From c5fc3a6735ea623376218c90fbf019095a1b55d8 Mon Sep 17 00:00:00 2001 From: Theo Buehler Date: Thu, 20 Aug 2020 13:39:39 +0200 Subject: 3.2.1 ChangeLog --- ChangeLog | 102 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 99 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 88a421d..d181daf 100644 --- a/ChangeLog +++ b/ChangeLog @@ -30,9 +30,105 @@ LibreSSL Portable Release Notes: 3.2.1 - Development release - * Enforce in the TLS 1.3 server that ClientHello messages - following a HelloRetryRequest must match the original ClientHello - as per RFC 8446 section 4.1.2 + * Propagate alerts from the read half of the record layer to I/O + functions. + + * Send a record overflow alert for messages having overlong plaintext + or inner plaintext. + + * Send an illegal parameter alert if a client sends invalid DH key + shares. + + * Document PKCS7_final(3), PKCS7_add_attribute(3). + + * Collapse x509v3 directory into x509. + + * Improve client certificate selection to allow EC certificates + instead of only RSA certificates. + + * Fail on receiving an invalid NID in X509_ATTRIBUTE_create() instead + of constructing a broken objects that may cause NULL pointer accesses. + + * Add support for additional GOST curves from RFC 7836 and + draft-deremin-rfc4491-bis. + + * Add OIDs for HMAC using the Streebog hash function. + + * Allow GOST R 34.11-2012 in PBE/PBKDF2/PKCS#5. + + * Enable GOST_SIG_FORMAT_RS_LE when verifying certificate signatures. + + * Handle GOST in ssl_cert_dup(). + + * Stop sending GOST R 34.10-94 as a CertificateType. + + * Use IANA allocated GOST ClientCertificateTypes. + + * Add a custom copy handler for AES keywrap to fix a use-after-free. + + * Enforce in the TLSv1.3 server that that ClientHello messages after + a HelloRetryRequest match the original ClientHello as per RFC 8446 + section 4.1.2 + + * Document more PKCS7 attribute functions. + + * Document PKCS7_get_signer_info(3). + + * Document PEM_ASN1_read(3) and PEM_ASN1_read_bio(3). + + * Document PEM_def_callback(3). + + * Document EVP_read_pw_string_min(3). + + * Merge documetnation of X509_get0_serialNumber from OpenSSL 1.1.1. + + * Document error handling of X509_PUBKEY_get0(3) and X509_PUBKEY_get(3) + + * Document X509_get0_pubkey_bitstr(3). + + * Fix an off-by-one in the CBS padding removal. From BoringSSL. + + * Enforce restrictions on extensions present in the ClientHello as per + RFC 8446, section 9.2. + + * Add new CMAC_Init(3) and ChaCha(3) manual pages. + + * Fix SSL_shutdown behavior to match the legacy stack. The previous + behaviour could cause a hang. + + * Add initial support for PowerPC64. + + * Make the message type available in the internal tls extensions API + functions. + + * Enable TLSv1.3 for the generic TLS_method(). + + * Convert openssl s_client option handling. + + * Fix a longstanding bug in PEM_X509_INFO_read_bio(3) that could cause + use-after-free and double-free issues in calling programs. + + * Document PEM_X509_INFO_read(3) and PEM_X509_INFO_read_bio(3). + + * Handle SSL_MODE_AUTO_RETRY being changed during a TLSv1.3 session. + + * Convert openssl(1) s_server to new option handling. + + * Add minimal info callback support for TLSv1.3. + + * Refactor, clean up and simplify some SSL3/DTLS1 record writing code. + + * Correctly handle server requests for an OCSP response. + + * Add the P-521 curve to the list of curves supported by default + in the client. + + * Convert openssl(1) req option handling + + * Avoid calling freezero with a negative size if a server sends a + malformed plaintext of all zeroes. + + * Send an unexpected message alert if no valid content type is found. 3.2.0 - Development release -- cgit v1.2.3-55-g6feb