path: root/ChangeLog
author Theo Buehler <tb@openbsd.org> 2020-08-20 13:39:39 +0200
committer Theo Buehler <tb@openbsd.org> 2020-08-21 21:11:20 +0200
commit c5fc3a6735ea623376218c90fbf019095a1b55d8
tree 88de8186afeb646342b0a6f0c57f8b64bd1686a3 /ChangeLog
parent 2be32881b63192043be8603f926688caf2966a37
3.2.1 ChangeLog
Diffstat (limited to 'ChangeLog')
-rw-r--r-- ChangeLog 102
1 files changed, 99 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog
index 88a421d..d181daf 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -30,9 +30,105 @@ LibreSSL Portable Release Notes:
30 30
313.2.1 - Development release 313.2.1 - Development release
32 32
33 * Enforce in the TLS 1.3 server that ClientHello messages 33 * Propagate alerts from the read half of the record layer to I/O
34 following a HelloRetryRequest must match the original ClientHello 34 functions.
35 as per RFC 8446 section 4.1.2 35
36 * Send a record overflow alert for messages having overlong plaintext
37 or inner plaintext.
38
39 * Send an illegal parameter alert if a client sends invalid DH key
40 shares.
41
42 * Document PKCS7_final(3), PKCS7_add_attribute(3).
43
44 * Collapse x509v3 directory into x509.
45
46 * Improve client certificate selection to allow EC certificates
47 instead of only RSA certificates.
48
49 * Fail on receiving an invalid NID in X509_ATTRIBUTE_create() instead
50 of constructing a broken objects that may cause NULL pointer accesses.
51
52 * Add support for additional GOST curves from RFC 7836 and
53 draft-deremin-rfc4491-bis.
54
55 * Add OIDs for HMAC using the Streebog hash function.
56
57 * Allow GOST R 34.11-2012 in PBE/PBKDF2/PKCS#5.
58
59 * Enable GOST_SIG_FORMAT_RS_LE when verifying certificate signatures.
60
61 * Handle GOST in ssl_cert_dup().
62
63 * Stop sending GOST R 34.10-94 as a CertificateType.
64
65 * Use IANA allocated GOST ClientCertificateTypes.
66
67 * Add a custom copy handler for AES keywrap to fix a use-after-free.
68
69 * Enforce in the TLSv1.3 server that that ClientHello messages after
70 a HelloRetryRequest match the original ClientHello as per RFC 8446
71 section 4.1.2
72
73 * Document more PKCS7 attribute functions.
74
75 * Document PKCS7_get_signer_info(3).
76
77 * Document PEM_ASN1_read(3) and PEM_ASN1_read_bio(3).
78
79 * Document PEM_def_callback(3).
80
81 * Document EVP_read_pw_string_min(3).
82
83 * Merge documetnation of X509_get0_serialNumber from OpenSSL 1.1.1.
84
85 * Document error handling of X509_PUBKEY_get0(3) and X509_PUBKEY_get(3)
86
87 * Document X509_get0_pubkey_bitstr(3).
88
89 * Fix an off-by-one in the CBS padding removal. From BoringSSL.
90
91 * Enforce restrictions on extensions present in the ClientHello as per
92 RFC 8446, section 9.2.
93
94 * Add new CMAC_Init(3) and ChaCha(3) manual pages.
95
96 * Fix SSL_shutdown behavior to match the legacy stack. The previous
97 behaviour could cause a hang.
98
99 * Add initial support for PowerPC64.
100
101 * Make the message type available in the internal tls extensions API
102 functions.
103
104 * Enable TLSv1.3 for the generic TLS_method().
105
106 * Convert openssl s_client option handling.
107
108 * Fix a longstanding bug in PEM_X509_INFO_read_bio(3) that could cause
109 use-after-free and double-free issues in calling programs.
110
111 * Document PEM_X509_INFO_read(3) and PEM_X509_INFO_read_bio(3).
112
113 * Handle SSL_MODE_AUTO_RETRY being changed during a TLSv1.3 session.
114
115 * Convert openssl(1) s_server to new option handling.
116
117 * Add minimal info callback support for TLSv1.3.
118
119 * Refactor, clean up and simplify some SSL3/DTLS1 record writing code.
120
121 * Correctly handle server requests for an OCSP response.
122
123 * Add the P-521 curve to the list of curves supported by default
124 in the client.
125
126 * Convert openssl(1) req option handling
127
128 * Avoid calling freezero with a negative size if a server sends a
129 malformed plaintext of all zeroes.
130
131 * Send an unexpected message alert if no valid content type is found.
36 132
373.2.0 - Development release 1333.2.0 - Development release
38 134
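Review bot: three of the added entries carry typos that will ship in the release notes: "that that" in the HelloRetryRequest entry (new lines 69-71), "documetnation" in the X509_get0_serialNumber entry (new line 83), and "a broken objects" in the X509_ATTRIBUTE_create() entry (new lines 49-50). Suggest "that ClientHello messages", "documentation" and "a broken object". The entries ending at new lines 71, 85 and 126 also lack the closing period the other items have, the SSL_shutdown entry (new lines 96-97) mixes "behavior" and "behaviour", and new line 106 says "openssl s_client" where lines 115 and 126 use "openssl(1)". Separately, the memory-safety fixes (AES keywrap use-after-free at new line 67, CBS padding off-by-one at 89, PEM_X509_INFO_read_bio(3) use-after-free and double-free at 108-109, freezero with a negative size at 128-129) are scattered among documentation entries; consider grouping or marking them so readers deciding whether to upgrade can find them quickly.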