# Change Log

## [Unreleased]

## [v0.10.28] - 2020-02-04

### Fixed

* Fixed the mutability of `Signer::sign_oneshot` and `Verifier::verify_oneshot`. This is unfortunately a breaking
    change, but a necessary soundness fix.

## [v0.10.27] - 2020-01-29

### Added

* Added `MessageDigest::null`.
* Added `PKey::private_key_from_pkcs8`.
* Added `SslOptions::NO_RENEGOTIATION`.
* Added `SslStreamBuilder::set_dtls_mtu_size`.

## [v0.10.26] - 2019-11-22

### Fixed

* Fixed improper handling of the IV buffer in `envelope::{Seal, Unseal}`.

### Added

* Added `Asn1TimeRef::{diff, compare}`.
* Added `Asn1Time::from_unix`.
* Added `PartialEq` and `PartialOrd` implementations for `Asn1Time` and `Asn1TimeRef`.
* Added `base64::{encode_block, decode_block}`.
* Added `EcGroupRef::order_bits`.
* Added `Clone` implementations for `Sha1`, `Sha224`, `Sha256`, `Sha384`, and `Sha512`.
* Added `SslContextBuilder::{set_sigalgs_list, set_groups_list}`.

## [v0.10.25] - 2019-10-02

### Fixed

* Fixed a memory leak in `EcdsaSig::from_private_components` when using OpenSSL 1.0.x.

### Added

* Added support for Ed25519 and Ed448 keys.
* Implemented `ToOwned` for `PKeyRef` and `Clone` for `PKey`.

## [v0.10.24] - 2019-07-19

### Fixed

* Worked around an OpenSSL 1.0.x bug triggered by code calling `SSL_set_app_data`.

### Added

* Added `aes::{wrap_key, unwrap_key}`.
* Added `CmsContentInfoRef::to_pem` and `CmsContentInfo::from_pem`.
* Added `DsaRef::private_key_to_pem`.
* Added `EcGroupRef::{cofactor, generator}`.
* Added `EcPointRef::to_owned`.
* Added a `Debug` implementation for `EcKey`.
* Added `SslAcceptor::{mozilla_intermediate_v5, mozilla_modern_v5}`.
* Added `Cipher::{aes_128_ofb, aes_192_ecb, aes_192_cbc, aes_192_ctr, aes_192_cfb1, aes_192_cfb128, aes_192_cfb8,
    aes_192_gcm, aes_192_ccm, aes_192_ofb, aes_256_ofb}`.

## [v0.10.23] - 2019-05-18

### Fixed

* Fixed session callbacks when an `Ssl`'s context is replaced.

### Added

* Added `SslContextBuilder::add_client_ca`.

## [v0.10.22] - 2019-05-08

### Added

* Added support for the LibreSSL 2.9.x series.

## [v0.10.21] - 2019-04-30

### Fixed

* Fixed overly conservative buffer size checks in `Crypter` when using stream ciphers.

### Added

* Added bindings to envelope encryption APIs.
* Added `PKeyRef::size`.

## [v0.10.20] - 2019-03-20

### Added

* Added `CmsContentInfo::from_der` and `CmsContentInfo::encrypt`.
* Added `X509Ref::verify` and `X509ReqRef::verify`.
* Implemented `PartialEq` and `Eq` for `MessageDigest`.
* Added `MessageDigest::type_` and `EcGroupRef::curve_name`.

## [v0.10.19] - 2019-03-01

### Added

* The openssl-sys build script now logs the values of environment variables.
* Added `ERR_PACK` to openssl-sys.
* The `ERR_*` functions in openssl-sys are const functions when building against newer Rust versions.
* Implemented `Clone` for `Dsa`.
* Added `SslContextRef::add_session` and `SslContextRef::remove_session`.
* Added `SslSessionRef::time`, `SslSessionRef::timeout`, and `SslSessionRef::protocol_version`.
* Added `SslContextBuilder::set_session_cache_size` and `SslContextRef::session_cache_size`.

## [v0.10.18] - 2019-02-22

### Fixed

* Fixed the return type of `ssl::cipher_name`.

## [v0.10.17] - 2019-02-22

### Added

* Implemented `AsRef<str>` and `AsRef<[u8]>` for `OpenSslString`.
* Added `Asn1Integer::from_bn`.
* Added `RsaRef::check_key`.
* Added `Asn1Time::from_str` and `Asn1Time::from_str_x509`.
* Added `Rsa::generate_with_e`.
* Added `Cipher::des_ede3_cfb64`.
* Added `SslCipherRef::standard_name` and `ssl::cipher_name`.

## [v0.10.16] - 2018-12-16

### Added

* Added SHA3 and SHAKE to `MessageDigest`.
* Added `rand::keep_random_devices_open`.
* Added support for LibreSSL 2.9.0.

## [v0.10.15] - 2018-10-22

### Added

* Implemented `DoubleEndedIterator` for stack iterators.

## [v0.10.14] - 2018-10-18

### Fixed

* Made some accidentally exposed internal functions private.

### Added

* Added support for LibreSSL 2.8.

### Changed

* The OpenSSL version used with the `vendored` feature has been upgraded from 1.1.0 to 1.1.1.

## [v0.10.13] - 2018-10-14

### Fixed

* Fixed a double-free in the `SslContextBuilder::set_get_session_callback` API.

### Added

* Added `SslContextBuilder::set_client_hello_callback`.
* Added support for LibreSSL 2.8.1.
* Added `EcdsaSig::from_der` and `EcdsaSig::to_der`.
* Added PKCS#7 support.

## [v0.10.12] - 2018-09-13

### Fixed

* Fixed handling of SNI callbacks during renegotiation.

### Added

* Added `SslRef::get_shutdown` and `SslRef::set_shutdown`.
* Added support for SRTP in DTLS sessions.
* Added support for LibreSSL 2.8.0.

## [v0.10.11] - 2018-08-04

### Added

* The new `vendored` cargo feature will cause openssl-sys to compile and statically link to a
    vendored copy of OpenSSL.
* Added `SslContextBuilder::set_psk_server_callback`.
* Added `DsaRef::pub_key` and `DsaRef::priv_key`.
* Added `Dsa::from_private_components` and `Dsa::from_public_components`.
* Added `X509NameRef::entries`.

### Deprecated

* `SslContextBuilder::set_psk_callback` has been renamed to
    `SslContextBuilder::set_psk_client_callback` and deprecated.

## [v0.10.10] - 2018-06-06

### Added

* Added `SslRef::set_alpn_protos`.
* Added `SslContextBuilder::set_ciphersuites`.

## [v0.10.9] - 2018-06-01

### Fixed

* Fixed a use-after-free in `CmsContentInfo::sign`.
* `SslRef::servername` now returns `None` rather than panicking on a non-UTF8 name.

### Added

* Added `MessageDigest::from_nid`.
* Added `Nid::signature_algorithms`, `Nid::long_name`, and `Nid::short_name`.
* Added early data and early keying material export support for TLS 1.3.
* Added `SslRef::verified_chain`.
* Added `SslRef::servername_raw` which returns a `&[u8]` rather than `&str`.
* Added `SslRef::finished` and `SslRef::peer_finished`.
* Added `X509Ref::digest` to replace `X509Ref::fingerprint`.
* `X509StoreBuilder` and `X509Store` now implement `Sync` and `Send`.

### Deprecated

* `X509Ref::fingerprint` has been deprecated in favor of `X509Ref::digest`.

## [v0.10.8] - 2018-05-20

### Fixed

* `openssl-sys` will now detect Homebrew-installed OpenSSL when installed to a non-default
    directory.
* The `X509_V_ERR_INVALID_CALL`, `X509_V_ERR_STORE_LOOKUP`, and
    `X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION` constants in `openssl-sys` are now only present when
    building against 1.1.0g and up rather than 1.1.0.
* `SslContextBuilder::max_proto_version` and `SslContextBuilder::min_proto_version` are only present
    when building against 1.1.0g and up rather than 1.1.0.

### Added

* Added `CmsContentInfo::sign`.
* Added `Clone` and `ToOwned` implementations to `Rsa` and `RsaRef` respectively.
* The `min_proto_version` and `max_proto_version` methods are available when linking against
    LibreSSL 2.6.1 and up in addition to OpenSSL.
* `X509VerifyParam` is available when linking against LibreSSL 2.6.1 and up in addition to OpenSSL.
* ALPN support is available when linking against LibreSSL 2.6.1 and up in addition to OpenSSL.
* `Stack` and `StackRef` are now `Sync` and `Send`.

## [v0.10.7] - 2018-04-30

### Added

* Added `X509Req::public_key` and `X509Req::extensions`.
* Added `RsaPrivateKeyBuilder` to allow control over initialization of optional components of an RSA
    private key.
* Added DER encode/decode support to `SslSession`.
* openssl-sys now provides the `DEP_OPENSSL_VERSION_NUMBER` and
    `DEP_OPENSSL_LIBRESSL_VERSION_NUMBER` environment variables to downstream build scripts, which
    contain the hex-encoded version number of the OpenSSL or LibreSSL distribution being built
    against. The other variables are deprecated.

## [v0.10.6] - 2018-03-05

### Added

* Added `SslOptions::ENABLE_MIDDLEBOX_COMPAT`.
* Added more `Sync` and `Send` implementations.
* Added `PKeyRef::id`.
* Added `Padding::PKCS1_PSS`.
* Added `Signer::set_rsa_pss_saltlen`, `Signer::set_rsa_mgf1_md`, `Signer::set_rsa_pss_saltlen`, and
    `Signer::set_rsa_mgf1_md`.
* Added `X509StoreContextRef::verify` to directly verify certificates.
* Added low level ECDSA support.
* Added support for TLSv1.3 custom extensions. (OpenSSL 1.1.1 only)
* Added AES-CCM support.
* Added `EcKey::from_private_components`.
* Added CMAC support.
* Added support for LibreSSL 2.7.
* Added `X509Ref::serial_number`.
* Added `Asn1IntegerRef::to_bn`.
* Added support for TLSv1.3 stateless handshakes. (OpenSSL 1.1.1 only)

### Changed

* The Cargo features previously used to gate access to version-specific OpenSSL APIs have been
    removed. Those APIs will be available automatically when building against an appropriate OpenSSL
    version.
* Fixed `PKey::private_key_from_der` to return a `PKey<Private>` rather than a `PKey<Public>`. This
    is technically a breaking change but the function was pretty useless previously.

### Deprecated

* `X509CheckFlags::FLAG_NO_WILDCARDS` has been renamed to `X509CheckFlags::NO_WILDCARDS` and the old
    name deprecated.

## [v0.10.5] - 2018-02-28

### Fixed

* `ErrorStack`'s `Display` implementation no longer writes an empty string if it contains no errors.

### Added

* Added `SslRef::version2`.
* Added `Cipher::des_ede3_cbc`.
* Added `SslRef::export_keying_material`.
* Added the ability to push an `Error` or `ErrorStack` back onto OpenSSL's error stack. Various
    callback bindings use this to propagate errors properly.
* Added `SslContextBuilder::set_cookie_generate_cb` and `SslContextBuilder::set_cookie_verify_cb`.
* Added `SslContextBuilder::set_max_proto_version`, `SslContextBuilder::set_min_proto_version`,
    `SslContextBuilder::max_proto_version`, and `SslContextBuilder::min_proto_version`.

### Changed

* Updated `SslConnector`'s default cipher list to match Python's.

### Deprecated

* `SslRef::version` has been deprecated. Use `SslRef::version_str` instead.

## [v0.10.4] - 2018-02-18

### Added

* Added OpenSSL 1.1.1 support.
* Added `Rsa::public_key_from_pem_pkcs1`.
* Added `SslOptions::NO_TLSV1_3`. (OpenSSL 1.1.1 only)
* Added `SslVersion`.
* Added `SslSessionCacheMode` and `SslContextBuilder::set_session_cache_mode`.
* Added `SslContextBuilder::set_new_session_callback`,
    `SslContextBuilder::set_remove_session_callback`, and
    `SslContextBuilder::set_get_session_callback`.
* Added `SslContextBuilder::set_keylog_callback`. (OpenSSL 1.1.1 only)
* Added `SslRef::client_random` and `SslRef::server_random`. (OpenSSL 1.1.0+ only)

### Fixed

* The `SslAcceptorBuilder::mozilla_modern` constructor now disables TLSv1.0 and TLSv1.1 in
    accordance with Mozilla's recommendations.

## [v0.10.3] - 2018-02-12

### Added

* OpenSSL is now automatically detected on FreeBSD systems.
* Added `GeneralName` accessors for `rfc822Name` and `uri` variants.
* Added DES-EDE3 support.

### Fixed

* Fixed a memory leak in `X509StoreBuilder::add_cert`.

## [v0.10.2] - 2018-01-11

### Added

* Added `ConnectConfiguration::set_use_server_name_indication` and
    `ConnectConfiguration::set_verify_hostname` for use in contexts where you don't have ownership
    of the `ConnectConfiguration`.

## [v0.10.1] - 2018-01-10

### Added

* Added a `From<ErrorStack> for ssl::Error` implementation.

## [v0.10.0] - 2018-01-10

### Compatibility

* openssl 0.10 still uses openssl-sys 0.9, so openssl 0.9 and 0.10 can coexist without issue.

### Added

* The `ssl::select_next_proto` function can be used to easily implement the ALPN selection callback
    in a "standard" way.
* FIPS mode support is available in the `fips` module.
* Accessors for the Issuer and Issuer Alternative Name fields of X509 certificates have been added.
* The `X509VerifyResult` can now be set in the certificate verification callback via
    `X509StoreContextRef::set_error`.

### Changed

* All constants have been moved to associated constants of their type. For example, `bn::MSB_ONE`
    is now `bn::MsbOption::ONE`.
* Asymmetric key types are now parameterized over what they contain. In OpenSSL, the same type is
    used for key parameters, public keys, and private keys. Unfortunately, some APIs simply assume
    that certain components are present and will segfault trying to use things that aren't there.

    The `pkey` module contains new tag types named `Params`, `Public`, and `Private`, and the
    `Dh`, `Dsa`, `EcKey`, `Rsa`, and `PKey` types have a type parameter set to one of those values.
    This allows the `Signer` constructor, for example, to indicate at compile time that it requires
    a private key. Previously, `Signer` would simply segfault if provided a key without private
    components.
* ALPN support has been changed to more directly model OpenSSL's own APIs. Instead of a single
    method used for both the server and client sides which performed everything automatically, the
    `SslContextBuilder::set_alpn_protos` and `SslContextBuilder::set_alpn_select_callback` handle
    the client and server sides respectively.
* `SslConnector::danger_connect_without_providing_domain_for_certificate_verification_and_server_name_indication`
    has been removed in favor of new methods which provide more control. The
    `ConnectConfiguration::use_server_name_indication` method controls the use of Server Name
    Indication (SNI), and the `ConnectConfiguration::verify_hostname` method controls the use of
    hostname verification. These can be controlled independently, and if both are disabled, the
    domain argument to `ConnectConfiguration::connect` is ignored.
* Shared secret derivation is now handled by the new `derive::Deriver` type rather than
    `pkey::PKeyContext`, which has been removed.
* `ssl::Error` is no longer an enum, and provides more direct access to the relevant state.
* `SslConnectorBuilder::new` has been moved and renamed to `SslConnector::builder`.
* `SslAcceptorBuilder::mozilla_intermediate` and `SslAcceptorBuilder::mozilla_modern` have been
    moved to `SslAcceptor` and no longer take the private key and certificate chain. Install those
    manually after creating the builder.
* `X509VerifyError` is now `X509VerifyResult` and can now have the "ok" value in addition to error
    values.
* `x509::X509FileType` is now `ssl::SslFiletype`.
* Asymmetric key serialization and deserialization methods now document the formats that they
    correspond to, and some have been renamed to better indicate that.
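
The tag-type design from the "Asymmetric key types" entry above, modelled as a self-contained sketch; this is an added example, not code from the openssl crate. Only the tag names `Params`, `Public`, and `Private` and the `Signer` name come from the changelog; `Key`, the `HasPublic`/`HasPrivate` bounds as written here, `from_secret`, `has_secret`, and the keyed-hash "signature" are constructed for illustration.

```rust
use std::marker::PhantomData;

// Tag types named after the `Params`, `Public`, and `Private` tags described above.
pub enum Params {}
pub enum Public {}
pub enum Private {}

// Capability traits for this sketch: which tags guarantee which key components.
pub trait HasPublic {}
pub trait HasPrivate {}
impl HasPublic for Public {}
impl HasPublic for Private {}
impl HasPrivate for Private {}

// Toy key: `secret` may be absent at run time; the tag `T` records it at compile time.
pub struct Key<T> {
    public: u64,
    secret: Option<u64>,
    _tag: PhantomData<T>,
}

impl Key<Private> {
    pub fn from_secret(secret: u64) -> Self {
        let public = secret.rotate_left(17) ^ 0x9e37_79b9_7f4a_7c15; // toy, not cryptography
        Key { public, secret: Some(secret), _tag: PhantomData }
    }
}

impl<T: HasPublic> Key<T> {
    pub fn has_secret(&self) -> bool { self.secret.is_some() }
    // Downgrading to `Key<Public>` discards the secret, and with it the right to sign.
    pub fn to_public(&self) -> Key<Public> {
        Key { public: self.public, secret: None, _tag: PhantomData }
    }
}

pub struct Signer { secret: u64 }
impl Signer {
    // The bound does the work: a key lacking private components fails to compile here.
    pub fn new<T: HasPrivate>(key: &Key<T>) -> Signer {
        Signer { secret: key.secret.expect("HasPrivate key always carries a secret") }
    }
    // Toy keyed FNV-1a tag over the message, standing in for a real signature.
    pub fn sign(&self, msg: &[u8]) -> u64 {
        msg.iter().fold(0xcbf2_9ce4_8422_2325 ^ self.secret, |h, b| {
            (h ^ u64::from(*b)).wrapping_mul(0x0000_0100_0000_01b3)
        })
    }
}

fn main() {
    let private = Key::from_secret(42);
    let public = private.to_public();
    println!("{:016x} {}", Signer::new(&private).sign(b"hello"), public.has_secret());
    // Signer::new(&public); // error[E0277]: trait bound `Public: HasPrivate` not satisfied
}
```

Uncommenting the last line turns the former run-time crash into a build failure, which is the behaviour the entry describes for `Signer`.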

### Removed

* All deprecated APIs have been removed.
* NPN support has been removed. It has been superseded by ALPN, and is hopefully no longer being
    used in practice. If you still depend on it, please file an issue!
* `SslRef::compression` has been removed.
* Some `ssl::SslOptions` flags have been removed as they no longer do anything.

## Older

Look at the [release tags] for information about older releases.

[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.28...master
[v0.10.28]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.27...openssl-v0.10.28
[v0.10.27]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.26...openssl-v0.10.27
[v0.10.26]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.25...openssl-v0.10.26
[v0.10.25]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.24...openssl-v0.10.25
[v0.10.24]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.23...openssl-v0.10.24
[v0.10.23]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.22...openssl-v0.10.23
[v0.10.22]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.21...openssl-v0.10.22
[v0.10.21]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.20...openssl-v0.10.21
[v0.10.20]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.19...openssl-v0.10.20
[v0.10.19]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.18...openssl-v0.10.19
[v0.10.18]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.17...openssl-v0.10.18
[v0.10.17]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.16...openssl-v0.10.17
[v0.10.16]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.15...openssl-v0.10.16
[v0.10.15]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.14...openssl-v0.10.15
[v0.10.14]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.13...openssl-v0.10.14
[v0.10.13]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.12...openssl-v0.10.13
[v0.10.12]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.11...openssl-v0.10.12
[v0.10.11]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.10...openssl-v0.10.11
[v0.10.10]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.9...openssl-v0.10.10
[v0.10.9]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.8...openssl-v0.10.9
[v0.10.8]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.7...openssl-v0.10.8
[v0.10.7]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.6...openssl-v0.10.7
[v0.10.6]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.5...openssl-v0.10.6
[v0.10.5]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.4...openssl-v0.10.5
[v0.10.4]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.3...openssl-v0.10.4
[v0.10.3]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.2...openssl-v0.10.3
[v0.10.2]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.1...openssl-v0.10.2
[v0.10.1]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.0...openssl-v0.10.1
[v0.10.0]: https://github.com/sfackler/rust-openssl/compare/v0.9.23...openssl-v0.10.0
[release tags]: https://github.com/sfackler/rust-openssl/releases