===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/69.html,v
retrieving revision 1.37
retrieving revision 1.38
diff -u -r1.37 -r1.38
--- www/69.html	2021/04/14 21:11:50	1.37
+++ www/69.html	2021/04/15 14:06:07	1.38
@@ -1118,54 +1118,425 @@
   <ul>
     <li>New Features
     <ul>
+	<li>Support for DTLSv1.2.
+	<li>Continued rewrite of the record layer for the legacy stack.
+	<li>Numerous bugs and interoperability issues were fixed in the new verifier.
+	<li>The OpenSSL 1.1 TLSv1.3 API is not yet available.
+    </ul>
 
-<!-- taken from plus.html, not sorted into categories:
+    <li>Portable Improvements
+    <ul>
+	<li>Added '--enable-libtls-only' build option, which builds and installs a
+	    statically-linked libtls, skipping libcrypto and libssl. This is useful
+	    for systems that ship with OpenSSL but wish to also package libtls.
 
-	<li>Added a -legacy_verify flag to <a href="https://man.openbsd.org/openssl.1">openssl(1)</a> to force use of the old validator.
-	<li>Changed <a href="https://man.openbsd.org/crypto.3">crypto(3)</a>
-		to call its get_issuer() callback to try and find a suitable
-		certificate in cases where it has failed to find a print certificate
-		from the supplied roots and intermediates.
-	<li>Corrected an issue where <a href="https://man.openbsd.org/openssl.1">openssl(1)</a> verify might not error on expired certificates.
-	<li>Fixed an issue in the TLS 1.3 code that caused stalls in haproxy and other software.
-	<li>Implemented auto chain for the TLSv1.3 server.
-	<li>Implemented the key material exporter for TLSv1.3.
-	<li>Fixed problems which could arise with software such as bacula and icinga when a root certificate was specified as both a trusted and an untrusted certificate.
-	<li>Added support for <a href="https://man.openbsd.org/SSL_get_shared_ciphers.3">SSL_get_shared_ciphers(3)</a> in TLSv1.3 and fixed to correctly return ciphers shared by the client and the server.
-	<li>Requested client certificate only when required in <a href="https://man.openbsd.org/smtpd.8">smtpd(8)</a>.
-	<li>Enabled DTLSv1.2.
--->
-
+	<li>Update getentropy on Windows to use Cryptography Next Generation
+	    (CNG). wincrypt is deprecated and no longer works with newer Windows
+	    environments, such as in Windows Store apps.
     </ul>
 
     <li>API and Documentation Enhancements
     <ul>
-	<li>...
+	<li>Add a number of RPKI OIDs from RFC 6482, 6484, 6493, 8182, 8360,
+	    draft-ietf-sidrops-rpki-rta, and draft-ietf-opsawg-finding-geofeeds.
+
+	<li>Add support for SSL_get_shared_ciphers() with TLSv1.3.
+
+	<li>Add DTLSv1.2 methods.
+
+	<li>Implement SSL_is_dtls() and use it internally in place of the
+	    SSL_IS_DTLS macro.
+
+	<li>Provide EVP_PKEY_new_CMAC_KEY(3).
+
+	<li>Add missing prototype for d2i_DSAPrivateKey_fp(3) to x509.h.
+
+	<li>Add DTLSv1.2 to openssl(1) s_server and s_client protocol message
+	    logging.
+
+	<li>Provide SSL_use_certificate_chain_file(3).
+
+	<li>Provide SSL_set_hostflags(3) and SSL_get0_peername(3).
+
+	<li>Provide various DTLSv1.2 specific functions and defines.
+
+	<li>Document meaning of '*' in the genrsa output.
+
+	<li>Updated documentation for SSL_get_shared_ciphers(3).
+
+	<li>Add documentation for SSL_get_finished(3).
+
+	<li>Document EVP_PKEY_new_CMAC_key(3)
+
+	<li>Document SSL_use_certificate_chain_file(3).
+
+	<li>Document SSL_set_hostflags(3) and SSL_get0_peername(3).
+
+	<li>Update SSL_get_version.3 manual for DTLSv.1.2 support.
+
+	<li>Make supported protocols and options for DHE params more prominent
+	    in tls_config_set_protocols.3.
+
+	<li>Various documentation improvements around TLS methods.
     </ul>
 
     <li>Compatibility Changes
     <ul>
-	<li>...
+	<li>Make openssl(1) s_server ignore -4 and -6 for compatibility with
+	    OpenSSL.
+
+	<li>Set SO_REUSEADDR on the server socket in the openssl(1) ocsp
+	    command.
+
+	<li>Send a host header with OCSP queries to make openssl(1) ocsp
+	    work with some widely used OCSP responders.
+
+	<li>Add ability to ocspcheck(8) to parse a port in the specified
+	    OCSP URL.
+
+	<li>Implement auto chain for the TLSv1.3 server since some software
+	    relies on this.
+
+	<li>Implement key exporter for TLSv1.3.
+	<li>Align SSL_get_shared_ciphers() with OpenSSL. This takes into account
+	    that it never returned server ciphers, so now it will fail when
+	    called from the client side.
+
+	<li>Sync cert.pem with Mozilla NSS root CAs except "GeoTrust Global CA".
+
+	<li>Make SSL{_CTX,}_get_{min,max}_proto_version() return a version of
+	    zero if the minimum or maximum has been set to zero to match
+	    OpenSSL's behavior.
+
+	<li>Add DTLSv1.2 support to openssl s_client/s_server.
     </ul>
 
     <li>Testing and Proactive Security
     <ul>
-	<li>...
+	<li>Malformed ASN.1 in a certificate revocation list or a timestamp
+	    response token can lead to a NULL pointer dereference.
+
+	<li>Pull in fix for EVP_CipherUpdate() overflow from OpenSSL.
+
+	<li>Use EXFLAG_INVALID to handle out of memory and parse errors in
+	    x509v3_cache_extensions().
+
+	<li>Refactor and clean up ocspcheck(8) and add regression tests.
     </ul>
 
     <li>Internal Improvements
       <ul>
-	<li>...
-      </ul>
+	<li>Further cleanup of the DTLS record handling.
 
-    <li>Portable Improvements
-    <ul>
-	<li>...
-    </ul>
+	<li>Continue the replacement of the TLSv1.2 record layer by
+	    reimplementing the read side of the TLSv1.2 record handling.
 
+	<li>Replace DTLSv1_enc_data() with TLSv1_1_enc_data().
+
+	<li>Merge d1_{clnt,srvr}.c into ssl_{clnt,srvr}.c.
+
+	<li>Add const to ssl_ciphers and tls1[23]_sigalgs* to push them into
+	    .data.rel.ro and .rodata, respectively.
+
+	<li>Add a const qualifier to srtp_known_profiles.
+
+	<li>Simplify TLS method by removing the client and server specific
+	    methods internally.
+
+	<li>Avoid casting away const in ssl_ctx_make_profiles().
+
+	<li>Avoid explicitly conditioning an assert on DTLS1_VERSION to make
+	    the assert work for newer DTLS versions.
+
+	<li>Merge SSL_ENC_METHOD into SSL_METHOD_INTERNAL.
+
+	<li>Add a flag to mark DTLS methods as DTLS to have an easy way to
+	    recognize DTLS methods that avoids inspecting the version number.
+
+	<li>Mark a few more internal static tables const.
+
+	<li>Switch finish{,_peer}_md_len from an int to a size_t.
+
+	<li>Use EVP_MD_MAX_MD_SIZE instead of 2 * EVP_MD_MAX_MD_SIZE as size
+	    for cert_verify_md[], finish_md[] and peer_finish_md[]. The factor 2
+	    was a historical artefact.
+
+	<li>Free struct members in tls13_record_layer_free() in their natural
+	    order for reviewability.
+
+	<li>Use consistent names in tls13_{client,server}_finished_{recv,send}().
+
+	<li>Add tls13_secret_{init,cleanup}() and use them throughout the
+	    TLSv1.3 code base.
+
+	<li>Move the read MAC key into the TLSv1.2 record layer.
+
+	<li>Make tls12_record_layer_free() NULL safe.
+
+	<li>Split the record protection from the TLSv1.2 record layer.
+
+	<li>Clean up sequence number handling in the new TLSv1.2 record layer.
+
+	<li>Clean up sequence number handling in DTLS.
+
+	<li>Clean up dtls1_reset_seq_numbers().
+
+	<li>Factor out code for explicit IV length, block size and MAC length
+	    from tls12_record_layer_open_record_protected_cipher().
+
+	<li>Provide record layer overhead for DTLS.
+
+	<li>Provide functions to determine if TLSv1.2 record protection is
+	    engaged.
+
+	<li>Add code to handle change of cipher state in the new TLSv1.2 record
+	    layer.
+
+	<li>Mop up now unused dtls1_build_sequence_numbers() function.
+
+	<li>Allow setting a keypair on a tls context without specifying the
+	    private key, and fake it internally in libtls. This removes the
+	    need for privsep engines like relayd to use bogus keys.
+
+	<li>Skip the private key check for fake private keys.
+
+	<li>Move the private key setup from tls_configure_ssl_keypair() to a
+	    helper function with proper error checking.
+
+	<li>Change the internal tls_configure_ssl_keypair() function to
+	    return -1 instead of 1 on failure.
+
+	<li>Move sequence numbers into the new TLSv1.2 record layer.
+
+	<li>Move AEAD handling into the new TLSv1.2 record layer.
+
+	<li>Factor out legacy stack version checks.
+
+	<li>Correct handshake MAC/PRF for various TLSv1.2 cipher suites which
+	    were originally added with the default handshake MAC and PRF rather
+	    than the SHA256 handshake MAC and PRF.
+
+	<li>Absorb ssl3_get_algorithm2() into ssl_get_handshake_evp_md().
+
+	<li>Use dtls1_record_retrieve_buffered_record() to load buffered
+	    application data.
+
+	<li>Enforce read ahead with DTLS.
+
+	<li>Remove bogus DTLS checks that disabled ECC and OCSP.
+
+	<li>Clean up and simplify dtls1_get_cipher().
+
+	<li>Group HelloVerifyRequest decoding and add missing check for trailing
+	    data.
+
+	<li>Revise HelloVerifyRequest handling for DTLSv1.2.
+
+	<li>Handle DTLS1_2_VERSION in various places.
+
+	<li>Rename the "truncated" label into "decode_err" and the "f_err"
+	    label into "fatal_err".
+
+	<li>Factor out and change some of the legacy client version code.
+
+	<li>Simplify version checks in the TLSv1.3 client. Ensure that the
+	    server announced TLSv1.3 and nothing higher and check that the
+	    legacy_version is set to TLSv1.2 as required by RFC 8446.
+
+	<li>Only use TLS versions internally rather than both TLS and DTLS
+	    versions since the latter are the one's complement of the human
+	    readable version numbers, which means that newer versions decrease
+	    in value.
+
+	<li>Identify DTLS based on the version major value.
+
+	<li>Move handling of cipher/hash based cipher suites into the new record
+	    layer.
+
+	<li>Add tls12_record_protection_unused() and call it from CCS functions.
+
+	<li>Move key/IV length checks closer to usage sites. Also add explicit
+	    checks against EVP_CIPHER_{iv,key}_length().
+
+	<li>Replace two handrolled tls12_record_protection_engaged().
+
+	<li>Improve internal version handling: add handshake fields for our
+	    minimum version, our maximum version and the TLS version negotiated
+	    during the handshake. Convert most of the internal code to use these
+	    version fields.
+
+	<li>Guard against future internal use of TLS1_get_{client,}_version()
+	    macros.
+
+	<li>Remove the internal ssl_downgrade_max_version() function which is no
+	    longer needed.
+
+	<li>Add support for DTLSv1.2 version handling.
+
+	<li>Remove no longer needed read ahead workarounds in the s_client and
+	    s_server.
+
+	<li>Split TLSv1.3 record protection from record layer.
+
+	<li>Move the TLSv1.3 handshake struct inside the shared handshake
+	    struct.
+
+	<li>Fully initialize rrec in tls12_record_layer_open_record_protected()
+	    to avoid confusing some static analyzers.
+
+	<li>Use tls_set_errorx() on OCSP_basic_verify() failure since the latter
+	    does not set errno.
+
+	<li>Convert openssl(1) x509 to new option handling and do the usual
+	    clean up that goes along with it.
+
+	<li>Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.
+
+	<li>Rename new_cipher to cipher to align naming with keyblock or other
+	    parts of the handshake data.
+
+	<li>Move the TLSv1.2 record number increment into the new record layer.
+
+	<li>Move finished and peer finished into the handshake struct.
+
+	<li>Remove pointless assignment in SSL_get0_alpn_selected().
+
+	<li>Add some error checking to openssl(1) x509.
+      </ul>
+
     <li>Bug Fixes
     <ul>
-	<li>...
+	<li>Move point-on-curve check to set_affine_coordinates to avoid
+	    verifying ECDSA signatures with unchecked public keys.
+
+	<li>Fix SSL_is_server() to behave as documented by re-introducing the
+	    client-specific methods.
+
+	<li>Avoid undefined behavior due to memcpy(NULL, NULL, 0).
+
+	<li>Make SSL_get{,_peer}_finished() work when used with TLSv1.3.
+
+	<li>Correct the return value type from ERR_peek_error() to a long.
+
+	<li>Avoid use of uninitialized in ASN1_time_parse() which could happen
+	    on parsing UTCTime if the caller did not initialise the passed
+	    struct tm.
+
+	<li>Destroy the mutex in a tls_config object on tls_config_free().
+
+	<li>Free alert_data and phh_data in tls13_record_layer_free()
+	    these could leak if SSL_shutdown() or tls_close() were called
+	    after closing the underlying socket().
+
+	<li>Gracefully handle root certificates being both trusted and
+	    untrusted.
+
+	<li>Handle X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE in the new
+	    verifier.
+
+	<li>Use the legacy verifier when building auto chains for TLS.
+
+	<li>Search the intermediates only after searching the root certs in the
+	    new verifier to avoid problems with the legacy callback.
+
+	<li>Bail out early after finding a single chain in the new verifier, if
+	    we have been called via the legacy verifier API.
+
+	<li>Set (invalid and likely incomplete) chain on the xsc on chain build
+	    failure prior to calling the callback. This is required by various
+	    callers, including auto chain.
+
+	<li>Remove direct assignment of aead_ctx to avoid a leak.
+
+	<li>Fail early in legacy exporter if the master secret is not available
+	    to avoid a segfault if it is called when the handshake is not
+	    completed.
+
+	<li>Only print the certificate file once on verification failure.
+
+	<li>Fix an off-by-one in x509_verify_set_xsc_chain() to make sure that
+	    the new validator checks for EXFLAG_CRITICAL in
+	    x509_vfy_check_chain_extension() for all untrusted certs in the
+	    chain. Take into account that the root is not necessarily trusted.
+
+	<li>Avoid passing last and depth to x509_verify_cert_error() on ENOMEM.
+
+	<li>Fix two bugs in the legacy verifier that resulted from refactoring
+	    of X509_verify_cert() for the new verifier: a return value was
+	    incorrectly treated as boolean, making it insufficient to decide
+	    whether validation should carry on or not.
+
+	<li>Fix checks for memory caps of constraints names. There are internal
+	    caps on the number of name constraints and other names, that the new
+	    name constraints code allocates per cert chain. These limits were
+	    checked too late, making them only partially effective.
+
+	<li>Fix a copy-paste error - skid was confused with an akid when
+	    checking for EXFLAG_INVALID. This broke OCSP validation with
+	    certain mirrors.
+
+	<li>Avoid a use-after-scope in tls13_cert_add().
+
+	<li>Avoid mangled output in BIO_debug_callback().
+
+	<li>Fix client initiated renegotiation by replacing use of s->internal-type
+	    with s->server.
+
+	<li>Avoid transcript initialization when sending a TLS HelloRequest,
+	    fixing server initiated renegotiation.
+
+	<li>Avoid leaking param->name in x509_verify_param_zero().
+
+	<li>Avoid a leak in an error path in openssl(1) x509.
+
+	<li>When sending an alert in TLSv1.3, only set its error code when no
+	    other error was set previously. Certain clients rely on specific
+	    SSL_R_ error codes to identify that they are dealing with a self
+	    signed cert.
+
+	<li>When switching from the TLSv1.3 stack to the legacy stack include
+	    a TLS record header. This is necessary if there is more than one
+	    handshake message in the TLS plaintext record.
+
+	<li>Fix resource handling on error in OCSP_request_add0_id().
+
+	<li>Make sure there is enough room for stashing the handshake message
+	    when switching to the legacy TLS stack.
+
+	<li>Fix a memory leak in the openssl(1) s_client.
+
+	<li>Unbreak DTLS retransmissions for flights that include a CCS.
+
+	<li>If x509_verify() fails, ensure that the error is set on both
+	    the x509_verify_ctx() and its store context to make some failures
+	    visible from SSL_get_verify_result().
+
+	<li>Use the X509_STORE_CTX get_issuer() callback from the new X.509
+	    verifier to fix hashed certificate directories.
+
+	<li>Only check BIO_should_read() on read and BIO_should_write() on
+	    write.  Previously, BIO_should_write() was also checked after read
+	    and BIO_should_read() after write which could cause stalls in
+	    software that uses the same BIO for read and write.
+
+	<li>In openssl(1) verify, also check for error on the store context
+	    since the return value of X509_verify_cert() is unreliable in
+	    presence of a callback that returns 1 too often.
+
+	<li>Handle additional certificate error cases in the new X.509 verifier.
+	    Keep track of the errors encountered if a verify callback tells the
+	    verifier to continue and report them back via the error on the store
+	    context. This mimics the behavior of the old verifier that would
+	    persist the first error encountered while building the chain.
+
+	<li>Report specific failures for "self signed certificates" in a way
+	    compatible with the old verifier since software relies on the
+	    error code.
+
+	<li>Plug a large memory leak in the new verifier caused by calling
+	    X509_policy_check() repeatedly.
+
+	<li>Avoid leaking memory in x509_verify_chain_dup().
     </ul>
   </ul>
 
