factotum/libressl-portable
1
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update ChangeLog

Browse Source
This commit is contained in:
kinichiro 2020-10-07 23:35:51 +09:00
parent db7afc7e98
commit 81a936c342
1 changed files with 40 additions and 136 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

176
ChangeLog
View File

@ -30,77 +30,18 @@ LibreSSL Portable Release Notes:
3.2.2 - Stable release 3.2.2 - Stable release
* Define OPENSSL_NO_SSL_TRACE in opensslfeatures.h.
* Start replacing the existing TLSv1.2 record layer.
* Send alert on ssl_get_prev_session() failure.
* Simplify return codes for tls1_process_ticket() and
tls_decrypt_ticket().
* Simplify tls_decrypt_ticket() exit path.
* Copy the session id directly in ssl_get_prev_session() instead of
handing it through several functions for copying.
* Split session retrieval out of ssl_get_prev_session().
* Zero out variable on the stack to avoid leaving garbage in the tail
of short session ids.
* Remove unnecessary zeroing after recallocarray() in
ASN1_BIT_STRING_set_bit().
* Rewrite X509_INFO_{new,free}() more idiomatically.
* Import commented versions of the latest OPENSSL_NO_* flags from
OpenSSL 1.1.1g.
* Document return value from EC_KEY_get0_public_key(3).
* Set alpn_selected_len = 0 whenever alpn_selected is NULL.
* Add option type OPTION_UL_VALUE_OR to openssl(1) option parser.
* Convert openssl(1) ocsp option handling.
* Major style cleanup in ocsp.c.
* Assorted ciphers related cleanup in ssl_lib.c.
* Add issuer cache in preparation for changes to the validation code.
* Replace some SSL_AD_* with TLS13_ALERT_* defines in the new TLSv1.3
code.
* Rename ssl_cipher_is_permitted() to the more accurate and specific
ssl_cipher_allowed_in_version_range().
* Simplify SSL_get_ciphers().
* Remove cipher_list_by_id.
* Add a new implementation of X509 name constraints with regression
tests.
* Fix and re-enable cert and cipher interop tests.
* Include machine/endian.h gost2814789.c in order to pick up the
__STRICT_ALIGNMENT define.
* Enable the new X509 name constraints verification.
* Avoid an out-of-bounds write in BN_rand().
* Simplify tls1_set_ec_id().
* Use uint16_t for curve_id.
* Improve the handling of BIO_read()/BIO_write() failures in the * Improve the handling of BIO_read()/BIO_write() failures in the
TLSv1.3 stack. TLSv1.3 stack.
* Add a new certificate chain validator. * Prepare to provide most of the TLSv1.3-related OpenSSL 1.1.1 API.
This will be finished in an upcoming release.
* Implement SSL_{CTX_,}set_ciphersuites() and add regress. This is not
yet public API and will be enabled in a future release.
* Start replacing the existing TLSv1.2 record layer.
* Add a new X509 certificate chain validator.
The new validator finds multiple validated chains to handle the The new validator finds multiple validated chains to handle the
modern PKI cases which may frequently have multiple paths via modern PKI cases which may frequently have multiple paths via
@ -114,101 +55,64 @@ LibreSSL Portable Release Notes:
The new public API is not yet exposed, and will be finalized and The new public API is not yet exposed, and will be finalized and
exposed with a man page and a library minor bump later. exposed with a man page and a library minor bump later.
* Implement SSL_{CTX_,}set_ciphersuites() and add regress. This is not * Define OPENSSL_NO_SSL_TRACE in opensslfeatures.h.
yet public API and will be enabled in a future release.
* Enable the use of the new X509 chain validator by default. * Make SSL_CTX_get_ciphers(NULL) return NULL rather than crash.
* Fix double frees and a NULL dereference introduced on review of the * Send alert on ssl_get_prev_session() failure.
new validator.
* Remove various unused variables in the X509 code. * Zero out variable on the stack to avoid leaving garbage in the tail
of short session ids.
* Fix memory leaks in x509_constraints_chain() and
X509V3_ext_add_alias().
* Add initial manual page for the x509_verify() chain validator which
will be installed once the new API is publically exposed.
* Avoid NULL deref in SSL_{,CTX_}set_ciphersuites().
* Clean up and simplify SSL_set_session().
* Move state initialization from SSL_clear() to ssl3_clear() to ensure * Move state initialization from SSL_clear() to ssl3_clear() to ensure
that it gets correctly reinitialized across a SSL_set_ssl_method() that it gets correctly reinitialized across a SSL_set_ssl_method()
call. call.
* Test the Botan TLS client with LibreSSL, OpenSSL 1.0.2 and 1.1.1 * Avoid an out-of-bounds write in BN_rand().
servers.
* Mop up the get_ssl_method function pointer. * Fix numerous leaks in the UI_dup_* functions and simplify and tidy up
the code in ui_lib.c.
* Clean up and simplify SSL_set_ssl_method(). * Avoid potential segmentation fault with SSL_get0_alpn_selected
by setting alpn_selected_len = 0 whenever alpn_selected is NULL.
* Deduplicate the time validation code between the legacy and the new * Include machine/endian.h gost2814789.c in order to pick up the
verification code. __STRICT_ALIGNMENT define.
* Set error_depth and current_cert to avoid problems in legacy
callbacks that don't do proper error checking.
* Correct a failure case in tls12_record_layer_seal_record_protected().
* Do not destroy an existing cipher list when ssl_parse_ciphersuites()
fails to match the behavior of ssl_create_cipher_list() and
SSL_set_ciphersuites() of OpenSSL.
* Split the tls12_record_layer_write_mac() for future reuse on the
read side.
* Dedup code in x509_verify_ctx_new_from_xsc().
* Make check in x509_verify_ctx_set_max_signatures() consistent with
others.
* Avoid memset() before memcpy() for CBS_add_bytes().
* Make SSL_CTX_get_ciphers(NULL) return NULL rather than crash.
* Simplify SSL method lookups. * Simplify SSL method lookups.
* Prepare to provide most of the TLSv1.3-related OpenSSL 1.1.1 API. * Clean up and simplify SSL_get_ciphers(), SSL_set_session(),
This will be finished in an upcoming release. SSL_set_ssl_method() and several internal functions.
* Fix an overflow in the CN subject line parsing.
* Correctly handle ssl_cert_dup() failure in SSL_set_SSL_CTX(). * Correctly handle ssl_cert_dup() failure in SSL_set_SSL_CTX().
* Fix memory leaks in x509_constraints_extract_names(). * Refactor dtls1_new(), dtls1_hm_fragment_new(),
dtls1_drain_fragments(), dtls1_clear_queues().
* Correct a 1 byte read overflow in x509_constraints_uri(). * Replace some SSL_AD_* with TLS13_ALERT_* defines in the new TLSv1.3
code.
* Ensure the chain is set on the X509_STORE_CTX before triggering * Copy the session id directly in ssl_get_prev_session() instead of
callback. handing it through several functions for copying.
* Release read and write buffers using freezero() * Avoid memset() before memcpy() for CBS_add_bytes().
* Simplify the cleanup of init_buf via an ssl3_release_init_buffer() * Rewrite X509_INFO_{new,free}() more idiomatically.
function.
* Fix numerous leaks in the UI_dup_* functions. * Remove unnecessary zeroing after recallocarray() in
ASN1_BIT_STRING_set_bit().
* Simplify and tidy up hte code in ui_lib.c. * Convert openssl(1) ocsp new option handling.
* Refactor dtls1_clear_queues() to make it NULL safe. * Document SSL_set1_host(3), SSL_set_SSL_CTX(3).
* Have dtls1_hm_fragment_new() call dtls1_hm_fragment_free() on * Document return value from EC_KEY_get0_public_key(3).
failure.
* Have dtls1_new() call dtls1_free() on failure. * Add initial manual page for the x509_verify() chain validator which
will be installed once the new API is publically exposed.
* Call dtls1_hm_fragment_free() from dtls1_drain_fragments() to fix * Test the Botan TLS client with LibreSSL, OpenSSL 1.0.2 and 1.1.1
potential memory leaks. servers.
* Ensure that leaf is set up on X509_STORE_CTX before verification.
* Document SSL_set1_host(3).
* Document SSL_set_SSL_CTX(3).
* Make pthread_mutex static initialisation work on Windows. * Make pthread_mutex static initialisation work on Windows.