version 1.56, 2020/10/08 15:22:38 |
version 1.57, 2020/10/08 15:37:13 |
|
|
|
|
<li>API and Documentation Enhancements |
<li>API and Documentation Enhancements |
<ul> |
<ul> |
<li>New CMAC_Init(3) and ChaCha(3) manual pages. |
<li>New <a href="https://man.openbsd.org/CMAC_Init">CMAC_Init(3)</a> and <a href="https://man.openbsd.org/ChaCha">ChaCha(3)</a> manual pages. |
<li>Document SSL_set1_host(3), SSL_set_SSL_CTX(3). |
<li>Document <a href="https://man.openbsd.org/SSL_set1_host">SSL_set1_host(3)</a>, <a href="https://man.openbsd.org/SSL_set_SSL_CTX">SSL_set_SSL_CTX(3)</a>. |
<li>Document PKCS7 attribute functions. |
<li>Document PKCS7 attribute functions. |
<li>Document PKCS7_final(3), PKCS7_add_attribute(3). |
<li>Document <a href="https://man.openbsd.org/PKCS7_final">PKCS7_final(3)</a>, <a href="https://man.openbsd.org/PKCS7_add_attribute">PKCS7_add_attribute(3)</a>. |
<li>Document PKCS7_get_signer_info(3). |
<li>Document <a href="https://man.openbsd.org/PKCS7_get_signer_info">PKCS7_get_signer_info(3)</a>. |
<li>Document PEM_ASN1_read(3) and PEM_ASN1_read_bio(3). |
<li>Document <a href="https://man.openbsd.org/PEM_ASN1_read">PEM_ASN1_read(3)</a> and <a href="https://man.openbsd.org/PEM_ASN1_read_bio">PEM_ASN1_read_bio(3)</a>. |
<li>Document PEM_X509_INFO_read(3) and PEM_X509_INFO_read_bio(3). |
<li>Document <a href="https://man.openbsd.org/PEM_X509_INFO_read">PEM_X509_INFO_read(3)</a> and <a href="https://man.openbsd.org/PEM_X509_INFO_read_bio">PEM_X509_INFO_read_bio(3)</a>. |
<li>Document PEM_def_callback(3). |
<li>Document <a href="https://man.openbsd.org/PEM_def_callback">PEM_def_callback(3)</a>. |
<li>Document EVP_read_pw_string_min(3). |
<li>Document <a href="https://man.openbsd.org/EVP_read_pw_string_min">EVP_read_pw_string_min(3)</a>. |
<li>Merge documentation of X509_get0_serialNumber from OpenSSL 1.1.1. |
<li>Merge documentation of <a href="https://man.openbsd.org/X509_get0_serialNumber">X509_get0_serialNumber(3)</a> from OpenSSL 1.1.1. |
<li>Document error handling of X509_PUBKEY_get0(3) and X509_PUBKEY_get(3) |
<li>Document error handling of <a href="https://man.openbsd.org/X509_PUBKEY_get0">X509_PUBKEY_get0(3)</a> and <a href="https://man.openbsd.org/X509_PUBKEY_get">X509_PUBKEY_get(3)</a>. |
<li>Document X509_get0_pubkey_bitstr(3). |
<li>Document <a href="https://man.openbsd.org/X509_get0_pubkey_bitstr">X509_get0_pubkey_bitstr(3)</a> |
<li>Document openssl(1) certhash. |
<li>Document <a href="https://man.openbsd.org/openssl">openssl(1)</a> certhash. |
</ul> |
</ul> |
|
|
<li>Compatibility Changes |
<li>Compatibility Changes |
|
|
<li>Make SSL_CTX_get_ciphers(NULL) return NULL rather than crash. |
<li>Make SSL_CTX_get_ciphers(NULL) return NULL rather than crash. |
<li>Improve TLSv1.3 client certificate selection to allow EC certificates instead of only RSA certificates. |
<li>Improve TLSv1.3 client certificate selection to allow EC certificates instead of only RSA certificates. |
<li>Add minimal info callback support for TLSv1.3. |
<li>Add minimal info callback support for TLSv1.3. |
<li>Support TLSv1.3 options in the openssl(1) command. |
<li>Support TLSv1.3 options in the <a href="https://man.openbsd.org/openssl">openssl(1)</a> command. |
<li>Add support for additional GOST curves from RFC 7836 and draft-deremin-rfc4491-bis. |
<li>Add support for additional GOST curves from RFC 7836 and draft-deremin-rfc4491-bis. |
<li>Add OIDs for HMAC using the Streebog hash function. |
<li>Add OIDs for HMAC using the Streebog hash function. |
<li>Allow GOST R 34.11-2012 in PBE/PBKDF2/PKCS#5. |
<li>Allow GOST R 34.11-2012 in PBE/PBKDF2/PKCS#5. |
|
|
<li>Improve length checks in the TLSv1.3 record layer and provide appropriate alerts for violations of record layer limits. |
<li>Improve length checks in the TLSv1.3 record layer and provide appropriate alerts for violations of record layer limits. |
<li>Enforce that SNI hostnames received by the TLS server are correctly formed as per RFC 5890 and RFC 6066, responding with illegal parameter for a nonconformant host name. |
<li>Enforce that SNI hostnames received by the TLS server are correctly formed as per RFC 5890 and RFC 6066, responding with illegal parameter for a nonconformant host name. |
<li>Support SSL_MODE_AUTO_RETRY in TLSv1.3 to allow the automatic retry of handshake messages. |
<li>Support SSL_MODE_AUTO_RETRY in TLSv1.3 to allow the automatic retry of handshake messages. |
<li>Improve the handling of BIO_read()/BIO_write() failures in the TLSv1.3 stack. |
<li>Improve the handling of <a href="https://man.openbsd.org/BIO_read">BIO_read(3)</a>/<a href="https://man.openbsd.org/BIO_write">BIO_write(3)</a> failures in the TLSv1.3 stack. |
<li>Start replacing the existing TLSv1.2 record layer. |
<li>Start replacing the existing TLSv1.2 record layer. |
<li>Simplify SSL method lookups. |
<li>Simplify SSL method lookups. |
<li>Clean up and simplify SSL_get_ciphers(), SSL_set_session(), SSL_set_ssl_method() and several internal functions. |
<li>Clean up and simplify <a href="https://man.openbsd.org/SSL_get_ciphers">SSL_get_ciphers(3)</a>, <a href="https://man.openbsd.org/SSL_set_session">SSL_set_session(3)</a>, <a href="https://man.openbsd.org/SSL_set_ssl_method">SSL_set_ssl_method(3)</a> and several internal functions. |
<li>Refactor dtls1_new(), dtls1_hm_fragment_new(), dtls1_drain_fragments(), dtls1_clear_queues(). |
<li>Refactor dtls1_new(), dtls1_hm_fragment_new(), dtls1_drain_fragments(), dtls1_clear_queues(). |
<li>Make the message type available in the internal TLS extensions API functions. |
<li>Make the message type available in the internal TLS extensions API functions. |
<li>Numerous openssl(1) subcommands were converted to the new option handling. |
<li>Numerous <a href="https://man.openbsd.org/openssl">openssl(1)</a> subcommands were converted to the new option handling. |
<li>Copy the session ID directly in ssl_get_prev_session() instead of handing it through several functions for copying. |
<li>Copy the session ID directly in ssl_get_prev_session() instead of handing it through several functions for copying. |
</ul> |
</ul> |
|
|
|
|
<li>Enforce in the TLSv1.3 server that that ClientHello messages after a HelloRetryRequest match the original ClientHello as per RFC 8446 section 4.1.2 |
<li>Enforce in the TLSv1.3 server that that ClientHello messages after a HelloRetryRequest match the original ClientHello as per RFC 8446 section 4.1.2 |
<li>Avoid calling freezero with a negative size if a server sends a malformed plaintext of all zeroes. |
<li>Avoid calling freezero with a negative size if a server sends a malformed plaintext of all zeroes. |
<li>Correct use of sockaddr_storage instead of sockaddr in openssl(1) s_client, which could lead to using 14 bytes of stack garbage instead of an IPv6 address in DTLS mode. |
<li>Correct use of sockaddr_storage instead of sockaddr in openssl(1) s_client, which could lead to using 14 bytes of stack garbage instead of an IPv6 address in DTLS mode. |
<li>Fix a longstanding bug in PEM_X509_INFO_read_bio(3) that could cause use-after-free and double-free issues in calling programs. |
<li>Fix a longstanding bug in <a href="https://man.openbsd.org/PEM_X509_INFO_read_bio">PEM_X509_INFO_read_bio(3)</a> that could cause use-after-free and double-free issues in calling programs. |
<li>Zero out variable on the stack to avoid leaving garbage in the tail of short session IDs. |
<li>Zero out variable on the stack to avoid leaving garbage in the tail of short session IDs. |
<li>Ensure that appropriate alerts are sent on various error conditions. |
<li>Ensure that appropriate alerts are sent on various error conditions. |
<li>Move state initialization from SSL_clear() to ssl3_clear() to ensure that it gets correctly reinitialized across a SSL_set_ssl_method() call. |
<li>Move state initialization from <a href="https://man.openbsd.org/SSL_clear">SSL_clear(3)</a> to ssl3_clear() to ensure that it gets correctly reinitialized across a <a href="https://man.openbsd.org/SSL_set_ssl_method">SSL_set_ssl_method(3)</a> call. |
<li>Add a custom copy handler for AES keywrap to fix a use-after-free. |
<li>Add a custom copy handler for AES keywrap to fix a use-after-free. |
<li>Avoid an out-of-bounds write in BN_rand(). |
<li>Avoid an out-of-bounds write in <a href="https://man.openbsd.org/BN_rand">BN_rand(3)</a>. |
<li>Fix numerous leaks in the UI_dup_* functions. Simplify and tidy up the code in ui_lib.c. |
<li>Fix numerous leaks in the UI_dup_* functions. Simplify and tidy up the code in ui_lib.c. |
<li>Correctly track selected ALPN length to avoid a potential segmentation fault with SSL_get0_alpn_selected() when alpn_selected is NULL. |
<li>Correctly track selected ALPN length to avoid a potential segmentation fault with <a href="https://man.openbsd.org/SSL_get0_alpn_selected">SSL_get0_alpn_selected(3)</a> when alpn_selected is NULL. |
<li>Include machine/endian.h gost2814789.c in order to pick up the __STRICT_ALIGNMENT define. |
<li>Include machine/endian.h gost2814789.c in order to pick up the __STRICT_ALIGNMENT define. |
<li>Correctly handle ssl_cert_dup() failure in SSL_set_SSL_CTX(). |
<li>Correctly handle ssl_cert_dup() failure in <a href="https://man.openbsd.org/SSL_set_SSL_CTX">SSL_set_SSL_CTX(3)</a>. |
<li>Fail on receiving an invalid NID in X509_ATTRIBUTE_create() instead of constructing a broken objects that may cause NULL pointer accesses. |
<li>Fail on receiving an invalid NID in <a href="https://man.openbsd.org/X509_ATTRIBUTE_create">X509_ATTRIBUTE_create(3)</a> instead of constructing a broken objects that may cause NULL pointer accesses. |
<li>Fix SSL_shutdown behavior in TLSv1.3 to match the legacy stack. The previous behavior could cause a hang. |
<li>Fix <a href="https://man.openbsd.org/SSL_shutdown">SSL_shutdown(3)</a> behavior in TLSv1.3 to match the legacy stack. The previous behavior could cause a hang. |
<li>Modify "openssl x509" to display invalid certificate times as invalid, and correctly deal with the failing return case from X509_cmp_time so that a certificate with an invalid NotAfter does not appear valid. |
<li>Modify "openssl x509" to display invalid certificate times as invalid, and correctly deal with the failing return case from <a href="https://man.openbsd.org/X509_cmp_time ">X509_cmp_time(3)</a> so that a certificate with an invalid NotAfter does not appear valid. |
</ul> |
</ul> |
</ul> |
</ul> |
|
|