# Change Log

## [Unreleased]

## [v0.10.30] - 2020-06-25

### Fixed

* `DsaRef::private_key_to_pem` can no longer be called without a private key.

### Changed

* Improved the `Debug` implementations of many types.

### Added

* Added `is_empty` implementations for `Asn1StringRef` and `Asn1BitStringRef`.
* Added `EcPointRef::{to_pem, to_dir}` and `EcKeyRef::{public_key_from_pem, public_key_from_der}`.
* Added `Default` implementations for many types.
* Added `Debug` implementations for many types.
* Added `SslRef::set_mtu`.
* Added `Cipher::{aes_128_ocb, aes_192_ocb, aes_256_ocb}`.

### Deprecated

* Deprecated `SslStreamBuilder::set_dtls_mtu_size` in favor of `SslRef::set_mtu`.

## [v0.10.29] - 2020-04-07

### Fixed

* Fixed a memory leak in `X509Builder::append_extension`.

### Added

* Added `SslConnector::into_context` and `SslConnector::context`.
* Added `SslAcceptor::into_context` and `SslAcceptor::context`.
* Added `SslMethod::tls_client` and `SslMethod::tls_server`.
* Added `SslContextBuilder::set_cert_store`.
* Added `SslContextRef::verify_mode` and `SslRef::verify_mode`.
* Added `SslRef::is_init_finished`.
* Added `X509Object`.
* Added `X509StoreRef::objects`.

## [v0.10.28] - 2020-02-04

### Fixed

* Fixed the mutability of `Signer::sign_oneshot` and `Verifier::verify_oneshot`. This is unfortunately a breaking
  change, but a necessary soundness fix.

## [v0.10.27] - 2020-01-29

### Added

* Added `MessageDigest::null`.
* Added `PKey::private_key_from_pkcs8`.
* Added `SslOptions::NO_RENEGOTIATION`.
* Added `SslStreamBuilder::set_dtls_mtu_size`.

## [v0.10.26] - 2019-11-22

### Fixed

* Fixed improper handling of the IV buffer in `envelope::{Seal, Unseal}`.

### Added

* Added `Asn1TimeRef::{diff, compare}`.
* Added `Asn1Time::from_unix`.
* Added `PartialEq` and `PartialOrd` implementations for `Asn1Time` and `Asn1TimeRef`.
* Added `base64::{encode_block, decode_block}`.
* Added `EcGroupRef::order_bits`.
* Added `Clone` implementations for `Sha1`, `Sha224`, `Sha256`, `Sha384`, and `Sha512`.
* Added `SslContextBuilder::{set_sigalgs_list, set_groups_list}`.

## [v0.10.25] - 2019-10-02

### Fixed

* Fixed a memory leak in `EcdsaSig::from_private_components` when using OpenSSL 1.0.x.

### Added

* Added support for Ed25519 and Ed448 keys.
* Implemented `ToOwned` for `PKeyRef` and `Clone` for `PKey`.

## [v0.10.24] - 2019-07-19

### Fixed

* Worked around an OpenSSL 1.0.x bug triggered by code calling `SSL_set_app_data`.

### Added

* Added `aes::{wrap_key, unwrap_key}`.
* Added `CmsContentInfoRef::to_pem` and `CmsContentInfo::from_pem`.
* Added `DsaRef::private_key_to_pem`.
* Added `EcGroupRef::{cofactor, generator}`.
* Added `EcPointRef::to_owned`.
* Added a `Debug` implementation for `EcKey`.
* Added `SslAcceptor::{mozilla_intermediate_v5, mozilla_modern_v5}`.
* Added `Cipher::{aes_128_ofb, aes_192_ecb, aes_192_cbc, aes_192_ctr, aes_192_cfb1, aes_192_cfb128, aes_192_cfb8,
  aes_192_gcm, aes_192_ccm, aes_192_ofb, aes_256_ofb}`.

## [v0.10.23] - 2019-05-18

### Fixed

* Fixed session callbacks when an `Ssl`'s context is replaced.

### Added

* Added `SslContextBuilder::add_client_ca`.

## [v0.10.22] - 2019-05-08

### Added

* Added support for the LibreSSL 2.9.x series.

## [v0.10.21] - 2019-04-30

### Fixed

* Fixed overly conservative buffer size checks in `Crypter` when using stream ciphers.

### Added

* Added bindings to envelope encryption APIs.
* Added `PKeyRef::size`.

## [v0.10.20] - 2019-03-20

### Added

* Added `CmsContentInfo::from_der` and `CmsContentInfo::encrypt`.
* Added `X509Ref::verify` and `X509ReqRef::verify`.
* Implemented `PartialEq` and `Eq` for `MessageDigest`.
* Added `MessageDigest::type_` and `EcGroupRef::curve_name`.

## [v0.10.19] - 2019-03-01

### Added

* The openssl-sys build script now logs the values of environment variables.
* Added `ERR_PACK` to openssl-sys.
* The `ERR_*` functions in openssl-sys are const functions when building against newer Rust versions.
* Implemented `Clone` for `Dsa`.
* Added `SslContextRef::add_session` and `SslContextRef::remove_session`.
* Added `SslSessionRef::time`, `SslSessionRef::timeout`, and `SslSessionRef::protocol_version`.
* Added `SslContextBuilder::set_session_cache_size` and `SslContextRef::session_cache_size`.

## [v0.10.18] - 2019-02-22

### Fixed

* Fixed the return type of `ssl::cipher_name`.

## [v0.10.17] - 2019-02-22

### Added

* Implemented `AsRef<str>` and `AsRef<[u8]>` for `OpenSslString`.
* Added `Asn1Integer::from_bn`.
* Added `RsaRef::check_key`.
* Added `Asn1Time::from_str` and `Asn1Time::from_str_x509`.
* Added `Rsa::generate_with_e`.
* Added `Cipher::des_ede3_cfb64`.
* Added `SslCipherRef::standard_name` and `ssl::cipher_name`.

## [v0.10.16] - 2018-12-16

### Added

* Added SHA3 and SHAKE to `MessageDigest`.
* Added `rand::keep_random_devices_open`.
* Added support for LibreSSL 2.9.0.

## [v0.10.15] - 2018-10-22

### Added

* Implemented `DoubleEndedIterator` for stack iterators.

## [v0.10.14] - 2018-10-18

### Fixed

* Made some accidentally exposed internal functions private.

### Added

* Added support for LibreSSL 2.8.

### Changed

* The OpenSSL version used with the `vendored` feature has been upgraded from 1.1.0 to 1.1.1.

## [v0.10.13] - 2018-10-14

### Fixed

* Fixed a double-free in the `SslContextBuilder::set_get_session_callback` API.

### Added

* Added `SslContextBuilder::set_client_hello_callback`.
* Added support for LibreSSL 2.8.1.
* Added `EcdsaSig::from_der` and `EcdsaSig::to_der`.
* Added PKCS#7 support.

## [v0.10.12] - 2018-09-13

### Fixed

* Fixed handling of SNI callbacks during renegotiation.

### Added

* Added `SslRef::get_shutdown` and `SslRef::set_shutdown`.
* Added support for SRTP in DTLS sessions.
* Added support for LibreSSL 2.8.0.

## [v0.10.11] - 2018-08-04

### Added

* The new `vendored` cargo feature will cause openssl-sys to compile and statically link to a
  vendored copy of OpenSSL.
* Added `SslContextBuilder::set_psk_server_callback`.
* Added `DsaRef::pub_key` and `DsaRef::priv_key`.
* Added `Dsa::from_private_components` and `Dsa::from_public_components`.
* Added `X509NameRef::entries`.

### Deprecated

* `SslContextBuilder::set_psk_callback` has been renamed to
  `SslContextBuilder::set_psk_client_callback` and deprecated.

## [v0.10.10] - 2018-06-06

### Added

* Added `SslRef::set_alpn_protos`.
* Added `SslContextBuilder::set_ciphersuites`.

## [v0.10.9] - 2018-06-01

### Fixed

* Fixed a use-after-free in `CmsContentInfo::sign`.
* `SslRef::servername` now returns `None` rather than panicking on a non-UTF8 name.

### Added

* Added `MessageDigest::from_nid`.
* Added `Nid::signature_algorithms`, `Nid::long_name`, and `Nid::short_name`.
* Added early data and early keying material export support for TLS 1.3.
* Added `SslRef::verified_chain`.
* Added `SslRef::servername_raw` which returns a `&[u8]` rather than `&str`.
* Added `SslRef::finished` and `SslRef::peer_finished`.
* Added `X509Ref::digest` to replace `X509Ref::fingerprint`.
* `X509StoreBuilder` and `X509Store` now implement `Sync` and `Send`.

### Deprecated

* `X509Ref::fingerprint` has been deprecated in favor of `X509Ref::digest`.

## [v0.10.8] - 2018-05-20

### Fixed

* `openssl-sys` will now detect Homebrew-installed OpenSSL when installed to a non-default
  directory.
* The `X509_V_ERR_INVALID_CALL`, `X509_V_ERR_STORE_LOOKUP`, and
  `X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION` constants in `openssl-sys` are now only present when
  building against 1.1.0g and up rather than 1.1.0.
* `SslContextBuilder::max_proto_version` and `SslContextBuilder::min_proto_version` are only present
  when building against 1.1.0g and up rather than 1.1.0.

### Added

* Added `CmsContentInfo::sign`.
* Added `Clone` and `ToOwned` implementations to `Rsa` and `RsaRef` respectively.
* The `min_proto_version` and `max_proto_version` methods are available when linking against
  LibreSSL 2.6.1 and up in addition to OpenSSL.
* `X509VerifyParam` is available when linking against LibreSSL 2.6.1 and up in addition to OpenSSL.
* ALPN support is available when linking against LibreSSL 2.6.1 and up in addition to OpenSSL.
* `Stack` and `StackRef` are now `Sync` and `Send`.

## [v0.10.7] - 2018-04-30

### Added

* Added `X509Req::public_key` and `X509Req::extensions`.
* Added `RsaPrivateKeyBuilder` to allow control over initialization of optional components of an RSA
  private key.
* Added DER encode/decode support to `SslSession`.
* openssl-sys now provides the `DEP_OPENSSL_VERSION_NUMBER` and
  `DEP_OPENSSL_LIBRESSL_VERSION_NUMBER` environment variables to downstream build scripts which
  contain the hex-encoded version number of the OpenSSL or LibreSSL distribution being built
  against. The other variables are deprecated.

## [v0.10.6] - 2018-03-05

### Added

* Added `SslOptions::ENABLE_MIDDLEBOX_COMPAT`.
* Added more `Sync` and `Send` implementations.
* Added `PKeyRef::id`.
* Added `Padding::PKCS1_PSS`.
* Added `Signer::set_rsa_pss_saltlen`, `Signer::set_rsa_mgf1_md`, `Signer::set_rsa_pss_saltlen`, and
  `Signer::set_rsa_mgf1_md`.
* Added `X509StoreContextRef::verify` to directly verify certificates.
* Added low level ECDSA support.
* Added support for TLSv1.3 custom extensions. (OpenSSL 1.1.1 only)
* Added AES-CCM support.
* Added `EcKey::from_private_components`.
* Added CMAC support.
* Added support for LibreSSL 2.7.
* Added `X509Ref::serial_number`.
* Added `Asn1IntegerRef::to_bn`.
* Added support for TLSv1.3 stateless handshakes. (OpenSSL 1.1.1 only)

### Changed

* The Cargo features previously used to gate access to version-specific OpenSSL APIs have been
  removed. Those APIs will be available automatically when building against an appropriate OpenSSL
  version.
* Fixed `PKey::private_key_from_der` to return a `PKey<Private>` rather than a `PKey<Public>`. This
  is technically a breaking change but the function was pretty useless previously.

### Deprecated

* `X509CheckFlags::FLAG_NO_WILDCARDS` has been renamed to `X509CheckFlags::NO_WILDCARDS` and the old
  name deprecated.

## [v0.10.5] - 2018-02-28

### Fixed

* `ErrorStack`'s `Display` implementation no longer writes an empty string if it contains no errors.

### Added

* Added `SslRef::version2`.
* Added `Cipher::des_ede3_cbc`.
* Added `SslRef::export_keying_material`.
* Added the ability to push an `Error` or `ErrorStack` back onto OpenSSL's error stack. Various
  callback bindings use this to propagate errors properly.
* Added `SslContextBuilder::set_cookie_generate_cb` and `SslContextBuilder::set_cookie_verify_cb`.
* Added `SslContextBuilder::set_max_proto_version`, `SslContextBuilder::set_min_proto_version`,
  `SslContextBuilder::max_proto_version`, and `SslContextBuilder::min_proto_version`.

### Changed

* Updated `SslConnector`'s default cipher list to match Python's.

### Deprecated

* `SslRef::version` has been deprecated. Use `SslRef::version_str` instead.

## [v0.10.4] - 2018-02-18

### Added

* Added OpenSSL 1.1.1 support.
* Added `Rsa::public_key_from_pem_pkcs1`.
* Added `SslOptions::NO_TLSV1_3`. (OpenSSL 1.1.1 only)
* Added `SslVersion`.
* Added `SslSessionCacheMode` and `SslContextBuilder::set_session_cache_mode`.
* Added `SslContextBuilder::set_new_session_callback`,
  `SslContextBuilder::set_remove_session_callback`, and
  `SslContextBuilder::set_get_session_callback`.
* Added `SslContextBuilder::set_keylog_callback`. (OpenSSL 1.1.1 only)
* Added `SslRef::client_random` and `SslRef::server_random`. (OpenSSL 1.1.0+ only)

### Fixed

* The `SslAcceptorBuilder::mozilla_modern` constructor now disables TLSv1.0 and TLSv1.1 in
  accordance with Mozilla's recommendations.

## [v0.10.3] - 2018-02-12

### Added

* OpenSSL is now automatically detected on FreeBSD systems.
* Added `GeneralName` accessors for `rfc822Name` and `uri` variants.
* Added DES-EDE3 support.

### Fixed

* Fixed a memory leak in `X509StoreBuilder::add_cert`.

## [v0.10.2] - 2018-01-11

### Added

* Added `ConnectConfiguration::set_use_server_name_indication` and
  `ConnectConfiguration::set_verify_hostname` for use in contexts where you don't have ownership
  of the `ConnectConfiguration`.

## [v0.10.1] - 2018-01-10

### Added

* Added a `From<ErrorStack> for ssl::Error` implementation.

## [v0.10.0] - 2018-01-10

### Compatibility

* openssl 0.10 still uses openssl-sys 0.9, so openssl 0.9 and 0.10 can coexist without issue.

### Added

* The `ssl::select_next_proto` function can be used to easily implement the ALPN selection callback
  in a "standard" way.
* FIPS mode support is available in the `fips` module.
* Accessors for the Issuer and Issuer Alternative Name fields of X509 certificates have been added.
* The `X509VerifyResult` can now be set in the certificate verification callback via
  `X509StoreContextRef::set_error`.

### Changed

* All constants have been moved to associated constants of their type. For example, `bn::MSB_ONE`
  is now `bn::MsbOption::ONE`.
* Asymmetric key types are now parameterized over what they contain. In OpenSSL, the same type is
  used for key parameters, public keys, and private keys. Unfortunately, some APIs simply assume
  that certain components are present and will segfault trying to use things that aren't there.

  The `pkey` module contains new tag types named `Params`, `Public`, and `Private`, and the
  `Dh`, `Dsa`, `EcKey`, `Rsa`, and `PKey` have a type parameter set to one of those values. This
  allows the `Signer` constructor to indicate that it requires a private key at compile time for
  example. Previously, `Signer` would simply segfault if provided a key without private
  components.
* ALPN support has been changed to more directly model OpenSSL's own APIs. Instead of a single
  method used for both the server and client sides which performed everything automatically, the
  `SslContextBuilder::set_alpn_protos` and `SslContextBuilder::set_alpn_select_callback` handle
  the client and server sides respectively.
* `SslConnector::danger_connect_without_providing_domain_for_certificate_verification_and_server_name_indication`
  has been removed in favor of new methods which provide more control. The
  `ConnectConfiguration::use_server_name_indication` method controls the use of Server Name
  Indication (SNI), and the `ConnectConfiguration::verify_hostname` method controls the use of
  hostname verification.
  These can be controlled independently, and if both are disabled, the
  domain argument to `ConnectConfiguration::connect` is ignored.
* Shared secret derivation is now handled by the new `derive::Deriver` type rather than
  `pkey::PKeyContext`, which has been removed.
* `ssl::Error` is now no longer an enum, and provides more direct access to the relevant state.
* `SslConnectorBuilder::new` has been moved and renamed to `SslConnector::builder`.
* `SslAcceptorBuilder::mozilla_intermediate` and `SslAcceptorBuilder::mozilla_modern` have been
  moved to `SslAcceptor` and no longer take the private key and certificate chain. Install those
  manually after creating the builder.
* `X509VerifyError` is now `X509VerifyResult` and can now have the "ok" value in addition to error
  values.
* `x509::X509FileType` is now `ssl::SslFiletype`.
* Asymmetric key serialization and deserialization methods now document the formats that they
  correspond to, and some have been renamed to better indicate that.

### Removed

* All deprecated APIs have been removed.
* NPN support has been removed. It has been superseded by ALPN, and is hopefully no longer being
  used in practice. If you still depend on it, please file an issue!
* `SslRef::compression` has been removed.
* Some `ssl::SslOptions` flags have been removed as they no longer do anything.

## Older

Look at the [release tags] for information about older releases.

[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.30...master
[v0.10.30]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.29...openssl-v0.10.30
[v0.10.29]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.28...openssl-v0.10.29
[v0.10.28]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.27...openssl-v0.10.28
[v0.10.27]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.26...openssl-v0.10.27
[v0.10.26]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.25...openssl-v0.10.26
[v0.10.25]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.24...openssl-v0.10.25
[v0.10.24]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.23...openssl-v0.10.24
[v0.10.23]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.22...openssl-v0.10.23
[v0.10.22]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.21...openssl-v0.10.22
[v0.10.21]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.20...openssl-v0.10.21
[v0.10.20]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.19...openssl-v0.10.20
[v0.10.19]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.18...openssl-v0.10.19
[v0.10.18]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.17...openssl-v0.10.18
[v0.10.17]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.16...openssl-v0.10.17
[v0.10.16]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.15...openssl-v0.10.16
[v0.10.15]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.14...openssl-v0.10.15
[v0.10.14]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.13...openssl-v0.10.14
[v0.10.13]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.12...openssl-v0.10.13
[v0.10.12]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.11...openssl-v0.10.12
[v0.10.11]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.10...openssl-v0.10.11
[v0.10.10]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.9...openssl-v0.10.10
[v0.10.9]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.8...openssl-v0.10.9
[v0.10.8]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.7...openssl-v0.10.8
[v0.10.7]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.6...openssl-v0.10.7
[v0.10.6]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.5...openssl-v0.10.6
[v0.10.5]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.4...openssl-v0.10.5
[v0.10.4]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.3...openssl-v0.10.4
[v0.10.3]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.2...openssl-v0.10.3
[v0.10.2]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.1...openssl-v0.10.2
[v0.10.1]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.0...openssl-v0.10.1
[v0.10.0]: https://github.com/sfackler/rust-openssl/compare/v0.9.23...openssl-v0.10.0
[release tags]: https://github.com/sfackler/rust-openssl/releases