# Change Log

## [Unreleased]

## [v0.10.30] - 2020-06-25

### Fixed

* `DsaRef::private_key_to_pem` can no longer be called without a private key.

### Changed

* Improved the `Debug` implementations of many types.

### Added

* Added `is_empty` implementations for `Asn1StringRef` and `Asn1BitStringRef`.
* Added `EcPointRef::{to_pem, to_dir}` and `EcKeyRef::{public_key_from_pem, public_key_from_der}`.
* Added `Default` implementations for many types.
* Added `Debug` implementations for many types.
* Added `SslRef::set_mtu`.
* Added `Cipher::{aes_128_ocb, aes_192_ocb, aes_256_ocb}`.

### Deprecated

* Deprecated `SslStreamBuilder::set_dtls_mtu_size` in favor of `SslRef::set_mtu`.

## [v0.10.29] - 2020-04-07

### Fixed

* Fixed a memory leak in `X509Builder::append_extension`.

### Added

* Added `SslConnector::into_context` and `SslConnector::context`.
* Added `SslAcceptor::into_context` and `SslAcceptor::context`.
* Added `SslMethod::tls_client` and `SslMethod::tls_server`.
* Added `SslContextBuilder::set_cert_store`.
* Added `SslContextRef::verify_mode` and `SslRef::verify_mode`.
* Added `SslRef::is_init_finished`.
* Added `X509Object`.
* Added `X509StoreRef::objects`.

## [v0.10.28] - 2020-02-04

### Fixed

* Fixed the mutability of `Signer::sign_oneshot` and `Verifier::verify_oneshot`. This is unfortunately a breaking
    change, but a necessary soundness fix.

## [v0.10.27] - 2020-01-29

### Added

* Added `MessageDigest::null`.
* Added `PKey::private_key_from_pkcs8`.
* Added `SslOptions::NO_RENEGOTIATION`.
* Added `SslStreamBuilder::set_dtls_mtu_size`.

## [v0.10.26] - 2019-11-22

### Fixed

* Fixed improper handling of the IV buffer in `envelope::{Seal, Unseal}`.

### Added

* Added `Asn1TimeRef::{diff, compare}`.
* Added `Asn1Time::from_unix`.
* Added `PartialEq` and `PartialOrd` implementations for `Asn1Time` and `Asn1TimeRef`.
* Added `base64::{encode_block, decode_block}`.
* Added `EcGroupRef::order_bits`.
* Added `Clone` implementations for `Sha1`, `Sha224`, `Sha256`, `Sha384`, and `Sha512`.
* Added `SslContextBuilder::{set_sigalgs_list, set_groups_list}`.

## [v0.10.25] - 2019-10-02

### Fixed

* Fixed a memory leak in `EcdsaSig::from_private_components` when using OpenSSL 1.0.x.

### Added

* Added support for Ed25519 and Ed448 keys.
* Implemented `ToOwned` for `PKeyRef` and `Clone` for `PKey`.

## [v0.10.24] - 2019-07-19

### Fixed

* Worked around an OpenSSL 1.0.x bug triggered by code calling `SSL_set_app_data`.

### Added

* Added `aes::{wrap_key, unwrap_key}`.
* Added `CmsContentInfoRef::to_pem` and `CmsContentInfo::from_pem`.
* Added `DsaRef::private_key_to_pem`.
* Added `EcGroupRef::{cofactor, generator}`.
* Added `EcPointRef::to_owned`.
* Added a `Debug` implementation for `EcKey`.
* Added `SslAcceptor::{mozilla_intermediate_v5, mozilla_modern_v5}`.
* Added `Cipher::{aes_128_ofb, aes_192_ecb, aes_192_cbc, aes_192_ctr, aes_192_cfb1, aes_192_cfb128, aes_192_cfb8,
    aes_192_gcm, aes_192_ccm, aes_192_ofb, aes_256_ofb}`.

## [v0.10.23] - 2019-05-18

### Fixed

* Fixed session callbacks when an `Ssl`'s context is replaced.

### Added

* Added `SslContextBuilder::add_client_ca`.

## [v0.10.22] - 2019-05-08

### Added

* Added support for the LibreSSL 2.9.x series.

## [v0.10.21] - 2019-04-30

### Fixed

* Fixed overly conservative buffer size checks in `Crypter` when using stream ciphers.

### Added

* Added bindings to envelope encryption APIs.
* Added `PKeyRef::size`.

## [v0.10.20] - 2019-03-20

### Added

* Added `CmsContentInfo::from_der` and `CmsContentInfo::encrypt`.
* Added `X509Ref::verify` and `X509ReqRef::verify`.
* Implemented `PartialEq` and `Eq` for `MessageDigest`.
* Added `MessageDigest::type_` and `EcGroupRef::curve_name`.

## [v0.10.19] - 2019-03-01

### Added

* The openssl-sys build script now logs the values of environment variables.
* Added `ERR_PACK` to openssl-sys.
* The `ERR_*` functions in openssl-sys are const functions when building against newer Rust versions.
* Implemented `Clone` for `Dsa`.
* Added `SslContextRef::add_session` and `SslContextRef::remove_session`.
* Added `SslSessionRef::time`, `SslSessionRef::timeout`, and `SslSessionRef::protocol_version`.
* Added `SslContextBuilder::set_session_cache_size` and `SslContextRef::session_cache_size`.

## [v0.10.18] - 2019-02-22

### Fixed

* Fixed the return type of `ssl::cipher_name`.

## [v0.10.17] - 2019-02-22

### Added

* Implemented `AsRef<str>` and `AsRef<[u8]>` for `OpenSslString`.
* Added `Asn1Integer::from_bn`.
* Added `RsaRef::check_key`.
* Added `Asn1Time::from_str` and `Asn1Time::from_str_x509`.
* Added `Rsa::generate_with_e`.
* Added `Cipher::des_ede3_cfb64`.
* Added `SslCipherRef::standard_name` and `ssl::cipher_name`.

## [v0.10.16] - 2018-12-16

### Added

* Added SHA3 and SHAKE to `MessageDigest`.
* Added `rand::keep_random_devices_open`.
* Added support for LibreSSL 2.9.0.

## [v0.10.15] - 2018-10-22

### Added

* Implemented `DoubleEndedIterator` for stack iterators.

## [v0.10.14] - 2018-10-18

### Fixed

* Made some accidentally exposed internal functions private.

### Added

* Added support for LibreSSL 2.8.

### Changed

* The OpenSSL version used with the `vendored` feature has been upgraded from 1.1.0 to 1.1.1.

## [v0.10.13] - 2018-10-14

### Fixed

* Fixed a double-free in the `SslContextBuilder::set_get_session_callback` API.

### Added

* Added `SslContextBuilder::set_client_hello_callback`.
* Added support for LibreSSL 2.8.1.
* Added `EcdsaSig::from_der` and `EcdsaSig::to_der`.
* Added PKCS#7 support.

## [v0.10.12] - 2018-09-13

### Fixed

* Fixed handling of SNI callbacks during renegotiation.

### Added

* Added `SslRef::get_shutdown` and `SslRef::set_shutdown`.
* Added support for SRTP in DTLS sessions.
* Added support for LibreSSL 2.8.0.

## [v0.10.11] - 2018-08-04

### Added

* The new `vendored` cargo feature will cause openssl-sys to compile and statically link to a
    vendored copy of OpenSSL.
* Added `SslContextBuilder::set_psk_server_callback`.
* Added `DsaRef::pub_key` and `DsaRef::priv_key`.
* Added `Dsa::from_private_components` and `Dsa::from_public_components`.
* Added `X509NameRef::entries`.

### Deprecated

* `SslContextBuilder::set_psk_callback` has been renamed to
    `SslContextBuilder::set_psk_client_callback` and deprecated.

## [v0.10.10] - 2018-06-06

### Added

* Added `SslRef::set_alpn_protos`.
* Added `SslContextBuilder::set_ciphersuites`.

## [v0.10.9] - 2018-06-01

### Fixed

* Fixed a use-after-free in `CmsContentInfo::sign`.
* `SslRef::servername` now returns `None` rather than panicking on a non-UTF8 name.

### Added

* Added `MessageDigest::from_nid`.
* Added `Nid::signature_algorithms`, `Nid::long_name`, and `Nid::short_name`.
* Added early data and early keying material export support for TLS 1.3.
* Added `SslRef::verified_chain`.
* Added `SslRef::servername_raw` which returns a `&[u8]` rather than `&str`.
* Added `SslRef::finished` and `SslRef::peer_finished`.
* Added `X509Ref::digest` to replace `X509Ref::fingerprint`.
* `X509StoreBuilder` and `X509Store` now implement `Sync` and `Send`.

### Deprecated

* `X509Ref::fingerprint` has been deprecated in favor of `X509Ref::digest`.

## [v0.10.8] - 2018-05-20

### Fixed

* `openssl-sys` will now detect Homebrew-installed OpenSSL when installed to a non-default
    directory.
* The `X509_V_ERR_INVALID_CALL`, `X509_V_ERR_STORE_LOOKUP`, and
    `X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION` constants in `openssl-sys` are now only present when
    building against 1.1.0g and up rather than 1.1.0.
* `SslContextBuilder::max_proto_version` and `SslContextBuilder::min_proto_version` are only present
    when building against 1.1.0g and up rather than 1.1.0.

### Added

* Added `CmsContentInfo::sign`.
* Added `Clone` and `ToOwned` implementations to `Rsa` and `RsaRef` respectively.
* The `min_proto_version` and `max_proto_version` methods are available when linking against
    LibreSSL 2.6.1 and up in addition to OpenSSL.
* `X509VerifyParam` is available when linking against LibreSSL 2.6.1 and up in addition to OpenSSL.
* ALPN support is available when linking against LibreSSL 2.6.1 and up in addition to OpenSSL.
* `Stack` and `StackRef` are now `Sync` and `Send`.

## [v0.10.7] - 2018-04-30

### Added

* Added `X509Req::public_key` and `X509Req::extensions`.
* Added `RsaPrivateKeyBuilder` to allow control over initialization of optional components of an RSA
    private key.
* Added DER encode/decode support to `SslSession`.
* openssl-sys now provides the `DEP_OPENSSL_VERSION_NUMBER` and
    `DEP_OPENSSL_LIBRESSL_VERSION_NUMBER` environment variables to downstream build scripts which
    contain the hex-encoded version number of the OpenSSL or LibreSSL distribution being built
    against. The other variables are deprecated.

## [v0.10.6] - 2018-03-05

### Added

* Added `SslOptions::ENABLE_MIDDLEBOX_COMPAT`.
* Added more `Sync` and `Send` implementations.
* Added `PKeyRef::id`.
* Added `Padding::PKCS1_PSS`.
* Added `Signer::set_rsa_pss_saltlen`, `Signer::set_rsa_mgf1_md`, `Signer::set_rsa_pss_saltlen`, and
    `Signer::set_rsa_mgf1_md`.
* Added `X509StoreContextRef::verify` to directly verify certificates.
* Added low level ECDSA support.
* Added support for TLSv1.3 custom extensions. (OpenSSL 1.1.1 only)
* Added AES-CCM support.
* Added `EcKey::from_private_components`.
* Added CMAC support.
* Added support for LibreSSL 2.7.
* Added `X509Ref::serial_number`.
* Added `Asn1IntegerRef::to_bn`.
* Added support for TLSv1.3 stateless handshakes. (OpenSSL 1.1.1 only)

### Changed

* The Cargo features previously used to gate access to version-specific OpenSSL APIs have been
    removed. Those APIs will be available automatically when building against an appropriate OpenSSL
    version.
* Fixed `PKey::private_key_from_der` to return a `PKey<Private>` rather than a `PKey<Public>`. This
    is technically a breaking change but the function was pretty useless previously.

### Deprecated

* `X509CheckFlags::FLAG_NO_WILDCARDS` has been renamed to `X509CheckFlags::NO_WILDCARDS` and the old
    name deprecated.

## [v0.10.5] - 2018-02-28

### Fixed

* `ErrorStack`'s `Display` implementation no longer writes an empty string if it contains no errors.

### Added

* Added `SslRef::version2`.
* Added `Cipher::des_ede3_cbc`.
* Added `SslRef::export_keying_material`.
* Added the ability to push an `Error` or `ErrorStack` back onto OpenSSL's error stack. Various
    callback bindings use this to propagate errors properly.
* Added `SslContextBuilder::set_cookie_generate_cb` and `SslContextBuilder::set_cookie_verify_cb`.
* Added `SslContextBuilder::set_max_proto_version`, `SslContextBuilder::set_min_proto_version`,
    `SslContextBuilder::max_proto_version`, and `SslContextBuilder::min_proto_version`.

### Changed

* Updated `SslConnector`'s default cipher list to match Python's.

### Deprecated

* `SslRef::version` has been deprecated. Use `SslRef::version_str` instead.

## [v0.10.4] - 2018-02-18

### Added

* Added OpenSSL 1.1.1 support.
* Added `Rsa::public_key_from_pem_pkcs1`.
* Added `SslOptions::NO_TLSV1_3`. (OpenSSL 1.1.1 only)
* Added `SslVersion`.
* Added `SslSessionCacheMode` and `SslContextBuilder::set_session_cache_mode`.
* Added `SslContextBuilder::set_new_session_callback`,
    `SslContextBuilder::set_remove_session_callback`, and
    `SslContextBuilder::set_get_session_callback`.
* Added `SslContextBuilder::set_keylog_callback`. (OpenSSL 1.1.1 only)
* Added `SslRef::client_random` and `SslRef::server_random`. (OpenSSL 1.1.0+ only)

### Fixed

* The `SslAcceptorBuilder::mozilla_modern` constructor now disables TLSv1.0 and TLSv1.1 in
    accordance with Mozilla's recommendations.

## [v0.10.3] - 2018-02-12

### Added

* OpenSSL is now automatically detected on FreeBSD systems.
* Added `GeneralName` accessors for `rfc822Name` and `uri` variants.
* Added DES-EDE3 support.

### Fixed

* Fixed a memory leak in `X509StoreBuilder::add_cert`.

## [v0.10.2] - 2018-01-11

### Added

* Added `ConnectConfiguration::set_use_server_name_indication` and
    `ConnectConfiguration::set_verify_hostname` for use in contexts where you don't have ownership
    of the `ConnectConfiguration`.

## [v0.10.1] - 2018-01-10

### Added

* Added a `From<ErrorStack> for ssl::Error` implementation.

## [v0.10.0] - 2018-01-10

### Compatibility

* openssl 0.10 still uses openssl-sys 0.9, so openssl 0.9 and 0.10 can coexist without issue.

### Added

* The `ssl::select_next_proto` function can be used to easily implement the ALPN selection callback
    in a "standard" way.
* FIPS mode support is available in the `fips` module.
* Accessors for the Issuer and Issuer Alternative Name fields of X509 certificates have been added.
* The `X509VerifyResult` can now be set in the certificate verification callback via
    `X509StoreContextRef::set_error`.

### Changed

* All constants have been moved to associated constants of their type. For example, `bn::MSB_ONE`
    is now `bn::MsbOption::ONE`.
* Asymmetric key types are now parameterized over what they contain. In OpenSSL, the same type is
    used for key parameters, public keys, and private keys. Unfortunately, some APIs simply assume
    that certain components are present and will segfault trying to use things that aren't there.

    The `pkey` module contains new tag types named `Params`, `Public`, and `Private`, and the
    `Dh`, `Dsa`, `EcKey`, `Rsa`, and `PKey` have a type parameter set to one of those values. This
    allows the `Signer` constructor to indicate that it requires a private key at compile time for
    example. Previously, `Signer` would simply segfault if provided a key without private
    components.
* ALPN support has been changed to more directly model OpenSSL's own APIs. Instead of a single
    method used for both the server and client sides which performed everything automatically, the
    `SslContextBuilder::set_alpn_protos` and `SslContextBuilder::set_alpn_select_callback` handle
    the client and server sides respectively.
* `SslConnector::danger_connect_without_providing_domain_for_certificate_verification_and_server_name_indication`
    has been removed in favor of new methods which provide more control. The
    `ConnectConfiguration::use_server_name_indication` method controls the use of Server Name
    Indication (SNI), and the `ConnectConfiguration::verify_hostname` method controls the use of
    hostname verification. These can be controlled independently, and if both are disabled, the
    domain argument to `ConnectConfiguration::connect` is ignored.
* Shared secret derivation is now handled by the new `derive::Deriver` type rather than
    `pkey::PKeyContext`, which has been removed.
* `ssl::Error` is now no longer an enum, and provides more direct access to the relevant state.
* `SslConnectorBuilder::new` has been moved and renamed to `SslConnector::builder`.
* `SslAcceptorBuilder::mozilla_intermediate` and `SslAcceptorBuilder::mozilla_modern` have been
    moved to `SslAcceptor` and no longer take the private key and certificate chain. Install those
    manually after creating the builder.
* `X509VerifyError` is now `X509VerifyResult` and can now have the "ok" value in addition to error
    values.
* `x509::X509FileType` is now `ssl::SslFiletype`.
* Asymmetric key serialization and deserialization methods now document the formats that they
    correspond to, and some have been renamed to better indicate that.
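
The typed-key change in this list, modelled as an added example that is not code from the openssl crate: a std-only sketch using the `Public` and `Private` tag names from the entry, showing how a tag parameter turns "signing with a key that has no private part" into a compile error. The marker traits `HasPublic`/`HasPrivate`, the `Key` type, the toy digest and the textbook-RSA numbers are assumptions made for illustration and are not real cryptography.

```rust
use std::marker::PhantomData;

// Tag types named as in the changelog entry; the marker traits are this model's own.
pub enum Public {}
pub enum Private {}
pub trait HasPublic {}
pub trait HasPrivate {}
impl HasPublic for Public {}
impl HasPublic for Private {}
impl HasPrivate for Private {}

// Toy textbook-RSA key (n = 61 * 53): constructed sample values, not real cryptography.
pub struct Key<T> { n: u64, e: u64, d: Option<u64>, _tag: PhantomData<T> }

fn modpow(mut b: u64, mut x: u64, m: u64) -> u64 {
    let mut r = 1;
    b %= m;
    while x > 0 {
        if x & 1 == 1 { r = r * b % m; }
        b = b * b % m;
        x >>= 1;
    }
    r
}

// Non-cryptographic stand-in for a message digest, reduced mod n.
fn toy_digest(msg: &[u8], n: u64) -> u64 {
    msg.iter().fold(7u64, |h, &c| (h * 31 + c as u64) % n)
}

impl Key<Private> {
    pub fn toy_keypair() -> Key<Private> {
        Key { n: 3233, e: 17, d: Some(2753), _tag: PhantomData }
    }
}

impl<T: HasPublic> Key<T> {
    // Drops the private exponent and downgrades the tag to `Public`.
    pub fn to_public(&self) -> Key<Public> {
        Key { n: self.n, e: self.e, d: None, _tag: PhantomData }
    }
    pub fn verify(&self, msg: &[u8], sig: u64) -> bool {
        modpow(sig, self.e, self.n) == toy_digest(msg, self.n)
    }
}

impl<T: HasPrivate> Key<T> {
    // Only callable when the tag proves a private component exists.
    pub fn sign(&self, msg: &[u8]) -> u64 {
        let d = self.d.expect("HasPrivate tag guarantees a private exponent");
        modpow(toy_digest(msg, self.n), d, self.n)
    }
}

fn main() {
    let sk = Key::<Private>::toy_keypair();
    let sig = sk.sign(b"hello");
    println!("verified: {}", sk.to_public().verify(b"hello", sig));
    // sk.to_public().sign(b"hello"); // rejected at compile time: `Public: HasPrivate` is not satisfied
}
```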

### Removed

* All deprecated APIs have been removed.
* NPN support has been removed. It has been superseded by ALPN, and is hopefully no longer being
    used in practice. If you still depend on it, please file an issue!
* `SslRef::compression` has been removed.
* Some `ssl::SslOptions` flags have been removed as they no longer do anything.

## Older

Look at the [release tags] for information about older releases.

[Unreleased]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.30...master
[v0.10.30]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.29...openssl-v0.10.30
[v0.10.29]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.28...openssl-v0.10.29
[v0.10.28]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.27...openssl-v0.10.28
[v0.10.27]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.26...openssl-v0.10.27
[v0.10.26]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.25...openssl-v0.10.26
[v0.10.25]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.24...openssl-v0.10.25
[v0.10.24]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.23...openssl-v0.10.24
[v0.10.23]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.22...openssl-v0.10.23
[v0.10.22]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.21...openssl-v0.10.22
[v0.10.21]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.20...openssl-v0.10.21
[v0.10.20]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.19...openssl-v0.10.20
[v0.10.19]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.18...openssl-v0.10.19
[v0.10.18]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.17...openssl-v0.10.18
[v0.10.17]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.16...openssl-v0.10.17
[v0.10.16]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.15...openssl-v0.10.16
[v0.10.15]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.14...openssl-v0.10.15
[v0.10.14]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.13...openssl-v0.10.14
[v0.10.13]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.12...openssl-v0.10.13
[v0.10.12]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.11...openssl-v0.10.12
[v0.10.11]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.10...openssl-v0.10.11
[v0.10.10]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.9...openssl-v0.10.10
[v0.10.9]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.8...openssl-v0.10.9
[v0.10.8]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.7...openssl-v0.10.8
[v0.10.7]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.6...openssl-v0.10.7
[v0.10.6]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.5...openssl-v0.10.6
[v0.10.5]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.4...openssl-v0.10.5
[v0.10.4]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.3...openssl-v0.10.4
[v0.10.3]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.2...openssl-v0.10.3
[v0.10.2]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.1...openssl-v0.10.2
[v0.10.1]: https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.0...openssl-v0.10.1
[v0.10.0]: https://github.com/sfackler/rust-openssl/compare/v0.9.23...openssl-v0.10.0
[release tags]: https://github.com/sfackler/rust-openssl/releases