version 1.27, 2016/02/18 01:55:02 |
version 1.28, 2016/02/18 11:39:14 |
|
|
|
|
<li>Generic network stack improvements: |
<li>Generic network stack improvements: |
<ul> |
<ul> |
<li>Remove support for obsolete IPv6 socket options |
<li>Remove support for obsolete IPv6 socket options. |
<li>... |
<li>... |
</ul> |
</ul> |
<p> |
<p> |
|
|
|
|
<li>Assorted improvements: |
<li>Assorted improvements: |
<ul> |
<ul> |
<li>doas is a little friendlier to use |
<li>doas is a little friendlier to use. |
<li>Updated flex |
<li>Updated |
<li>Updated and improved less |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=flex&sektion=1">flex(1)</a>. |
|
<li>Updated and improved |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=less&sektion=1">less(1)</a>. |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/macppc/pdisk.8?query=pdisk">pdisk(8)</a> was largely rewritten and pledged. |
<li><a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/macppc/pdisk.8?query=pdisk">pdisk(8)</a> was largely rewritten and pledged. |
<li>Renaming files in the root directory of a MSDOS filesystem was fixed. |
<li>Renaming files in the root directory of a MSDOS filesystem was fixed. |
<li>Many obsolete <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/disktab.5?query=disktab">disktab(5)</a> attributes and entries were removed. |
<li>Many obsolete <a href="http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/disktab.5?query=disktab">disktab(5)</a> attributes and entries were removed. |
|
|
<li>Added <tt>Certplus CA</tt> root certificate to the default |
<li>Added <tt>Certplus CA</tt> root certificate to the default |
<tt>cert.pem</tt> file. |
<tt>cert.pem</tt> file. |
<li>Fixed a leak in |
<li>Fixed a leak in |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=SSL_new&sektion=3">SSL_new(3)</a> |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=SSL_new&sektion=3">SSL_new(3)</a> |
in the error path. |
in the error path. |
<li>Fixed a memory leak and out-of-bounds access in <tt>OBJ_obj2txt</tt>. |
<li>Fixed a memory leak and out-of-bounds access in |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=OBJ_nid2obj&sektion=3">OBJ_obj2txt(3)</a>. |
<li>Fixed an up-to 7 byte overflow in RC4 when len is not a multiple of |
<li>Fixed an up-to 7 byte overflow in RC4 when len is not a multiple of |
<tt>sizeof(RC4_CHUNK)</tt>. |
<tt>sizeof(RC4_CHUNK)</tt>. |
<li>Added |
<li>Added |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=EVP_AEAD_CTX_init&sektion=3">EVP_aead_chacha20_poly1305(3)</a> |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=EVP_AEAD_CTX_init&sektion=3">EVP_aead_chacha20_poly1305(3)</a> |
which matches the |
which matches the |
<tt>AEAD</tt> construction introduced in RFC 7539, which is different |
<tt>AEAD</tt> construction introduced in RFC 7539, which is different |
than that already used in TLS with |
than that already used in TLS with |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=EVP_AEAD_CTX_init&sektion=3">EVP_aead_chacha20_poly1305(3)</a>. |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=EVP_AEAD_CTX_init&sektion=3">EVP_aead_chacha20_poly1305(3)</a>. |
<li>More man pages converted from pod to |
<li>More man pages converted from pod to |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=mdoc&sektion=7">mdoc(7)</a> |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=mdoc&sektion=7">mdoc(7)</a> |
format. |
format. |
<li>Added <tt>COMODO RSA Certification Authority</tt> and |
<li>Added <tt>COMODO RSA Certification Authority</tt> and |
<tt>QuoVadis</tt> root certificates to <tt>cert.pem</tt>. |
<tt>QuoVadis</tt> root certificates to <tt>cert.pem</tt>. |
|
|
(serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be) |
(serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be) |
root certificate from <tt>cert.pem</tt>. |
root certificate from <tt>cert.pem</tt>. |
<li>Fixed incorrect TLS certificate loading by |
<li>Fixed incorrect TLS certificate loading by |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=nc&sektion=1">nc(1)</a>. |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=nc&sektion=1">nc(1)</a>. |
<li>The following CVEs had been fixed: |
<li>The following CVEs had been fixed: |
<ul> |
<ul> |
<li><tt>CVE-2015-3194</tt>—NULL pointer dereference in client |
<li><tt>CVE-2015-3194</tt>—NULL pointer dereference in client |
side certificate validation. |
side certificate validation. |
<li><tt>CVE-2015-3195</tt>—memory leak in PKCS7, not reachable |
<li><tt>CVE-2015-3195</tt>—memory leak in PKCS7, not reachable |
from TLS/SSL. |
from TLS/SSL. |
</ul> |
</ul> |
<li>Note: The following OpenSSL CVEs did not apply to LibreSSL: |
<li>Note: The following OpenSSL CVEs did not apply to LibreSSL: |
<ul> |
<ul> |
<li><tt>CVE-2015-3193</tt>—carry propagating bug in the x86_64 |
<li><tt>CVE-2015-3193</tt>—carry propagating bug in the x86_64 |
Montgomery squaring procedure. |
Montgomery squaring procedure. |
<li><tt>CVE-2015-3196</tt>—double free race condition of the |
<li><tt>CVE-2015-3196</tt>—double free race condition of the |
identify hint data. |
identify hint data. |
</ul> |
</ul> |
</ul> |
</ul> |
<li>Code improvements: |
<li>Code improvements: |
|
|
<li>SSLv3 is now permanently removed from the tree. |
<li>SSLv3 is now permanently removed from the tree. |
<li>The <tt>libtls</tt> API is changed from the 2.2.x series: |
<li>The <tt>libtls</tt> API is changed from the 2.2.x series: |
<ul> |
<ul> |
<li>The |
<li>The |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tls_init&sektion=3">tls_read(3)</a> |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tls_init&sektion=3">tls_read(3)</a> |
and |
and |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tls_init&sektion=3">tls_write(3)</a> |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tls_init&sektion=3">tls_write(3)</a> |
functions now work better with external event libraries. |
functions now work better with external event libraries. |
<li>Client-side verification is now supported, with the client |
<li>Client-side verification is now supported, with the client |
supplying the certificate to the server. |
supplying the certificate to the server. |
<li>Also, when using |
<li>Also, when using |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tls_init&sektion=3">tls_connect_fds(3)</a>, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tls_init&sektion=3">tls_connect_fds(3)</a>, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tls_init&sektion=3">tls_connect_socket(3)</a> |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tls_init&sektion=3">tls_connect_socket(3)</a> |
or |
or |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tls_init&sektion=3">tls_accept_fds(3)</a>, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tls_init&sektion=3">tls_accept_fds(3)</a>, |
<tt>libtls</tt> no longer implicitly closes the passed in sockets. |
<tt>libtls</tt> no longer implicitly closes the passed in sockets. |
The caller is responsible for closing them in this case. |
The caller is responsible for closing them in this case. |
</ul> |
</ul> |
<li>New interface <tt>OPENSSL_cpu_caps</tt> is provided that does not |
<li>New interface <tt>OPENSSL_cpu_caps</tt> is provided that does not |
allow software to inadvertently modify cpu capability flags. |
allow software to inadvertently modify cpu capability flags. |
|
|
<tt>ssize_t</tt> to <tt>size_t</tt>. |
<tt>ssize_t</tt> to <tt>size_t</tt>. |
<li>Deduplicated DTLS code, sharing bugfixes and improvements with TLS. |
<li>Deduplicated DTLS code, sharing bugfixes and improvements with TLS. |
<li>Converted |
<li>Converted |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=nc&sektion=1">nc(1)</a> |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=nc&sektion=1">nc(1)</a> |
to use <tt>libtls</tt> for client and server operations; it is |
to use <tt>libtls</tt> for client and server operations; it is |
included in the libressl-portable distribution as an example of how |
included in the libressl-portable distribution as an example of how |
to use the <tt>libtls</tt> library. This is intended to be a simpler |
to use the <tt>libtls</tt> library. This is intended to be a simpler |
|
|
<tt>libtls</tt>. |
<tt>libtls</tt>. |
<li>Added ability to check certificate validity times with |
<li>Added ability to check certificate validity times with |
<tt>libtls</tt>, |
<tt>libtls</tt>, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tls_init&sektion=3">tls_peer_cert_notbefore(3)</a> |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tls_init&sektion=3">tls_peer_cert_notbefore(3)</a> |
and |
and |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tls_init&sektion=3">tls_peer_cert_notafter(3)</a>. |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tls_init&sektion=3">tls_peer_cert_notafter(3)</a>. |
<li>Changed |
<li>Changed |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tls_init&sektion=3">tls_connect_servername(3)</a> |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=tls_init&sektion=3">tls_connect_servername(3)</a> |
to use the first address that resolves with |
to use the first address that resolves with |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=getaddrinfo&sektion=3">getaddrinfo(3)</a>. |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=getaddrinfo&sektion=3">getaddrinfo(3)</a>. |
<li>Remove broken conditional <tt>EVP_CHECK_DES_KEY</tt> code |
<li>Remove broken conditional <tt>EVP_CHECK_DES_KEY</tt> code |
(non-functional since initial commit in 2004). |
(non-functional since initial commit in 2004). |
<li>Reject too small bits value in |
<li>Reject too small bits value in |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=BN_generate_prime&sektion=3">BN_generate_prime_ex(3)</a>, |
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=BN_generate_prime&sektion=3">BN_generate_prime_ex(3)</a>, |
so that it does not risk becoming negative in |
so that it does not risk becoming negative in |
<tt>probable_prime_dh_safe()</tt>. |
<tt>probable_prime_dh_safe()</tt>. |
<li>Changed format of <tt>LIBRESSL_VERSION_NUMBER</tt> to match that of |
<li>Changed format of <tt>LIBRESSL_VERSION_NUMBER</tt> to match that of |