| version 1.49, 2022/10/03 12:47:04 |
version 1.50, 2022/10/03 14:48:16 |
|
|
| |
|
| <li>LibreSSL version 3.6.0 |
<li>LibreSSL version 3.6.0 |
| <ul> |
<ul> |
| <li>New Features |
<li>New features |
| <ul> |
<ul> |
| <li>... |
<li>EVP API for HKDF ported from OpenSSL and subsequently cleaned up. |
| |
<li>The security level API (SSL_{,CTX}_{get,set}_security_level()) is |
| |
now available. Callbacks and ex_data are not supported. Sane |
| |
software will not be using this. |
| |
<li>Experimental support for the BoringSSL QUIC API. |
| |
<li>Add initial support for TS ESSCertIDv2 verification. |
| |
<li>LibreSSL now uses the Baillie-PSW primality test instead of |
| |
Miller-Rabin. |
| </ul> |
</ul> |
| |
|
| <li>Portable Improvements |
<li>Compatibility changes |
| <ul> |
<ul> |
| <li>... |
<li>The ASN.1 time parser has been refactored and rewritten using CBS. |
| |
It has been made stricter in that it now enforces the rules from |
| |
RFC 5280. |
| |
<li>ASN1_AFLG_BROKEN was removed. |
| |
<li>Error check tls_session_secret_cb() like OpenSSL. |
| |
<li>Added ASN1_INTEGER_{get,set}_{u,}int64() |
| |
<li>Move leaf certificate checks to the last thing after chain |
| |
validation. |
| |
<li>Added -s option to openssl(1) ciphers that only shows the ciphers |
| |
supported by the specified protocol. |
| |
<li>Use TLS_client_method() instead of TLSv1_client_method() in |
| |
the openssl(1) ciphers command. |
| |
<li>Validate the protocols in SSL{_CTX,}_set_alpn_protos(). |
| |
<li>Made TS and PKCS12 opaque. |
| |
<li>Per RFC 7292, safeContentsBag is a SEQUENCE OF, not a SET OF. |
| |
<li>Align PKCS12_key_gen_uni() with OpenSSL |
| |
<li>Various PKCS12 and TS accessors were added. In particular, the |
| |
TS_RESP_CTX_set_time_cb() function was added back. |
| |
<li>Allow a NULL header in PEM_write{,_bio}() |
| |
<li>Allow empty attribute sets in CSRs. |
| |
<li>Adjust signatures of BIO_ctrl functions. |
| |
<li>Provide additional defines for EVP AEAD. |
| |
<li>Provide OPENSSL_cleanup(). |
| |
<li>Make BIO_info_cb() identical to bio_info_cb(). |
| </ul> |
</ul> |
| |
|
| <li>Compatibility Changes |
|
| <ul> |
|
| <li>... |
|
| </ul> |
|
| |
|
| <li>Bug fixes |
<li>Bug fixes |
| <ul> |
<ul> |
| <li>... |
<li>Avoid use of uninitialized in BN_mod_exp_recp(). |
| |
<li>Fix X509_get_extension_flags() by ensuring that EXFLAG_INVALID is |
| |
set on X509_get_purpose() failure. |
| |
<li>Fix HMAC() with NULL key. |
| |
<li>Add ERR_load_{COMP,CT,KDF}_strings() to ERR_load_crypto_strings(). |
| |
<li>Avoid strict aliasing violations in BN_nist_mod_*(). |
| |
<li>Do not return X509_V_ERR_UNSPECIFIED from X509_check_ca(). |
| |
No return value of X509_check_ca() indicates failure. Application |
| |
code should therefore issue a checked call to X509_check_purpose() |
| |
before calling X509_check_ca(). |
| |
<li>Rewrite and fix X509v3_asid_subset() to avoid segfaults on some |
| |
valid input. |
| |
<li>Call the ASN1_OP_D2I_PRE callback after ASN1_item_ex_new(). |
| |
<li>Fix d2i_ASN1_OBJECT to advance the *der_in pointer correctly. |
| |
<li>Avoid use of uninitialized in ASN1_STRING_to_UTF8(). |
| |
<li>Do not pass uninitialized pointer to ASN1_STRING_to_UTF8(). |
| |
<li>Do not refuse valid IPv6 addresses in nc(1)'s HTTP CONNECT proxy. |
| |
<li>Do not reject primes in trial divisions. |
| |
<li>Error out on negative shifts in BN_{r,l}shift() instead of |
| |
accessing arrays out of bounds. |
| |
<li>Fix URI name constraints, allow for URI's with no host part. |
| |
<li>Fix the legacy verifier callback behaviour for untrusted certs. |
| |
<li>Correct serfver-side handling of TLSv1.3 key updates. |
| |
<li>Plug leak in PKCS12_setup_mac(). |
| |
<li>Plug leak in X509V3_add1_i2d(). |
| |
<li>Only print X.509 versions we know about. |
| |
<li>Avoid signed integer overflow due to unary negation |
| |
<li>Initialize readbytes in BIO_gets(). |
| |
<li>Plug memory leak in CMS_add_simple_smimecap(). |
| |
<li>Plug memory leak in X509_REQ_print_ex(). |
| |
<li>Check HMAC() return value to avoid a later use of uninitialized. |
| |
<li>Avoid potential NULL dereference in ssl_set_pkey(). |
| |
<li>Check return values in ssl_print_tmp_key(). |
| |
<li>Switch loop bounds from size_t to int in check_hosts(). |
| |
<li>Avoid division by zero if no connection was made in s_time.c. |
| |
<li>Check sk_SSL_CIPHER_push() return value |
| |
<li>Avoid out-of-bounds read in ssl_cipher_process_rulestr(). |
| |
<li>Use LONG_MAX as the limit for ciphers with long based APIs. |
| </ul> |
</ul> |
| |
|
| <li>Internal Improvements |
<li>Internal improvements |
| <ul> |
<ul> |
| <li>... |
<li>Avoid expensive RFC 3779 checks during cert verification. |
| </ul> |
<li>The templated ASN.1 decoder has been cleaned up, refactored, |
| |
modernized with parts rewritten using CBB and CBS. |
| <li>Documentation improvements |
<li>The ASN.1 time parser has been rewritten. |
| <ul> |
<li>Rewrite and fix ASN1_STRING_to_UTF8(). |
| <li>... |
<li>Use asn1_abs_set_unused_bits() rather than inlining it. |
| |
<li>Simplify ec_asn1_group2curve(). |
| |
<li>First pass at a clean up of ASN1_item_sign_ctx() |
| |
<li>ssl_txt.c was cleaned up. |
| |
<li>Internal function arguments and struct member have been changed |
| |
to size_t. |
| |
<li>Lots of missing error checks of EVP API were added. |
| |
<li>Clean up and clarify BN_kronecker(). |
| |
<li>Simplify ASN1_INTEGER_cmp() |
| |
<li>Rewrite ASN1_INTEGER_{get,set}() using CBS and CBB and reuse |
| |
the ASN1_INTEGER functions for ASN1_ENUMERATED. |
| |
<li>Use ASN1_INTEGER to parse and build {Z,}LONG_it |
| |
<li>Refactored and cleaned up group (elliptic curve) handling in |
| |
t1_lib.c. |
| |
<li>Simplify certificate list handling code in the legacy server. |
| |
<li>Make CBB_finish() fail if *out_data is not NULL. |
| |
<li>Remove tls_buffer_set_data() and remove/revise callers. |
| |
<li>Rewrite SSL{_CTX,}_set_alpn_protos() using CBS. |
| |
<li>Simplify tlsext_supported_groups_server_parse(). |
| |
<li>Remove redundant length checks in tlsext parse functions. |
| |
<li>Simplify tls13_server_encrypted_extensions_recv(). |
| |
<li>Add read and write support to tls_buffer. |
| |
<li>Convert TLS transcript from BUF_MEM to tls_buffer. |
| |
<li>Clear key on exit in PKCS12_gen_mac(). |
| |
<li>Minor fixes in PKCS12_parse(). |
| |
<li>Provide and use a primitive clear function for BIGNUM_it. |
| |
<li>Use ASN1_INTEGER to encode/decode BIGNUM_it. |
| |
<li>Add stack frames to AES-NI x86_64 assembly. |
| |
<li>Use named initialisers for BIGNUMs. |
| |
<li>Tidy up some of BN_nist_mod_*. |
| |
<li>Expand BLOCK_CIPHER_* and related macros. |
| |
<li>Avoid shadowing the cbs function parameter in |
| |
tlsext_alpn_server_parse() |
| |
<li>Deduplicate peer certificate chain processing code. |
| |
<li>Make it possible to signal an error from an i2c_* function. |
| |
<li>Rewrite i2c_ASN1_INTEGER() using CBB/CBS. |
| |
<li>Remove UINT32_MAX limitation on ChaCha() and CRYPTO_chacha_20(). |
| |
<li>Remove bogus length checks from EVP_aead_chacha20_poly1305(). |
| |
<li>Reworked DSA_size() and ECDSA_size(). |
| |
<li>Stop using CBIGNUM_it internal to libcrypto. |
| |
<li>Provide c2i_ASN1_ENUMERATED_cbs() and call it from |
| |
asn1_c2i_primitive(). |
| |
<li>Ensure ASN.1 types are appropriately encoded. |
| |
<li>Avoid recycling ASN1_STRINGs when decoding ASN.1. |
| |
<li>Tidy up asn1_c2i_primitive() slightly. |
| |
<li>Mechanically expand IMPLEMENT_BLOCK_CIPHER, IMPLEMENT_CFBR, |
| |
BLOCK_CIPHER and the looney M_do_cipher macros. |
| |
<li>Use correct length for EVP CFB mode ciphers. |
| |
<li>Provide a version of ssl_msg_callback() that takes a CBS. |
| |
<li>Use CBS to parse TLS alerts in the legacy stack. |
| |
<li>Increment the input and output position for EVP AES CFB1. |
| |
<li>Ensure there is no trailing data for a CCS received by the |
| |
TLSv1.3 stack. |
| |
<li>Use CBS when procesing a CCS message in the legacy stack. |
| |
<li>Be stricter with middlebox compatibility mode in the TLSv1.3 |
| |
server. |
| </ul> |
</ul> |
| </ul> |
</ul> |
| |
|
![[BACK]](/icons/back.gif){kind=icon}
Return to 72.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www