[BACK]Return to 68.html CVS log [TXT][DIR] Up to [local] / www

Diff for /www/68.html between version 1.56 and 1.57

version 1.56, 2020/10/08 15:22:38 version 1.57, 2020/10/08 15:37:13
Line 472 
Line 472 
   
     <li>API and Documentation Enhancements      <li>API and Documentation Enhancements
     <ul>      <ul>
         <li>New CMAC_Init(3) and ChaCha(3) manual pages.          <li>New <a href="https://man.openbsd.org/CMAC_Init">CMAC_Init(3)</a> and <a href="https://man.openbsd.org/ChaCha">ChaCha(3)</a> manual pages.
         <li>Document SSL_set1_host(3), SSL_set_SSL_CTX(3).          <li>Document <a href="https://man.openbsd.org/SSL_set1_host">SSL_set1_host(3)</a>, <a href="https://man.openbsd.org/SSL_set_SSL_CTX">SSL_set_SSL_CTX(3)</a>.
         <li>Document PKCS7 attribute functions.          <li>Document PKCS7 attribute functions.
         <li>Document PKCS7_final(3), PKCS7_add_attribute(3).          <li>Document <a href="https://man.openbsd.org/PKCS7_final">PKCS7_final(3)</a>, <a href="https://man.openbsd.org/PKCS7_add_attribute">PKCS7_add_attribute(3)</a>.
         <li>Document PKCS7_get_signer_info(3).          <li>Document <a href="https://man.openbsd.org/PKCS7_get_signer_info">PKCS7_get_signer_info(3)</a>.
         <li>Document PEM_ASN1_read(3) and PEM_ASN1_read_bio(3).          <li>Document <a href="https://man.openbsd.org/PEM_ASN1_read">PEM_ASN1_read(3)</a> and <a href="https://man.openbsd.org/PEM_ASN1_read_bio">PEM_ASN1_read_bio(3)</a>.
         <li>Document PEM_X509_INFO_read(3) and PEM_X509_INFO_read_bio(3).          <li>Document <a href="https://man.openbsd.org/PEM_X509_INFO_read">PEM_X509_INFO_read(3)</a> and <a href="https://man.openbsd.org/PEM_X509_INFO_read_bio">PEM_X509_INFO_read_bio(3)</a>.
         <li>Document PEM_def_callback(3).          <li>Document <a href="https://man.openbsd.org/PEM_def_callback">PEM_def_callback(3)</a>.
         <li>Document EVP_read_pw_string_min(3).          <li>Document <a href="https://man.openbsd.org/EVP_read_pw_string_min">EVP_read_pw_string_min(3)</a>.
         <li>Merge documentation of X509_get0_serialNumber from OpenSSL 1.1.1.          <li>Merge documentation of <a href="https://man.openbsd.org/X509_get0_serialNumber">X509_get0_serialNumber(3)</a> from OpenSSL 1.1.1.
         <li>Document error handling of X509_PUBKEY_get0(3) and X509_PUBKEY_get(3)          <li>Document error handling of <a href="https://man.openbsd.org/X509_PUBKEY_get0">X509_PUBKEY_get0(3)</a> and <a href="https://man.openbsd.org/X509_PUBKEY_get">X509_PUBKEY_get(3)</a>.
         <li>Document X509_get0_pubkey_bitstr(3).          <li>Document <a href="https://man.openbsd.org/X509_get0_pubkey_bitstr">X509_get0_pubkey_bitstr(3)</a>
         <li>Document openssl(1) certhash.          <li>Document <a href="https://man.openbsd.org/openssl">openssl(1)</a> certhash.
     </ul>      </ul>
   
     <li>Compatibility Changes      <li>Compatibility Changes
Line 495 
Line 495 
         <li>Make SSL_CTX_get_ciphers(NULL) return NULL rather than crash.          <li>Make SSL_CTX_get_ciphers(NULL) return NULL rather than crash.
         <li>Improve TLSv1.3 client certificate selection to allow EC certificates instead of only RSA certificates.          <li>Improve TLSv1.3 client certificate selection to allow EC certificates instead of only RSA certificates.
         <li>Add minimal info callback support for TLSv1.3.          <li>Add minimal info callback support for TLSv1.3.
         <li>Support TLSv1.3 options in the openssl(1) command.          <li>Support TLSv1.3 options in the <a href="https://man.openbsd.org/openssl">openssl(1)</a> command.
         <li>Add support for additional GOST curves from RFC 7836 and draft-deremin-rfc4491-bis.          <li>Add support for additional GOST curves from RFC 7836 and draft-deremin-rfc4491-bis.
         <li>Add OIDs for HMAC using the Streebog hash function.          <li>Add OIDs for HMAC using the Streebog hash function.
         <li>Allow GOST R 34.11-2012 in PBE/PBKDF2/PKCS#5.          <li>Allow GOST R 34.11-2012 in PBE/PBKDF2/PKCS#5.
Line 519 
Line 519 
         <li>Improve length checks in the TLSv1.3 record layer and provide appropriate alerts for violations of record layer limits.          <li>Improve length checks in the TLSv1.3 record layer and provide appropriate alerts for violations of record layer limits.
         <li>Enforce that SNI hostnames received by the TLS server are correctly formed as per RFC 5890 and RFC 6066, responding with illegal parameter for a nonconformant host name.          <li>Enforce that SNI hostnames received by the TLS server are correctly formed as per RFC 5890 and RFC 6066, responding with illegal parameter for a nonconformant host name.
         <li>Support SSL_MODE_AUTO_RETRY in TLSv1.3 to allow the automatic retry of handshake messages.          <li>Support SSL_MODE_AUTO_RETRY in TLSv1.3 to allow the automatic retry of handshake messages.
         <li>Improve the handling of BIO_read()/BIO_write() failures in the TLSv1.3 stack.          <li>Improve the handling of <a href="https://man.openbsd.org/BIO_read">BIO_read(3)</a>/<a href="https://man.openbsd.org/BIO_write">BIO_write(3)</a> failures in the TLSv1.3 stack.
         <li>Start replacing the existing TLSv1.2 record layer.          <li>Start replacing the existing TLSv1.2 record layer.
         <li>Simplify SSL method lookups.          <li>Simplify SSL method lookups.
         <li>Clean up and simplify SSL_get_ciphers(), SSL_set_session(), SSL_set_ssl_method() and several internal functions.          <li>Clean up and simplify <a href="https://man.openbsd.org/SSL_get_ciphers">SSL_get_ciphers(3)</a>, <a href="https://man.openbsd.org/SSL_set_session">SSL_set_session(3)</a>, <a href="https://man.openbsd.org/SSL_set_ssl_method">SSL_set_ssl_method(3)</a> and several internal functions.
         <li>Refactor dtls1_new(), dtls1_hm_fragment_new(), dtls1_drain_fragments(), dtls1_clear_queues().          <li>Refactor dtls1_new(), dtls1_hm_fragment_new(), dtls1_drain_fragments(), dtls1_clear_queues().
         <li>Make the message type available in the internal TLS extensions API functions.          <li>Make the message type available in the internal TLS extensions API functions.
         <li>Numerous openssl(1) subcommands were converted to the new option handling.          <li>Numerous <a href="https://man.openbsd.org/openssl">openssl(1)</a> subcommands were converted to the new option handling.
         <li>Copy the session ID directly in ssl_get_prev_session() instead of handing it through several functions for copying.          <li>Copy the session ID directly in ssl_get_prev_session() instead of handing it through several functions for copying.
       </ul>        </ul>
   
Line 541 
Line 541 
         <li>Enforce in the TLSv1.3 server that that ClientHello messages after a HelloRetryRequest match the original ClientHello as per RFC 8446 section 4.1.2          <li>Enforce in the TLSv1.3 server that that ClientHello messages after a HelloRetryRequest match the original ClientHello as per RFC 8446 section 4.1.2
         <li>Avoid calling freezero with a negative size if a server sends a malformed plaintext of all zeroes.          <li>Avoid calling freezero with a negative size if a server sends a malformed plaintext of all zeroes.
         <li>Correct use of sockaddr_storage instead of sockaddr in openssl(1) s_client, which could lead to using 14 bytes of stack garbage instead of an IPv6 address in DTLS mode.          <li>Correct use of sockaddr_storage instead of sockaddr in openssl(1) s_client, which could lead to using 14 bytes of stack garbage instead of an IPv6 address in DTLS mode.
         <li>Fix a longstanding bug in PEM_X509_INFO_read_bio(3) that could cause use-after-free and double-free issues in calling programs.          <li>Fix a longstanding bug in <a href="https://man.openbsd.org/PEM_X509_INFO_read_bio">PEM_X509_INFO_read_bio(3)</a> that could cause use-after-free and double-free issues in calling programs.
         <li>Zero out variable on the stack to avoid leaving garbage in the tail of short session IDs.          <li>Zero out variable on the stack to avoid leaving garbage in the tail of short session IDs.
         <li>Ensure that appropriate alerts are sent on various error conditions.          <li>Ensure that appropriate alerts are sent on various error conditions.
         <li>Move state initialization from SSL_clear() to ssl3_clear() to ensure that it gets correctly reinitialized across a SSL_set_ssl_method() call.          <li>Move state initialization from <a href="https://man.openbsd.org/SSL_clear">SSL_clear(3)</a> to ssl3_clear() to ensure that it gets correctly reinitialized across a <a href="https://man.openbsd.org/SSL_set_ssl_method">SSL_set_ssl_method(3)</a> call.
         <li>Add a custom copy handler for AES keywrap to fix a use-after-free.          <li>Add a custom copy handler for AES keywrap to fix a use-after-free.
         <li>Avoid an out-of-bounds write in BN_rand().          <li>Avoid an out-of-bounds write in <a href="https://man.openbsd.org/BN_rand">BN_rand(3)</a>.
         <li>Fix numerous leaks in the UI_dup_* functions. Simplify and tidy up the code in ui_lib.c.          <li>Fix numerous leaks in the UI_dup_* functions. Simplify and tidy up the code in ui_lib.c.
         <li>Correctly track selected ALPN length to avoid a potential segmentation fault with SSL_get0_alpn_selected() when alpn_selected is NULL.          <li>Correctly track selected ALPN length to avoid a potential segmentation fault with <a href="https://man.openbsd.org/SSL_get0_alpn_selected">SSL_get0_alpn_selected(3)</a> when alpn_selected is NULL.
         <li>Include machine/endian.h gost2814789.c in order to pick up the __STRICT_ALIGNMENT define.          <li>Include machine/endian.h gost2814789.c in order to pick up the __STRICT_ALIGNMENT define.
         <li>Correctly handle ssl_cert_dup() failure in SSL_set_SSL_CTX().          <li>Correctly handle ssl_cert_dup() failure in <a href="https://man.openbsd.org/SSL_set_SSL_CTX">SSL_set_SSL_CTX(3)</a>.
         <li>Fail on receiving an invalid NID in X509_ATTRIBUTE_create() instead of constructing a broken objects that may cause NULL pointer accesses.          <li>Fail on receiving an invalid NID in <a href="https://man.openbsd.org/X509_ATTRIBUTE_create">X509_ATTRIBUTE_create(3)</a> instead of constructing a broken objects that may cause NULL pointer accesses.
         <li>Fix SSL_shutdown behavior in TLSv1.3 to match the legacy stack.  The previous behavior could cause a hang.          <li>Fix <a href="https://man.openbsd.org/SSL_shutdown">SSL_shutdown(3)</a> behavior in TLSv1.3 to match the legacy stack.  The previous behavior could cause a hang.
         <li>Modify "openssl x509" to display invalid certificate times as invalid, and correctly deal with the failing return case from X509_cmp_time so that a certificate with an invalid NotAfter does not appear valid.          <li>Modify "openssl x509" to display invalid certificate times as invalid, and correctly deal with the failing return case from <a href="https://man.openbsd.org/X509_cmp_time ">X509_cmp_time(3)</a> so that a certificate with an invalid NotAfter does not appear valid.
     </ul>      </ul>
   </ul>    </ul>
   
Legend:
Removed from v.1.56  
changed lines
  Added in v.1.57