version 1.37, 2021/04/14 21:11:50
version 1.38, 2021/04/15 14:06:07

<ul>
<li>New Features
<ul>
<li>Support for DTLSv1.2.
<li>Continued rewrite of the record layer for the legacy stack.
<li>Numerous bugs and interoperability issues were fixed in the new verifier.
<li>The OpenSSL 1.1 TLSv1.3 API is not yet available.
</ul>

<!-- taken from plus.html, not sorted into categories:
<li>Portable Improvements
<ul>
<li>Added '--enable-libtls-only' build option, which builds and installs a
statically-linked libtls, skipping libcrypto and libssl. This is useful
for systems that ship with OpenSSL but wish to also package libtls.
<li>Update getentropy on Windows to use Cryptography Next Generation
(CNG). wincrypt is deprecated and no longer works with newer Windows
environments, such as in Windows Store apps.
</ul>
<li>Added a -legacy_verify flag to <a href="https://man.openbsd.org/openssl.1">openssl(1)</a> to force use of the old validator.
<li>Changed <a href="https://man.openbsd.org/crypto.3">crypto(3)</a>
to call its get_issuer() callback to try and find a suitable
certificate in cases where it has failed to find a parent certificate
from the supplied roots and intermediates.
<li>Corrected an issue where <a href="https://man.openbsd.org/openssl.1">openssl(1)</a> verify might not error on expired certificates.
<li>Fixed an issue in the TLS 1.3 code that caused stalls in haproxy and other software.
<li>Implemented auto chain for the TLSv1.3 server.
<li>Implemented the key material exporter for TLSv1.3.
<li>Fixed problems which could arise with software such as bacula and icinga when a root certificate was specified as both a trusted and an untrusted certificate.
<li>Added support for <a href="https://man.openbsd.org/SSL_get_shared_ciphers.3">SSL_get_shared_ciphers(3)</a> in TLSv1.3 and fixed to correctly return ciphers shared by the client and the server.
<li>Requested client certificate only when required in <a href="https://man.openbsd.org/smtpd.8">smtpd(8)</a>.
<li>Enabled DTLSv1.2.
-->

<li>API and Documentation Enhancements
<ul>
<li>Add a number of RPKI OIDs from RFC 6482, 6484, 6493, 8182, 8360,
draft-ietf-sidrops-rpki-rta, and draft-ietf-opsawg-finding-geofeeds.
<li>Add support for SSL_get_shared_ciphers() with TLSv1.3.
<li>Add DTLSv1.2 methods.
<li>Implement SSL_is_dtls() and use it internally in place of the
SSL_IS_DTLS macro.
<li>Provide EVP_PKEY_new_CMAC_key(3).
<li>Add missing prototype for d2i_DSAPrivateKey_fp(3) to x509.h.
<li>Add DTLSv1.2 to openssl(1) s_server and s_client protocol message
logging.
<li>Provide SSL_use_certificate_chain_file(3).
<li>Provide SSL_set_hostflags(3) and SSL_get0_peername(3).
<li>Provide various DTLSv1.2 specific functions and defines.
<li>Document meaning of '*' in the genrsa output.
<li>Updated documentation for SSL_get_shared_ciphers(3).
<li>Add documentation for SSL_get_finished(3).
<li>Document EVP_PKEY_new_CMAC_key(3).
<li>Document SSL_use_certificate_chain_file(3).
<li>Document SSL_set_hostflags(3) and SSL_get0_peername(3).
<li>Update SSL_get_version.3 manual for DTLSv1.2 support.
<li>Make supported protocols and options for DHE params more prominent
in tls_config_set_protocols.3.
<li>Various documentation improvements around TLS methods.
</ul>

<li>Compatibility Changes
<ul>
<li>Make openssl(1) s_server ignore -4 and -6 for compatibility with
OpenSSL.
<li>Set SO_REUSEADDR on the server socket in the openssl(1) ocsp
command.
<li>Send a host header with OCSP queries to make openssl(1) ocsp
work with some widely used OCSP responders.
<li>Add ability to ocspcheck(8) to parse a port in the specified
OCSP URL.
<li>Implement auto chain for the TLSv1.3 server since some software
relies on this.
<li>Implement key exporter for TLSv1.3.
<li>Align SSL_get_shared_ciphers() with OpenSSL. This takes into account
that it never returned server ciphers, so now it will fail when
called from the client side.
<li>Sync cert.pem with Mozilla NSS root CAs except "GeoTrust Global CA".
<li>Make SSL{_CTX,}_get_{min,max}_proto_version() return a version of
zero if the minimum or maximum has been set to zero to match
OpenSSL's behavior.
<li>Add DTLSv1.2 support to openssl s_client/s_server.
</ul>

<li>Testing and Proactive Security
<ul>
<li>Malformed ASN.1 in a certificate revocation list or a timestamp
response token can lead to a NULL pointer dereference.
<li>Pull in fix for EVP_CipherUpdate() overflow from OpenSSL.
<li>Use EXFLAG_INVALID to handle out of memory and parse errors in
x509v3_cache_extensions().
<li>Refactor and clean up ocspcheck(8) and add regression tests.
</ul>

<li>Internal Improvements
<ul>
<li>Further cleanup of the DTLS record handling.
<li>Continue the replacement of the TLSv1.2 record layer by
reimplementing the read side of the TLSv1.2 record handling.
<li>Replace DTLSv1_enc_data() with TLSv1_1_enc_data().
<li>Merge d1_{clnt,srvr}.c into ssl_{clnt,srvr}.c.
<li>Add const to ssl_ciphers and tls1[23]_sigalgs* to push them into
.data.rel.ro and .rodata, respectively.
<li>Add a const qualifier to srtp_known_profiles.
<li>Simplify TLS method by removing the client and server specific
methods internally.
<li>Avoid casting away const in ssl_ctx_make_profiles().
<li>Avoid explicitly conditioning an assert on DTLS1_VERSION to make
the assert work for newer DTLS versions.
<li>Merge SSL_ENC_METHOD into SSL_METHOD_INTERNAL.
<li>Add a flag to mark DTLS methods as DTLS to have an easy way to
recognize DTLS methods that avoids inspecting the version number.
<li>Mark a few more internal static tables const.
<li>Switch finish{,_peer}_md_len from an int to a size_t.
<li>Use EVP_MD_MAX_MD_SIZE instead of 2 * EVP_MD_MAX_MD_SIZE as size
for cert_verify_md[], finish_md[] and peer_finish_md[]. The factor 2
was a historical artefact.
<li>Free struct members in tls13_record_layer_free() in their natural
order for reviewability.
<li>Use consistent names in tls13_{client,server}_finished_{recv,send}().
<li>Add tls13_secret_{init,cleanup}() and use them throughout the
TLSv1.3 code base.
<li>Move the read MAC key into the TLSv1.2 record layer.
<li>Make tls12_record_layer_free() NULL safe.
<li>Split the record protection from the TLSv1.2 record layer.
<li>Clean up sequence number handling in the new TLSv1.2 record layer.
<li>Clean up sequence number handling in DTLS.
<li>Clean up dtls1_reset_seq_numbers().
<li>Factor out code for explicit IV length, block size and MAC length
from tls12_record_layer_open_record_protected_cipher().
<li>Provide record layer overhead for DTLS.
<li>Provide functions to determine if TLSv1.2 record protection is
engaged.
<li>Add code to handle change of cipher state in the new TLSv1.2 record
layer.
<li>Mop up now unused dtls1_build_sequence_numbers() function.
<li>Allow setting a keypair on a tls context without specifying the
private key, and fake it internally in libtls. This removes the
need for privsep engines like relayd to use bogus keys.
<li>Skip the private key check for fake private keys.
<li>Move the private key setup from tls_configure_ssl_keypair() to a
helper function with proper error checking.
<li>Change the internal tls_configure_ssl_keypair() function to
return -1 instead of 1 on failure.
<li>Move sequence numbers into the new TLSv1.2 record layer.
<li>Move AEAD handling into the new TLSv1.2 record layer.
<li>Factor out legacy stack version checks.
<li>Correct handshake MAC/PRF for various TLSv1.2 cipher suites which
were originally added with the default handshake MAC and PRF rather
than the SHA256 handshake MAC and PRF.
<li>Absorb ssl3_get_algorithm2() into ssl_get_handshake_evp_md().
<li>Use dtls1_record_retrieve_buffered_record() to load buffered
application data.
<li>Enforce read ahead with DTLS.
<li>Remove bogus DTLS checks that disabled ECC and OCSP.
<li>Clean up and simplify dtls1_get_cipher().
<li>Group HelloVerifyRequest decoding and add missing check for trailing
data.
<li>Revise HelloVerifyRequest handling for DTLSv1.2.
<li>Handle DTLS1_2_VERSION in various places.
<li>Rename the "truncated" label into "decode_err" and the "f_err"
label into "fatal_err".
<li>Factor out and change some of the legacy client version code.
<li>Simplify version checks in the TLSv1.3 client. Ensure that the
server announced TLSv1.3 and nothing higher and check that the
legacy_version is set to TLSv1.2 as required by RFC 8446.
<li>Only use TLS versions internally rather than both TLS and DTLS
versions since the latter are the one's complement of the human
readable version numbers, which means that newer versions decrease
in value.
<li>Identify DTLS based on the version major value.
<li>Move handling of cipher/hash based cipher suites into the new record
layer.
<li>Add tls12_record_protection_unused() and call it from CCS functions.
<li>Move key/IV length checks closer to usage sites. Also add explicit
checks against EVP_CIPHER_{iv,key}_length().
<li>Replace two handrolled versions of tls12_record_protection_engaged().
<li>Improve internal version handling: add handshake fields for our
minimum version, our maximum version and the TLS version negotiated
during the handshake. Convert most of the internal code to use these
version fields.
<li>Guard against future internal use of TLS1_get_{client,}_version()
macros.
<li>Remove the internal ssl_downgrade_max_version() function which is no
longer needed.
<li>Add support for DTLSv1.2 version handling.
<li>Remove no longer needed read ahead workarounds in the s_client and
s_server.
<li>Split TLSv1.3 record protection from record layer.
<li>Move the TLSv1.3 handshake struct inside the shared handshake
struct.
<li>Fully initialize rrec in tls12_record_layer_open_record_protected()
to avoid confusing some static analyzers.
<li>Use tls_set_errorx() on OCSP_basic_verify() failure since the latter
does not set errno.
<li>Convert openssl(1) x509 to new option handling and do the usual
clean up that goes along with it.
<li>Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.
<li>Rename new_cipher to cipher to align naming with keyblock or other
parts of the handshake data.
<li>Move the TLSv1.2 record number increment into the new record layer.
<li>Move finished and peer finished into the handshake struct.
<li>Remove pointless assignment in SSL_get0_alpn_selected().
<li>Add some error checking to openssl(1) x509.
</ul>
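The version arithmetic behind the items above (DTLS wire versions are the one's complement of the human-readable numbers, so DTLS 1.2 is numerically smaller than DTLS 1.0, and DTLS is told apart by the major byte rather than by magnitude), combined with the zero-means-unset convention for the minimum/maximum protocol version from the Compatibility Changes section, shown as an added C example that is not LibreSSL's own code. The version constants are the standard OpenSSL/LibreSSL wire values, defined locally so the block builds without the library headers; the function names are hypothetical.

```c
#include <stdint.h>

/* Wire version numbers as found in the OpenSSL/LibreSSL headers, defined
 * locally so this example builds without the library. */
#define TLS1_1_VERSION  0x0302
#define TLS1_2_VERSION  0x0303
#define TLS1_3_VERSION  0x0304
#define DTLS1_VERSION   0xFEFF  /* ~{1,0}: DTLS 1.0, which is based on TLS 1.1 */
#define DTLS1_2_VERSION 0xFEFD  /* ~{1,2}: DTLS 1.2, which is based on TLS 1.2 */

/* DTLS is recognised by the major byte 0xFE, never by magnitude. */
int version_is_dtls(uint16_t wire_version)
{
	return (wire_version >> 8) == 0xFE;
}

/* Map a wire version to the TLS version used for all internal comparisons.
 * Raw DTLS values order backwards (0xFEFD < 0xFEFF although 1.2 is newer),
 * so comparing them directly picks the wrong bound. Returns 0 if unknown. */
uint16_t version_to_tls(uint16_t wire_version)
{
	switch (wire_version) {
	case DTLS1_VERSION:   return TLS1_1_VERSION;
	case DTLS1_2_VERSION: return TLS1_2_VERSION;
	case TLS1_1_VERSION:
	case TLS1_2_VERSION:
	case TLS1_3_VERSION:  return wire_version;
	default:              return 0;
	}
}

/* Check an offered version against configured bounds, all as wire versions.
 * A bound of 0 means "not set", matching SSL_CTX_get_{min,max}_proto_version().
 * Returns 1 if acceptable, 0 if rejected or if TLS and DTLS are mixed. */
int version_in_range(uint16_t offered, uint16_t min_wire, uint16_t max_wire)
{
	uint16_t v = version_to_tls(offered);
	uint16_t lo = version_to_tls(min_wire);
	uint16_t hi = version_to_tls(max_wire);
	int dtls = version_is_dtls(offered);

	if (v == 0)
		return 0;
	/* A set bound must be a known version of the same protocol family. */
	if (min_wire != 0 && (lo == 0 || version_is_dtls(min_wire) != dtls || v < lo))
		return 0;
	if (max_wire != 0 && (hi == 0 || version_is_dtls(max_wire) != dtls || v > hi))
		return 0;
	return 1;
}
```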

<li>Bug Fixes
<ul>
<li>Move point-on-curve check to set_affine_coordinates to avoid
verifying ECDSA signatures with unchecked public keys.
<li>Fix SSL_is_server() to behave as documented by re-introducing the
client-specific methods.
<li>Avoid undefined behavior due to memcpy(NULL, NULL, 0).
<li>Make SSL_get{,_peer}_finished() work when used with TLSv1.3.
<li>Correct the return value type from ERR_peek_error() to a long.
<li>Avoid use of an uninitialized value in ASN1_time_parse(), which could happen
on parsing UTCTime if the caller did not initialise the passed
struct tm.
<li>Destroy the mutex in a tls_config object on tls_config_free().
<li>Free alert_data and phh_data in tls13_record_layer_free();
these could leak if SSL_shutdown() or tls_close() were called
after closing the underlying socket.
<li>Gracefully handle root certificates being both trusted and
untrusted.
<li>Handle X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE in the new
verifier.
<li>Use the legacy verifier when building auto chains for TLS.
<li>Search the intermediates only after searching the root certs in the
new verifier to avoid problems with the legacy callback.
<li>Bail out early after finding a single chain in the new verifier, if
we have been called via the legacy verifier API.
<li>Set (invalid and likely incomplete) chain on the xsc on chain build
failure prior to calling the callback. This is required by various
callers, including auto chain.
<li>Remove direct assignment of aead_ctx to avoid a leak.
<li>Fail early in legacy exporter if the master secret is not available
to avoid a segfault if it is called when the handshake is not
completed.
<li>Only print the certificate file once on verification failure.
<li>Fix an off-by-one in x509_verify_set_xsc_chain() to make sure that
the new validator checks for EXFLAG_CRITICAL in
x509_vfy_check_chain_extension() for all untrusted certs in the
chain. Take into account that the root is not necessarily trusted.
<li>Avoid passing last and depth to x509_verify_cert_error() on ENOMEM.
<li>Fix two bugs in the legacy verifier that resulted from refactoring
of X509_verify_cert() for the new verifier: a return value was
incorrectly treated as boolean, making it insufficient to decide
whether validation should carry on or not.
<li>Fix checks for memory caps of constraints names. There are internal
caps on the number of name constraints and other names, that the new
name constraints code allocates per cert chain. These limits were
checked too late, making them only partially effective.
<li>Fix a copy-paste error: skid was confused with an akid when
checking for EXFLAG_INVALID. This broke OCSP validation with
certain mirrors.
<li>Avoid a use-after-scope in tls13_cert_add().
<li>Avoid mangled output in BIO_debug_callback().
<li>Fix client initiated renegotiation by replacing use of s->internal->type
with s->server.
<li>Avoid transcript initialization when sending a TLS HelloRequest,
fixing server initiated renegotiation.
<li>Avoid leaking param->name in x509_verify_param_zero().
<li>Avoid a leak in an error path in openssl(1) x509.
<li>When sending an alert in TLSv1.3, only set its error code when no
other error was set previously. Certain clients rely on specific
SSL_R_ error codes to identify that they are dealing with a self
signed cert.
<li>When switching from the TLSv1.3 stack to the legacy stack include
a TLS record header. This is necessary if there is more than one
handshake message in the TLS plaintext record.
<li>Fix resource handling on error in OCSP_request_add0_id().
<li>Make sure there is enough room for stashing the handshake message
when switching to the legacy TLS stack.
<li>Fix a memory leak in the openssl(1) s_client.
<li>Unbreak DTLS retransmissions for flights that include a CCS.
<li>If x509_verify() fails, ensure that the error is set on both
the x509_verify_ctx and its store context to make some failures
visible from SSL_get_verify_result().
<li>Use the X509_STORE_CTX get_issuer() callback from the new X.509
verifier to fix hashed certificate directories.
<li>Only check BIO_should_read() on read and BIO_should_write() on
write. Previously, BIO_should_write() was also checked after read
and BIO_should_read() after write which could cause stalls in
software that uses the same BIO for read and write.
<li>In openssl(1) verify, also check for error on the store context
since the return value of X509_verify_cert() is unreliable in
presence of a callback that returns 1 too often.
<li>Handle additional certificate error cases in the new X.509 verifier.
Keep track of the errors encountered if a verify callback tells the
verifier to continue and report them back via the error on the store
context. This mimics the behavior of the old verifier that would
persist the first error encountered while building the chain.
<li>Report specific failures for "self signed certificates" in a way
compatible with the old verifier since software relies on the
error code.
<li>Plug a large memory leak in the new verifier caused by calling
X509_policy_check() repeatedly.
<li>Avoid leaking memory in x509_verify_chain_dup().
</ul>
</ul>

|