www/64.html - diff

Return to 64.html CVS log

Up to [local] / www

Diff for /www/64.html between version 1.85 and 1.86

version 1.85, 2018/10/17 07:48:17

version 1.86, 2018/10/17 10:42:19

Line 91

<li>New <a href="https://man.openbsd.org/acpipci.4">acpipci(4/arm64)</a>

driver providing support for PCI host bridges

based on information provided by ACPI.

<li>New

<a href="https://man.openbsd.org/mvclock.4">mvclock(4)</a>,

<a href="https://man.openbsd.org/mvgpio.4">mvgpio(4)</a>,

<a href="https://man.openbsd.org/mvicu.4">mvicu(4)</a>,

Line 248

and in assembly files on amd64 and i386.

<li>Added SpectreRSB mitigation on amd64.

<li>Added Intel L1 Terminal Fault mitigation on amd64.

<li>When available, PCIDs are used on amd64 to separate user

and kernel thread TLB entries.

<li>Meltdown mitigation was added to i386.

<li>amd64 now uses eager-FPU switching to prevent FPU state

Line 277

bound into an alternate routing domain.

<li><a href="https://man.openbsd.org/ospf6d.8">ospf6d(8)</a> is

now pledged.

<li>Prevent <a href="https://man.openbsd.org/ospfd.8">ospfd(8)</a> and

<a href="https://man.openbsd.org/ospf6d.8">ospf6d(8)</a> from being

started more than once (in the same routing domain).

<li><a href="https://man.openbsd.org/slaacd.8">slaacd(8)</a> is now fully

pledged.

Line 423

improved the rounding of partition offsets and

sizes to cylinder boundaries.

<li><a href="https://man.openbsd.org/disklabel.8">disklabel(8)</a>

now range checks all user input.

<li><a href="https://man.openbsd.org/disklabel.8">disklabel(8)</a>

no longer allows FS_RAID partitions to be given a mount point.

<li><a href="https://man.openbsd.org/disklabel.8">disklabel(8)</a>

Line 436

now handles terminfo colors greater than 256 correctly.

<li><a href="https://man.openbsd.org/httpd.8">httpd(8)</a>

now supports client certificate authentication.

<li>Numerous improvements to the

<a href="https://man.openbsd.org/fuse.4">fuse(4)</a> subsystem.

<li>Improvements to the way the kernel searches for available

memory to satisfy anonymous

Line 506

authentication log messages.

</ul>

<li>Non-exhaustive list of bug fixes:

<ul>

<li><a href="http://man.openbsd.org/ssh.1">ssh(1)</a>:

<a href="http://man.openbsd.org/ssh-keygen.1">ssh-keygen(1)</a>:

avoid spurious "invalid format" errors when attempting to load

Line 536

from OpenSSH <7.8.

</ul>

<p>

<li>LibreSSL 2.8.2

<ul>

<li>X509 verification was made more strict so

<li>API and Documentation Enhancements

<a href="https://man.openbsd.org/X509_VERIFY_PARAM_set_flags.3">X509_VERIFY_PARAM</a>

<ul>

host, ip or email failure will cause future

<li>X509 verification is now more strict so

<a href="https://man.openbsd.org/X509_verify_cert.3">X509_verify_cert</a>

<a href="https://man.openbsd.org/X509_VERIFY_PARAM_set_flags.3">X509_VERIFY_PARAM</a>

calls to fail.

host, ip or email failure will cause future

<li>Support for single DES cipher suites has been removed.

<a href="https://man.openbsd.org/X509_verify_cert.3">X509_verify_cert</a>

<li>Support for RSASSA-PKCS1-v1_5 (RFC 8017) was added to

calls to fail.

<li>Support for single DES cipher suites is removed.

<li>Support for RSASSA-PKCS1-v1_5 (RFC 8017) is added to

<li>Modified signature of CRYPTO_mem_leaks_* to return -1. This function

is a no-op in LibreSSL, so this function returns an error to not

indicate the (non-)existence of memory leaks.

<li>SSL_copy_session_id, PEM_Sign, EVP_EncodeUpdate, BIO_set_cipher,

X509_OBJECT_up_ref_count now return an int for error handling,

matching OpenSSL.

<li>Converted a number of #defines into proper functions, matching

OpenSSL's ABI.

<li>Added X509_get0_serialNumber from OpenSSL.

<li>Removed EVP_PKEY2PKCS8_broken and PKCS8_set_broken, while adding

PKCS8_pkey_add1_attr_by_NID and PKCS8_pkey_get0_attrs, matching

OpenSSL.

<li>Removed broken pkcs8 formats from openssl(1).

<li>Added RSA_meth_get_finish() RSA_meth_set1_name() from OpenSSL.

<li>Added new EVP_CIPHER_CTX_(get|set)_iv() API that allows the IV to be

retrieved and set with appropriate validation.

<li>Extensive documentation updates and additional API history.

<li>Removed SSL_OP_TLS_ROLLBACK_BUG buggy client workarounds.

<li>Made ENGINE_finish and ENGINE_free succeed on NULL and simplify callers

and matching OpenSSL behavior, rewrote ENGINE_* documentation.

<li>Added const annotations to many existing APIs from OpenSSL, making

interoperability easier for downstream applications.

<li>Documented security pitfalls with BN_FLG_CONSTTIME and constant-time

operation of BN_* functions.

</ul>

<li>Testing and Proactive Security

<ul>

<li>Added Wycheproof test support for ECDH, RSASSA-PSS, AES-GCM,

AES-CMAC, AES-CCM, AES-CBC-PKCS5, DSA, ChaCha20-Poly1305, ECDSA, and

X25519 test vectors. Applied appropriate fixes for errors uncovered by

tests.

<li>Added more cipher tests, including all TLSv1.2 ciphers.

<li>Added a blinding value when generating DSA and ECDSA signatures, in

order to reduce the possibility of a side-channel attack leaking the

private key.

<li>Added timing-safe compares for checking results of signature

verification.

<li>Added ECC constant time scalar multiplication support.

From Billy Brumley and his team at Tampere University of Technology.

</ul>

<li>Internal Improvements

<ul>

<li>Simplified key exchange signature generation and verification.

<li>Converted more code paths to use CBB/CBS. All handshake messages are

now created by CBB. RSA key exchange is simplified and uses dedicated

buffers for secrets.

<li>Simplified session ticket parsing and handling, inspired by

BoringSSL.

<li>Stopped handing AES-GCM in ssl_cipher_get_evp, since they use the

EVP_AEAD interface.

<li>Stopped using composite EVP_CIPHER AEADs.

<li>Removed unused SSL3_FLAGS_DELAY_CLIENT_FINISHED and

SSL3_FLAGS_POP_BUFFER flags in write path, simplifying IO paths.

<li>Updated BN_clear to use explicit_bzero.

<li>Cleaned up BN_* implementations following changes made in OpenSSL by

Davide Galassi and others.

<li>Revised the implementation of RSASSA-PKCS1-v1_5 to match the

specification in RFC 8017. Based on an OpenSSL commit by David

Benjamin.

</ul>

<li>Bug Fixes

<ul>

<li>Fixed a one-byte buffer overrun in callers of EVP_read_pw_string

<li>Fixed various memory leaks found by Coverity.

<li>Converted more functions in public API to use const arguments.

<li>Correctly clear the current cipher state, when changing cipher state.

This fixed an issue where renegotion of cipher suites would fail

when switched from AEAD to non-AEAD or vice-versa.

Issue reported by Bernard Spil.

<li>Fixed a pair of 20+ year-old bugs in X509_NAME_add_entry

<li>Fixed a potential memory leak on failure in ASN1_item_digest

<li>Fixed a potential memory alignment crash in asn1_item_combine_free

<li>Fixed small timing side-channels in ecdsa_sign_setup and

dsa_sign_setup.

<li>Added a missing bounds check in c2i_ASN1_BIT_STRING.

<li>Fixed a potential leak/incorrect return value in DSA signature

generation.

</ul>

<p>

Line 576

Line 658

<li><a href="https://man.openbsd.org/update-plist.1">update-plist(1)</a>

has been entirely rewritten and now figures out MULTI_PACKAGES and

variable substitution almost 100%.

<li>New packages now run maintenance database tools like

update-desktop-database just once instead of after

every package addition/removal.

</ul>

<dl>

Line 590

Line 672

<ul>

<li>aarch64: 8319

<li>amd64: 10304

<li>arm:

</ul></td><td valign=top width="25%"><ul>

<li>i386: 10230

<li>mips64:

<li>mips64el:

</ul></td><td valign=top width="25%"><ul>

<li>powerpc:

<li>sparc64:

</ul></td></tr></table>

<p>