diff options
author | kinichiro <kinichiro.inoguchi@gmail.com> | 2020-10-07 23:35:51 +0900 |
---|---|---|
committer | Brent Cook <busterb@gmail.com> | 2020-10-17 03:15:28 -0500 |
commit | 2200d29ad01d8df226adcb8938575dfbd2c2bd10 (patch) | |
tree | 256e9f3f919ab1ad3afb09613641b8aadde5faac /ChangeLog | |
parent | 8b1dc0df49ab547bbab8f10046c494831c2e52b2 (diff) | |
download | portable-2200d29ad01d8df226adcb8938575dfbd2c2bd10.tar.gz portable-2200d29ad01d8df226adcb8938575dfbd2c2bd10.tar.bz2 portable-2200d29ad01d8df226adcb8938575dfbd2c2bd10.zip |
Update ChangeLog
Diffstat (limited to 'ChangeLog')
-rw-r--r-- | ChangeLog | 174 |
1 files changed, 39 insertions, 135 deletions
@@ -30,77 +30,18 @@ LibreSSL Portable Release Notes: | |||
30 | 30 | ||
31 | 3.2.2 - Stable release | 31 | 3.2.2 - Stable release |
32 | 32 | ||
33 | * Define OPENSSL_NO_SSL_TRACE in opensslfeatures.h. | 33 | * Improve the handling of BIO_read()/BIO_write() failures in the |
34 | 34 | TLSv1.3 stack. | |
35 | * Start replacing the existing TLSv1.2 record layer. | ||
36 | |||
37 | * Send alert on ssl_get_prev_session() failure. | ||
38 | |||
39 | * Simplify return codes for tls1_process_ticket() and | ||
40 | tls_decrypt_ticket(). | ||
41 | |||
42 | * Simplify tls_decrypt_ticket() exit path. | ||
43 | |||
44 | * Copy the session id directly in ssl_get_prev_session() instead of | ||
45 | handing it through several functions for copying. | ||
46 | |||
47 | * Split session retrieval out of ssl_get_prev_session(). | ||
48 | |||
49 | * Zero out variable on the stack to avoid leaving garbage in the tail | ||
50 | of short session ids. | ||
51 | |||
52 | * Remove unnecessary zeroing after recallocarray() in | ||
53 | ASN1_BIT_STRING_set_bit(). | ||
54 | |||
55 | * Rewrite X509_INFO_{new,free}() more idiomatically. | ||
56 | |||
57 | * Import commented versions of the latest OPENSSL_NO_* flags from | ||
58 | OpenSSL 1.1.1g. | ||
59 | |||
60 | * Document return value from EC_KEY_get0_public_key(3). | ||
61 | |||
62 | * Set alpn_selected_len = 0 whenever alpn_selected is NULL. | ||
63 | |||
64 | * Add option type OPTION_UL_VALUE_OR to openssl(1) option parser. | ||
65 | |||
66 | * Convert openssl(1) ocsp option handling. | ||
67 | |||
68 | * Major style cleanup in ocsp.c. | ||
69 | |||
70 | * Assorted ciphers related cleanup in ssl_lib.c. | ||
71 | |||
72 | * Add issuer cache in preparation for changes to the validation code. | ||
73 | |||
74 | * Replace some SSL_AD_* with TLS13_ALERT_* defines in the new TLSv1.3 | ||
75 | code. | ||
76 | |||
77 | * Rename ssl_cipher_is_permitted() to the more accurate and specific | ||
78 | ssl_cipher_allowed_in_version_range(). | ||
79 | |||
80 | * Simplify SSL_get_ciphers(). | ||
81 | |||
82 | * Remove cipher_list_by_id. | ||
83 | |||
84 | * Add a new implementation of X509 name constraints with regression | ||
85 | tests. | ||
86 | |||
87 | * Fix and re-enable cert and cipher interop tests. | ||
88 | |||
89 | * Include machine/endian.h gost2814789.c in order to pick up the | ||
90 | __STRICT_ALIGNMENT define. | ||
91 | |||
92 | * Enable the new X509 name constraints verification. | ||
93 | |||
94 | * Avoid an out-of-bounds write in BN_rand(). | ||
95 | 35 | ||
96 | * Simplify tls1_set_ec_id(). | 36 | * Prepare to provide most of the TLSv1.3-related OpenSSL 1.1.1 API. |
37 | This will be finished in an upcoming release. | ||
97 | 38 | ||
98 | * Use uint16_t for curve_id. | 39 | * Implement SSL_{CTX_,}set_ciphersuites() and add regress. This is not |
40 | yet public API and will be enabled in a future release. | ||
99 | 41 | ||
100 | * Improve the handling of BIO_read()/BIO_write() failures in the | 42 | * Start replacing the existing TLSv1.2 record layer. |
101 | TLSv1.3 stack. | ||
102 | 43 | ||
103 | * Add a new certificate chain validator. | 44 | * Add a new X509 certificate chain validator. |
104 | 45 | ||
105 | The new validator finds multiple validated chains to handle the | 46 | The new validator finds multiple validated chains to handle the |
106 | modern PKI cases which may frequently have multiple paths via | 47 | modern PKI cases which may frequently have multiple paths via |
@@ -114,101 +55,64 @@ LibreSSL Portable Release Notes: | |||
114 | The new public API is not yet exposed, and will be finalized and | 55 | The new public API is not yet exposed, and will be finalized and |
115 | exposed with a man page and a library minor bump later. | 56 | exposed with a man page and a library minor bump later. |
116 | 57 | ||
117 | * Implement SSL_{CTX_,}set_ciphersuites() and add regress. This is not | 58 | * Define OPENSSL_NO_SSL_TRACE in opensslfeatures.h. |
118 | yet public API and will be enabled in a future release. | ||
119 | |||
120 | * Enable the use of the new X509 chain validator by default. | ||
121 | |||
122 | * Fix double frees and a NULL dereference introduced on review of the | ||
123 | new validator. | ||
124 | |||
125 | * Remove various unused variables in the X509 code. | ||
126 | |||
127 | * Fix memory leaks in x509_constraints_chain() and | ||
128 | X509V3_ext_add_alias(). | ||
129 | 59 | ||
130 | * Add initial manual page for the x509_verify() chain validator which | 60 | * Make SSL_CTX_get_ciphers(NULL) return NULL rather than crash. |
131 | will be installed once the new API is publically exposed. | ||
132 | 61 | ||
133 | * Avoid NULL deref in SSL_{,CTX_}set_ciphersuites(). | 62 | * Send alert on ssl_get_prev_session() failure. |
134 | 63 | ||
135 | * Clean up and simplify SSL_set_session(). | 64 | * Zero out variable on the stack to avoid leaving garbage in the tail |
65 | of short session ids. | ||
136 | 66 | ||
137 | * Move state initialization from SSL_clear() to ssl3_clear() to ensure | 67 | * Move state initialization from SSL_clear() to ssl3_clear() to ensure |
138 | that it gets correctly reinitialized across a SSL_set_ssl_method() | 68 | that it gets correctly reinitialized across a SSL_set_ssl_method() |
139 | call. | 69 | call. |
140 | 70 | ||
141 | * Test the Botan TLS client with LibreSSL, OpenSSL 1.0.2 and 1.1.1 | 71 | * Avoid an out-of-bounds write in BN_rand(). |
142 | servers. | ||
143 | |||
144 | * Mop up the get_ssl_method function pointer. | ||
145 | |||
146 | * Clean up and simplify SSL_set_ssl_method(). | ||
147 | |||
148 | * Deduplicate the time validation code between the legacy and the new | ||
149 | verification code. | ||
150 | |||
151 | * Set error_depth and current_cert to avoid problems in legacy | ||
152 | callbacks that don't do proper error checking. | ||
153 | |||
154 | * Correct a failure case in tls12_record_layer_seal_record_protected(). | ||
155 | |||
156 | * Do not destroy an existing cipher list when ssl_parse_ciphersuites() | ||
157 | fails to match the behavior of ssl_create_cipher_list() and | ||
158 | SSL_set_ciphersuites() of OpenSSL. | ||
159 | |||
160 | * Split the tls12_record_layer_write_mac() for future reuse on the | ||
161 | read side. | ||
162 | |||
163 | * Dedup code in x509_verify_ctx_new_from_xsc(). | ||
164 | 72 | ||
165 | * Make check in x509_verify_ctx_set_max_signatures() consistent with | 73 | * Fix numerous leaks in the UI_dup_* functions and simplify and tidy up |
166 | others. | 74 | the code in ui_lib.c. |
167 | 75 | ||
168 | * Avoid memset() before memcpy() for CBS_add_bytes(). | 76 | * Avoid potential segmentation fault with SSL_get0_alpn_selected |
77 | by setting alpn_selected_len = 0 whenever alpn_selected is NULL. | ||
169 | 78 | ||
170 | * Make SSL_CTX_get_ciphers(NULL) return NULL rather than crash. | 79 | * Include machine/endian.h gost2814789.c in order to pick up the |
80 | __STRICT_ALIGNMENT define. | ||
171 | 81 | ||
172 | * Simplify SSL method lookups. | 82 | * Simplify SSL method lookups. |
173 | 83 | ||
174 | * Prepare to provide most of the TLSv1.3-related OpenSSL 1.1.1 API. | 84 | * Clean up and simplify SSL_get_ciphers(), SSL_set_session(), |
175 | This will be finished in an upcoming release. | 85 | SSL_set_ssl_method() and several internal functions. |
176 | |||
177 | * Fix an overflow in the CN subject line parsing. | ||
178 | 86 | ||
179 | * Correctly handle ssl_cert_dup() failure in SSL_set_SSL_CTX(). | 87 | * Correctly handle ssl_cert_dup() failure in SSL_set_SSL_CTX(). |
180 | 88 | ||
181 | * Fix memory leaks in x509_constraints_extract_names(). | 89 | * Refactor dtls1_new(), dtls1_hm_fragment_new(), |
182 | 90 | dtls1_drain_fragments(), dtls1_clear_queues(). | |
183 | * Correct a 1 byte read overflow in x509_constraints_uri(). | ||
184 | 91 | ||
185 | * Ensure the chain is set on the X509_STORE_CTX before triggering | 92 | * Replace some SSL_AD_* with TLS13_ALERT_* defines in the new TLSv1.3 |
186 | callback. | 93 | code. |
187 | |||
188 | * Release read and write buffers using freezero() | ||
189 | |||
190 | * Simplify the cleanup of init_buf via an ssl3_release_init_buffer() | ||
191 | function. | ||
192 | 94 | ||
193 | * Fix numerous leaks in the UI_dup_* functions. | 95 | * Copy the session id directly in ssl_get_prev_session() instead of |
96 | handing it through several functions for copying. | ||
194 | 97 | ||
195 | * Simplify and tidy up hte code in ui_lib.c. | 98 | * Avoid memset() before memcpy() for CBS_add_bytes(). |
196 | 99 | ||
197 | * Refactor dtls1_clear_queues() to make it NULL safe. | 100 | * Rewrite X509_INFO_{new,free}() more idiomatically. |
198 | 101 | ||
199 | * Have dtls1_hm_fragment_new() call dtls1_hm_fragment_free() on | 102 | * Remove unnecessary zeroing after recallocarray() in |
200 | failure. | 103 | ASN1_BIT_STRING_set_bit(). |
201 | 104 | ||
202 | * Have dtls1_new() call dtls1_free() on failure. | 105 | * Convert openssl(1) ocsp new option handling. |
203 | 106 | ||
204 | * Call dtls1_hm_fragment_free() from dtls1_drain_fragments() to fix | 107 | * Document SSL_set1_host(3), SSL_set_SSL_CTX(3). |
205 | potential memory leaks. | ||
206 | 108 | ||
207 | * Ensure that leaf is set up on X509_STORE_CTX before verification. | 109 | * Document return value from EC_KEY_get0_public_key(3). |
208 | 110 | ||
209 | * Document SSL_set1_host(3). | 111 | * Add initial manual page for the x509_verify() chain validator which |
112 | will be installed once the new API is publically exposed. | ||
210 | 113 | ||
211 | * Document SSL_set_SSL_CTX(3). | 114 | * Test the Botan TLS client with LibreSSL, OpenSSL 1.0.2 and 1.1.1 |
115 | servers. | ||
212 | 116 | ||
213 | * Make pthread_mutex static initialisation work on Windows. | 117 | * Make pthread_mutex static initialisation work on Windows. |
214 | 118 | ||