version 1.18, 2016/02/03 16:40:02
version 1.19, 2016/02/03 17:20:15

twenty years ago.
<li>Added <tt>Certplus CA</tt> root certificate to the default
<tt>cert.pem</tt> file.
<li>Fixed a leak in
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=SSL_new&sektion=3">SSL_new(3)</a>
in the error path.
<li>Fixed a memory leak and out-of-bounds access in <tt>OBJ_obj2txt</tt>.
<li>Fixed an overflow of up to 7 bytes in RC4 when <tt>len</tt> is not a multiple of
<tt>sizeof(RC4_CHUNK)</tt>.
<li>Added
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=EVP_AEAD_CTX_init&sektion=3">EVP_aead_chacha20_poly1305_ietf(3)</a>,
which matches the <tt>AEAD</tt> construction introduced in RFC 7539 and
differs from the one already used in TLS with
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=EVP_AEAD_CTX_init&sektion=3">EVP_aead_chacha20_poly1305(3)</a>.
<li>More man pages converted from pod to
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=mdoc&sektion=7">mdoc(7)</a>
format.

<li>SSLv3 is now permanently removed from the tree.
<li>The <tt>libtls</tt> API is changed from the 2.2.x series:
<ul>
<li>The
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tls_init&sektion=3">tls_read(3)</a>
and
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tls_init&sektion=3">tls_write(3)</a>
functions now work better with external event libraries.
<li>Client-side verification is now supported, with the client
supplying the certificate to the server.
<li>Also, when using
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tls_init&sektion=3">tls_connect_fds(3)</a>,
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tls_init&sektion=3">tls_connect_socket(3)</a>
or
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tls_init&sektion=3">tls_accept_fds(3)</a>,
<tt>libtls</tt> no longer implicitly closes the passed-in sockets.
The caller is responsible for closing them in this case.
</ul>

<li>Support always extracting the peer cipher and version with
<tt>libtls</tt>.
<li>Added ability to check certificate validity times with
<tt>libtls</tt>,
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tls_init&sektion=3">tls_peer_cert_notbefore(3)</a>
and
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tls_init&sektion=3">tls_peer_cert_notafter(3)</a>.

<li>Changed
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tls_init&sektion=3">tls_connect_servername(3)</a>
to use the first address that resolves with
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=getaddrinfo&sektion=3">getaddrinfo(3)</a>.
<li>Removed broken conditional <tt>EVP_CHECK_DES_KEY</tt> code
(non-functional since its initial commit in 2004).
<li>Reject a too-small bits value in
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=BN_generate_prime&sektion=3">BN_generate_prime_ex(3)</a>,
so that it does not risk becoming negative in
<tt>probable_prime_dh_safe()</tt>.
<li>Changed format of <tt>LIBRESSL_VERSION_NUMBER</tt> to match that of