Updated libressl to 2.5.1.

2.5.1 - Bug and security fixes, new features, documentation updates

	* X509_cmp_time() now passes a malformed GeneralizedTime field as an
	  error. Reported by Theofilos Petsios.

	* Detect zero-length encrypted session data early, instead of when
	  malloc(0) fails or the HMAC check fails. Noted independently by
	  jsing@ and Kurt Cancemi.

	* Check for and handle failure of HMAC_{Update,Final} or
	  EVP_DecryptUpdate().

	* Massive update and normalization of manpages, conversion to
	  mandoc format. Many pages were rewritten for clarity and accuracy.
	  Portable doc links are up-to-date with a new conversion tool.

	* Curve25519 Key Exchange support.

	* Support for alternate chains for certificate verification.

	* Code cleanups, CBS conversions, further unification of DTLS/SSL
	  handshake code, further ASN1 macro expansion and removal.

	* Private symbols are now hidden in libssl and libcrypto.

	* Friendly certificate verification error messages in libtls, peer
	  verification is now always enabled.

	* Added OCSP stapling support to libtls and netcat.

	* Added ocspcheck utility to validate a certificate against its OCSP
	  responder and save the reply for stapling.

	* Enhanced regression tests and error handling for libtls.

	* Added explicit constant and non-constant time BN functions,
	  defaulting to constant time wherever possible.

	* Moved many leaked implementation details in public structs behind
	  opaque pointers.

	* Added ticket support to libtls.

	* Added support for setting the supported EC curves via
	  SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
	  SSL{_CTX}_set1_curves{_list} names. This also changes the default
	  list of curves to be X25519, P-256 and P-384. All other curves must
	  be manually enabled.

	* Added -groups option to openssl(1) s_client for specifying the curves
	  to be used in a colon-separated list.

	* Merged client/server version negotiation code paths into one,
	  reducing much duplicate code.

	* Removed error function codes from libssl and libcrypto.

	* Fixed an issue where a truncated packet could crash via an OOB read.

	* Added SSL_OP_NO_CLIENT_RENEGOTIATION option that disallows
	  client-initiated renegotiation. This is the default for libtls
	  servers.

	* Avoid a side-channel cache-timing attack that can leak the ECDSA
	  private keys when signing. This is due to BN_mod_inverse() being
	  used without the constant time flag being set. Reported by Cesar
	  Pereida Garcia and Billy Brumley (Tampere University of Technology).
	  The fix was developed by Cesar Pereida Garcia.

	* iOS and MacOS compatibility updates from Simone Basso and Jacob
	  Berkman.
wiz 2017-02-02 15:31:16 +00:00
parent 88b147d19d
commit efcd64c341
3 changed files with 998 additions and 54 deletions

@ -1,6 +1,6 @@
# $NetBSD: Makefile,v 1.9 2016/10/04 11:39:23 wiz Exp $
# $NetBSD: Makefile,v 1.10 2017/02/02 15:31:16 wiz Exp $
DISTNAME= libressl-2.5.0
DISTNAME= libressl-2.5.1
CATEGORIES= security
MASTER_SITES= ${MASTER_SITE_OPENBSD:=LibreSSL/}
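
Review bot: the DISTNAME line is the only functional change in this Makefile hunk, yet the log for 2.5.1 lists behaviour changes that can affect dependents: the default curve list becomes X25519, P-256 and P-384, private symbols are hidden in libssl and libcrypto, and error function codes are removed. Please state in the commit message whether packages that build against this one were rebuilt and tested, and consider pointing dependents that need other curves at SSL{_CTX}_set1_groups{_list}().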

File diff suppressed because it is too large

@ -1,6 +1,6 @@
$NetBSD: distinfo,v 1.6 2016/10/04 11:39:23 wiz Exp $
$NetBSD: distinfo,v 1.7 2017/02/02 15:31:16 wiz Exp $
SHA1 (libressl-2.5.0.tar.gz) = e103ed6dc366060c5104bad15270cf7a1b9b9bc4
RMD160 (libressl-2.5.0.tar.gz) = a3e63495c8ae20f920fba9f2ffa323e2c609e6d6
SHA512 (libressl-2.5.0.tar.gz) = 6372b27f1696e957389646a05b0572ad6936443b34fee0e57153b063831e00318fa1b434e3e0369f0c3df872e15ad3bee2f85db0851021444612f2a6f266a332
Size (libressl-2.5.0.tar.gz) = 3012855 bytes
SHA1 (libressl-2.5.1.tar.gz) = b3e8b7b8d70aa27459add8ee4ab5078b366923d2
RMD160 (libressl-2.5.1.tar.gz) = 6b97c8aaf5131d921ee72e8105b37f5c1270166f
SHA512 (libressl-2.5.1.tar.gz) = 44557c7c3e6bc9c0af9ae83b26765be9707d53708a32a5a945108a49ea20503afa4197919801830d27821c069b87e0e0edd284bd1b8a85340dbc0da2c162c2f9
Size (libressl-2.5.1.tar.gz) = 3266271 bytes
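
Review bot: the new digest lines for libressl-2.5.1.tar.gz do not say how the tarball was authenticated before it was hashed, and for a release that carries the ECDSA side-channel and OOB read fixes that provenance matters. Of the three recorded digests, SHA1 no longer resists collisions, so the SHA512 line is the one to compare against upstream's published checksum or signature; a sentence in the commit message saying this was done would close the gap.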