===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/69.html,v
retrieving revision 1.37
retrieving revision 1.38
diff -c -r1.37 -r1.38
*** www/69.html 2021/04/14 21:11:50 1.37
--- www/69.html 2021/04/15 14:06:07 1.38
***************
*** 1118,1171 ****
- New Features
- API and Documentation Enhancements
- Compatibility Changes
- Testing and Proactive Security
- Internal Improvements
!
- Portable Improvements
!
- Bug Fixes
--- 1118,1542 ----
- New Features
+ - Support for DTLSv1.2.
+
- Continued rewrite of the record layer for the legacy stack.
+
- Numerous bugs and interoperability issues were fixed in the new verifier.
+
- The OpenSSL 1.1 TLSv1.3 API is not yet available.
+
! - Portable Improvements
!
! - Added '--enable-libtls-only' build option, which builds and installs a
! statically-linked libtls, skipping libcrypto and libssl. This is useful
! for systems that ship with OpenSSL but wish to also package libtls.
!
- Update getentropy on Windows to use Cryptography Next Generation
! (CNG). wincrypt is deprecated and no longer works with newer Windows
! environments, such as in Windows Store apps.
- API and Documentation Enhancements
! - Add a number of RPKI OIDs from RFC 6482, 6484, 6493, 8182, 8360,
! draft-ietf-sidrops-rpki-rta, and draft-ietf-opsawg-finding-geofeeds.
!
!
- Add support for SSL_get_shared_ciphers() with TLSv1.3.
!
!
- Add DTLSv1.2 methods.
!
!
- Implement SSL_is_dtls() and use it internally in place of the
! SSL_IS_DTLS macro.
!
!
- Provide EVP_PKEY_new_CMAC_KEY(3).
!
!
- Add missing prototype for d2i_DSAPrivateKey_fp(3) to x509.h.
!
!
- Add DTLSv1.2 to openssl(1) s_server and s_client protocol message
! logging.
!
!
- Provide SSL_use_certificate_chain_file(3).
!
!
- Provide SSL_set_hostflags(3) and SSL_get0_peername(3).
!
!
- Provide various DTLSv1.2 specific functions and defines.
!
!
- Document meaning of '*' in the genrsa output.
!
!
- Updated documentation for SSL_get_shared_ciphers(3).
!
!
- Add documentation for SSL_get_finished(3).
!
!
- Document EVP_PKEY_new_CMAC_key(3)
!
!
- Document SSL_use_certificate_chain_file(3).
!
!
- Document SSL_set_hostflags(3) and SSL_get0_peername(3).
!
!
- Update SSL_get_version.3 manual for DTLSv.1.2 support.
!
!
- Make supported protocols and options for DHE params more prominent
! in tls_config_set_protocols.3.
!
!
- Various documentation improvements around TLS methods.
- Compatibility Changes
! - Make openssl(1) s_server ignore -4 and -6 for compatibility with
! OpenSSL.
!
!
- Set SO_REUSEADDR on the server socket in the openssl(1) ocsp
! command.
!
!
- Send a host header with OCSP queries to make openssl(1) ocsp
! work with some widely used OCSP responders.
!
!
- Add ability to ocspcheck(8) to parse a port in the specified
! OCSP URL.
!
!
- Implement auto chain for the TLSv1.3 server since some software
! relies on this.
!
!
- Implement key exporter for TLSv1.3.
!
- Align SSL_get_shared_ciphers() with OpenSSL. This takes into account
! that it never returned server ciphers, so now it will fail when
! called from the client side.
!
!
- Sync cert.pem with Mozilla NSS root CAs except "GeoTrust Global CA".
!
!
- Make SSL{_CTX,}_get_{min,max}_proto_version() return a version of
! zero if the minimum or maximum has been set to zero to match
! OpenSSL's behavior.
!
!
- Add DTLSv1.2 support to openssl s_client/s_server.
- Testing and Proactive Security
! - Malformed ASN.1 in a certificate revocation list or a timestamp
! response token can lead to a NULL pointer dereference.
!
!
- Pull in fix for EVP_CipherUpdate() overflow from OpenSSL.
!
!
- Use EXFLAG_INVALID to handle out of memory and parse errors in
! x509v3_cache_extensions().
!
!
- Refactor and clean up ocspcheck(8) and add regression tests.
- Internal Improvements
! - Further cleanup of the DTLS record handling.
!
- Continue the replacement of the TLSv1.2 record layer by
! reimplementing the read side of the TLSv1.2 record handling.
+
- Replace DTLSv1_enc_data() with TLSv1_1_enc_data().
+
+
- Merge d1_{clnt,srvr}.c into ssl_{clnt,srvr}.c.
+
+
- Add const to ssl_ciphers and tls1[23]_sigalgs* to push them into
+ .data.rel.ro and .rodata, respectively.
+
+
- Add a const qualifier to srtp_known_profiles.
+
+
- Simplify TLS method by removing the client and server specific
+ methods internally.
+
+
- Avoid casting away const in ssl_ctx_make_profiles().
+
+
- Avoid explicitly conditioning an assert on DTLS1_VERSION to make
+ the assert work for newer DTLS versions.
+
+
- Merge SSL_ENC_METHOD into SSL_METHOD_INTERNAL.
+
+
- Add a flag to mark DTLS methods as DTLS to have an easy way to
+ recognize DTLS methods that avoids inspecting the version number.
+
+
- Mark a few more internal static tables const.
+
+
- Switch finish{,_peer}_md_len from an int to a size_t.
+
+
- Use EVP_MD_MAX_MD_SIZE instead of 2 * EVP_MD_MAX_MD_SIZE as size
+ for cert_verify_md[], finish_md[] and peer_finish_md[]. The factor 2
+ was a historical artefact.
+
+
- Free struct members in tls13_record_layer_free() in their natural
+ order for reviewability.
+
+
- Use consistent names in tls13_{client,server}_finished_{recv,send}().
+
+
- Add tls13_secret_{init,cleanup}() and use them throughout the
+ TLSv1.3 code base.
+
+
- Move the read MAC key into the TLSv1.2 record layer.
+
+
- Make tls12_record_layer_free() NULL safe.
+
+
- Split the record protection from the TLSv1.2 record layer.
+
+
- Clean up sequence number handling in the new TLSv1.2 record layer.
+
+
- Clean up sequence number handling in DTLS.
+
+
- Clean up dtls1_reset_seq_numbers().
+
+
- Factor out code for explicit IV length, block size and MAC length
+ from tls12_record_layer_open_record_protected_cipher().
+
+
- Provide record layer overhead for DTLS.
+
+
- Provide functions to determine if TLSv1.2 record protection is
+ engaged.
+
+
- Add code to handle change of cipher state in the new TLSv1.2 record
+ layer.
+
+
- Mop up now unused dtls1_build_sequence_numbers() function.
+
+
- Allow setting a keypair on a tls context without specifying the
+ private key, and fake it internally in libtls. This removes the
+ need for privsep engines like relayd to use bogus keys.
+
+
- Skip the private key check for fake private keys.
+
+
- Move the private key setup from tls_configure_ssl_keypair() to a
+ helper function with proper error checking.
+
+
- Change the internal tls_configure_ssl_keypair() function to
+ return -1 instead of 1 on failure.
+
+
- Move sequence numbers into the new TLSv1.2 record layer.
+
+
- Move AEAD handling into the new TLSv1.2 record layer.
+
+
- Factor out legacy stack version checks.
+
+
- Correct handshake MAC/PRF for various TLSv1.2 cipher suites which
+ were originally added with the default handshake MAC and PRF rather
+ than the SHA256 handshake MAC and PRF.
+
+
- Absorb ssl3_get_algorithm2() into ssl_get_handshake_evp_md().
+
+
- Use dtls1_record_retrieve_buffered_record() to load buffered
+ application data.
+
+
- Enforce read ahead with DTLS.
+
+
- Remove bogus DTLS checks that disabled ECC and OCSP.
+
+
- Clean up and simplify dtls1_get_cipher().
+
+
- Group HelloVerifyRequest decoding and add missing check for trailing
+ data.
+
+
- Revise HelloVerifyRequest handling for DTLSv1.2.
+
+
- Handle DTLS1_2_VERSION in various places.
+
+
- Rename the "truncated" label into "decode_err" and the "f_err"
+ label into "fatal_err".
+
+
- Factor out and change some of the legacy client version code.
+
+
- Simplify version checks in the TLSv1.3 client. Ensure that the
+ server announced TLSv1.3 and nothing higher and check that the
+ legacy_version is set to TLSv1.2 as required by RFC 8446.
+
+
- Only use TLS versions internally rather than both TLS and DTLS
+ versions since the latter are the one's complement of the human
+ readable version numbers, which means that newer versions decrease
+ in value.
+
+
- Identify DTLS based on the version major value.
+
+
- Move handling of cipher/hash based cipher suites into the new record
+ layer.
+
+
- Add tls12_record_protection_unused() and call it from CCS functions.
+
+
- Move key/IV length checks closer to usage sites. Also add explicit
+ checks against EVP_CIPHER_{iv,key}_length().
+
+
- Replace two handrolled tls12_record_protection_engaged().
+
+
- Improve internal version handling: add handshake fields for our
+ minimum version, our maximum version and the TLS version negotiated
+ during the handshake. Convert most of the internal code to use these
+ version fields.
+
+
- Guard against future internal use of TLS1_get_{client,}_version()
+ macros.
+
+
- Remove the internal ssl_downgrade_max_version() function which is no
+ longer needed.
+
+
- Add support for DTLSv1.2 version handling.
+
+
- Remove no longer needed read ahead workarounds in the s_client and
+ s_server.
+
+
- Split TLSv1.3 record protection from record layer.
+
+
- Move the TLSv1.3 handshake struct inside the shared handshake
+ struct.
+
+
- Fully initialize rrec in tls12_record_layer_open_record_protected()
+ to avoid confusing some static analyzers.
+
+
- Use tls_set_errorx() on OCSP_basic_verify() failure since the latter
+ does not set errno.
+
+
- Convert openssl(1) x509 to new option handling and do the usual
+ clean up that goes along with it.
+
+
- Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.
+
+
- Rename new_cipher to cipher to align naming with keyblock or other
+ parts of the handshake data.
+
+
- Move the TLSv1.2 record number increment into the new record layer.
+
+
- Move finished and peer finished into the handshake struct.
+
+
- Remove pointless assignment in SSL_get0_alpn_selected().
+
+
- Add some error checking to openssl(1) x509.
+
+
- Bug Fixes
! - Move point-on-curve check to set_affine_coordinates to avoid
! verifying ECDSA signatures with unchecked public keys.
!
!
- Fix SSL_is_server() to behave as documented by re-introducing the
! client-specific methods.
!
!
- Avoid undefined behavior due to memcpy(NULL, NULL, 0).
!
!
- Make SSL_get{,_peer}_finished() work when used with TLSv1.3.
!
!
- Correct the return value type from ERR_peek_error() to a long.
!
!
- Avoid use of uninitialized in ASN1_time_parse() which could happen
! on parsing UTCTime if the caller did not initialise the passed
! struct tm.
!
!
- Destroy the mutex in a tls_config object on tls_config_free().
!
!
- Free alert_data and phh_data in tls13_record_layer_free()
! these could leak if SSL_shutdown() or tls_close() were called
! after closing the underlying socket().
!
!
- Gracefully handle root certificates being both trusted and
! untrusted.
!
!
- Handle X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE in the new
! verifier.
!
!
- Use the legacy verifier when building auto chains for TLS.
!
!
- Search the intermediates only after searching the root certs in the
! new verifier to avoid problems with the legacy callback.
!
!
- Bail out early after finding a single chain in the new verifier, if
! we have been called via the legacy verifier API.
!
!
- Set (invalid and likely incomplete) chain on the xsc on chain build
! failure prior to calling the callback. This is required by various
! callers, including auto chain.
!
!
- Remove direct assignment of aead_ctx to avoid a leak.
!
!
- Fail early in legacy exporter if the master secret is not available
! to avoid a segfault if it is called when the handshake is not
! completed.
!
!
- Only print the certificate file once on verification failure.
!
!
- Fix an off-by-one in x509_verify_set_xsc_chain() to make sure that
! the new validator checks for EXFLAG_CRITICAL in
! x509_vfy_check_chain_extension() for all untrusted certs in the
! chain. Take into account that the root is not necessarily trusted.
!
!
- Avoid passing last and depth to x509_verify_cert_error() on ENOMEM.
!
!
- Fix two bugs in the legacy verifier that resulted from refactoring
! of X509_verify_cert() for the new verifier: a return value was
! incorrectly treated as boolean, making it insufficient to decide
! whether validation should carry on or not.
!
!
- Fix checks for memory caps of constraints names. There are internal
! caps on the number of name constraints and other names, that the new
! name constraints code allocates per cert chain. These limits were
! checked too late, making them only partially effective.
!
!
- Fix a copy-paste error - skid was confused with an akid when
! checking for EXFLAG_INVALID. This broke OCSP validation with
! certain mirrors.
!
!
- Avoid a use-after-scope in tls13_cert_add().
!
!
- Avoid mangled output in BIO_debug_callback().
!
!
- Fix client initiated renegotiation by replacing use of s->internal-type
! with s->server.
!
!
- Avoid transcript initialization when sending a TLS HelloRequest,
! fixing server initiated renegotiation.
!
!
- Avoid leaking param->name in x509_verify_param_zero().
!
!
- Avoid a leak in an error path in openssl(1) x509.
!
!
- When sending an alert in TLSv1.3, only set its error code when no
! other error was set previously. Certain clients rely on specific
! SSL_R_ error codes to identify that they are dealing with a self
! signed cert.
!
!
- When switching from the TLSv1.3 stack to the legacy stack include
! a TLS record header. This is necessary if there is more than one
! handshake message in the TLS plaintext record.
!
!
- Fix resource handling on error in OCSP_request_add0_id().
!
!
- Make sure there is enough room for stashing the handshake message
! when switching to the legacy TLS stack.
!
!
- Fix a memory leak in the openssl(1) s_client.
!
!
- Unbreak DTLS retransmissions for flights that include a CCS.
!
!
- If x509_verify() fails, ensure that the error is set on both
! the x509_verify_ctx() and its store context to make some failures
! visible from SSL_get_verify_result().
!
!
- Use the X509_STORE_CTX get_issuer() callback from the new X.509
! verifier to fix hashed certificate directories.
!
!
- Only check BIO_should_read() on read and BIO_should_write() on
! write. Previously, BIO_should_write() was also checked after read
! and BIO_should_read() after write which could cause stalls in
! software that uses the same BIO for read and write.
!
!
- In openssl(1) verify, also check for error on the store context
! since the return value of X509_verify_cert() is unreliable in
! presence of a callback that returns 1 too often.
!
!
- Handle additional certificate error cases in the new X.509 verifier.
! Keep track of the errors encountered if a verify callback tells the
! verifier to continue and report them back via the error on the store
! context. This mimics the behavior of the old verifier that would
! persist the first error encountered while building the chain.
!
!
- Report specific failures for "self signed certificates" in a way
! compatible with the old verifier since software relies on the
! error code.
!
!
- Plug a large memory leak in the new verifier caused by calling
! X509_policy_check() repeatedly.
!
!
- Avoid leaking memory in x509_verify_chain_dup().
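Review bot: a few entries in this hunk need a consistency pass before the page is published. The CMAC function is written `EVP_PKEY_new_CMAC_KEY(3)` in the "Provide" item but `EVP_PKEY_new_CMAC_key(3)` (and with no trailing period) in the "Document" item; only one spelling can match the manual page, so pick it and use it in both places. `DTLSv.1.2` in the SSL_get_version.3 item is a typo for `DTLSv1.2`. The Testing and Proactive Security entry "Malformed ASN.1 in a certificate revocation list or a timestamp response token can lead to a NULL pointer dereference" describes the bug rather than the fix; the neighbouring items are phrased as actions, so this one should state that the dereference was fixed. "Avoid use of uninitialized in ASN1_time_parse()" is missing its noun (the uninitialized struct tm named later in the same sentence). "Free alert_data and phh_data in tls13_record_layer_free() these could leak" needs a semicolon or period before "these". In the client-initiated renegotiation item, `s->internal-type` looks like a dropped `>`, since `s->server` on the same line uses the arrow operator. Finally, DTLSv1.2 is announced under New Features and then appears again as "Add DTLSv1.2 methods" and "Add DTLSv1.2 to openssl(1) s_server and s_client protocol message logging" under API and Documentation Enhancements and as "Add DTLSv1.2 support to openssl s_client/s_server" under Compatibility Changes; the two s_client/s_server items would read better grouped under one heading.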