===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/69.html,v
retrieving revision 1.37
retrieving revision 1.38
diff -c -r1.37 -r1.38
*** www/69.html	2021/04/14 21:11:50	1.37
--- www/69.html	2021/04/15 14:06:07	1.38
***************
*** 1118,1171 ****
    <ul>
      <li>New Features
      <ul>
  
! <!-- taken from plus.html, not sorted into categories:
  
! 	<li>Added a -legacy_verify flag to <a href="https://man.openbsd.org/openssl.1">openssl(1)</a> to force use of the old validator.
! 	<li>Changed <a href="https://man.openbsd.org/crypto.3">crypto(3)</a>
! 		to call its get_issuer() callback to try and find a suitable
! 		certificate in cases where it has failed to find a print certificate
! 		from the supplied roots and intermediates.
! 	<li>Corrected an issue where <a href="https://man.openbsd.org/openssl.1">openssl(1)</a> verify might not error on expired certificates.
! 	<li>Fixed an issue in the TLS 1.3 code that caused stalls in haproxy and other software.
! 	<li>Implemented auto chain for the TLSv1.3 server.
! 	<li>Implemented the key material exporter for TLSv1.3.
! 	<li>Fixed problems which could arise with software such as bacula and icinga when a root certificate was specified as both a trusted and an untrusted certificate.
! 	<li>Added support for <a href="https://man.openbsd.org/SSL_get_shared_ciphers.3">SSL_get_shared_ciphers(3)</a> in TLSv1.3 and fixed to correctly return ciphers shared by the client and the server.
! 	<li>Requested client certificate only when required in <a href="https://man.openbsd.org/smtpd.8">smtpd(8)</a>.
! 	<li>Enabled DTLSv1.2.
! -->
! 
      </ul>
  
      <li>API and Documentation Enhancements
      <ul>
! 	<li>...
      </ul>
  
      <li>Compatibility Changes
      <ul>
! 	<li>...
      </ul>
  
      <li>Testing and Proactive Security
      <ul>
! 	<li>...
      </ul>
  
      <li>Internal Improvements
        <ul>
! 	<li>...
!       </ul>
  
!     <li>Portable Improvements
!     <ul>
! 	<li>...
!     </ul>
  
      <li>Bug Fixes
      <ul>
! 	<li>...
      </ul>
    </ul>
  
--- 1118,1542 ----
    <ul>
      <li>New Features
      <ul>
+ 	<li>Support for DTLSv1.2.
+ 	<li>Continued rewrite of the record layer for the legacy stack.
+ 	<li>Numerous bugs and interoperability issues were fixed in the new verifier.
+ 	<li>The OpenSSL 1.1 TLSv1.3 API is not yet available.
+     </ul>
  
!     <li>Portable Improvements
!     <ul>
! 	<li>Added '--enable-libtls-only' build option, which builds and installs a
! 	    statically-linked libtls, skipping libcrypto and libssl. This is useful
! 	    for systems that ship with OpenSSL but wish to also package libtls.
  
! 	<li>Update getentropy on Windows to use Cryptography Next Generation
! 	    (CNG). wincrypt is deprecated and no longer works with newer Windows
! 	    environments, such as in Windows Store apps.
      </ul>
  
      <li>API and Documentation Enhancements
      <ul>
! 	<li>Add a number of RPKI OIDs from RFC 6482, 6484, 6493, 8182, 8360,
! 	    draft-ietf-sidrops-rpki-rta, and draft-ietf-opsawg-finding-geofeeds.
! 
! 	<li>Add support for SSL_get_shared_ciphers() with TLSv1.3.
! 
! 	<li>Add DTLSv1.2 methods.
! 
! 	<li>Implement SSL_is_dtls() and use it internally in place of the
! 	    SSL_IS_DTLS macro.
! 
! 	<li>Provide EVP_PKEY_new_CMAC_KEY(3).
! 
! 	<li>Add missing prototype for d2i_DSAPrivateKey_fp(3) to x509.h.
! 
! 	<li>Add DTLSv1.2 to openssl(1) s_server and s_client protocol message
! 	    logging.
! 
! 	<li>Provide SSL_use_certificate_chain_file(3).
! 
! 	<li>Provide SSL_set_hostflags(3) and SSL_get0_peername(3).
! 
! 	<li>Provide various DTLSv1.2 specific functions and defines.
! 
! 	<li>Document meaning of '*' in the genrsa output.
! 
! 	<li>Updated documentation for SSL_get_shared_ciphers(3).
! 
! 	<li>Add documentation for SSL_get_finished(3).
! 
! 	<li>Document EVP_PKEY_new_CMAC_key(3)
! 
! 	<li>Document SSL_use_certificate_chain_file(3).
! 
! 	<li>Document SSL_set_hostflags(3) and SSL_get0_peername(3).
! 
! 	<li>Update SSL_get_version.3 manual for DTLSv.1.2 support.
! 
! 	<li>Make supported protocols and options for DHE params more prominent
! 	    in tls_config_set_protocols.3.
! 
! 	<li>Various documentation improvements around TLS methods.
      </ul>
  
      <li>Compatibility Changes
      <ul>
! 	<li>Make openssl(1) s_server ignore -4 and -6 for compatibility with
! 	    OpenSSL.
! 
! 	<li>Set SO_REUSEADDR on the server socket in the openssl(1) ocsp
! 	    command.
! 
! 	<li>Send a host header with OCSP queries to make openssl(1) ocsp
! 	    work with some widely used OCSP responders.
! 
! 	<li>Add ability to ocspcheck(8) to parse a port in the specified
! 	    OCSP URL.
! 
! 	<li>Implement auto chain for the TLSv1.3 server since some software
! 	    relies on this.
! 
! 	<li>Implement key exporter for TLSv1.3.
! 	<li>Align SSL_get_shared_ciphers() with OpenSSL. This takes into account
! 	    that it never returned server ciphers, so now it will fail when
! 	    called from the client side.
! 
! 	<li>Sync cert.pem with Mozilla NSS root CAs except "GeoTrust Global CA".
! 
! 	<li>Make SSL{_CTX,}_get_{min,max}_proto_version() return a version of
! 	    zero if the minimum or maximum has been set to zero to match
! 	    OpenSSL's behavior.
! 
! 	<li>Add DTLSv1.2 support to openssl s_client/s_server.
      </ul>
  
      <li>Testing and Proactive Security
      <ul>
! 	<li>Malformed ASN.1 in a certificate revocation list or a timestamp
! 	    response token can lead to a NULL pointer dereference.
! 
! 	<li>Pull in fix for EVP_CipherUpdate() overflow from OpenSSL.
! 
! 	<li>Use EXFLAG_INVALID to handle out of memory and parse errors in
! 	    x509v3_cache_extensions().
! 
! 	<li>Refactor and clean up ocspcheck(8) and add regression tests.
      </ul>
  
      <li>Internal Improvements
        <ul>
! 	<li>Further cleanup of the DTLS record handling.
  
! 	<li>Continue the replacement of the TLSv1.2 record layer by
! 	    reimplementing the read side of the TLSv1.2 record handling.
  
+ 	<li>Replace DTLSv1_enc_data() with TLSv1_1_enc_data().
+ 
+ 	<li>Merge d1_{clnt,srvr}.c into ssl_{clnt,srvr}.c.
+ 
+ 	<li>Add const to ssl_ciphers and tls1[23]_sigalgs* to push them into
+ 	    .data.rel.ro and .rodata, respectively.
+ 
+ 	<li>Add a const qualifier to srtp_known_profiles.
+ 
+ 	<li>Simplify TLS method by removing the client and server specific
+ 	    methods internally.
+ 
+ 	<li>Avoid casting away const in ssl_ctx_make_profiles().
+ 
+ 	<li>Avoid explicitly conditioning an assert on DTLS1_VERSION to make
+ 	    the assert work for newer DTLS versions.
+ 
+ 	<li>Merge SSL_ENC_METHOD into SSL_METHOD_INTERNAL.
+ 
+ 	<li>Add a flag to mark DTLS methods as DTLS to have an easy way to
+ 	    recognize DTLS methods that avoids inspecting the version number.
+ 
+ 	<li>Mark a few more internal static tables const.
+ 
+ 	<li>Switch finish{,_peer}_md_len from an int to a size_t.
+ 
+ 	<li>Use EVP_MD_MAX_MD_SIZE instead of 2 * EVP_MD_MAX_MD_SIZE as size
+ 	    for cert_verify_md[], finish_md[] and peer_finish_md[]. The factor 2
+ 	    was a historical artefact.
+ 
+ 	<li>Free struct members in tls13_record_layer_free() in their natural
+ 	    order for reviewability.
+ 
+ 	<li>Use consistent names in tls13_{client,server}_finished_{recv,send}().
+ 
+ 	<li>Add tls13_secret_{init,cleanup}() and use them throughout the
+ 	    TLSv1.3 code base.
+ 
+ 	<li>Move the read MAC key into the TLSv1.2 record layer.
+ 
+ 	<li>Make tls12_record_layer_free() NULL safe.
+ 
+ 	<li>Split the record protection from the TLSv1.2 record layer.
+ 
+ 	<li>Clean up sequence number handling in the new TLSv1.2 record layer.
+ 
+ 	<li>Clean up sequence number handling in DTLS.
+ 
+ 	<li>Clean up dtls1_reset_seq_numbers().
+ 
+ 	<li>Factor out code for explicit IV length, block size and MAC length
+ 	    from tls12_record_layer_open_record_protected_cipher().
+ 
+ 	<li>Provide record layer overhead for DTLS.
+ 
+ 	<li>Provide functions to determine if TLSv1.2 record protection is
+ 	    engaged.
+ 
+ 	<li>Add code to handle change of cipher state in the new TLSv1.2 record
+ 	    layer.
+ 
+ 	<li>Mop up now unused dtls1_build_sequence_numbers() function.
+ 
+ 	<li>Allow setting a keypair on a tls context without specifying the
+ 	    private key, and fake it internally in libtls. This removes the
+ 	    need for privsep engines like relayd to use bogus keys.
+ 
+ 	<li>Skip the private key check for fake private keys.
+ 
+ 	<li>Move the private key setup from tls_configure_ssl_keypair() to a
+ 	    helper function with proper error checking.
+ 
+ 	<li>Change the internal tls_configure_ssl_keypair() function to
+ 	    return -1 instead of 1 on failure.
+ 
+ 	<li>Move sequence numbers into the new TLSv1.2 record layer.
+ 
+ 	<li>Move AEAD handling into the new TLSv1.2 record layer.
+ 
+ 	<li>Factor out legacy stack version checks.
+ 
+ 	<li>Correct handshake MAC/PRF for various TLSv1.2 cipher suites which
+ 	    were originally added with the default handshake MAC and PRF rather
+ 	    than the SHA256 handshake MAC and PRF.
+ 
+ 	<li>Absorb ssl3_get_algorithm2() into ssl_get_handshake_evp_md().
+ 
+ 	<li>Use dtls1_record_retrieve_buffered_record() to load buffered
+ 	    application data.
+ 
+ 	<li>Enforce read ahead with DTLS.
+ 
+ 	<li>Remove bogus DTLS checks that disabled ECC and OCSP.
+ 
+ 	<li>Clean up and simplify dtls1_get_cipher().
+ 
+ 	<li>Group HelloVerifyRequest decoding and add missing check for trailing
+ 	    data.
+ 
+ 	<li>Revise HelloVerifyRequest handling for DTLSv1.2.
+ 
+ 	<li>Handle DTLS1_2_VERSION in various places.
+ 
+ 	<li>Rename the "truncated" label into "decode_err" and the "f_err"
+ 	    label into "fatal_err".
+ 
+ 	<li>Factor out and change some of the legacy client version code.
+ 
+ 	<li>Simplify version checks in the TLSv1.3 client. Ensure that the
+ 	    server announced TLSv1.3 and nothing higher and check that the
+ 	    legacy_version is set to TLSv1.2 as required by RFC 8446.
+ 
+ 	<li>Only use TLS versions internally rather than both TLS and DTLS
+ 	    versions since the latter are the one's complement of the human
+ 	    readable version numbers, which means that newer versions decrease
+ 	    in value.
+ 
+ 	<li>Identify DTLS based on the version major value.
+ 
+ 	<li>Move handling of cipher/hash based cipher suites into the new record
+ 	    layer.
+ 
+ 	<li>Add tls12_record_protection_unused() and call it from CCS functions.
+ 
+ 	<li>Move key/IV length checks closer to usage sites. Also add explicit
+ 	    checks against EVP_CIPHER_{iv,key}_length().
+ 
+ 	<li>Replace two handrolled tls12_record_protection_engaged().
+ 
+ 	<li>Improve internal version handling: add handshake fields for our
+ 	    minimum version, our maximum version and the TLS version negotiated
+ 	    during the handshake. Convert most of the internal code to use these
+ 	    version fields.
+ 
+ 	<li>Guard against future internal use of TLS1_get_{client,}_version()
+ 	    macros.
+ 
+ 	<li>Remove the internal ssl_downgrade_max_version() function which is no
+ 	    longer needed.
+ 
+ 	<li>Add support for DTLSv1.2 version handling.
+ 
+ 	<li>Remove no longer needed read ahead workarounds in the s_client and
+ 	    s_server.
+ 
+ 	<li>Split TLSv1.3 record protection from record layer.
+ 
+ 	<li>Move the TLSv1.3 handshake struct inside the shared handshake
+ 	    struct.
+ 
+ 	<li>Fully initialize rrec in tls12_record_layer_open_record_protected()
+ 	    to avoid confusing some static analyzers.
+ 
+ 	<li>Use tls_set_errorx() on OCSP_basic_verify() failure since the latter
+ 	    does not set errno.
+ 
+ 	<li>Convert openssl(1) x509 to new option handling and do the usual
+ 	    clean up that goes along with it.
+ 
+ 	<li>Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.
+ 
+ 	<li>Rename new_cipher to cipher to align naming with keyblock or other
+ 	    parts of the handshake data.
+ 
+ 	<li>Move the TLSv1.2 record number increment into the new record layer.
+ 
+ 	<li>Move finished and peer finished into the handshake struct.
+ 
+ 	<li>Remove pointless assignment in SSL_get0_alpn_selected().
+ 
+ 	<li>Add some error checking to openssl(1) x509.
+       </ul>
+ 
      <li>Bug Fixes
      <ul>
! 	<li>Move point-on-curve check to set_affine_coordinates to avoid
! 	    verifying ECDSA signatures with unchecked public keys.
! 
! 	<li>Fix SSL_is_server() to behave as documented by re-introducing the
! 	    client-specific methods.
! 
! 	<li>Avoid undefined behavior due to memcpy(NULL, NULL, 0).
! 
! 	<li>Make SSL_get{,_peer}_finished() work when used with TLSv1.3.
! 
! 	<li>Correct the return value type from ERR_peek_error() to a long.
! 
! 	<li>Avoid use of uninitialized in ASN1_time_parse() which could happen
! 	    on parsing UTCTime if the caller did not initialise the passed
! 	    struct tm.
! 
! 	<li>Destroy the mutex in a tls_config object on tls_config_free().
! 
! 	<li>Free alert_data and phh_data in tls13_record_layer_free()
! 	    these could leak if SSL_shutdown() or tls_close() were called
! 	    after closing the underlying socket().
! 
! 	<li>Gracefully handle root certificates being both trusted and
! 	    untrusted.
! 
! 	<li>Handle X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE in the new
! 	    verifier.
! 
! 	<li>Use the legacy verifier when building auto chains for TLS.
! 
! 	<li>Search the intermediates only after searching the root certs in the
! 	    new verifier to avoid problems with the legacy callback.
! 
! 	<li>Bail out early after finding a single chain in the new verifier, if
! 	    we have been called via the legacy verifier API.
! 
! 	<li>Set (invalid and likely incomplete) chain on the xsc on chain build
! 	    failure prior to calling the callback. This is required by various
! 	    callers, including auto chain.
! 
! 	<li>Remove direct assignment of aead_ctx to avoid a leak.
! 
! 	<li>Fail early in legacy exporter if the master secret is not available
! 	    to avoid a segfault if it is called when the handshake is not
! 	    completed.
! 
! 	<li>Only print the certificate file once on verification failure.
! 
! 	<li>Fix an off-by-one in x509_verify_set_xsc_chain() to make sure that
! 	    the new validator checks for EXFLAG_CRITICAL in
! 	    x509_vfy_check_chain_extension() for all untrusted certs in the
! 	    chain. Take into account that the root is not necessarily trusted.
! 
! 	<li>Avoid passing last and depth to x509_verify_cert_error() on ENOMEM.
! 
! 	<li>Fix two bugs in the legacy verifier that resulted from refactoring
! 	    of X509_verify_cert() for the new verifier: a return value was
! 	    incorrectly treated as boolean, making it insufficient to decide
! 	    whether validation should carry on or not.
! 
! 	<li>Fix checks for memory caps of constraints names. There are internal
! 	    caps on the number of name constraints and other names, that the new
! 	    name constraints code allocates per cert chain. These limits were
! 	    checked too late, making them only partially effective.
! 
! 	<li>Fix a copy-paste error - skid was confused with an akid when
! 	    checking for EXFLAG_INVALID. This broke OCSP validation with
! 	    certain mirrors.
! 
! 	<li>Avoid a use-after-scope in tls13_cert_add().
! 
! 	<li>Avoid mangled output in BIO_debug_callback().
! 
! 	<li>Fix client initiated renegotiation by replacing use of s->internal-type
! 	    with s->server.
! 
! 	<li>Avoid transcript initialization when sending a TLS HelloRequest,
! 	    fixing server initiated renegotiation.
! 
! 	<li>Avoid leaking param->name in x509_verify_param_zero().
! 
! 	<li>Avoid a leak in an error path in openssl(1) x509.
! 
! 	<li>When sending an alert in TLSv1.3, only set its error code when no
! 	    other error was set previously. Certain clients rely on specific
! 	    SSL_R_ error codes to identify that they are dealing with a self
! 	    signed cert.
! 
! 	<li>When switching from the TLSv1.3 stack to the legacy stack include
! 	    a TLS record header. This is necessary if there is more than one
! 	    handshake message in the TLS plaintext record.
! 
! 	<li>Fix resource handling on error in OCSP_request_add0_id().
! 
! 	<li>Make sure there is enough room for stashing the handshake message
! 	    when switching to the legacy TLS stack.
! 
! 	<li>Fix a memory leak in the openssl(1) s_client.
! 
! 	<li>Unbreak DTLS retransmissions for flights that include a CCS.
! 
! 	<li>If x509_verify() fails, ensure that the error is set on both
! 	    the x509_verify_ctx() and its store context to make some failures
! 	    visible from SSL_get_verify_result().
! 
! 	<li>Use the X509_STORE_CTX get_issuer() callback from the new X.509
! 	    verifier to fix hashed certificate directories.
! 
! 	<li>Only check BIO_should_read() on read and BIO_should_write() on
! 	    write.  Previously, BIO_should_write() was also checked after read
! 	    and BIO_should_read() after write which could cause stalls in
! 	    software that uses the same BIO for read and write.
! 
! 	<li>In openssl(1) verify, also check for error on the store context
! 	    since the return value of X509_verify_cert() is unreliable in
! 	    presence of a callback that returns 1 too often.
! 
! 	<li>Handle additional certificate error cases in the new X.509 verifier.
! 	    Keep track of the errors encountered if a verify callback tells the
! 	    verifier to continue and report them back via the error on the store
! 	    context. This mimics the behavior of the old verifier that would
! 	    persist the first error encountered while building the chain.
! 
! 	<li>Report specific failures for "self signed certificates" in a way
! 	    compatible with the old verifier since software relies on the
! 	    error code.
! 
! 	<li>Plug a large memory leak in the new verifier caused by calling
! 	    X509_policy_check() repeatedly.
! 
! 	<li>Avoid leaking memory in x509_verify_chain_dup().
      </ul>
    </ul>