Automatic conversion of the NetBSD pkgsrc CVS module, use with care
efcd64c341
2.5.1 - Bug and security fixes, new features, documentation updates
* X509_cmp_time() now passes a malformed GeneralizedTime field as an
error. Reported by Theofilos Petsios.
* Detect zero-length encrypted session data early, instead of when
malloc(0) fails or the HMAC check fails. Noted independently by
jsing@ and Kurt Cancemi.
* Check for and handle failure of HMAC_{Update,Final} or
EVP_DecryptUpdate().
* Massive update and normalization of manpages, conversion to
mandoc format. Many pages were rewritten for clarity and accuracy.
Portable doc links are up-to-date with a new conversion tool.
* Curve25519 Key Exchange support.
* Support for alternate chains for certificate verification.
* Code cleanups, CBS conversions, further unification of DTLS/SSL
handshake code, further ASN1 macro expansion and removal.
* Private symbol are now hidden in libssl and libcryto.
* Friendly certificate verification error messages in libtls, peer
verification is now always enabled.
* Added OCSP stapling support to libtls and netcat.
* Added ocspcheck utility to validate a certificate against its OCSP
responder and save the reply for stapling
* Enhanced regression tests and error handling for libtls.
* Added explicit constant and non-constant time BN functions,
defaulting to constant time wherever possible.
* Moved many leaked implementation details in public structs behind
opaque pointers.
* Added ticket support to libtls.
* Added support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names. This also changes the default
list of curves to be X25519, P-256 and P-384. All other curves must
be manually enabled.
* Added -groups option to openssl(1) s_client for specifying the curves
to be used in a colon-separated list.
* Merged client/server version negotiation code paths into one,
reducing much duplicate code.
* Removed error function codes from libssl and libcrypto.
* Fixed an issue where a truncated packet could crash via an OOB read.
* Added SSL_OP_NO_CLIENT_RENEGOTIATION option that disallows
client-initiated renegotiation. This is the default for libtls
servers.
* Avoid a side-channel cache-timing attack that can leak the ECDSA
private keys when signing. This is due to BN_mod_inverse() being
used without the constant time flag being set. Reported by Cesar
Pereida Garcia and Billy Brumley (Tampere University of Technology).
The fix was developed by Cesar Pereida Garcia.
* iOS and MacOS compatibility updates from Simone Basso and Jacob
Berkman.
|
||
|---|---|---|
| archivers | ||
| audio | ||
| benchmarks | ||
| biology | ||
| bootstrap | ||
| cad | ||
| chat | ||
| comms | ||
| converters | ||
| cross | ||
| databases | ||
| devel | ||
| distfiles | ||
| doc | ||
| editors | ||
| emulators | ||
| filesystems | ||
| finance | ||
| fonts | ||
| games | ||
| geography | ||
| graphics | ||
| ham | ||
| inputmethod | ||
| lang | ||
| licenses | ||
| math | ||
| mbone | ||
| meta-pkgs | ||
| misc | ||
| mk | ||
| multimedia | ||
| net | ||
| news | ||
| packages | ||
| parallel | ||
| pkgtools | ||
| regress | ||
| security | ||
| shells | ||
| sysutils | ||
| templates | ||
| textproc | ||
| time | ||
| wm | ||
| www | ||
| x11 | ||
| Makefile | ||
| pkglocate | ||
| README | ||
$NetBSD: README,v 1.18 2005/05/07 22:18:28 wiz Exp $ Please see doc/pkgsrc.txt for information.