,
     assuming extension number 0x9527 (which is a completely arbitrary
     and unofficial assignment based on the MD5 hash of the Internet
     Draft).  Note that by doing so, you potentially lose
     interoperability with other TLS implementations since these might
     be using the same extension number for other purposes.

     SSL_set_tlsext_opaque_prf_input(ssl, src, len) is used to set the
     opaque PRF input value to use in the handshake.  This will create
     an interal copy of the length-'len' string at 'src', and will
     return non-zero for success.

     To get more control and flexibility, provide a callback function
     by using

          SSL_CTX_set_tlsext_opaque_prf_input_callback(ctx, cb)
          SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(ctx, arg)

     where

          int (*cb)(SSL *, void *peerinput, size_t len, void *arg);
          void *arg;

     Callback function 'cb' will be called in handshakes, and is
     expected to use SSL_set_tlsext_opaque_prf_input() as appropriate.
     Argument 'arg' is for application purposes (the value as given to
     SSL_CTX_set_tlsext_opaque_prf_input_callback_arg() will directly
     be provided to the callback function).  The callback function
     has to return non-zero to report success: usually 1 to use opaque
     PRF input just if possible, or 2 to enforce use of the opaque PRF
     input.  In the latter case, the library will abort the handshake
     if opaque PRF input is not successfully negotiated.

     Arguments 'peerinput' and 'len' given to the callback function
     will always be NULL and 0 in the case of a client.  A server will
     see the client's opaque PRF input through these variables if
     available (NULL and 0 otherwise).  Note that if the server
     provides an opaque PRF input, the length must be the same as the
     length of the client's opaque PRF input.

     Note that the callback function will only be called when creating
     a new session (session resumption can resume whatever was
     previously negotiated), and will not be called in SSL 2.0
     handshakes; thus, SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) or
     SSL_set_options(ssl, SSL_OP_NO_SSLv2) is especially recommended
     for applications that need to enforce opaque PRF input.

     [Bodo Moeller]

  *) Update ssl code to support digests other than SHA1+MD5 for handshake
     MAC. 

     [Victor B. Wagner <vitus@cryptocom.ru>]

  *) Add RFC4507 support to OpenSSL. This includes the corrections in
     RFC4507bis. The encrypted ticket format is an encrypted encoded
     SSL_SESSION structure, that way new session features are automatically
     supported.

     If a client application caches session in an SSL_SESSION structure
     support is transparent because tickets are now stored in the encoded
     SSL_SESSION.
     
     The SSL_CTX structure automatically generates keys for ticket
     protection in servers so again support should be possible
     with no application modification.

     If a client or server wishes to disable RFC4507 support then the option
     SSL_OP_NO_TICKET can be set.

     Add a TLS extension debugging callback to allow the contents of any client
     or server extensions to be examined.

     This work was sponsored by Google.
  *) Final changes to avoid use of pointer pointer casts in OpenSSL.
     OpenSSL should now compile cleanly on gcc 4.2
     [Peter Hartley <pdh@utter.chaos.org.uk>, Steve Henson]

  *) Update SSL library to use new EVP_PKEY MAC API. Include generic MAC
     support including streaming MAC support: this is required for GOST
     ciphersuite support.
     [Victor B. Wagner <vitus@cryptocom.ru>, Steve Henson]

  *) Add option -stream to use PKCS#7 streaming in smime utility. New
     function i2d_PKCS7_bio_stream() and PEM_write_PKCS7_bio_stream()
     to output in BER and PEM format.
     [Steve Henson]

Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
  *) Experimental support for use of HMAC via EVP_PKEY interface. This
     allows HMAC to be handled via the EVP_DigestSign*() interface. The
     EVP_PKEY "key" in this case is the HMAC key, potentially allowing
     ENGINE support for HMAC keys which are unextractable. New -mac and
     -macopt options to dgst utility.
Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
     [Steve Henson]

  *) New option -sigopt to dgst utility. Update dgst to use
     EVP_Digest{Sign,Verify}*. These two changes make it possible to use
     alternative signing paramaters such as X9.31 or PSS in the dgst 
     utility.
     [Steve Henson]

  *) Change ssl_cipher_apply_rule(), the internal function that does
     the work each time a ciphersuite string requests enabling
     ("foo+bar"), moving ("+foo+bar"), disabling ("-foo+bar", or
     removing ("!foo+bar") a class of ciphersuites: Now it maintains
     the order of disabled ciphersuites such that those ciphersuites
     that most recently went from enabled to disabled not only stay
     in order with respect to each other, but also have higher priority
     than other disabled ciphersuites the next time ciphersuites are
     enabled again.

     This means that you can now say, e.g., "PSK:-PSK:HIGH" to enable
     the same ciphersuites as with "HIGH" alone, but in a specific
     order where the PSK ciphersuites come first (since they are the
     most recently disabled ciphersuites when "HIGH" is parsed).

     Also, change ssl_create_cipher_list() (using this new
     funcionality) such that between otherwise identical
     cihpersuites, ephemeral ECDH is preferred over ephemeral DH in
     the default order.
     [Bodo Moeller]

  *) Change ssl_create_cipher_list() so that it automatically
     arranges the ciphersuites in reasonable order before starting
     to process the rule string.  Thus, the definition for "DEFAULT"
     (SSL_DEFAULT_CIPHER_LIST) now is just "ALL:!aNULL:!eNULL", but
     remains equivalent to "AES:ALL:!aNULL:!eNULL:+aECDH:+kRSA:+RC4:@STRENGTH".
     This makes it much easier to arrive at a reasonable default order
     in applications for which anonymous ciphers are OK (meaning
     that you can't actually use DEFAULT).
     [Bodo Moeller; suggested by Victor Duchovni]

  *) Split the SSL/TLS algorithm mask (as used for ciphersuite string
     processing) into multiple integers instead of setting
     "SSL_MKEY_MASK" bits, "SSL_AUTH_MASK" bits, "SSL_ENC_MASK",
     "SSL_MAC_MASK", and "SSL_SSL_MASK" bits all in a single integer.
     (These masks as well as the individual bit definitions are hidden
     away into the non-exported interface ssl/ssl_locl.h, so this
     change to the definition of the SSL_CIPHER structure shouldn't
Loading full blame...