1# Change Log 2 3## [Unreleased] 4 5## [v0.10.28] - 2020-02-04 6 7### Fixed 8 9* Fixed the mutability of `Signer::sign_oneshot` and `Verifier::verify_oneshot`. This is unfortunately a breaking 10 change, but a necessary soundness fix. 11 12## [v0.10.27] - 2020-01-29 13 14### Added 15 16* Added `MessageDigest::null`. 17* Added `PKey::private_key_from_pkcs8`. 18* Added `SslOptions::NO_RENEGOTIATION`. 19* Added `SslStreamBuilder::set_dtls_mtu_size`. 20 21## [v0.10.26] - 2019-11-22 22 23### Fixed 24 25* Fixed improper handling of the IV buffer in `envelope::{Seal, Unseal}`. 26 27### Added 28 29* Added `Asn1TimeRef::{diff, compare}`. 30* Added `Asn1Time::from_unix`. 31* Added `PartialEq` and `PartialOrd` implementations for `Asn1Time` and `Asn1TimeRef`. 32* Added `base64::{encode_block, decode_block}`. 33* Added `EcGroupRef::order_bits`. 34* Added `Clone` implementations for `Sha1`, `Sha224`, `Sha256`, `Sha384`, and `Sha512`. 35* Added `SslContextBuilder::{set_sigalgs_list, set_groups_list}`. 36 37## [v0.10.25] - 2019-10-02 38 39### Fixed 40 41* Fixed a memory leak in `EcdsaSig::from_private_components` when using OpenSSL 1.0.x. 42 43### Added 44 45* Added support for Ed25519 and Ed448 keys. 46* Implemented `ToOwned` for `PKeyRef` and `Clone` for `PKey`. 47 48## [v0.10.24] - 2019-07-19 49 50### Fixed 51 52* Worked around an OpenSSL 1.0.x bug triggered by code calling `SSL_set_app_data`. 53 54### Added 55 56* Added `aes::{wrap_key, unwrap_key}`. 57* Added `CmsContentInfoRef::to_pem` and `CmsContentInfo::from_pem`. 58* Added `DsaRef::private_key_to_pem`. 59* Added `EcGroupRef::{cofactor, generator}`. 60* Added `EcPointRef::to_owned`. 61* Added a `Debug` implementation for `EcKey`. 62* Added `SslAcceptor::{mozilla_intermediate_v5, mozilla_modern_v5}`. 63* Added `Cipher::{aes_128_ofb, aes_192_ecb, aes_192_cbc, aes_192_ctr, aes_192_cfb1, aes_192_cfb128, aes_192_cfb8, 64 aes_192_gcm, aes_192_ccm, aes_192_ofb, aes_256_ofb}`. 65 66## [v0.10.23] - 2019-05-18 67 68### Fixed 69 70* Fixed session callbacks when an `Ssl`'s context is replaced. 71 72### Added 73 74* Added `SslContextBuilder::add_client_ca`. 75 76## [v0.10.22] - 2019-05-08 77 78### Added 79 80* Added support for the LibreSSL 2.9.x series. 81 82## [v0.10.21] - 2019-04-30 83 84### Fixed 85 86* Fixed overly conservatifve buffer size checks in `Crypter` when using stream ciphers. 87 88### Added 89 90* Added bindings to envelope encryption APIs. 91* Added `PkeyRef::size`. 92 93## [v0.10.20] - 2019-03-20 94 95### Added 96 97* Added `CmsContentInfo::from_der` and `CmsContentInfo::encrypt`. 98* Added `X509Ref::verify` and `X509ReqRef::verify`. 99* Implemented `PartialEq` and `Eq` for `MessageDigest`. 100* Added `MessageDigest::type_` and `EcGroupRef::curve_name`. 101 102## [v0.10.19] - 2019-03-01 103 104### Added 105 106* The openssl-sys build script now logs the values of environment variables. 107* Added `ERR_PACK` to openssl-sys. 108* The `ERR_*` functions in openssl-sys are const functions when building against newer Rust versions. 109* Implemented `Clone` for `Dsa`. 110* Added `SslContextRef::add_session` and `SslContextRef::remove_session`. 111* Added `SslSessionRef::time`, `SslSessionRef::timeout`, and `SslSessionRef::protocol_version`. 112* Added `SslContextBuilder::set_session_cache_size` and `SslContextRef::session_cache_size`. 113 114## [v0.10.18] - 2019-02-22 115 116### Fixed 117 118* Fixed the return type of `ssl::cipher_name`. 119 120## [v0.10.17] - 2019-02-22 121 122### Added 123 124* Implemented `AsRef<str>` and `AsRef<[u8]>` for `OpenSslString`. 125* Added `Asn1Integer::from_bn`. 126* Added `RsaRef::check_key`. 127* Added `Asn1Time::from_str` and `Asn1Time::from_str_x509`. 128* Added `Rsa::generate_with_e`. 129* Added `Cipher::des_ede3_cfb64`. 130* Added `SslCipherRef::standard_name` and `ssl::cipher_name`. 131 132## [v0.10.16] - 2018-12-16 133 134### Added 135 136* Added SHA3 and SHAKE to `MessageDigest`. 137* Added `rand::keep_random_devices_open`. 138* Added support for LibreSSL 2.9.0. 139 140## [v0.10.15] - 2018-10-22 141 142### Added 143 144* Implemented `DoubleEndedIterator` for stack iterators. 145 146## [v0.10.14] - 2018-10-18 147 148### Fixed 149 150* Made some accidentally exposed internal functions private. 151 152### Added 153 154* Added support for LibreSSL 2.8. 155 156### Changed 157 158* The OpenSSL version used with the `vendored` feature has been upgraded from 1.1.0 to 1.1.1. 159 160## [v0.10.13] - 2018-10-14 161 162### Fixed 163 164* Fixed a double-free in the `SslContextBuilder::set_get_session_callback` API. 165 166### Added 167 168* Added `SslContextBuilder::set_client_hello_callback`. 169* Added support for LibreSSL 2.8.1. 170* Added `EcdsaSig::from_der` and `EcdsaSig::to_der`. 171* Added PKCS#7 support. 172 173## [v0.10.12] - 2018-09-13 174 175### Fixed 176 177* Fixed handling of SNI callbacks during renegotiation. 178 179### Added 180 181* Added `SslRef::get_shutdown` and `SslRef::set_shutdown`. 182* Added support for SRTP in DTLS sessions. 183* Added support for LibreSSL 2.8.0. 184 185## [v0.10.11] - 2018-08-04 186 187### Added 188 189* The new `vendored` cargo feature will cause openssl-sys to compile and statically link to a 190 vendored copy of OpenSSL. 191* Added `SslContextBuilder::set_psk_server_callback`. 192* Added `DsaRef::pub_key` and `DsaRef::priv_key`. 193* Added `Dsa::from_private_components` and `Dsa::from_public_components`. 194* Added `X509NameRef::entries`. 195 196### Deprecated 197 198* `SslContextBuilder::set_psk_callback` has been renamed to 199 `SslContextBuilder::set_psk_client_callback` and deprecated. 200 201## [v0.10.10] - 2018-06-06 202 203### Added 204 205* Added `SslRef::set_alpn_protos`. 206* Added `SslContextBuilder::set_ciphersuites`. 207 208## [v0.10.9] - 2018-06-01 209 210### Fixed 211 212* Fixed a use-after-free in `CmsContentInfo::sign`. 213* `SslRef::servername` now returns `None` rather than panicking on a non-UTF8 name. 214 215### Added 216 217* Added `MessageDigest::from_nid`. 218* Added `Nid::signature_algorithms`, `Nid::long_name`, and `Nid::short_name`. 219* Added early data and early keying material export support for TLS 1.3. 220* Added `SslRef::verified_chain`. 221* Added `SslRef::servername_raw` which returns a `&[u8]` rather than `&str`. 222* Added `SslRef::finished` and `SslRef::peer_finished`. 223* Added `X509Ref::digest` to replace `X509Ref::fingerprint`. 224* `X509StoreBuilder` and `X509Store` now implement `Sync` and `Send`. 225 226### Deprecated 227 228* `X509Ref::fingerprint` has been deprecated in favor of `X509Ref::digest`. 229 230## [v0.10.8] - 2018-05-20 231 232### Fixed 233 234* `openssl-sys` will now detect Homebrew-installed OpenSSL when installed to a non-default 235 directory. 236* The `X509_V_ERR_INVALID_CALL`, `X509_V_ERR_STORE_LOOKUP`, and 237 `X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION` constants in `openssl-sys` are now only present when 238 building against 1.1.0g and up rather than 1.1.0. 239* `SslContextBuilder::max_proto_version` and `SslContextBuilder::min_proto_version` are only present 240 when building against 1.1.0g and up rather than 1.1.0. 241 242### Added 243 244* Added `CmsContentInfo::sign`. 245* Added `Clone` and `ToOwned` implementations to `Rsa` and `RsaRef` respectively. 246* The `min_proto_version` and `max_proto_version` methods are available when linking against 247 LibreSSL 2.6.1 and up in addition to OpenSSL. 248* `X509VerifyParam` is available when linking against LibreSSL 2.6.1 and up in addition to OpenSSL. 249* ALPN support is available when linking against LibreSSL 2.6.1 and up in addition to OpenSSL. 250* `Stack` and `StackRef` are now `Sync` and `Send`. 251 252## [v0.10.7] - 2018-04-30 253 254### Added 255 256* Added `X509Req::public_key` and `X509Req::extensions`. 257* Added `RsaPrivateKeyBuilder` to allow control over initialization of optional components of an RSA 258 private key. 259* Added DER encode/decode support to `SslSession`. 260* openssl-sys now provides the `DEP_OPENSSL_VERSION_NUMBER` and 261 `DEP_OPENSSL_LIBRESSL_VERSION_NUMBER` environment variables to downstream build scripts which 262 contains the hex-encoded version number of the OpenSSL or LibreSSL distribution being built 263 against. The other variables are deprecated. 264 265## [v0.10.6] - 2018-03-05 266 267### Added 268 269* Added `SslOptions::ENABLE_MIDDLEBOX_COMPAT`. 270* Added more `Sync` and `Send` implementations. 271* Added `PKeyRef::id`. 272* Added `Padding::PKCS1_PSS`. 273* Added `Signer::set_rsa_pss_saltlen`, `Signer::set_rsa_mgf1_md`, `Signer::set_rsa_pss_saltlen`, and 274 `Signer::set_rsa_mgf1_md` 275* Added `X509StoreContextRef::verify` to directly verify certificates. 276* Added low level ECDSA support. 277* Added support for TLSv1.3 custom extensions. (OpenSSL 1.1.1 only) 278* Added AES-CCM support. 279* Added `EcKey::from_private_components`. 280* Added CMAC support. 281* Added support for LibreSSL 2.7. 282* Added `X509Ref::serial_number`. 283* Added `Asn1IntegerRef::to_bn`. 284* Added support for TLSv1.3 stateless handshakes. (OpenSSL 1.1.1 only) 285 286### Changed 287 288* The Cargo features previously used to gate access to version-specific OpenSSL APIs have been 289 removed. Those APIs will be available automatically when building against an appropriate OpenSSL 290 version. 291* Fixed `PKey::private_key_from_der` to return a `PKey<Private>` rather than a `PKey<Public>`. This 292 is technically a breaking change but the function was pretty useless previously. 293 294### Deprecated 295 296* `X509CheckFlags::FLAG_NO_WILDCARDS` has been renamed to `X509CheckFlags::NO_WILDCARDS` and the old 297 name deprecated. 298 299## [v0.10.5] - 2018-02-28 300 301### Fixed 302 303* `ErrorStack`'s `Display` implementation no longer writes an empty string if it contains no errors. 304 305### Added 306 307* Added `SslRef::version2`. 308* Added `Cipher::des_ede3_cbc`. 309* Added `SslRef::export_keying_material`. 310* Added the ability to push an `Error` or `ErrorStack` back onto OpenSSL's error stack. Various 311 callback bindings use this to propagate errors properly. 312* Added `SslContextBuilder::set_cookie_generate_cb` and `SslContextBuilder::set_cookie_verify_cb`. 313* Added `SslContextBuilder::set_max_proto_version`, `SslContextBuilder::set_min_proto_version`, 314 `SslContextBuilder::max_proto_version`, and `SslContextBuilder::min_proto_version`. 315 316### Changed 317 318* Updated `SslConnector`'s default cipher list to match Python's. 319 320### Deprecated 321 322* `SslRef::version` has been deprecated. Use `SslRef::version_str` instead. 323 324## [v0.10.4] - 2018-02-18 325 326### Added 327 328* Added OpenSSL 1.1.1 support. 329* Added `Rsa::public_key_from_pem_pkcs1`. 330* Added `SslOptions::NO_TLSV1_3`. (OpenSSL 1.1.1 only) 331* Added `SslVersion`. 332* Added `SslSessionCacheMode` and `SslContextBuilder::set_session_cache_mode`. 333* Added `SslContextBuilder::set_new_session_callback`, 334 `SslContextBuilder::set_remove_session_callback`, and 335 `SslContextBuilder::set_get_session_callback`. 336* Added `SslContextBuilder::set_keylog_callback`. (OpenSSL 1.1.1 only) 337* Added `SslRef::client_random` and `SslRef::server_random`. (OpenSSL 1.1.0+ only) 338 339### Fixed 340 341* The `SslAcceptorBuilder::mozilla_modern` constructor now disables TLSv1.0 and TLSv1.1 in 342 accordance with Mozilla's recommendations. 343 344## [v0.10.3] - 2018-02-12 345 346### Added 347 348* OpenSSL is now automatically detected on FreeBSD systems. 349* Added `GeneralName` accessors for `rfc822Name` and `uri` variants. 350* Added DES-EDE3 support. 351 352### Fixed 353 354* Fixed a memory leak in `X509StoreBuilder::add_cert`. 355 356## [v0.10.2] - 2018-01-11 357 358### Added 359 360* Added `ConnectConfiguration::set_use_server_name_indication` and 361 `ConnectConfiguration::set_verify_hostname` for use in contexts where you don't have ownership 362 of the `ConnectConfiguration`. 363 364## [v0.10.1] - 2018-01-10 365 366### Added 367 368* Added a `From<ErrorStack> for ssl::Error` implementation. 369 370## [v0.10.0] - 2018-01-10 371 372### Compatibility 373 374* openssl 0.10 still uses openssl-sys 0.9, so openssl 0.9 and 0.10 can coexist without issue. 375 376### Added 377 378* The `ssl::select_next_proto` function can be used to easily implement the ALPN selection callback 379 in a "standard" way. 380* FIPS mode support is available in the `fips` module. 381* Accessors for the Issuer and Issuer Alternative Name fields of X509 certificates have been added. 382* The `X509VerifyResult` can now be set in the certificate verification callback via 383 `X509StoreContextRef::set_error`. 384 385### Changed 386 387* All constants have been moved to associated constants of their type. For example, `bn::MSB_ONE` 388 is now `bn::MsbOption::ONE`. 389* Asymmetric key types are now parameterized over what they contain. In OpenSSL, the same type is 390 used for key parameters, public keys, and private keys. Unfortunately, some APIs simply assume 391 that certain components are present and will segfault trying to use things that aren't there. 392 393 The `pkey` module contains new tag types named `Params`, `Public`, and `Private`, and the 394 `Dh`, `Dsa`, `EcKey`, `Rsa`, and `PKey` have a type parameter set to one of those values. This 395 allows the `Signer` constructor to indicate that it requires a private key at compile time for 396 example. Previously, `Signer` would simply segfault if provided a key without private 397 components. 398* ALPN support has been changed to more directly model OpenSSL's own APIs. Instead of a single 399 method used for both the server and client sides which performed everything automatically, the 400 `SslContextBuilder::set_alpn_protos` and `SslContextBuilder::set_alpn_select_callback` handle 401 the client and server sides respectively. 402* `SslConnector::danger_connect_without_providing_domain_for_certificate_verification_and_server_name_indication` 403 has been removed in favor of new methods which provide more control. The 404 `ConnectConfiguration::use_server_name_indication` method controls the use of Server Name 405 Indication (SNI), and the `ConnectConfiguration::verify_hostname` method controls the use of 406 hostname verification. These can be controlled independently, and if both are disabled, the 407 domain argument to `ConnectConfiguration::connect` is ignored. 408* Shared secret derivation is now handled by the new `derive::Deriver` type rather than 409 `pkey::PKeyContext`, which has been removed. 410* `ssl::Error` is now no longer an enum, and provides more direct access to the relevant state. 411* `SslConnectorBuilder::new` has been moved and renamed to `SslConnector::builder`. 412* `SslAcceptorBuilder::mozilla_intermediate` and `SslAcceptorBuilder::mozilla_modern` have been 413 moved to `SslAcceptor` and no longer take the private key and certificate chain. Install those 414 manually after creating the builder. 415* `X509VerifyError` is now `X509VerifyResult` and can now have the "ok" value in addition to error 416 values. 417* `x509::X509FileType` is now `ssl::SslFiletype`. 418* Asymmetric key serialization and deserialization methods now document the formats that they 419 correspond to, and some have been renamed to better indicate that. 420 421### Removed 422 423* All deprecated APIs have been removed. 424* NPN support has been removed. It has been supersceded by ALPN, and is hopefully no longer being 425 used in practice. If you still depend on it, please file an issue! 426* `SslRef::compression` has been removed. 427* Some `ssl::SslOptions` flags have been removed as they no longer do anything. 428 429## Older 430 431Look at the [release tags] for information about older releases. 432 433[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.28...master 434[v0.10.28]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.27...openssl-v0.10.28 435[v0.10.27]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.26...openssl-v0.10.27 436[v0.10.26]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.25...openssl-v0.10.26 437[v0.10.25]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.24...openssl-v0.10.25 438[v0.10.24]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.23...openssl-v0.10.24 439[v0.10.23]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.22...openssl-v0.10.23 440[v0.10.22]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.21...openssl-v0.10.22 441[v0.10.21]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.20...openssl-v0.10.21 442[v0.10.20]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.19...openssl-v0.10.20 443[v0.10.19]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.18...openssl-v0.10.19 444[v0.10.18]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.17...openssl-v0.10.18 445[v0.10.17]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.16...openssl-v0.10.17 446[v0.10.16]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.15...openssl-v0.10.16 447[v0.10.15]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.14...openssl-v0.10.15 448[v0.10.14]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.13...openssl-v0.10.14 449[v0.10.13]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.12...openssl-v0.10.13 450[v0.10.12]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.11...openssl-v0.10.12 451[v0.10.11]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.10...openssl-v0.10.11 452[v0.10.10]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.9...openssl-v0.10.10 453[v0.10.9]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.8...openssl-v0.10.9 454[v0.10.8]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.7...openssl-v0.10.8 455[v0.10.7]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.6...openssl-v0.10.7 456[v0.10.6]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.5...openssl-v0.10.6 457[v0.10.5]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.4...openssl-v0.10.5 458[v0.10.4]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.3...openssl-v0.10.4 459[v0.10.3]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.2...openssl-v0.10.3 460[v0.10.2]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.1...openssl-v0.10.2 461[v0.10.1]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.0...openssl-v0.10.1 462[v0.10.0]: https://github.com/sfackler/rust-openssl/compare/v0.9.23...openssl-v0.10.0 463[release tags]: https://github.com/sfackler/rust-openssl/releases 464