===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/69.html,v
retrieving revision 1.37
retrieving revision 1.38
diff -u -r1.37 -r1.38
--- www/69.html 2021/04/14 21:11:50 1.37
+++ www/69.html 2021/04/15 14:06:07 1.38
@@ -1118,54 +1118,425 @@
- New Features
+ - Support for DTLSv1.2.
+
- Continued rewrite of the record layer for the legacy stack.
+
- Numerous bugs and interoperability issues were fixed in the new verifier.
+
- The OpenSSL 1.1 TLSv1.3 API is not yet available.
+
-
-
+ - Update getentropy on Windows to use Cryptography Next Generation
+ (CNG). wincrypt is deprecated and no longer works with newer Windows
+ environments, such as in Windows Store apps.
API and Documentation Enhancements
- - ...
+
- Add a number of RPKI OIDs from RFC 6482, 6484, 6493, 8182, 8360,
+ draft-ietf-sidrops-rpki-rta, and draft-ietf-opsawg-finding-geofeeds.
+
+
- Add support for SSL_get_shared_ciphers() with TLSv1.3.
+
+
- Add DTLSv1.2 methods.
+
+
- Implement SSL_is_dtls() and use it internally in place of the
+ SSL_IS_DTLS macro.
+
+
- Provide EVP_PKEY_new_CMAC_KEY(3).
+
+
- Add missing prototype for d2i_DSAPrivateKey_fp(3) to x509.h.
+
+
- Add DTLSv1.2 to openssl(1) s_server and s_client protocol message
+ logging.
+
+
- Provide SSL_use_certificate_chain_file(3).
+
+
- Provide SSL_set_hostflags(3) and SSL_get0_peername(3).
+
+
- Provide various DTLSv1.2 specific functions and defines.
+
+
- Document meaning of '*' in the genrsa output.
+
+
- Updated documentation for SSL_get_shared_ciphers(3).
+
+
- Add documentation for SSL_get_finished(3).
+
+
- Document EVP_PKEY_new_CMAC_key(3)
+
+
- Document SSL_use_certificate_chain_file(3).
+
+
- Document SSL_set_hostflags(3) and SSL_get0_peername(3).
+
+
- Update SSL_get_version.3 manual for DTLSv.1.2 support.
+
+
- Make supported protocols and options for DHE params more prominent
+ in tls_config_set_protocols.3.
+
+
- Various documentation improvements around TLS methods.
Compatibility Changes
- - ...
+
- Make openssl(1) s_server ignore -4 and -6 for compatibility with
+ OpenSSL.
+
+
- Set SO_REUSEADDR on the server socket in the openssl(1) ocsp
+ command.
+
+
- Send a host header with OCSP queries to make openssl(1) ocsp
+ work with some widely used OCSP responders.
+
+
- Add ability to ocspcheck(8) to parse a port in the specified
+ OCSP URL.
+
+
- Implement auto chain for the TLSv1.3 server since some software
+ relies on this.
+
+
- Implement key exporter for TLSv1.3.
+
- Align SSL_get_shared_ciphers() with OpenSSL. This takes into account
+ that it never returned server ciphers, so now it will fail when
+ called from the client side.
+
+
- Sync cert.pem with Mozilla NSS root CAs except "GeoTrust Global CA".
+
+
- Make SSL{_CTX,}_get_{min,max}_proto_version() return a version of
+ zero if the minimum or maximum has been set to zero to match
+ OpenSSL's behavior.
+
+
- Add DTLSv1.2 support to openssl s_client/s_server.
Testing and Proactive Security
- - ...
+
- Malformed ASN.1 in a certificate revocation list or a timestamp
+ response token can lead to a NULL pointer dereference.
+
+
- Pull in fix for EVP_CipherUpdate() overflow from OpenSSL.
+
+
- Use EXFLAG_INVALID to handle out of memory and parse errors in
+ x509v3_cache_extensions().
+
+
- Refactor and clean up ocspcheck(8) and add regression tests.
Internal Improvements
+ Further cleanup of the DTLS record handling.
- Portable Improvements
-
+ Continue the replacement of the TLSv1.2 record layer by
+ reimplementing the read side of the TLSv1.2 record handling.
+ Replace DTLSv1_enc_data() with TLSv1_1_enc_data().
+
+ Merge d1_{clnt,srvr}.c into ssl_{clnt,srvr}.c.
+
+ Add const to ssl_ciphers and tls1[23]_sigalgs* to push them into
+ .data.rel.ro and .rodata, respectively.
+
+ Add a const qualifier to srtp_known_profiles.
+
+ Simplify TLS method by removing the client and server specific
+ methods internally.
+
+ Avoid casting away const in ssl_ctx_make_profiles().
+
+ Avoid explicitly conditioning an assert on DTLS1_VERSION to make
+ the assert work for newer DTLS versions.
+
+ Merge SSL_ENC_METHOD into SSL_METHOD_INTERNAL.
+
+ Add a flag to mark DTLS methods as DTLS to have an easy way to
+ recognize DTLS methods that avoids inspecting the version number.
+
+ Mark a few more internal static tables const.
+
+ Switch finish{,_peer}_md_len from an int to a size_t.
+
+ Use EVP_MD_MAX_MD_SIZE instead of 2 * EVP_MD_MAX_MD_SIZE as size
+ for cert_verify_md[], finish_md[] and peer_finish_md[]. The factor 2
+ was a historical artefact.
+
+ Free struct members in tls13_record_layer_free() in their natural
+ order for reviewability.
+
+ Use consistent names in tls13_{client,server}_finished_{recv,send}().
+
+ Add tls13_secret_{init,cleanup}() and use them throughout the
+ TLSv1.3 code base.
+
+ Move the read MAC key into the TLSv1.2 record layer.
+
+ Make tls12_record_layer_free() NULL safe.
+
+ Split the record protection from the TLSv1.2 record layer.
+
+ Clean up sequence number handling in the new TLSv1.2 record layer.
+
+ Clean up sequence number handling in DTLS.
+
+ Clean up dtls1_reset_seq_numbers().
+
+ Factor out code for explicit IV length, block size and MAC length
+ from tls12_record_layer_open_record_protected_cipher().
+
+ Provide record layer overhead for DTLS.
+
+ Provide functions to determine if TLSv1.2 record protection is
+ engaged.
+
+ Add code to handle change of cipher state in the new TLSv1.2 record
+ layer.
+
+ Mop up now unused dtls1_build_sequence_numbers() function.
+
+ Allow setting a keypair on a tls context without specifying the
+ private key, and fake it internally in libtls. This removes the
+ need for privsep engines like relayd to use bogus keys.
+
+ Skip the private key check for fake private keys.
+
+ Move the private key setup from tls_configure_ssl_keypair() to a
+ helper function with proper error checking.
+
+ Change the internal tls_configure_ssl_keypair() function to
+ return -1 instead of 1 on failure.
+
+ Move sequence numbers into the new TLSv1.2 record layer.
+
+ Move AEAD handling into the new TLSv1.2 record layer.
+
+ Factor out legacy stack version checks.
+
+ Correct handshake MAC/PRF for various TLSv1.2 cipher suites which
+ were originally added with the default handshake MAC and PRF rather
+ than the SHA256 handshake MAC and PRF.
+
+ Absorb ssl3_get_algorithm2() into ssl_get_handshake_evp_md().
+
+ Use dtls1_record_retrieve_buffered_record() to load buffered
+ application data.
+
+ Enforce read ahead with DTLS.
+
+ Remove bogus DTLS checks that disabled ECC and OCSP.
+
+ Clean up and simplify dtls1_get_cipher().
+
+ Group HelloVerifyRequest decoding and add missing check for trailing
+ data.
+
+ Revise HelloVerifyRequest handling for DTLSv1.2.
+
+ Handle DTLS1_2_VERSION in various places.
+
+ Rename the "truncated" label into "decode_err" and the "f_err"
+ label into "fatal_err".
+
+ Factor out and change some of the legacy client version code.
+
+ Simplify version checks in the TLSv1.3 client. Ensure that the
+ server announced TLSv1.3 and nothing higher and check that the
+ legacy_version is set to TLSv1.2 as required by RFC 8446.
+
+ Only use TLS versions internally rather than both TLS and DTLS
+ versions since the latter are the one's complement of the human
+ readable version numbers, which means that newer versions decrease
+ in value.
+
+ Identify DTLS based on the version major value.
+
+ Move handling of cipher/hash based cipher suites into the new record
+ layer.
+
+ Add tls12_record_protection_unused() and call it from CCS functions.
+
+ Move key/IV length checks closer to usage sites. Also add explicit
+ checks against EVP_CIPHER_{iv,key}_length().
+
+ Replace two handrolled tls12_record_protection_engaged().
+
+ Improve internal version handling: add handshake fields for our
+ minimum version, our maximum version and the TLS version negotiated
+ during the handshake. Convert most of the internal code to use these
+ version fields.
+
+ Guard against future internal use of TLS1_get_{client,}_version()
+ macros.
+
+ Remove the internal ssl_downgrade_max_version() function which is no
+ longer needed.
+
+ Add support for DTLSv1.2 version handling.
+
+ Remove no longer needed read ahead workarounds in the s_client and
+ s_server.
+
+ Split TLSv1.3 record protection from record layer.
+
+ Move the TLSv1.3 handshake struct inside the shared handshake
+ struct.
+
+ Fully initialize rrec in tls12_record_layer_open_record_protected()
+ to avoid confusing some static analyzers.
+
+ Use tls_set_errorx() on OCSP_basic_verify() failure since the latter
+ does not set errno.
+
+ Convert openssl(1) x509 to new option handling and do the usual
+ clean up that goes along with it.
+
+ Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.
+
+ Rename new_cipher to cipher to align naming with keyblock or other
+ parts of the handshake data.
+
+ Move the TLSv1.2 record number increment into the new record layer.
+
+ Move finished and peer finished into the handshake struct.
+
+ Remove pointless assignment in SSL_get0_alpn_selected().
+
+ Add some error checking to openssl(1) x509.
+
+
Bug Fixes
- - ...
+
- Move point-on-curve check to set_affine_coordinates to avoid
+ verifying ECDSA signatures with unchecked public keys.
+
+
- Fix SSL_is_server() to behave as documented by re-introducing the
+ client-specific methods.
+
+
- Avoid undefined behavior due to memcpy(NULL, NULL, 0).
+
+
- Make SSL_get{,_peer}_finished() work when used with TLSv1.3.
+
+
- Correct the return value type from ERR_peek_error() to a long.
+
+
- Avoid use of uninitialized in ASN1_time_parse() which could happen
+ on parsing UTCTime if the caller did not initialise the passed
+ struct tm.
+
+
- Destroy the mutex in a tls_config object on tls_config_free().
+
+
- Free alert_data and phh_data in tls13_record_layer_free()
+ these could leak if SSL_shutdown() or tls_close() were called
+ after closing the underlying socket().
+
+
- Gracefully handle root certificates being both trusted and
+ untrusted.
+
+
- Handle X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE in the new
+ verifier.
+
+
- Use the legacy verifier when building auto chains for TLS.
+
+
- Search the intermediates only after searching the root certs in the
+ new verifier to avoid problems with the legacy callback.
+
+
- Bail out early after finding a single chain in the new verifier, if
+ we have been called via the legacy verifier API.
+
+
- Set (invalid and likely incomplete) chain on the xsc on chain build
+ failure prior to calling the callback. This is required by various
+ callers, including auto chain.
+
+
- Remove direct assignment of aead_ctx to avoid a leak.
+
+
- Fail early in legacy exporter if the master secret is not available
+ to avoid a segfault if it is called when the handshake is not
+ completed.
+
+
- Only print the certificate file once on verification failure.
+
+
- Fix an off-by-one in x509_verify_set_xsc_chain() to make sure that
+ the new validator checks for EXFLAG_CRITICAL in
+ x509_vfy_check_chain_extension() for all untrusted certs in the
+ chain. Take into account that the root is not necessarily trusted.
+
+
- Avoid passing last and depth to x509_verify_cert_error() on ENOMEM.
+
+
- Fix two bugs in the legacy verifier that resulted from refactoring
+ of X509_verify_cert() for the new verifier: a return value was
+ incorrectly treated as boolean, making it insufficient to decide
+ whether validation should carry on or not.
+
+
- Fix checks for memory caps of constraints names. There are internal
+ caps on the number of name constraints and other names, that the new
+ name constraints code allocates per cert chain. These limits were
+ checked too late, making them only partially effective.
+
+
- Fix a copy-paste error - skid was confused with an akid when
+ checking for EXFLAG_INVALID. This broke OCSP validation with
+ certain mirrors.
+
+
- Avoid a use-after-scope in tls13_cert_add().
+
+
- Avoid mangled output in BIO_debug_callback().
+
+
- Fix client initiated renegotiation by replacing use of s->internal-type
+ with s->server.
+
+
- Avoid transcript initialization when sending a TLS HelloRequest,
+ fixing server initiated renegotiation.
+
+
- Avoid leaking param->name in x509_verify_param_zero().
+
+
- Avoid a leak in an error path in openssl(1) x509.
+
+
- When sending an alert in TLSv1.3, only set its error code when no
+ other error was set previously. Certain clients rely on specific
+ SSL_R_ error codes to identify that they are dealing with a self
+ signed cert.
+
+
- When switching from the TLSv1.3 stack to the legacy stack include
+ a TLS record header. This is necessary if there is more than one
+ handshake message in the TLS plaintext record.
+
+
- Fix resource handling on error in OCSP_request_add0_id().
+
+
- Make sure there is enough room for stashing the handshake message
+ when switching to the legacy TLS stack.
+
+
- Fix a memory leak in the openssl(1) s_client.
+
+
- Unbreak DTLS retransmissions for flights that include a CCS.
+
+
- If x509_verify() fails, ensure that the error is set on both
+ the x509_verify_ctx() and its store context to make some failures
+ visible from SSL_get_verify_result().
+
+
- Use the X509_STORE_CTX get_issuer() callback from the new X.509
+ verifier to fix hashed certificate directories.
+
+
- Only check BIO_should_read() on read and BIO_should_write() on
+ write. Previously, BIO_should_write() was also checked after read
+ and BIO_should_read() after write which could cause stalls in
+ software that uses the same BIO for read and write.
+
+
- In openssl(1) verify, also check for error on the store context
+ since the return value of X509_verify_cert() is unreliable in
+ presence of a callback that returns 1 too often.
+
+
- Handle additional certificate error cases in the new X.509 verifier.
+ Keep track of the errors encountered if a verify callback tells the
+ verifier to continue and report them back via the error on the store
+ context. This mimics the behavior of the old verifier that would
+ persist the first error encountered while building the chain.
+
+
- Report specific failures for "self signed certificates" in a way
+ compatible with the old verifier since software relies on the
+ error code.
+
+
- Plug a large memory leak in the new verifier caused by calling
+ X509_policy_check() repeatedly.
+
+
- Avoid leaking memory in x509_verify_chain_dup().
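Review bot: The first item under "Testing and Proactive Security" ("Malformed ASN.1 in a certificate revocation list or a timestamp response token can lead to a NULL pointer dereference.") describes the defect rather than the fix, unlike its neighbours ("Pull in fix for EVP_CipherUpdate() overflow", "Use EXFLAG_INVALID to handle ..."), so a reader cannot tell whether 6.9 is affected or fixed; reword it as a fix, e.g. "Fix a NULL pointer dereference on malformed ASN.1 in a certificate revocation list or a timestamp response token." A few smaller nits in the same hunk: the function is spelled "EVP_PKEY_new_CMAC_KEY(3)" in the "Provide" item but "EVP_PKEY_new_CMAC_key(3)" in the "Document" item (and that line is the only one in the list without a trailing period), so make the two agree; "Update SSL_get_version.3 manual for DTLSv.1.2 support" should read "DTLSv1.2" like every other mention; and "replacing use of s->internal-type with s->server" looks like a dropped arrow, presumably "s->internal->type". Finally, "Move point-on-curve check to set_affine_coordinates to avoid verifying ECDSA signatures with unchecked public keys" is a security-relevant hardening filed under "Bug Fixes"; consider listing it under "Testing and Proactive Security" where readers scanning for security changes will look.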