version 1.87, 2018/10/17 11:01:13 |
version 1.88, 2018/10/17 12:26:57 |
|
|
<li>X509 verification is now more strict so |
<li>X509 verification is now more strict so |
<a href="https://man.openbsd.org/X509_VERIFY_PARAM_set_flags.3">X509_VERIFY_PARAM</a> |
<a href="https://man.openbsd.org/X509_VERIFY_PARAM_set_flags.3">X509_VERIFY_PARAM</a> |
host, ip or email failure will cause future |
host, ip or email failure will cause future |
<a href="https://man.openbsd.org/X509_verify_cert.3">X509_verify_cert</a> |
<a href="https://man.openbsd.org/X509_verify_cert.3">X509_verify_cert(3)</a> |
calls to fail. |
calls to fail. |
<li>Support for single DES cipher suites is removed. |
<li>Support for single DES cipher suites is removed. |
<li>Support for RSASSA-PKCS1-v1_5 (RFC 8017) is added to |
<li>Support for RSASSA-PKCS1-v1_5 (RFC 8017) is added to |
<a href="https://man.openbsd.org/man3/RSA_sign.3">RSA_sign(3)</a> |
<a href="https://man.openbsd.org/man3/RSA_sign.3">RSA_sign(3)</a> |
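Review bot: on the new X509_verify_cert line the link text gains the "(3)" section suffix, but the X509_VERIFY_PARAM link earlier in the same item is left without one, and its text does not name the page it points to (X509_VERIFY_PARAM_set_flags.3). Consider labelling that link with the function the sentence actually means, for example X509_VERIFY_PARAM_set_flags(3), so both references in this item follow the same convention.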
<li>Modified signature of CRYPTO_mem_leaks_* to return -1. This function |
<li>Modified signature of <a href="https://man.openbsd.org/CRYPTO_mem_leaks.3">CRYPTO_mem_leaks_*(3)</a> to return -1. This function |
is a no-op in LibreSSL, so this function returns an error to not |
is a no-op in LibreSSL, so this function returns an error to not |
indicate the (non-)existence of memory leaks. |
indicate the (non-)existence of memory leaks. |
<li>SSL_copy_session_id, PEM_Sign, EVP_EncodeUpdate, BIO_set_cipher, |
<li><a href="https://man.openbsd.org/SSL_copy_session_id.3">SSL_copy_session_id(3)</a>, PEM_Sign, <a href="https://man.openbsd.org/EVP_EncodeUpdate.3">EVP_EncodeUpdate(3)</a>, <a href="https://man.openbsd.org/BIO_set_cipher.3">BIO_set_cipher(3)</a>, <a href="https://man.openbsd.org/X509_OBJECT_up_ref_count.3">X509_OBJECT_up_ref_count(3)</a> now return an int for error handling, matching OpenSSL. |
X509_OBJECT_up_ref_count now return an int for error handling, |
|
matching OpenSSL. |
|
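Review bot: in the merged "now return an int" item, PEM_Sign is the only name left with neither a link nor a section suffix, while SSL_copy_session_id(3), EVP_EncodeUpdate(3), BIO_set_cipher(3) and X509_OBJECT_up_ref_count(3) are all linked. Link it if a page exists, otherwise the omission reads as an oversight. In the item above, the link text CRYPTO_mem_leaks_*(3) combines a wildcard with a section suffix although the href is the single page CRYPTO_mem_leaks.3; using the page name as the link text and mentioning the variants outside the link would be clearer.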
<li>Converted a number of #defines into proper functions, matching |
<li>Converted a number of #defines into proper functions, matching |
OpenSSL's ABI. |
OpenSSL's ABI (e.g. <a href="https://man.openbsd.org/X509_CRL_get_issuer.3">X509_CRL_get_issuer(3)</a> and other X509_*get*(3) functions) |
<li>Added X509_get0_serialNumber from OpenSSL. |
<li>Added X509_get0_serialNumber(3) from OpenSSL. |
<li>Removed EVP_PKEY2PKCS8_broken and PKCS8_set_broken, while adding |
<li>Removed EVP_PKEY2PKCS8_broken(3) and PKCS8_set_broken(3), while adding |
PKCS8_pkey_add1_attr_by_NID and PKCS8_pkey_get0_attrs, matching |
PKCS8_pkey_add1_attr_by_NID(3) and PKCS8_pkey_get0_attrs(3), matching |
OpenSSL. |
OpenSSL. |
<li>Removed broken pkcs8 formats from openssl(1). |
<li>Removed broken pkcs8 formats from <a href="https://man.openbsd.org/openssl.1">openssl(1)</a>. |
<li>Added RSA_meth_get_finish() RSA_meth_set1_name() from OpenSSL. |
<li>Added <a href="https://man.openbsd.org/RSA_meth_get_finish.3">RSA_meth_get_finish(3)</a> and <a href="https://man.openbsd.org/RSA_meth_set1_name.3">RSA_meth_set1_name(3)</a> from OpenSSL. |
<li>Added new EVP_CIPHER_CTX_(get|set)_iv() API that allows the IV to be |
<li>Added new <a href="https://man.openbsd.org/EVP_CIPHER_CTX_get_iv.3">EVP_CIPHER_CTX_(get|set)_iv(3)</a> API that allows the IV to be retrieved and set with appropriate validation. |
retrieved and set with appropriate validation. |
|
<li>Extensive documentation updates and additional API history. |
<li>Extensive documentation updates and additional API history. |
<li>Removed SSL_OP_TLS_ROLLBACK_BUG buggy client workarounds. |
<li>Removed SSL_OP_TLS_ROLLBACK_BUG buggy client workarounds. |
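Review bot: the parenthetical added to the "#defines into proper functions" item drops the full stop the old line ended with, and "other X509_*get*(3) functions" attaches a section suffix to a glob rather than to a page name. In the items that follow, "(3)" is added as plain text (X509_get0_serialNumber(3), EVP_PKEY2PKCS8_broken(3), PKCS8_set_broken(3), PKCS8_pkey_add1_attr_by_NID(3), PKCS8_pkey_get0_attrs(3)) while neighbouring names are hyperlinked; either link them or leave the suffix off, particularly for the two functions the item says were removed. The link text EVP_CIPHER_CTX_(get|set)_iv(3), whose href is EVP_CIPHER_CTX_get_iv.3, has the same pattern-as-page-name problem.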
<li>Made ENGINE_finish and ENGINE_free succeed on NULL and simplify callers |
<li>Made <a href="https://man.openbsd.org/ENGINE_finish.3">ENGINE_finish(3)</a> and <a href="https://man.openbsd.org/ENGINE_free.3">ENGINE_free(3)</a> succeed on NULL and simplify callers and matching OpenSSL behavior, rewrote ENGINE_* documentation. |
and matching OpenSSL behavior, rewrote ENGINE_* documentation. |
|
<li>Added const annotations to many existing APIs from OpenSSL, making |
<li>Added const annotations to many existing APIs from OpenSSL, making |
interoperability easier for downstream applications. |
interoperability easier for downstream applications. |
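Review bot: the rejoined ENGINE line carries over an ungrammatical sentence, "succeed on NULL and simplify callers and matching OpenSSL behavior, rewrote ENGINE_* documentation", and since the line is being rewritten to add the links anyway, this is the place to fix it. Something like "succeed on NULL, simplifying callers and matching OpenSSL behavior; rewrote ENGINE_* documentation." keeps the meaning and separates the behavior change from the documentation change.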
<li>Documented security pitfalls with BN_FLG_CONSTTIME and constant-time |
<li>Documented <a href="https://man.openbsd.org/BN_set_flags.3#BUGS">security pitfalls</a> with BN_FLG_CONSTTIME and constant-time operation of BN_* functions. |
operation of BN_* functions. |
|
</ul> |
</ul> |
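Review bot: the new "security pitfalls" link on the BN_FLG_CONSTTIME item hides its target behind generic link text and a "#BUGS" fragment, unlike every other link in this revision, which names the manual page. Because this item is the one readers will follow for constant-time guidance, consider naming the page in the text, for example "Documented security pitfalls with BN_FLG_CONSTTIME in BN_set_flags(3)", so the reference is still usable if the fragment does not resolve.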
<li>Testing and Proactive Security |
<li>Testing and Proactive Security |
<ul> |
<ul> |