Diffstat (limited to 'ChangeLog')
-rw-r--r-- ChangeLog 198
1 files changed, 198 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index e4dc7ad..f382601 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -28,6 +28,204 @@ history is also available from Git.
28 28
29LibreSSL Portable Release Notes: 29LibreSSL Portable Release Notes:
30 30
313.7.0 - Development release
32
33 * Internal improvements
34 - Remove dependency on system timegm() and gmtime() by replacing
35 traditional Julian date conversion with POSIX epoch-seconds date
36 conversion from BoringSSL.
37 - Clean old and unused BN code dealing with primes.
38 - Start rewriting name constraints code using CBS.
39 - Remove support for the HMAC PRIVATE KEY.
40 - Rework DSA signing and verifying internals.
41 - First few passes on cleaning up the BN code.
42 - Internal headers coming from OpenSSL are all called *_local.h now.
43 - Rewrite TLSv1.2 key exporter.
44 - Cleaned up and refactored various aspects of the legacy TLS stack.
45 * Compatibility changes
46 - BIO_read() and BIO_write() now behave more closely to OpenSSL 3 in
47 various corner cases. More work is needed here.
48 * Bug fixes
49 - Add EVP_chacha20_poly1305() to the list of all ciphers.
50 - Fix potential leaks of EVP_PKEY in various printing functions
51 - Fix potential leak in OBJ_NAME_add().
52 - Avoid signed overflow in i2c_ASN1_BIT_STRING().
53 - Clean up EVP_PKEY_ASN1_METHOD related tables and code.
54 - Fix long standing bugs BN_GF2m_poly2arr() and BN_GF2m_mod().
55 - Fix segfaults in BN_{dec,hex}2bn().
56 - Fix NULL dereference in x509_constraints_uri_host() reachable only
57 in the process of generating certificates.
58 - Fixed a variety of memory corruption issues in BIO chains coming
59 from poor old and new API: BIO_push(), BIO_pop(), BIO_set_next().
60 - Avoid potential divide by zero in BIO_dump_indent_cb()
61 * Documentation improvements
62 - Numerous improvements and additions for ASN.1, BIO, BN, and X.509.
63 - The BN documentation is now considered to be complete.
64 * Testing and Proactive Security
65 - As always, new test coverage is added as bugs are fixed and
66 subsystems are cleaned up.
67 - Many old tests rewritten, cleaned up and extended.
68 * New features
69 - Added Ed25519 support both as a primitive and via OpenSSL's EVP
70 interfaces.
71 - X25519 is now also supported via EVP.
72 - The OpenSSL 1.1 raw public and private key API is available with
73 support for EVP_PKEY_ED25519, EVP_PKEY_HMAC and EVP_PKEY_X25519.
74 Poly1305 is not currently supported via this interface.
75
763.6.1 - Stable release
77
78 * Bug fixes
79 - Custom verification callbacks could cause the X.509 verifier to
80 fail to store errors resulting from leaf certificate verification.
81 Reported by Ilya Shipitsin.
82 - Unbreak ASN.1 indefinite length encoding.
83 Reported by Niklas Hallqvist.
84
853.6.0 - Development release
86
87 * Internal improvements
88 - Avoid expensive RFC 3779 checks during cert verification.
89 - The templated ASN.1 decoder has been cleaned up, refactored,
90 modernized with parts rewritten using CBB and CBS.
91 - The ASN.1 time parser has been rewritten.
92 - Rewrite and fix ASN1_STRING_to_UTF8().
93 - Use asn1_abs_set_unused_bits() rather than inlining it.
94 - Simplify ec_asn1_group2curve().
95 - First pass at a clean up of ASN1_item_sign_ctx()
96 - ssl_txt.c was cleaned up.
97 - Internal function arguments and struct member have been changed
98 to size_t.
99 - Lots of missing error checks of EVP API were added.
100 - Clean up and clarify BN_kronecker().
101 - Simplify ASN1_INTEGER_cmp()
102 - Rewrite ASN1_INTEGER_{get,set}() using CBS and CBB and reuse
103 the ASN1_INTEGER functions for ASN1_ENUMERATED.
104 - Use ASN1_INTEGER to parse and build {Z,}LONG_it
105 - Refactored and cleaned up group (elliptic curve) handling in
106 t1_lib.c.
107 - Simplify certificate list handling code in the legacy server.
108 - Make CBB_finish() fail if *out_data is not NULL.
109 - Remove tls_buffer_set_data() and remove/revise callers.
110 - Rewrite SSL{_CTX,}_set_alpn_protos() using CBS.
111 - Simplify tlsext_supported_groups_server_parse().
112 - Remove redundant length checks in tlsext parse functions.
113 - Simplify tls13_server_encrypted_extensions_recv().
114 - Add read and write support to tls_buffer.
115 - Convert TLS transcript from BUF_MEM to tls_buffer.
116 - Clear key on exit in PKCS12_gen_mac().
117 - Minor fixes in PKCS12_parse().
118 - Provide and use a primitive clear function for BIGNUM_it.
119 - Use ASN1_INTEGER to encode/decode BIGNUM_it.
120 - Add stack frames to AES-NI x86_64 assembly.
121 - Use named initialisers for BIGNUMs.
122 - Tidy up some of BN_nist_mod_*.
123 - Expand BLOCK_CIPHER_* and related macros.
124 - Avoid shadowing the cbs function parameter in
125 tlsext_alpn_server_parse()
126 - Deduplicate peer certificate chain processing code.
127 - Make it possible to signal an error from an i2c_* function.
128 - Rewrite i2c_ASN1_INTEGER() using CBB/CBS.
129 - Remove UINT32_MAX limitation on ChaCha() and CRYPTO_chacha_20().
130 - Remove bogus length checks from EVP_aead_chacha20_poly1305().
131 - Reworked DSA_size() and ECDSA_size().
132 - Stop using CBIGNUM_it internal to libcrypto.
133 - Provide c2i_ASN1_ENUMERATED_cbs() and call it from
134 asn1_c2i_primitive().
135 - Ensure ASN.1 types are appropriately encoded.
136 - Avoid recycling ASN1_STRINGs when decoding ASN.1.
137 - Tidy up asn1_c2i_primitive() slightly.
138 - Mechanically expand IMPLEMENT_BLOCK_CIPHER, IMPLEMENT_CFBR,
139 BLOCK_CIPHER and the looney M_do_cipher macros.
140 - Use correct length for EVP CFB mode ciphers.
141 - Provide a version of ssl_msg_callback() that takes a CBS.
142 - Use CBS to parse TLS alerts in the legacy stack.
143 - Increment the input and output position for EVP AES CFB1.
144 - Ensure there is no trailing data for a CCS received by the
145 TLSv1.3 stack.
146 - Use CBS when procesing a CCS message in the legacy stack.
147 - Be stricter with middlebox compatibility mode in the TLSv1.3
148 server.
149 * Compatibility changes
150 - The ASN.1 time parser has been refactored and rewritten using CBS.
151 It has been made stricter in that it now enforces the rules from
152 RFC 5280.
153 - ASN1_AFLG_BROKEN was removed.
154 - Error check tls_session_secret_cb() like OpenSSL.
155 - Added ASN1_INTEGER_{get,set}_{u,}int64()
156 - Move leaf certificate checks to the last thing after chain
157 validation.
158 - Added -s option to openssl(1) ciphers that only shows the ciphers
159 supported by the specified protocol.
160 - Use TLS_client_method() instead of TLSv1_client_method() in
161 the openssl(1) ciphers command.
162 - Validate the protocols in SSL{_CTX,}_set_alpn_protos().
163 - Made TS and PKCS12 opaque.
164 - Per RFC 7292, safeContentsBag is a SEQUENCE OF, not a SET OF.
165 - Align PKCS12_key_gen_uni() with OpenSSL
166 - Various PKCS12 and TS accessors were added. In particular, the
167 TS_RESP_CTX_set_time_cb() function was added back.
168 - Allow a NULL header in PEM_write{,_bio}()
169 - Allow empty attribute sets in CSRs.
170 - Adjust signatures of BIO_ctrl functions.
171 - Provide additional defines for EVP AEAD.
172 - Provide OPENSSL_cleanup().
173 - Make BIO_info_cb() identical to bio_info_cb().
174 * Bug fixes
175 - Avoid use of uninitialized in BN_mod_exp_recp().
176 - Fix X509_get_extension_flags() by ensuring that EXFLAG_INVALID is
177 set on X509_get_purpose() failure.
178 - Fix HMAC() with NULL key.
179 - Add ERR_load_{COMP,CT,KDF}_strings() to ERR_load_crypto_strings().
180 - Avoid strict aliasing violations in BN_nist_mod_*().
181 - Do not return X509_V_ERR_UNSPECIFIED from X509_check_ca().
182 No return value of X509_check_ca() indicates failure. Application
183 code should therefore issue a checked call to X509_check_purpose()
184 before calling X509_check_ca().
185 - Rewrite and fix X509v3_asid_subset() to avoid segfaults on some
186 valid input.
187 - Call the ASN1_OP_D2I_PRE callback after ASN1_item_ex_new().
188 - Fix d2i_ASN1_OBJECT to advance the *der_in pointer correctly.
189 - Avoid use of uninitialized in ASN1_STRING_to_UTF8().
190 - Do not pass uninitialized pointer to ASN1_STRING_to_UTF8().
191 - Do not refuse valid IPv6 addresses in nc(1)'s HTTP CONNECT proxy.
192 - Do not reject primes in trial divisions.
193 - Error out on negative shifts in BN_{r,l}shift() instead of
194 accessing arrays out of bounds.
195 - Fix URI name constraints, allow for URI's with no host part.
196 - Fix the legacy verifier callback behaviour for untrusted certs.
197 - Correct serfver-side handling of TLSv1.3 key updates.
198 - Plug leak in PKCS12_setup_mac().
199 - Plug leak in X509V3_add1_i2d().
200 - Only print X.509 versions we know about.
201 - Avoid signed integer overflow due to unary negation
202 - Initialize readbytes in BIO_gets().
203 - Plug memory leak in CMS_add_simple_smimecap().
204 - Plug memory leak in X509_REQ_print_ex().
205 - Check HMAC() return value to avoid a later use of uninitialized.
206 - Avoid potential NULL dereference in ssl_set_pkey().
207 - Check return values in ssl_print_tmp_key().
208 - Switch loop bounds from size_t to int in check_hosts().
209 - Avoid division by zero if no connection was made in s_time.c.
210 - Check sk_SSL_CIPHER_push() return value
211 - Avoid out-of-bounds read in ssl_cipher_process_rulestr().
212 - Use LONG_MAX as the limit for ciphers with long based APIs.
213 * New features
214 - EVP API for HKDF ported from OpenSSL and subsequently cleaned up.
215 - The security level API (SSL_{,CTX}_{get,set}_security_level()) is
216 now available. Callbacks and ex_data are not supported. Sane
217 software will not be using this.
218 - Experimental support for the BoringSSL QUIC API.
219 - Add initial support for TS ESSCertIDv2 verification.
220 - LibreSSL now uses the Baillie-PSW primality test instead of
221 Miller-Rabin .
222
2233.5.3 - Reliability fix
224
225 * Fix d2i_ASN1_OBJECT(). A confusion of two CBS resulted in advancing
226 the passed *der_in pointer incorrectly. Thanks to Aram Sargsyan for
227 reporting the issue and testing the fix.
228
313.5.2 - Stable release 2293.5.2 - Stable release
32 230
33 * Bug fixes 231 * Bug fixes
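Review bot: Two spelling errors in the 3.6.0 entries should be fixed before this lands: "procesing" in "Use CBS when procesing a CCS message in the legacy stack" (Internal improvements) and "serfver-side" in "Correct serfver-side handling of TLSv1.3 key updates" (Bug fixes). In the same section "Miller-Rabin ." has a stray space before the period, and in 3.7.0 "Fix long standing bugs BN_GF2m_poly2arr() and BN_GF2m_mod()" reads as if "in" is missing. Trailing periods are also inconsistent across entries (for example "Avoid potential divide by zero in BIO_dump_indent_cb()" versus "Fix potential leak in OBJ_NAME_add()."); pick one convention. Separately, the 3.7.0 entries for the BIO chain memory corruption and the BN_{dec,hex}2bn() segfaults give no hint of which inputs or callers are affected, unlike the x509_constraints_uri_host() entry, which says it is reachable only while generating certificates; a similar one-line scope statement would help downstream packagers decide whether to backport.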