Compare commits
7 Commits
Author | SHA1 | Date | |
---|---|---|---|
9a5e2f1686 | ||
c4ebe2518c | ||
1d36474726 | ||
48ecc2d05d | ||
7f322bfe7e | ||
47d4f7109f | ||
12348e6f64 |
@@ -144,7 +144,7 @@ if(HAVE_STRNDUP)
|
||||
endif()
|
||||
|
||||
if(MSVC)
|
||||
set(HAVE_STRNLEN)
|
||||
set(HAVE_STRNLEN true)
|
||||
add_definitions(-DHAVE_STRNLEN)
|
||||
else()
|
||||
check_function_exists(strnlen HAVE_STRNLEN)
|
||||
|
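Review bot: The MSVC branch hard-codes HAVE_STRNLEN without saying why the probe is skipped; the two `set(HAVE_STRNLEN …)` lines are printed here without their +/- markers, so I am assuming `set(HAVE_STRNLEN true)` is the new side. In CMake, `set(VAR)` with no value unsets the variable, so the explicit value is what lets a later test of HAVE_STRNLEN (presumably in the style of the `if(HAVE_STRNDUP)` seen in the hunk header) succeed on MSVC. A comment above the line, such as `# MSVC's CRT provides strnlen: skip the probe and record it as available`, would keep the value from being dropped again. The `if(MSVC)` block closes outside this hunk.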
73
ChangeLog
73
ChangeLog
@@ -28,6 +28,79 @@ history is also available from Git.
|
||||
|
||||
LibreSSL Portable Release Notes:
|
||||
|
||||
2.4.4 - Reliability improvements
|
||||
|
||||
* Avoid continual processing of an unlimited number of TLS records,
|
||||
which can cause a denial-of-service condition.
|
||||
|
||||
* In X509_cmp_time(), pass asn1_time_parse() the tag of the field
|
||||
being parsed so that a malformed GeneralizedTime field is recognized as
|
||||
an error instead of potentially being interpreted as if it was a valid
|
||||
UTCTime.
|
||||
|
||||
* Improve ticket validity checking when tlsext_ticket_key_cb()
|
||||
callback chooses a different HMAC algorithm.
|
||||
|
||||
* Check for packets with a truncated DTLS cookie.
|
||||
|
||||
* Detect zero-length encrypted session data early, instead of when
|
||||
malloc(0) fails or the HMAC check fails.
|
||||
|
||||
* Check for and handle failure of HMAC_{Update,Final} or
|
||||
EVP_DecryptUpdate()
|
||||
|
||||
2.4.3 - Bug fixes and reliability improvements
|
||||
|
||||
* Reverted change that cleans up the EVP cipher context in
|
||||
EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the
|
||||
previous behaviour.
|
||||
|
||||
* Avoid unbounded memory growth in libssl, which can be triggered by a
|
||||
TLS client repeatedly renegotiating and sending OCSP Status Request
|
||||
TLS extensions.
|
||||
|
||||
* Avoid falling back to a weak digest for (EC)DH when using SNI with
|
||||
libssl.
|
||||
|
||||
2.4.2 - Bug fixes and improvements
|
||||
|
||||
* Fixed loading default certificate locations with openssl s_client.
|
||||
|
||||
* Ensured OSCP only uses and compares GENERALIZEDTIME values as per
|
||||
RFC6960. Also added fixes for OCSP to work with intermediate
|
||||
certificates provided in responses.
|
||||
|
||||
* Improved behavior of arc4random on Windows to not appear to leak
|
||||
memory in debug tools, reduced privileges of allocated memory.
|
||||
|
||||
* Fixed incorrect results from BN_mod_word() when the modulus is too
|
||||
large, thanks to Brian Smith from BoringSSL.
|
||||
|
||||
* Correctly handle an EOF prior to completing the TLS handshake in
|
||||
libtls.
|
||||
|
||||
* Improved libtls ceritificate loading and cipher string validation.
|
||||
|
||||
* Updated libtls cipher group suites into four categories:
|
||||
"secure" (TLSv1.2+AEAD+PFS)
|
||||
"compat" (HIGH:!aNULL)
|
||||
"legacy" (HIGH:MEDIUM:!aNULL)
|
||||
"insecure" (ALL:!aNULL:!eNULL)
|
||||
This allows for flexibility and finer grained control, rather than
|
||||
having two extremes.
|
||||
|
||||
* Limited support for 'backward compatible' SSLv2 handshake packets to
|
||||
when TLS 1.0 is enabled, providing more restricted compatibility
|
||||
with TLS 1.0 clients.
|
||||
|
||||
* openssl(1) and other documentation improvements.
|
||||
|
||||
* Removed flags for disabling constant-time operations.
|
||||
This removes support for DSA_FLAG_NO_EXP_CONSTTIME,
|
||||
DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making
|
||||
all of these operations unconditionally constant-time.
|
||||
|
||||
|
||||
2.4.1 - Security fix
|
||||
|
||||
* Correct a problem that prevents the DSA signing algorithm from
|
||||
|
@@ -1 +1 @@
|
||||
master
|
||||
OPENBSD_6_0
|
||||
|
@@ -752,6 +752,9 @@ if (BUILD_SHARED)
|
||||
add_library(crypto-objects OBJECT ${CRYPTO_SRC})
|
||||
add_library(crypto STATIC $<TARGET_OBJECTS:crypto-objects>)
|
||||
add_library(crypto-shared SHARED $<TARGET_OBJECTS:crypto-objects>)
|
||||
if (MSVC)
|
||||
target_link_libraries(crypto-shared crypto Ws2_32.lib)
|
||||
endif()
|
||||
set_target_properties(crypto-shared PROPERTIES OUTPUT_NAME crypto)
|
||||
set_target_properties(crypto-shared PROPERTIES VERSION
|
||||
${CRYPTO_VERSION} SOVERSION ${CRYPTO_MAJOR_VERSION})
|
||||
|
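Review bot: On the added MSVC line, `target_link_libraries(crypto-shared crypto Ws2_32.lib)` links the DLL against the static `crypto` target, which is built from the same `crypto-objects` as `crypto-shared` itself. With the keyword-less signature that dependency is also passed on to whatever links `crypto-shared`, so a consumer may resolve symbols from the static archive and carry a second copy of the library's code and state that a later DLL update does not replace. If only Winsock is needed, `target_link_libraries(crypto-shared PRIVATE Ws2_32)` would be enough, assuming the project's minimum CMake version supports the keyword form and no other plain-signature call exists for this target. The same keyword-less form appears in the ssl-shared and tls-shared hunks below. The `if (BUILD_SHARED)` block starts and ends outside this hunk.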
@@ -52,6 +52,9 @@ if (BUILD_SHARED)
|
||||
add_library(ssl-objects OBJECT ${SSL_SRC})
|
||||
add_library(ssl STATIC $<TARGET_OBJECTS:ssl-objects>)
|
||||
add_library(ssl-shared SHARED $<TARGET_OBJECTS:ssl-objects>)
|
||||
if (MSVC)
|
||||
target_link_libraries(ssl-shared crypto-shared Ws2_32.lib)
|
||||
endif()
|
||||
set_target_properties(ssl-shared PROPERTIES OUTPUT_NAME ssl)
|
||||
set_target_properties(ssl-shared PROPERTIES VERSION ${SSL_VERSION}
|
||||
SOVERSION ${SSL_MAJOR_VERSION})
|
||||
|
@@ -196,6 +196,11 @@ add_test(mont mont)
|
||||
|
||||
# ocsp_test
|
||||
if(ENABLE_EXTRATESTS)
|
||||
if(NOT "${OPENSSLDIR}" STREQUAL "")
|
||||
add_definitions(-D_PATH_SSL_CA_FILE=\"${OPENSSLDIR}/cert.pem\")
|
||||
else()
|
||||
add_definitions(-D_PATH_SSL_CA_FILE=\"${CMAKE_INSTALL_PREFIX}/etc/ssl/cert.pem\")
|
||||
endif()
|
||||
add_executable(ocsp_test ocsp_test.c)
|
||||
target_link_libraries(ocsp_test ${OPENSSL_LIBS})
|
||||
add_test(ocsptest ${CMAKE_CURRENT_SOURCE_DIR}/ocsptest.sh)
|
||||
|
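Review bot: The two added `add_definitions(-D_PATH_SSL_CA_FILE=…)` calls are directory-scoped, so the CA-bundle path is defined for every target in this tests directory rather than only for `ocsp_test`. Scoping it to the test avoids macro-redefinition surprises in other test sources, for example after `add_executable`: `target_compile_definitions(ocsp_test PRIVATE _PATH_SSL_CA_FILE=\"${OPENSSLDIR}/cert.pem\")`, with the `${CMAKE_INSTALL_PREFIX}/etc/ssl/cert.pem` variant in the else branch, if the minimum CMake version allows it. The fallback points into the install prefix, which may not hold a cert.pem when tests run before install, so the trust anchors `ocsp_test` uses depend on whatever already exists at that path. The `if(ENABLE_EXTRATESTS)` block continues past the end of the hunk.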
@@ -31,6 +31,9 @@ if (BUILD_SHARED)
|
||||
add_library(tls-objects OBJECT ${TLS_SRC})
|
||||
add_library(tls STATIC $<TARGET_OBJECTS:tls-objects>)
|
||||
add_library(tls-shared SHARED $<TARGET_OBJECTS:tls-objects>)
|
||||
if (MSVC)
|
||||
target_link_libraries(tls-shared ssl-shared crypto-shared Ws2_32.lib)
|
||||
endif()
|
||||
set_target_properties(tls-shared PROPERTIES OUTPUT_NAME tls)
|
||||
set_target_properties(tls-shared PROPERTIES VERSION ${TLS_VERSION}
|
||||
SOVERSION ${TLS_MAJOR_VERSION})
|
||||
|