version 1.110, 2023/10/16 12:52:19 |
version 1.111, 2023/10/16 13:40:30 |
|
|
<ul> |
<ul> |
<li>Disabled TLSv1.0 and TLSv1.1 in libssl so that they may no longer |
<li>Disabled TLSv1.0 and TLSv1.1 in libssl so that they may no longer |
be selected for use. |
be selected for use. |
<li>BN_is_prime{,_fasttest}_ex() refuse to check numbers larger than |
<li><a href="https://man.openbsd.org/BN_is_prime_ex.3">BN_is_prime_ex(3)</a> |
|
and BN_is_prime_fasttest_ex(3) refuse to check numbers larger than |
32 kbits for primality. This mitigates various DoS vectors. |
32 kbits for primality. This mitigates various DoS vectors. |
<li>Restricted the RFC 3779 code to IPv4 and IPv6. It was not written |
<li>Restricted the RFC 3779 code to IPv4 and IPv6. It was not written |
to be able to deal with anything else. |
to be able to deal with anything else. |
|
|
<li>Adapted more tests to the portable framework. |
<li>Adapted more tests to the portable framework. |
<li>Internal tools are now statically linked. |
<li>Internal tools are now statically linked. |
<li>Applications bundled as part of the LibreSSL package internally, |
<li>Applications bundled as part of the LibreSSL package internally, |
nc(1) and openssl(1), now are linked statically if static libraries |
<a href="https://man.openbsd.org/nc.1">nc(1)</a> and |
are built. |
<a href="https://man.openbsd.org/openssl.1">openssl(1)</a>, |
|
now are linked statically if static libraries are built. |
<li>Internal compatibility function symbols are no longer exported from |
<li>Internal compatibility function symbols are no longer exported from |
libcrypto. Instead, the libcompat library is linked to libcrypto, |
libcrypto. Instead, the libcompat library is linked to libcrypto, |
libssl, and libtls separately. This increases size a little, but |
libssl, and libtls separately. This increases size a little, but |
|
|
</ul> |
</ul> |
<li>New features |
<li>New features |
<ul> |
<ul> |
<li>Added support for truncated SHA-2 and for SHA-3. |
<li>Added support for |
|
<a href="https://man.openbsd.org/EVP_sha512_224.3">truncated SHA-2</a> |
|
and for <a href="https://man.openbsd.org/EVP_sha3_224.3">SHA-3</a>. |
<li>The BPSW primality test performs additional Miller-Rabin rounds |
<li>The BPSW primality test performs additional Miller-Rabin rounds |
with random bases to reduce the likelihood of composites passing. |
with random bases to reduce the likelihood of composites passing. |
<li>Allow testing of ciphers and digests using badly aligned buffers |
<li>Allow testing of ciphers and digests using badly aligned buffers |
in openssl speed using -unalign. |
in openssl speed using -unalign. |
<li>Ed25519 certificates are now supported in openssl(1) ca and req. |
<li>Ed25519 certificates are now supported in openssl(1) |
|
<a href="https://man.openbsd.org/openssl.1#ca">ca</a> and |
|
<a href="https://man.openbsd.org/openssl.1#req">req</a>. |
Prepared Ed25519 support in libssl. |
Prepared Ed25519 support in libssl. |
<li>Add branch target information (BTI) support to amd64 and arm64 |
<li>Add branch target information (BTI) support to amd64 and arm64 |
assembly. |
assembly. |
|
|
of this, some stub functions are provided to avoid patching some |
of this, some stub functions are provided to avoid patching some |
applications that do not honor OPENSSL_NO_ENGINE. |
applications that do not honor OPENSSL_NO_ENGINE. |
<li>The POLICY_TREE and its related structures and API were removed. |
<li>The POLICY_TREE and its related structures and API were removed. |
<li>In X509_VERIFY_PARAM_inherit() copy hostflags independently of the |
<li>In <a href="https://man.openbsd.org/X509_VERIFY_PARAM_inherit.3" |
|
>X509_VERIFY_PARAM_inherit(3)</a>, copy hostflags independently of the |
host list. |
host list. |
<li>Made CRYPTO_get_ex_new_index() not return 0 to allow applications |
<li>Made <a href="https://man.openbsd.org/CRYPTO_get_ex_new_index.3" |
|
>CRYPTO_get_ex_new_index(3)</a> not return 0 to allow applications |
to use *_{get,set}_app_data() and *_{get,set}_ex_data() alongside |
to use *_{get,set}_app_data() and *_{get,set}_ex_data() alongside |
each other. |
each other. |
<li>X509_NAME_get_text_by_{NID,OBJ}() now only succeed if they contain |
<li><a href="https://man.openbsd.org/X509_NAME_get_text_by_NID.3" |
|
>X509_NAME_get_text_by_NID(3)</a> and |
|
<a href="https://man.openbsd.org/X509_NAME_get_text_by_OBJ.3" |
|
>X509_NAME_get_text_by_OBJ(3)</a> now only succeed if they contain |
valid UTF-8 without embedded NUL. |
valid UTF-8 without embedded NUL. |
<li>The explicitText user notice uses UTF8String instead of VisibleString |
<li>The explicitText user notice uses UTF8String instead of VisibleString |
to reduce the risk of emitting certificates with invalid DER-encoding. |
to reduce the risk of emitting certificates with invalid DER-encoding. |
<li>Initial fixes for RSA-PSS support to make the TLSv1.3 stack more |
<li>Initial fixes for RSA-PSS support to make the TLSv1.3 stack more |
compliant with RFC 8446. |
compliant with RFC 8446. |
<li>Fixed EVP_CIPHER_CTX_iv_length() to return what was set with |
<li>Fixed <a href="https://man.openbsd.org/EVP_CIPHER_CTX_iv_length.3" |
|
>EVP_CIPHER_CTX_iv_length(3)</a> to return what was set with |
EVP_CTRL_AEAD_SET_IVLEN or one of its aliases. |
EVP_CTRL_AEAD_SET_IVLEN or one of its aliases. |
</ul> |
</ul> |
<li>Internal improvements |
<li>Internal improvements |
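Review bot: in the X509_NAME_get_text_by_NID(3) / X509_NAME_get_text_by_OBJ(3) entry, the reworked sentence still reads "now only succeed if they contain valid UTF-8 without embedded NUL", where "they" grammatically refers to the two functions. Since this entry is being rewritten anyway, suggest naming what must contain valid UTF-8 instead of "they", so the behaviour change is unambiguous for callers who rely on these functions to extract names from certificates.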
|
|
are now less confused. |
are now less confused. |
<li>Improved BIGNUM internals and performance. |
<li>Improved BIGNUM internals and performance. |
<li>Significantly simplified the BN_BLINDING internals used in RSA. |
<li>Significantly simplified the BN_BLINDING internals used in RSA. |
<li>Made BN_num_bits() independent of bn->top. |
<li>Made <a href="https://man.openbsd.org/BN_num_bits.3">BN_num_bits(3)</a> |
|
independent of bn->top. |
<li>Rewrote and simplified bn_sqr(). |
<li>Rewrote and simplified bn_sqr(). |
<li>Significantly improved Montgomery multiplication performance. |
<li>Significantly improved Montgomery multiplication performance. |
<li>Rewrote and improved BN_exp() and BN_copy(). |
<li>Rewrote and improved |
<li>Changed ASN1_item_sign_ctx() and ASN1_item_verify() to work with |
<a href="https://man.openbsd.org/BN_exp.3">BN_exp(3)</a> and |
|
<a href="https://man.openbsd.org/BN_copy.3">BN_copy(3)</a>. |
|
<li>Changed <a href="https://man.openbsd.org/ASN1_item_sign_ctx.3" |
|
>ASN1_item_sign_ctx(3)</a> and |
|
<a href="https://man.openbsd.org/ASN1_item_verify.3" |
|
>ASN1_item_verify(3)</a> to work with |
Ed25519 and fixed a few bugs in there. |
Ed25519 and fixed a few bugs in there. |
<li>Lots of cleanup for DH, DSA, EC, RSA internals. Plugged numerous |
<li>Lots of cleanup for DH, DSA, EC, RSA internals. Plugged numerous |
memory leaks, fixed logic errors and inconsistencies. |
memory leaks, fixed logic errors and inconsistencies. |
<li>Cleaned up and simplified various ECDH and ECDSA internals. |
<li>Cleaned up and simplified various ECDH and ECDSA internals. |
<li>Removed EC_GROUP precomp machinery. |
<li>Removed EC_GROUP precomp machinery. |
<li>Fixed various issues with EVP_PKEY_CTX_{new,dup}(). |
<li>Fixed various issues with |
<li>Rewrote OBJ_find_sigid_algs() and OBJ_find_sigid_by_algs(). |
<a href="https://man.openbsd.org/EVP_PKEY_CTX_new.3" |
|
>EVP_PKEY_CTX_new(3)</a> and EVP_PKEY_CTX_dup(3). |
|
<li>Rewrote <a href="https://man.openbsd.org/OBJ_find_sigid_algs" |
|
>OBJ_find_sigid_algs(3)</a> and OBJ_find_sigid_by_algs(3). |
<li>Improved X.509 certificate version checks. |
<li>Improved X.509 certificate version checks. |
<li>Ensure no X.509v3 extensions appear more than once in certificates. |
<li>Ensure no X.509v3 extensions appear more than once in certificates. |
<li>Replaced ASN1_bn_print with a cleaner internal implementation. |
<li>Replaced ASN1_bn_print with a cleaner internal implementation. |
<li>Fix OPENSSL_cpuid_setup() invocations on arm/aarch64. |
<li>Fix OPENSSL_cpuid_setup() invocations on arm/aarch64. |
<li>Improved checks for commonName in libtls. |
<li>Improved checks for commonName in libtls. |
<li>Fixed error check for X509_get_ext_d2i() failure in libtls. |
<li>Fixed error check for |
|
<a href="https://man.openbsd.org/X509_get_ext_d2i.3" |
|
>X509_get_ext_d2i(3)</a> failure in libtls. |
<li>Removed code guarded by #ifdef ZLIB. |
<li>Removed code guarded by #ifdef ZLIB. |
<li>Plug a potential memory leak in ASN1_TIME_normalize(). |
<li>Plug a potential memory leak in |
|
<a href="https://man.openbsd.org/ASN1_TIME_normalize.3" |
|
>ASN1_TIME_normalize(3)</a>. |
<li>Fixed a use of uninitialized in i2r_IPAddrBlocks(). |
<li>Fixed a use of uninitialized in i2r_IPAddrBlocks(). |
<li>Rewrote CMS_SignerInfo_{sign,verify}(). |
<li>Rewrote <a href="https://man.openbsd.org/CMS_SignerInfo_sign.3" |
|
>CMS_SignerInfo_sign(3)</a> and CMS_SignerInfo_verify(3). |
</ul> |
</ul> |
<li>Bug fixes |
<li>Bug fixes |
<ul> |
<ul> |
<li>Correctly handle negative input to various BIGNUM functions. |
<li>Correctly handle negative input to various BIGNUM functions. |
<li>Ensure ERR_load_ERR_strings() does not set errno unexpectedly. |
<li>Ensure ERR_load_ERR_strings() does not set errno unexpectedly. |
<li>Fix error checking of i2d_ECDSA_SIG() in ossl_ecdsa_sign(). |
<li>Fix error checking of |
<li>Fixed aliasing issue in BN_mod_inverse(). Disallowed aliasing of result |
<a href="https://man.openbsd.org/i2d_ECDSA_SIG.3">i2d_ECDSA_SIG(3)</a> |
|
in ossl_ecdsa_sign(). |
|
<li>Fixed aliasing issue in |
|
<a href="https://man.openbsd.org/BN_mod_inverse.3" |
|
>BN_mod_inverse(3)</a>. Disallowed aliasing of result |
and modulus in various BN_mod_* functions. |
and modulus in various BN_mod_* functions. |
<li>Fixed detection of extended operations (XOP) on AMD hardware. |
<li>Fixed detection of extended operations (XOP) on AMD hardware. |
<li>Ensure Montgomery exponentiation is used for the initial RSA blinding. |
<li>Ensure Montgomery exponentiation is used for the initial RSA blinding. |
<li>Policy is always checked in X509 validation. Critical policy extensions |
<li>Policy is always checked in X509 validation. Critical policy extensions |
are no longer silently ignored. |
are no longer silently ignored. |
<li>Fixed error handling in tls_check_common_name(). |
<li>Fixed error handling in tls_check_common_name(). |
<li>Add missing pointer invalidation in SSL_free(). |
<li>Add missing pointer invalidation in |
|
<a href="https://man.openbsd.org/SSL_free.3">SSL_free(3)</a>. |
<li>Fixed X509err() and X509V3err() and their internal versions. |
<li>Fixed X509err() and X509V3err() and their internal versions. |
<li>Ensure that OBJ_obj2txt() always returns a C string again. |
<li>Ensure that |
<li>Made EVP_PKEY_set1_hkdf_key() fail on a NULL key. |
<a href="https://man.openbsd.org/OBJ_obj2txt.3">OBJ_obj2txt(3)</a> |
|
always returns a C string again. |
|
<li>Made <a href="https://man.openbsd.org/EVP_PKEY_CTX_set1_hkdf_key" |
|
>EVP_PKEY_CTX_set1_hkdf_key(3)</a> fail on a NULL key. |
<li>On socket errors in the poll loop, netcat could issue system calls |
<li>On socket errors in the poll loop, netcat could issue system calls |
on invalidated file descriptors. |
on invalidated file descriptors. |
<li>Allow IP addresses to be specified in a URI. |
<li>Allow IP addresses to be specified in a URI. |
<li>Fixed a copy-paste error in ASN1_TIME_compare() that could lead |
<li>Fixed a copy-paste error in |
to two UTCTimes or two GeneralizedTimes incorrectly being compared |
<a href="https://man.openbsd.org/ASN1_TIME_compare.3" |
as equal. |
>ASN1_TIME_compare(3)</a> that could lead to two UTCTimes |
|
or two GeneralizedTimes incorrectly being compared as equal. |
</ul> |
</ul> |
<li>Documentation improvements |
<li>Documentation improvements |
<ul> |
<ul> |
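Review bot: two of the added hrefs in this hunk lack the manual section suffix that the other added links carry. `https://man.openbsd.org/OBJ_find_sigid_algs` and `https://man.openbsd.org/EVP_PKEY_CTX_set1_hkdf_key` have no `.3`, unlike for example `https://man.openbsd.org/BN_exp.3` and `https://man.openbsd.org/SSL_free.3`. Suggest appending `.3` to both so the links are uniform and pinned to the section. The second of these entries also changes the function name from EVP_PKEY_set1_hkdf_key() to EVP_PKEY_CTX_set1_hkdf_key(3), which is a content correction rather than markup and is worth calling out in the commit message.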
|
|
</ul> |
</ul> |
<li>Testing and Proactive Security |
<li>Testing and Proactive Security |
<ul> |
<ul> |
<li>Significantly improved test coverage of BN_mod_sqrt() and GCD. |
<li>Significantly improved test coverage of |
|
<a href="https://man.openbsd.org/BN_mod_sqrt.3">BN_mod_sqrt(3)</a> |
|
and GCD. |
<li>As always, new test coverage is added as bugs are fixed and subsystems |
<li>As always, new test coverage is added as bugs are fixed and subsystems |
are cleaned up. |
are cleaned up. |
</ul> |
</ul> |