author: kinichiro <kinichiro.inoguchi@gmail.com> 2020-10-07 23:35:51 +0900
committer: Brent Cook <busterb@gmail.com> 2020-10-17 03:15:28 -0500
commit: 2200d29ad01d8df226adcb8938575dfbd2c2bd10 (patch)
tree: 256e9f3f919ab1ad3afb09613641b8aadde5faac /ChangeLog
parent: 8b1dc0df49ab547bbab8f10046c494831c2e52b2 (diff)
Update ChangeLog
Diffstat (limited to 'ChangeLog')
-rw-r--r-- ChangeLog 174
1 files changed, 39 insertions, 135 deletions
diff --git a/ChangeLog b/ChangeLog
index 24de35e..3d7fda2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -30,77 +30,18 @@ LibreSSL Portable Release Notes:
30 30
313.2.2 - Stable release 313.2.2 - Stable release
32 32
33 * Define OPENSSL_NO_SSL_TRACE in opensslfeatures.h. 33 * Improve the handling of BIO_read()/BIO_write() failures in the
34 34 TLSv1.3 stack.
35 * Start replacing the existing TLSv1.2 record layer.
36
37 * Send alert on ssl_get_prev_session() failure.
38
39 * Simplify return codes for tls1_process_ticket() and
40 tls_decrypt_ticket().
41
42 * Simplify tls_decrypt_ticket() exit path.
43
44 * Copy the session id directly in ssl_get_prev_session() instead of
45 handing it through several functions for copying.
46
47 * Split session retrieval out of ssl_get_prev_session().
48
49 * Zero out variable on the stack to avoid leaving garbage in the tail
50 of short session ids.
51
52 * Remove unnecessary zeroing after recallocarray() in
53 ASN1_BIT_STRING_set_bit().
54
55 * Rewrite X509_INFO_{new,free}() more idiomatically.
56
57 * Import commented versions of the latest OPENSSL_NO_* flags from
58 OpenSSL 1.1.1g.
59
60 * Document return value from EC_KEY_get0_public_key(3).
61
62 * Set alpn_selected_len = 0 whenever alpn_selected is NULL.
63
64 * Add option type OPTION_UL_VALUE_OR to openssl(1) option parser.
65
66 * Convert openssl(1) ocsp option handling.
67
68 * Major style cleanup in ocsp.c.
69
70 * Assorted ciphers related cleanup in ssl_lib.c.
71
72 * Add issuer cache in preparation for changes to the validation code.
73
74 * Replace some SSL_AD_* with TLS13_ALERT_* defines in the new TLSv1.3
75 code.
76
77 * Rename ssl_cipher_is_permitted() to the more accurate and specific
78 ssl_cipher_allowed_in_version_range().
79
80 * Simplify SSL_get_ciphers().
81
82 * Remove cipher_list_by_id.
83
84 * Add a new implementation of X509 name constraints with regression
85 tests.
86
87 * Fix and re-enable cert and cipher interop tests.
88
89 * Include machine/endian.h gost2814789.c in order to pick up the
90 __STRICT_ALIGNMENT define.
91
92 * Enable the new X509 name constraints verification.
93
94 * Avoid an out-of-bounds write in BN_rand().
95 35
96 * Simplify tls1_set_ec_id(). 36 * Prepare to provide most of the TLSv1.3-related OpenSSL 1.1.1 API.
37 This will be finished in an upcoming release.
97 38
98 * Use uint16_t for curve_id. 39 * Implement SSL_{CTX_,}set_ciphersuites() and add regress. This is not
40 yet public API and will be enabled in a future release.
99 41
100 * Improve the handling of BIO_read()/BIO_write() failures in the 42 * Start replacing the existing TLSv1.2 record layer.
101 TLSv1.3 stack.
102 43
103 * Add a new certificate chain validator. 44 * Add a new X509 certificate chain validator.
104 45
105 The new validator finds multiple validated chains to handle the 46 The new validator finds multiple validated chains to handle the
106 modern PKI cases which may frequently have multiple paths via 47 modern PKI cases which may frequently have multiple paths via
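Review bot: the two old-side entries on X509 name constraints, "* Add a new implementation of X509 name constraints with regression tests." and "* Enable the new X509 name constraints verification.", are deleted in this hunk and have no counterpart among the entries that remain on the new side. Name constraint checking is a user-visible change to certificate verification, so unless it is covered in the part of the validator paragraph that falls outside this hunk (the lines between "modern PKI cases ..." and "The new public API is not yet exposed ..."), keep one consolidated entry next to "* Add a new X509 certificate chain validator.", for example "* Add a new implementation of X509 name constraints with regression tests and enable it." The rest of the consolidation (moving the BIO_read()/BIO_write() entry to the top, merging the TLSv1.3 API and set_ciphersuites() notes) reads fine.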
@@ -114,101 +55,64 @@ LibreSSL Portable Release Notes:
114 The new public API is not yet exposed, and will be finalized and 55 The new public API is not yet exposed, and will be finalized and
115 exposed with a man page and a library minor bump later. 56 exposed with a man page and a library minor bump later.
116 57
117 * Implement SSL_{CTX_,}set_ciphersuites() and add regress. This is not 58 * Define OPENSSL_NO_SSL_TRACE in opensslfeatures.h.
118 yet public API and will be enabled in a future release.
119
120 * Enable the use of the new X509 chain validator by default.
121
122 * Fix double frees and a NULL dereference introduced on review of the
123 new validator.
124
125 * Remove various unused variables in the X509 code.
126
127 * Fix memory leaks in x509_constraints_chain() and
128 X509V3_ext_add_alias().
129 59
130 * Add initial manual page for the x509_verify() chain validator which 60 * Make SSL_CTX_get_ciphers(NULL) return NULL rather than crash.
131 will be installed once the new API is publically exposed.
132 61
133 * Avoid NULL deref in SSL_{,CTX_}set_ciphersuites(). 62 * Send alert on ssl_get_prev_session() failure.
134 63
135 * Clean up and simplify SSL_set_session(). 64 * Zero out variable on the stack to avoid leaving garbage in the tail
65 of short session ids.
136 66
137 * Move state initialization from SSL_clear() to ssl3_clear() to ensure 67 * Move state initialization from SSL_clear() to ssl3_clear() to ensure
138 that it gets correctly reinitialized across a SSL_set_ssl_method() 68 that it gets correctly reinitialized across a SSL_set_ssl_method()
139 call. 69 call.
140 70
141 * Test the Botan TLS client with LibreSSL, OpenSSL 1.0.2 and 1.1.1 71 * Avoid an out-of-bounds write in BN_rand().
142 servers.
143
144 * Mop up the get_ssl_method function pointer.
145
146 * Clean up and simplify SSL_set_ssl_method().
147
148 * Deduplicate the time validation code between the legacy and the new
149 verification code.
150
151 * Set error_depth and current_cert to avoid problems in legacy
152 callbacks that don't do proper error checking.
153
154 * Correct a failure case in tls12_record_layer_seal_record_protected().
155
156 * Do not destroy an existing cipher list when ssl_parse_ciphersuites()
157 fails to match the behavior of ssl_create_cipher_list() and
158 SSL_set_ciphersuites() of OpenSSL.
159
160 * Split the tls12_record_layer_write_mac() for future reuse on the
161 read side.
162
163 * Dedup code in x509_verify_ctx_new_from_xsc().
164 72
165 * Make check in x509_verify_ctx_set_max_signatures() consistent with 73 * Fix numerous leaks in the UI_dup_* functions and simplify and tidy up
166 others. 74 the code in ui_lib.c.
167 75
168 * Avoid memset() before memcpy() for CBS_add_bytes(). 76 * Avoid potential segmentation fault with SSL_get0_alpn_selected
77 by setting alpn_selected_len = 0 whenever alpn_selected is NULL.
169 78
170 * Make SSL_CTX_get_ciphers(NULL) return NULL rather than crash. 79 * Include machine/endian.h gost2814789.c in order to pick up the
80 __STRICT_ALIGNMENT define.
171 81
172 * Simplify SSL method lookups. 82 * Simplify SSL method lookups.
173 83
174 * Prepare to provide most of the TLSv1.3-related OpenSSL 1.1.1 API. 84 * Clean up and simplify SSL_get_ciphers(), SSL_set_session(),
175 This will be finished in an upcoming release. 85 SSL_set_ssl_method() and several internal functions.
176
177 * Fix an overflow in the CN subject line parsing.
178 86
179 * Correctly handle ssl_cert_dup() failure in SSL_set_SSL_CTX(). 87 * Correctly handle ssl_cert_dup() failure in SSL_set_SSL_CTX().
180 88
181 * Fix memory leaks in x509_constraints_extract_names(). 89 * Refactor dtls1_new(), dtls1_hm_fragment_new(),
182 90 dtls1_drain_fragments(), dtls1_clear_queues().
183 * Correct a 1 byte read overflow in x509_constraints_uri().
184 91
185 * Ensure the chain is set on the X509_STORE_CTX before triggering 92 * Replace some SSL_AD_* with TLS13_ALERT_* defines in the new TLSv1.3
186 callback. 93 code.
187
188 * Release read and write buffers using freezero()
189
190 * Simplify the cleanup of init_buf via an ssl3_release_init_buffer()
191 function.
192 94
193 * Fix numerous leaks in the UI_dup_* functions. 95 * Copy the session id directly in ssl_get_prev_session() instead of
96 handing it through several functions for copying.
194 97
195 * Simplify and tidy up hte code in ui_lib.c. 98 * Avoid memset() before memcpy() for CBS_add_bytes().
196 99
197 * Refactor dtls1_clear_queues() to make it NULL safe. 100 * Rewrite X509_INFO_{new,free}() more idiomatically.
198 101
199 * Have dtls1_hm_fragment_new() call dtls1_hm_fragment_free() on 102 * Remove unnecessary zeroing after recallocarray() in
200 failure. 103 ASN1_BIT_STRING_set_bit().
201 104
202 * Have dtls1_new() call dtls1_free() on failure. 105 * Convert openssl(1) ocsp new option handling.
203 106
204 * Call dtls1_hm_fragment_free() from dtls1_drain_fragments() to fix 107 * Document SSL_set1_host(3), SSL_set_SSL_CTX(3).
205 potential memory leaks.
206 108
207 * Ensure that leaf is set up on X509_STORE_CTX before verification. 109 * Document return value from EC_KEY_get0_public_key(3).
208 110
209 * Document SSL_set1_host(3). 111 * Add initial manual page for the x509_verify() chain validator which
112 will be installed once the new API is publically exposed.
210 113
211 * Document SSL_set_SSL_CTX(3). 114 * Test the Botan TLS client with LibreSSL, OpenSSL 1.0.2 and 1.1.1
115 servers.
212 116
213 * Make pthread_mutex static initialisation work on Windows. 117 * Make pthread_mutex static initialisation work on Windows.
214 118
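Review bot: "* Enable the use of the new X509 chain validator by default." is deleted in this hunk and nothing on the new side states it; the validator paragraph kept as unchanged context only says that the new public API is not yet exposed, which is a different point. Switching every caller to the new validator by default is the most consequential behaviour change in the release and should survive the consolidation, for instance by changing the new-side entry to "* Add a new X509 certificate chain validator and enable it by default." The memory-safety fixes dropped here ("* Fix an overflow in the CN subject line parsing.", "* Correct a 1 byte read overflow in x509_constraints_uri().", "* Fix double frees and a NULL dereference introduced on review of the new validator.") are reasonable to omit only if they fix code that first appears in this release; if any of them touches code shipped in an earlier release, that entry should be kept as a user-visible fix. Minor: "publically" in "will be installed once the new API is publically exposed." is carried over unchanged and should read "publicly".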