Diffstat (limited to 'ChangeLog')
-rw-r--r-- ChangeLog 323
1 files changed, 320 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog
index cba5873..24de35e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -28,11 +28,298 @@ history is also available from Git.
28 28
29LibreSSL Portable Release Notes: 29LibreSSL Portable Release Notes:
30 30
313.2.2 - Stable release
32
33 * Define OPENSSL_NO_SSL_TRACE in opensslfeatures.h.
34
35 * Start replacing the existing TLSv1.2 record layer.
36
37 * Send alert on ssl_get_prev_session() failure.
38
39 * Simplify return codes for tls1_process_ticket() and
40 tls_decrypt_ticket().
41
42 * Simplify tls_decrypt_ticket() exit path.
43
44 * Copy the session id directly in ssl_get_prev_session() instead of
45 handing it through several functions for copying.
46
47 * Split session retrieval out of ssl_get_prev_session().
48
49 * Zero out variable on the stack to avoid leaving garbage in the tail
50 of short session ids.
51
52 * Remove unnecessary zeroing after recallocarray() in
53 ASN1_BIT_STRING_set_bit().
54
55 * Rewrite X509_INFO_{new,free}() more idiomatically.
56
57 * Import commented versions of the latest OPENSSL_NO_* flags from
58 OpenSSL 1.1.1g.
59
60 * Document return value from EC_KEY_get0_public_key(3).
61
62 * Set alpn_selected_len = 0 whenever alpn_selected is NULL.
63
64 * Add option type OPTION_UL_VALUE_OR to openssl(1) option parser.
65
66 * Convert openssl(1) ocsp option handling.
67
68 * Major style cleanup in ocsp.c.
69
70 * Assorted ciphers related cleanup in ssl_lib.c.
71
72 * Add issuer cache in preparation for changes to the validation code.
73
74 * Replace some SSL_AD_* with TLS13_ALERT_* defines in the new TLSv1.3
75 code.
76
77 * Rename ssl_cipher_is_permitted() to the more accurate and specific
78 ssl_cipher_allowed_in_version_range().
79
80 * Simplify SSL_get_ciphers().
81
82 * Remove cipher_list_by_id.
83
84 * Add a new implementation of X509 name constraints with regression
85 tests.
86
87 * Fix and re-enable cert and cipher interop tests.
88
89 * Include machine/endian.h gost2814789.c in order to pick up the
90 __STRICT_ALIGNMENT define.
91
92 * Enable the new X509 name constraints verification.
93
94 * Avoid an out-of-bounds write in BN_rand().
95
96 * Simplify tls1_set_ec_id().
97
98 * Use uint16_t for curve_id.
99
100 * Improve the handling of BIO_read()/BIO_write() failures in the
101 TLSv1.3 stack.
102
103 * Add a new certificate chain validator.
104
105 The new validator finds multiple validated chains to handle the
106 modern PKI cases which may frequently have multiple paths via
107 different intermediates to different roots. It is loosely based on
108 golang's X509 validator.
109
110 This includes integration so that the new validator can be used via
111 X509_verify_cert() as well as a new API x509_verify() which will
112 return multiple chains (similar to go).
113
114 The new public API is not yet exposed, and will be finalized and
115 exposed with a man page and a library minor bump later.
116
117 * Implement SSL_{CTX_,}set_ciphersuites() and add regress. This is not
118 yet public API and will be enabled in a future release.
119
120 * Enable the use of the new X509 chain validator by default.
121
122 * Fix double frees and a NULL dereference introduced on review of the
123 new validator.
124
125 * Remove various unused variables in the X509 code.
126
127 * Fix memory leaks in x509_constraints_chain() and
128 X509V3_ext_add_alias().
129
130 * Add initial manual page for the x509_verify() chain validator which
131 will be installed once the new API is publically exposed.
132
133 * Avoid NULL deref in SSL_{,CTX_}set_ciphersuites().
134
135 * Clean up and simplify SSL_set_session().
136
137 * Move state initialization from SSL_clear() to ssl3_clear() to ensure
138 that it gets correctly reinitialized across a SSL_set_ssl_method()
139 call.
140
141 * Test the Botan TLS client with LibreSSL, OpenSSL 1.0.2 and 1.1.1
142 servers.
143
144 * Mop up the get_ssl_method function pointer.
145
146 * Clean up and simplify SSL_set_ssl_method().
147
148 * Deduplicate the time validation code between the legacy and the new
149 verification code.
150
151 * Set error_depth and current_cert to avoid problems in legacy
152 callbacks that don't do proper error checking.
153
154 * Correct a failure case in tls12_record_layer_seal_record_protected().
155
156 * Do not destroy an existing cipher list when ssl_parse_ciphersuites()
157 fails to match the behavior of ssl_create_cipher_list() and
158 SSL_set_ciphersuites() of OpenSSL.
159
160 * Split the tls12_record_layer_write_mac() for future reuse on the
161 read side.
162
163 * Dedup code in x509_verify_ctx_new_from_xsc().
164
165 * Make check in x509_verify_ctx_set_max_signatures() consistent with
166 others.
167
168 * Avoid memset() before memcpy() for CBS_add_bytes().
169
170 * Make SSL_CTX_get_ciphers(NULL) return NULL rather than crash.
171
172 * Simplify SSL method lookups.
173
174 * Prepare to provide most of the TLSv1.3-related OpenSSL 1.1.1 API.
175 This will be finished in an upcoming release.
176
177 * Fix an overflow in the CN subject line parsing.
178
179 * Correctly handle ssl_cert_dup() failure in SSL_set_SSL_CTX().
180
181 * Fix memory leaks in x509_constraints_extract_names().
182
183 * Correct a 1 byte read overflow in x509_constraints_uri().
184
185 * Ensure the chain is set on the X509_STORE_CTX before triggering
186 callback.
187
188 * Release read and write buffers using freezero()
189
190 * Simplify the cleanup of init_buf via an ssl3_release_init_buffer()
191 function.
192
193 * Fix numerous leaks in the UI_dup_* functions.
194
195 * Simplify and tidy up hte code in ui_lib.c.
196
197 * Refactor dtls1_clear_queues() to make it NULL safe.
198
199 * Have dtls1_hm_fragment_new() call dtls1_hm_fragment_free() on
200 failure.
201
202 * Have dtls1_new() call dtls1_free() on failure.
203
204 * Call dtls1_hm_fragment_free() from dtls1_drain_fragments() to fix
205 potential memory leaks.
206
207 * Ensure that leaf is set up on X509_STORE_CTX before verification.
208
209 * Document SSL_set1_host(3).
210
211 * Document SSL_set_SSL_CTX(3).
212
213 * Make pthread_mutex static initialisation work on Windows.
214
215 * Get __STRICT_ALIGNMENT from machine/endian.h with portable build.
216
313.2.1 - Development release 2173.2.1 - Development release
32 218
33 * Enforce in the TLS 1.3 server that ClientHello messages 219 * Propagate alerts from the read half of the TLSv1.3 record layer to I/O
34 following a HelloRetryRequest must match the original ClientHello 220 functions.
35 as per RFC 8446 section 4.1.2 221
222 * Send a record overflow alert for TLSv1.3 messages having overlong
223 plaintext or inner plaintext.
224
225 * Send an illegal parameter alert if a client sends an invalid DH key
226 share.
227
228 * Document PKCS7_final(3), PKCS7_add_attribute(3).
229
230 * Collapse x509v3 directory into x509.
231
232 * Improve TLSv1.3 client certificate selection to allow EC certificates
233 instead of only RSA certificates.
234
235 * Fail on receiving an invalid NID in X509_ATTRIBUTE_create() instead
236 of constructing a broken objects that may cause NULL pointer accesses.
237
238 * Add support for additional GOST curves from RFC 7836 and
239 draft-deremin-rfc4491-bis.
240
241 * Add OIDs for HMAC using the Streebog hash function.
242
243 * Allow GOST R 34.11-2012 in PBE/PBKDF2/PKCS#5.
244
245 * Enable GOST_SIG_FORMAT_RS_LE when verifying certificate signatures.
246
247 * Handle GOST in ssl_cert_dup().
248
249 * Stop sending GOST R 34.10-94 as a CertificateType.
250
251 * Use IANA allocated GOST ClientCertificateTypes.
252
253 * Add a custom copy handler for AES keywrap to fix a use-after-free.
254
255 * Enforce in the TLSv1.3 server that that ClientHello messages after
256 a HelloRetryRequest match the original ClientHello as per RFC 8446
257 section 4.1.2
258
259 * Document more PKCS7 attribute functions.
260
261 * Document PKCS7_get_signer_info(3).
262
263 * Document PEM_ASN1_read(3) and PEM_ASN1_read_bio(3).
264
265 * Document PEM_def_callback(3).
266
267 * Document EVP_read_pw_string_min(3).
268
269 * Merge documentation of X509_get0_serialNumber from OpenSSL 1.1.1.
270
271 * Document error handling of X509_PUBKEY_get0(3) and X509_PUBKEY_get(3)
272
273 * Document X509_get0_pubkey_bitstr(3).
274
275 * Fix an off-by-one in the CBS padding removal. From BoringSSL.
276
277 * Enforce restrictions on extensions present in the ClientHello as per
278 RFC 8446, section 9.2.
279
280 * Add new CMAC_Init(3) and ChaCha(3) manual pages.
281
282 * Fix SSL_shutdown behavior to match the legacy stack. The previous
283 behavior could cause a hang.
284
285 * Add initial support for openbsd/powerpc64.
286
287 * Make the message type available in the internal TLS extensions API
288 functions.
289
290 * Enable TLSv1.3 for the generic TLS_method().
291
292 * Convert openssl(1) s_client option handling.
293
294 * Document openssl(1) certhash.
295
296 * Convert openssl(1) verify option handling.
297
298 * Fix a longstanding bug in PEM_X509_INFO_read_bio(3) that could cause
299 use-after-free and double-free issues in calling programs.
300
301 * Document PEM_X509_INFO_read(3) and PEM_X509_INFO_read_bio(3).
302
303 * Handle SSL_MODE_AUTO_RETRY being changed during a TLSv1.3 session.
304
305 * Convert openssl(1) s_server option handling.
306
307 * Add minimal info callback support for TLSv1.3.
308
309 * Refactor, clean up and simplify some SSL3/DTLS1 record writing code.
310
311 * Correctly handle server requests for an OCSP response.
312
313 * Add the P-521 curve to the list of curves supported by default
314 in the client.
315
316 * Convert openssl(1) req option handling.
317
318 * Avoid calling freezero with a negative size if a server sends a
319 malformed plaintext of all zeroes.
320
321 * Send an unexpected message alert if no valid content type is found
322 in a TLSv1.3 record.
36 323
373.2.0 - Development release 3243.2.0 - Development release
38 325
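Review bot: The memory-safety fixes in the new 3.2.2 and 3.2.1 lists are scattered among style cleanups and documentation entries, so a reader scanning for security-relevant changes can miss them. In 3.2.2 these are "Avoid an out-of-bounds write in BN_rand()", "Fix an overflow in the CN subject line parsing" and "Correct a 1 byte read overflow in x509_constraints_uri()"; in 3.2.1, the AES keywrap use-after-free, the CBS padding off-by-one and the PEM_X509_INFO_read_bio(3) use-after-free/double-free. Consider grouping them at the top of each release or marking them so packagers can triage. Wording nits in the same hunk: "hte code in ui_lib.c", "publically exposed", "that that ClientHello messages", "constructing a broken objects", "Include machine/endian.h gost2814789.c" (missing "in"), and missing full stops after "using freezero()" and "section 4.1.2". The two 3.2.2 entries about __STRICT_ALIGNMENT and machine/endian.h also read as duplicates of each other; merge them or say how they differ.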
@@ -96,6 +383,36 @@ LibreSSL Portable Release Notes:
96 383
97 * Use non-expired certificates first when building a certificate chain. 384 * Use non-expired certificates first when building a certificate chain.
98 385
3863.1.4 - Interoperability and bug fixes for the TLSv1.3 client:
387
388 * Improve client certificate selection to allow EC certificates
389 instead of only RSA certificates.
390
391 * Do not error out if a TLSv1.3 server requests an OCSP response as
392 part of a certificate request.
393
394 * Fix SSL_shutdown behavior to match the legacy stack. The previous
395 behaviour could cause a hang.
396
397 * Fix a memory leak and add a missing error check in the handling of
398 the key update message.
399
400 * Fix a memory leak in tls13_record_layer_set_traffic_key.
401
402 * Avoid calling freezero with a negative size if a server sends a
403 malformed plaintext of all zeroes.
404
405 * Ensure that only PSS may be used with RSA in TLSv1.3 in order
406 to avoid using PKCS1-based signatures.
407
408 * Add the P-521 curve to the list of curves supported by default
409 in the client.
410
4113.1.3 - Bug fix
412
413 * libcrypto may fail to build a valid certificate chain due to
414 expired untrusted issuer certificates.
415
993.1.2 - Bug fix 4163.1.2 - Bug fix
100 417
101 * A TLS client with peer verification disabled may crash when 418 * A TLS client with peer verification disabled may crash when
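Review bot: Three of the 3.1.4 entries added here have no counterpart in the 3.2.1 or 3.2.2 lists added earlier in this patch: the key update message leak and missing error check, the leak in tls13_record_layer_set_traffic_key, and "Ensure that only PSS may be used with RSA in TLSv1.3". The other 3.1.4 items (EC client certificates, OCSP in a certificate request, SSL_shutdown, freezero with a negative size, P-521) are mirrored in 3.2.1, so please confirm the 3.2.x branch carries these three fixes and add matching entries there, the PSS restriction in particular since it changes which signatures are accepted. Smaller points: the SSL_shutdown entry mixes "behavior" and "behaviour" within one item, the 3.1.4 heading ends in a colon unlike the neighbouring headings, tls13_record_layer_set_traffic_key lacks the "()" used for other function names, and the 3.1.3 entry states the symptom rather than the fix.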