diff --git a/ChangeLog b/ChangeLog index 24de35e..3d7fda2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -30,77 +30,18 @@ LibreSSL Portable Release Notes: 3.2.2 - Stable release - * Define OPENSSL_NO_SSL_TRACE in opensslfeatures.h. - - * Start replacing the existing TLSv1.2 record layer. - - * Send alert on ssl_get_prev_session() failure. - - * Simplify return codes for tls1_process_ticket() and - tls_decrypt_ticket(). - - * Simplify tls_decrypt_ticket() exit path. - - * Copy the session id directly in ssl_get_prev_session() instead of - handing it through several functions for copying. - - * Split session retrieval out of ssl_get_prev_session(). - - * Zero out variable on the stack to avoid leaving garbage in the tail - of short session ids. - - * Remove unnecessary zeroing after recallocarray() in - ASN1_BIT_STRING_set_bit(). - - * Rewrite X509_INFO_{new,free}() more idiomatically. - - * Import commented versions of the latest OPENSSL_NO_* flags from - OpenSSL 1.1.1g. - - * Document return value from EC_KEY_get0_public_key(3). - - * Set alpn_selected_len = 0 whenever alpn_selected is NULL. - - * Add option type OPTION_UL_VALUE_OR to openssl(1) option parser. - - * Convert openssl(1) ocsp option handling. - - * Major style cleanup in ocsp.c. - - * Assorted ciphers related cleanup in ssl_lib.c. - - * Add issuer cache in preparation for changes to the validation code. - - * Replace some SSL_AD_* with TLS13_ALERT_* defines in the new TLSv1.3 - code. - - * Rename ssl_cipher_is_permitted() to the more accurate and specific - ssl_cipher_allowed_in_version_range(). - - * Simplify SSL_get_ciphers(). - - * Remove cipher_list_by_id. - - * Add a new implementation of X509 name constraints with regression - tests. - - * Fix and re-enable cert and cipher interop tests. - - * Include machine/endian.h gost2814789.c in order to pick up the - __STRICT_ALIGNMENT define. - - * Enable the new X509 name constraints verification. - - * Avoid an out-of-bounds write in BN_rand(). - - * Simplify tls1_set_ec_id(). - - * Use uint16_t for curve_id. - * Improve the handling of BIO_read()/BIO_write() failures in the TLSv1.3 stack. - * Add a new certificate chain validator. + * Prepare to provide most of the TLSv1.3-related OpenSSL 1.1.1 API. + This will be finished in an upcoming release. + + * Implement SSL_{CTX_,}set_ciphersuites() and add regress. This is not + yet public API and will be enabled in a future release. + + * Start replacing the existing TLSv1.2 record layer. + + * Add a new X509 certificate chain validator. The new validator finds multiple validated chains to handle the modern PKI cases which may frequently have multiple paths via @@ -114,101 +55,64 @@ LibreSSL Portable Release Notes: The new public API is not yet exposed, and will be finalized and exposed with a man page and a library minor bump later. - * Implement SSL_{CTX_,}set_ciphersuites() and add regress. This is not - yet public API and will be enabled in a future release. + * Define OPENSSL_NO_SSL_TRACE in opensslfeatures.h. - * Enable the use of the new X509 chain validator by default. + * Make SSL_CTX_get_ciphers(NULL) return NULL rather than crash. - * Fix double frees and a NULL dereference introduced on review of the - new validator. + * Send alert on ssl_get_prev_session() failure. - * Remove various unused variables in the X509 code. - - * Fix memory leaks in x509_constraints_chain() and - X509V3_ext_add_alias(). - - * Add initial manual page for the x509_verify() chain validator which - will be installed once the new API is publically exposed. - - * Avoid NULL deref in SSL_{,CTX_}set_ciphersuites(). - - * Clean up and simplify SSL_set_session(). + * Zero out variable on the stack to avoid leaving garbage in the tail + of short session ids. * Move state initialization from SSL_clear() to ssl3_clear() to ensure that it gets correctly reinitialized across a SSL_set_ssl_method() call. - * Test the Botan TLS client with LibreSSL, OpenSSL 1.0.2 and 1.1.1 - servers. + * Avoid an out-of-bounds write in BN_rand(). - * Mop up the get_ssl_method function pointer. + * Fix numerous leaks in the UI_dup_* functions and simplify and tidy up + the code in ui_lib.c. - * Clean up and simplify SSL_set_ssl_method(). + * Avoid potential segmentation fault with SSL_get0_alpn_selected + by setting alpn_selected_len = 0 whenever alpn_selected is NULL. - * Deduplicate the time validation code between the legacy and the new - verification code. - - * Set error_depth and current_cert to avoid problems in legacy - callbacks that don't do proper error checking. - - * Correct a failure case in tls12_record_layer_seal_record_protected(). - - * Do not destroy an existing cipher list when ssl_parse_ciphersuites() - fails to match the behavior of ssl_create_cipher_list() and - SSL_set_ciphersuites() of OpenSSL. - - * Split the tls12_record_layer_write_mac() for future reuse on the - read side. - - * Dedup code in x509_verify_ctx_new_from_xsc(). - - * Make check in x509_verify_ctx_set_max_signatures() consistent with - others. - - * Avoid memset() before memcpy() for CBS_add_bytes(). - - * Make SSL_CTX_get_ciphers(NULL) return NULL rather than crash. + * Include machine/endian.h gost2814789.c in order to pick up the + __STRICT_ALIGNMENT define. * Simplify SSL method lookups. - * Prepare to provide most of the TLSv1.3-related OpenSSL 1.1.1 API. - This will be finished in an upcoming release. - - * Fix an overflow in the CN subject line parsing. + * Clean up and simplify SSL_get_ciphers(), SSL_set_session(), + SSL_set_ssl_method() and several internal functions. * Correctly handle ssl_cert_dup() failure in SSL_set_SSL_CTX(). - * Fix memory leaks in x509_constraints_extract_names(). + * Refactor dtls1_new(), dtls1_hm_fragment_new(), + dtls1_drain_fragments(), dtls1_clear_queues(). - * Correct a 1 byte read overflow in x509_constraints_uri(). + * Replace some SSL_AD_* with TLS13_ALERT_* defines in the new TLSv1.3 + code. - * Ensure the chain is set on the X509_STORE_CTX before triggering - callback. + * Copy the session id directly in ssl_get_prev_session() instead of + handing it through several functions for copying. - * Release read and write buffers using freezero() + * Avoid memset() before memcpy() for CBS_add_bytes(). - * Simplify the cleanup of init_buf via an ssl3_release_init_buffer() - function. + * Rewrite X509_INFO_{new,free}() more idiomatically. - * Fix numerous leaks in the UI_dup_* functions. + * Remove unnecessary zeroing after recallocarray() in + ASN1_BIT_STRING_set_bit(). - * Simplify and tidy up hte code in ui_lib.c. + * Convert openssl(1) ocsp new option handling. - * Refactor dtls1_clear_queues() to make it NULL safe. + * Document SSL_set1_host(3), SSL_set_SSL_CTX(3). - * Have dtls1_hm_fragment_new() call dtls1_hm_fragment_free() on - failure. + * Document return value from EC_KEY_get0_public_key(3). - * Have dtls1_new() call dtls1_free() on failure. + * Add initial manual page for the x509_verify() chain validator which + will be installed once the new API is publically exposed. - * Call dtls1_hm_fragment_free() from dtls1_drain_fragments() to fix - potential memory leaks. - - * Ensure that leaf is set up on X509_STORE_CTX before verification. - - * Document SSL_set1_host(3). - - * Document SSL_set_SSL_CTX(3). + * Test the Botan TLS client with LibreSSL, OpenSSL 1.0.2 and 1.1.1 + servers. * Make pthread_mutex static initialisation work on Windows.