------------------------------------------------------------------------
- OpenBSD 6.1 RELEASED -------------------------------------------------

April 11, 2017.

We are pleased to announce the official release of OpenBSD 6.1.
This is our 42nd release. We remain proud of OpenBSD's record of more
than twenty years with only two remote holes in the default install.

As in our previous releases, 6.1 provides significant improvements,
including new features, in nearly all areas of the system:

- New/extended platforms:
o New arm64 platform, using clang(1) as the base system compiler.
o The loongson platform now supports systems with Loongson 3A CPU
and RS780E chipset.
o The following platforms were retired: armish, sparc, zaurus.

- Improved hardware support, including:
o New acpials(4) driver for ACPI ambient light sensor devices.
o New acpihve(4) driver for feeding Hyper-V entropy into the kernel
pool.
o New acpisbs(4) driver for ACPI Smart Battery devices.
o New dwge(4) driver for Designware GMAC 10/100/Gigabit Ethernet
devices.
o New htb(4) driver for Loongson 3A PCI host bridges.
o New hvn(4) driver for Hyper-V networking interfaces.
o New hyperv(4) driver for the Hyper-V guest nexus device.
o New iatp(4) driver for the Atmel maXTouch touchpad and
touchscreen.
o New imxtemp(4) driver for Freescale i.MX6 temperature sensors.
o New leioc(4) driver for the Loongson 3A low-end IO controller.
o New octmmc(4) driver for the OCTEON MMC host controller.
o New ompinmux(4) driver for OMAP pin multiplexing.
o New omwugen(4) driver for OMAP wake-up generators.
o New psci(4) driver for the ARM Power State Coordination Interface.
o New simplefb(4) driver for the simple frame buffer on systems
using a device tree.
o New sximmc(4) driver for Allwinner A1X/A20 MMC/SD/SDIO
controllers.
o New tpm(4) driver for Trusted Platform Module devices.
o New uwacom(4) driver for Wacom USB tablets.
o New vmmci(4) VMM control interface.
o New xbf(4) driver for Xen Blkfront virtual disks.
o New xp(4) driver for the LUNA-88K HD647180X I/O processor.
o Support for Kaby Lake and Lewisburg PCH Ethernet MACs with I219
PHYs has been added to the em(4) driver.
o Support for RTL8153 USB 3.0 Gigabit Ethernet based devices has
been added to the ure(4) driver.
o Improved ACPI support for modern Apple hardware, including S3
suspend and resume.
o Support for X550 family of 10 Gigabit Ethernet based devices has
been added to the ix(4) driver.

- New vmm(4)/ vmd(8):
o Support was partially integrated in 6.0, but disabled.
o Support for amd64 and i386 hosts.
o BIOS payload provided via vmm-firmware, delivered via
fw_update(1).
o Support for Linux guest VMs.
o Better interrupt handling and legacy device emulation.
o vmm(4) no longer requires VMX unrestricted guest capability
(Nehalem and later CPUs are sufficient).
o Removed bounce buffers previously used by vmd(8) for vio(4) and
vioblk(4) devices.
o Support VMs with > 2GB RAM.
o vmd(8) uses pledge(2) and the fork+exec model.
o vm.conf(5) expanded to include VM ownership rules (uid/gid).
o vmd(8)/ vm.conf(5) supports automatic bridge(4) and switch(4)
configuration for VM network interfaces.
o vmctl(8) supports graceful VM shutdown via vmmci(4).

- IEEE 802.11 wireless stack improvements:
o The ral(4) driver now supports Ralink RT3900E (RT5390, RT3292)
devices.
o The iwm(4) and iwn(4) drivers now support the short guard interval
(SGI) in 11n mode.
o Added a new implementation of MiRa, a rate adapation algorithm
designed for 802.11n.
o The iwm(4) driver now supports 802.11n MIMO (MCS 0-15).
o The athn(4) driver now supports 802.11n, featuring MIMO (MCS 0-15)
and hostap mode.
o The iwn(4) driver now receives MIMO frames in monitor mode.
o The rtwn(4) and urtwn(4) drivers now use AMRR rate adaptation
(8188EU and 8188CE devices only).
o TKIP/WPA1 was disabled by default because of inherent weaknesses
in this protocol.

- Generic network stack improvements:
o New switch(4) pseudo-device together with new switchd(8) and
switchctl(8) programs.
o New mobileip(4) operation mode for the gre(4) pseudo-device.
o Multipoint-to-multipoint mode in vxlan(4).
o route(8) and netstat -r display all routing flags correctly and
they are completely documented in the netstat(1) man page.
o When sending TCP streams they are locally stored in large mbuf
clusters to improve memory management. The maximum TCP send and
receive buffer size has been increased from 256KB to 2MB. Note
that this results in a different pf(4) OS fingerprint for OpenBSD.
The default limit for mbuf clusters has been increased. You can
check the values with netstat(1) -m and adjust them with sysctl(8)
kern.maxclusters.
o Make the TCP_NOPUSH flag work for listen(2) sockets. It is
inherited by the socket returned from accept(2).
o A lot of code has been removed or simplified to make the
transition to multi-processor easier. Redesign the interrupt and
multi-processor locks in the network stack.
o When passing packets from the network stack to the interface
layer, make sure that they have no pointers to pf(4) which could
result in a memory free operation at the wrong protection level.
o Fix checksum calculation in pf(4) af-to ICMP packet conversions.
Simplify af-to processing in and fix path MTU discovery in some
corner cases.
o Improve IPv6 fragment processing. Drop empty atomic fragments
early. Be more paranoid when IPv6 hop-by-hop headers appear after
fragment headers. Follow RFC 5722 "Handling of Overlapping IPv6
Fragments" more strictly in pf(4). RFC 8021 "IPv6 Atomic Fragments
Considered Harmful" deprecates generating atomic fragments, so do
not send them anymore.
o Depending on the addresses, ipsecctl(8) may automatically group SA
bundles together. To make clear what is going on, the kernel
provides this information and ipsecctl -s sa prints IPsec SA
bundles.
o A new routing socket message type, RTM_PROPOSAL, was added to
facilitate future improvements to the network configuration
process.

- Installer improvements:
o The installer now uses privilege separation for fetching and
verifying the install sets.
o Install sets are now fetched over an HTTPS connection by default
when using a mirror that supports it.
o The installer now considers all of the DHCP information in
filename, bootfile-name, server-name, tftp-server-name, and
next-server when attempting to do automatic installs or upgrades.
o The installer no longer adds a route to an alias IP via 127.0.0.1,
due to improvements in the kernel routing components.

- Routing daemons and other userland network improvements:
o ping(8) and ping6(8) are now the same binary and share the engine.
o ripd(8) now supports p2p links with addresses in different
subnets.
o UDP speakers can specify an IPv4 source address using
IP_SENDSRCADDR. iked(8) and snmpd(8) now use the proper source
address when sending replies.
o iked(8) now supports ECDSA and RFC 7427 signatures for
authentication.
o iked(8) now supports replying to IKEv2 responder cookies.
o Many fixes and improvements for iked(8) and ikectl(8), including
various fixes for rekeying.
o ospfd(8) and ospf6d(8) now cope with interface MTU change at
runtime.
o bgpd(8) now supports BGP Large Communities (RFC 8092).
o bgpd(8) now supports BGP Administrative Shutdown Communication
(draft-ietf-idr-shutdown).

- Security improvements:
o Enforcement of userland W^X on OCTEON Plus and later.
o All shared libraries, all dynamic and static-PIE executables, and
ld.so(1) itself use the RELRO ("read-only after relocation")
design such that more of the initial data is protected as
read-only.
o The size of user virtual address space has been increased from 2GB
to 1TB on mips64.
o PIE and -static -pie on arm.
o route6d(8) now runs with fewer privileges.
o For incoming TLS connections syslogd(8) can validate client
certificates with a given CA file.
o The privileged parent process of syslogd(8) calls exec(2) to
reshuffle its random memory layout.
o New function recallocarray(3) to reduce the risk of incorrect
clearing of memory before and after reallocarray(3).
o SHA512_256 family of functions added to libc.
o arm added to the list of archs where the setjmp(3) family of
functions apply XOR cookies to stack and return-address values in
the jmpbuf.
o printf(3) family of formatting functions now report to syslog when
the %s format is used with a NULL pointer.
o Heap buffer overflow detection has been improved when the C
malloc(3) option is used. The existing S option now includes C.
o Support for permitting non-root users to mount(8) filesystems has
been removed.
o bioctl(8) now uses bcrypt PBKDF to derive keys for crypto volumes.

- dhclient(8)/ dhcpd(8)/ dhcrelay(8) improvements:
o Add DHO_BOOTFILE_NAME and DHO_TFTP_SERVER to the options requested
by default.
o Add support for RFC 6842 (Client Identifier Option in DHCP Server
Replies).
o Stop leaking option data received on the udp socket.
o Stop pretending we use RFC 3046/Option 82/Relay Agent Information.
o Stop recording ignored DHO_ROUTERS and DHO_STATIC_ROUTES options
in the effective lease.
o Use only leases from no SSID or the current SSID when restarting.
o Reduce default values for various timeouts to something more
appropriate to modern networks.
o Fix issues with redundant dhcpd servers and CARP'd interfaces.
o Switch to standard logging functions
o Fix vis/unvis of strings in dhclient(8) leases files.

- Assorted improvements:
o New syspatch(8) utility for security and reliability binary
updates to the base system.
o acme-client(1), a privilege separated Automatic Certificate
Management Environment (ACME) client written by Kristaps Dzonsons
has been imported.
o New, simplified xenodm(1) X11 display manager forked from xdm(1).
o Unicode version 8 character properties in the C library.
o Partial UTF-8 line editing support for ksh(1) Vi input mode.
o UTF-8 support in column(1).
o The performance and concurrency of the malloc(3) family in
multi-threaded processes has been improved.
o Estonian keyboard support.
o read(2) on directories now fails instead of returning 0.
o Support for the RES_USE_EDNS0 and RES_USE_DNSSEC flags has been
added to the resolver(3) implementation.
o syslogd(8) limits the socket buffer for TCP and TLS connections to
64K to avoid wasting kernel memory.
o syslogd(8) supports the option -Z to print the timestamp in RFC
5424 ISO format. This logs everything in UTC including the year,
timezone and fractions of seconds. The default is still RFC 3164
BSD syslog time format.
o When log files are rotated, newsyslog(8) writes the creation time
in UTC ISO format into the first line.
o The syslogd(8) options -a, -T, and -U can be given more than once
to specify multiple input sources.
o Improve the syslogd(8) output and diagnostics in case the klog
buffer overflows.
o Make SIGHUP handling in syslogd(8) more reliable.
o Let syslogd(8) tolerate most errors on startup. Keep running and
receive messages from all working subsystems, but do not die.
o The syslog(3) priority of fatal and warning messages of various
daemons has been adjusted.
o An NMI sends the amd64 kernel into ddb(4) more reliably.
o ld.so(1) now supports the DT_PREINITARRAY, DT_INITARRAY,
DT_FINIARRAY, DT_FLAGS, and DT_RUNPATH dynamic tags.
o kdump(1) now dumps the fds returned by pipe(2) and socketpair(2).
o Added support to doas(1) for session-locked persistent
authentication.
o Use a hardware register for the thread pointer on arm for improved
performance in multi-threaded processes.
o SGI boot blocks now consult the OpenBSD disklabel(5) to locate the
root filesystem. This reduces constraints on disk partitioning.
o iec(4) no longer hangs when its transmit ring gets full.
o sq(4) has been fixed to accept broadcast frames in non-promiscuous
mode when no IP address is configured. This lets the interface
work with DHCP.
o Multiprocessor-safe PCI interrupt handlers are run without the
kernel lock on OpenBSD/sgi.
o fdisk(8) now unconditionally sets the size of the protective MBR's
EFI GPT partition to UINT32_MAX.
o fdisk(8) now respects the current MBR or GPT format when
initializing a disk.
o softraid(4) now uses sufficient parallel i/o's to efficiently
rebuild RAID5 volumes.
o asr now accepts UDP packets of up to 4096 bytes to account for
broken DNS servers.
o umass(4) no longer assumes that ATAPI or UFI devices have only 1
LUN.
o scsi(4) now correctly detects end of tape on LTO5 devices.
o httpd(8) supports SNI via libtls to allow for multiple https sites
on a single IP address.
o ocspheck(8) has been added, and can be used to check the OCSP
status of certificates. The corresponding responses can be saved
for later use in OCSP stapling.
o httpd(8) supports OCSP stapling via libtls to permit OCSP
responses to be stapled to the tls handshake
o nc(1) now also supports OCSP stapling server side, and will show
the stapling information client side.
o Both relayd(8) and httpd(8) support now TLS session resumption
using TLS session tickets. See the respective configuration man
page for more information.
o With the -f option sensorsd(8) can use an alternative config file.

- OpenSMTPD 6.0.0
o Added support for providing an alternate subaddressing delimiter.
o Made the daemon less verbose in logs when exiting.
o Improved the io layer to simplify code accross the daemon.
o Added support for matching authenticated sessions in the ruleset.
o Assorted code and documentation cleanups.

- OpenSSH 7.4
o Security:
- ssh-agent(1): Will now refuse to load PKCS#11 modules from
paths outside a trusted whitelist (run-time configurable).
Requests to load modules could be passed via agent forwarding
and an attacker could attempt to load a hostile PKCS#11
module across the forwarded agent channel: PKCS#11 modules
are shared libraries, so this would result in code execution
on the system running the ssh-agent if the attacker has
control of the forwarded agent-socket (on the host running
the sshd server) and the ability to write to the filesystem
of the host running ssh-agent (usually the host running the
ssh client).
- sshd(8): When privilege separation is disabled, forwarded
Unix- domain sockets would be created by sshd(8) with the
privileges of 'root' instead of the authenticated user. This
release refuses Unix-domain socket forwarding when privilege
separation is disabled (Privilege separation has been enabled
by default for 14 years).
- sshd(8): Avoid theoretical leak of host private key material
to privilege-separated child processes via realloc() when
reading keys. No such leak was observed in practice for
normal-sized keys, nor does a leak to the child processes
directly expose key material to unprivileged users.
- sshd(8): The shared memory manager used by pre-authentication
compression support had a bounds checks that could be elided
by some optimising compilers. Additionally, this memory
manager was incorrectly accessible when pre-authentication
compression was disabled. This could potentially allow
attacks against the privileged monitor process from the
sandboxed privilege-separation process (a compromise of the
latter would be required first). This release removes support
for pre-authentication compression from sshd(8).
- sshd(8): Fix denial-of-service condition where an attacker
who sends multiple KEXINIT messages may consume up to 128MB
per connection.
- sshd(8): Validate address ranges for AllowUser and DenyUsers
directives at configuration load time and refuse to accept
invalid ones. It was previously possible to specify invalid
CIDR address ranges (e.g. user@127.1.2.3/55) and these would
always match, possibly resulting in granting access where it
was not intended.
- ssh(1), sshd(8): Fix weakness in CBC padding oracle
countermeasures that allowed a variant of the attack fixed in
OpenSSH 7.3 to proceed.
o New/changed features:
- Server support for the SSH v.1 protocol has been removed.
- ssh(1): Remove 3des-cbc from the client's default proposal.
64-bit block ciphers are not safe in 2016 and we don't want
to wait until attacks like SWEET32 are extended to SSH. As
3des-cbc was the only mandatory cipher in the SSH RFCs, this
may cause problems connecting to older devices using the
default configuration, but it's highly likely that such
devices already need explicit configuration for key exchange
and hostkey algorithms already anyway.
- sshd(8): Remove support for pre-authentication compression.
Doing compression early in the protocol probably seemed
reasonable in the 1990s, but today it's clearly a bad idea in
terms of both cryptography (cf. multiple compression oracle
attacks in TLS) and attack surface. Pre-auth compression
support has been disabled by default for >10 years. Support
remains in the client.
- ssh-agent will refuse to load PKCS#11 modules outside a
whitelist of trusted paths by default. The path whitelist may
be specified at run-time.
- sshd(8): When a forced-command appears in both a certificate
and an authorized keys/principals command= restriction, sshd
will now refuse to accept the certificate unless they are
identical. The previous (documented) behaviour of having the
certificate forced-command override the other could be a bit
confusing and error-prone.
- sshd(8): Remove the UseLogin configuration directive and
support for having /bin/login manage login sessions.
- ssh(1): Add a proxy multiplexing mode to ssh(1) inspired by
the version in PuTTY by Simon Tatham. This allows a
multiplexing client to communicate with the master process
using a subset of the SSH packet and channels protocol over a
Unix-domain socket, with the main process acting as a proxy
that translates channel IDs, etc. This allows multiplexing
mode to run on systems that lack file- descriptor passing
(used by current multiplexing code) and potentially, in
conjunction with Unix-domain socket forwarding, with the
client and multiplexing master process on different machines.
Multiplexing proxy mode may be invoked using "ssh -O proxy
..."
- sshd(8): Add a sshd_config DisableForwarding option that
disables X11, agent, TCP, tunnel and Unix domain socket
forwarding, as well as anything else we might implement in
the future. Like the 'restrict' authorized_keys flag, this is
intended to be a simple and future-proof way of restricting
an account.
- sshd(8), ssh(1): Support the "curve25519-sha256" key exchange
method. This is identical to the currently-supported method
named "curve25519-sha256@libssh.org".
- sshd(8): Improve handling of SIGHUP by checking to see if
sshd is already daemonised at startup and skipping the call
to daemon(3) if it is. This ensures that a SIGHUP restart of
sshd(8) will retain the same process-ID as the initial
execution. sshd(8) will also now unlink the PidFile prior to
SIGHUP restart and re-create it after a successful restart,
rather than leaving a stale file in the case of a
configuration error.
- sshd(8): Allow ClientAliveInterval and ClientAliveCountMax
directives to appear in sshd_config Match blocks.
- sshd(8): Add %-escapes to AuthorizedPrincipalsCommand to
match those supported by AuthorizedKeysCommand (key, key
type, fingerprint, etc.) and a few more to provide access to
the contents of the certificate being offered.
- Added regression tests for string matching, address matching
and string sanitisation functions.
- Improved the key exchange fuzzer harness.
- Deprecate the sshd_config UsePrivilegeSeparation option,
thereby making privilege separation mandatory. Privilege
separation has been on by default for almost 15 years and
sandboxing has been on by default for almost the last five.
- ssh(1), sshd(8): Support "=-" syntax to easily remove methods
from algorithm lists, e.g. Ciphers=-*cbc.
o The following significant bugs have been fixed in this release:
- ssh(1): Allow IdentityFile to successfully load and use
certificates that have no corresponding bare public key.
certificate id_rsa-cert.pub (and no id_rsa.pub).
- ssh(1): Fix public key authentication when multiple
authentication is in use and publickey is not just the first
method attempted.
- ssh-agent(1), ssh(1): improve reporting when attempting to
load keys from PKCS#11 tokens with fewer useless log messages
and more detail in debug messages.
- ssh(1): When tearing down ControlMaster connections, don't
pollute stderr when LogLevel=quiet.
- sftp(1): On ^Z wait for underlying ssh(1) to suspend before
suspending sftp(1) to ensure that ssh(1) restores the
terminal mode correctly if suspended during a password
prompt.
- ssh(1): Avoid busy-wait when ssh(1) is suspended during a
password prompt.
- ssh(1), sshd(8): Correctly report errors during sending of
ext- info messages.
- sshd(8): fix NULL-deref crash if sshd(8) received an out-of-
sequence NEWKEYS message.
- sshd(8): Correct list of supported signature algorithms sent
in the server-sig-algs extension.
- sshd(8): Fix sending ext_info message if privsep is disabled.
- sshd(8): more strictly enforce the expected ordering of
privilege separation monitor calls used for authentication
and allow them only when their respective authentication
methods are enabled in the configuration
- sshd(8): Fix uninitialised optlen in getsockopt() call;
harmless on Unix/BSD but potentially crashy on Cygwin.
- Fix false positive reports caused by explicit_bzero(3) not
being recognised as a memory initialiser when compiled with
-fsanitize-memory.
- sshd_config(5): Use 2001:db8::/32, the official IPv6 subnet
for configuration examples.
- sshd(1): Fix NULL dereference crash when key exchange start
messages are sent out of sequence.
- ssh(1), sshd(8): Allow form-feed characters to appear in
configuration files.
- sshd(8): Fix regression in OpenSSH 7.4 support for the
server-sig-algs extension, where SHA2 RSA signature methods
were not being correctly advertised.
- ssh(1), ssh-keygen(1): Fix a number of case-sensitivity bugs
in known_hosts processing.
- ssh(1): Allow ssh to use certificates accompanied by a
private key file but no corresponding plain *.pub public key.
- ssh(1): When updating hostkeys using the UpdateHostKeys
option, accept RSA keys if HostkeyAlgorithms contains any RSA
keytype. Previously, ssh could ignore RSA keys when only the
ssh-rsa-sha2-* methods were enabled in HostkeyAlgorithms and
not the old ssh-rsa method.
- ssh(1): Detect and report excessively long configuration file
lines.
- Merge a number of fixes found by Coverity and reported via
Redhat and FreeBSD. Includes fixes for some memory and file
descriptor leaks in error paths.
- ssh-keyscan(1): Correctly hash hosts with a port number.
- ssh(1), sshd(8): When logging long messages to stderr, don't
truncate "\r\n" if the length of the message exceeds the
buffer.
- ssh(1): Fully quote [host]:port in generated ProxyJump/-J
command- line; avoid confusion over IPv6 addresses and shells
that treat square bracket characters specially.
- ssh-keygen(1): Fix corruption of known_hosts when running
"ssh-keygen -H" on a known_hosts containing already-hashed
entries.
- Fix various fallout and sharp edges caused by removing SSH
protocol 1 support from the server, including the server
banner string being incorrectly terminated with only \n
(instead of \r\n), confusing error messages from ssh-keyscan
a segfault in sshd if protocol v.1 was enabled for the client
and sshd_config contained references to legacy keys.
- ssh(1), sshd(8): Free fd_set on connection timeout.
- sshd(8): Fix Unix domain socket forwarding for root
(regression in OpenSSH 7.4).
- sftp(1): Fix division by zero crash in "df" output when
server returns zero total filesystem blocks/inodes.
- ssh(1), ssh-add(1), ssh-keygen(1), sshd(8): Translate OpenSSL
errors encountered during key loading to more meaningful
error codes.
- ssh-keygen(1): Sanitise escape sequences in key comments sent
to printf but preserve valid UTF-8 when the locale supports
it.
- ssh(1), sshd(8): Return reason for port forwarding failures
where feasible rather than always "administratively
prohibited".
- sshd(8): Fix deadlock when AuthorizedKeysCommand or
AuthorizedPrincipalsCommand produces a lot of output and a
key is matched early.
- ssh(1): Fix typo in ~C error message for bad port forward
cancellation.
- ssh(1): Show a useful error message when included config
files can't be opened.
- sshd(8): Make sshd set GSSAPIStrictAcceptorCheck=yes as the
manual page (previously incorrectly) advertised.
- sshd_config(5): Repair accidentally-deleted mention of %k
token in AuthorizedKeysCommand.
- sshd(8): Remove vestiges of previously removed LOGIN_PROGRAM;
- ssh-agent(1): Relax PKCS#11 whitelist to include libexec and
common 32-bit compatibility library directories.
- sftp-client(1): Fix non-exploitable integer overflow in
SSH2_FXP_NAME response handling.
- ssh-agent(1): Fix regression in 7.4 of deleting
PKCS#11-hosted keys. It was not possible to delete them
except by specifying their full physical path.

- LibreSSL 2.5.3
o libtls now supports ALPN and SNI
o libtls adds a new callback interface for integrating custom IO
functions. Thanks to Tobias Pape.
o libtls now handles 4 cipher suite groups:
- "secure" (TLSv1.2+AEAD+PFS)
- "compat" (HIGH:!aNULL)
- "legacy" (HIGH:MEDIUM:!aNULL)
- "insecure" (ALL:!aNULL:!eNULL)
This allows for flexibility and finer grained control, rather than
having two extremes (an issue raised by Marko Kreen some time
ago).
o Tightened error handling for tls_config_set_ciphers().
o libtls now always loads CA, key and certificate files at the time
the configuration function is called. This simplifies code and
results in a single memory based code path being used to provide
data to libssl.
o Added support for OCSP intermediate certificates.
o Added X509_check_host(), X509_check_email(), X509_check_ip(), and
X509_check_ip_asc() functions, via BoringSSL.
o Added initial support for iOS, thanks to Jacob Berkman.
o Improved behavior of arc4random on Windows when using memory leak
analysis software.
o Correctly handle an EOF that occurs prior to the TLS handshake
completing. Reported by Vasily Kolobkov, based on a diff from
Marko Kreen.
o Limit the support of the "backward compatible" SSLv2 handshake to
only be used if TLS 1.0 is enabled.
o Fix incorrect results in certain cases on 64-bit systems when
BN_mod_word() can return incorrect results. BN_mod_word() now can
return an error condition. Thanks to Brian Smith.
o Added constant-time updates to address CVE-2016-0702.
o Fixed undefined behavior in BN_GF2m_mod_arr().
o Removed unused Cryptographic Message Support (CMS).
o More conversions of long long idioms to time_t.
o Improved compatibility by avoiding printing NULL strings with
printf.
o Reverted change that cleans up the EVP cipher context in
EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on
the previous behaviour.
o Avoid unbounded memory growth in libssl, which can be triggered by
a TLS client repeatedly renegotiating and sending OCSP Status
Request TLS extensions.
o Avoid falling back to a weak digest for (EC)DH when using SNI with
libssl.
o X509_cmp_time() now passes a malformed GeneralizedTime field as an
error. Reported by Theofilos Petsios.
o Check for and handle failure of HMAC_{Update,Final} or
EVP_DecryptUpdate().
o Massive update and normalization of manpages, conversion to mandoc
format. Many pages were rewritten for clarity and accuracy.
Portable doc links are up-to-date with a new conversion tool.
o Curve25519 and TLS X25519 Key Exchange support.
o Support for alternate chains for certificate verification.
o Code cleanups, CBB conversions, further unification of DTLS/SSL
handshake code, further ASN1 macro expansion and removal.
o Private symbols are now hidden in libssl and libcrypto.
o Friendly certificate verification error messages in libtls, peer
verification is now always enabled.
o Added OCSP stapling support to libtls and nc.
o Added ocspcheck utility to validate a certificate against its OCSP
responder and save the reply for stapling
o Enhanced regression tests and error handling for libtls.
o Added explicit constant and non-constant time BN functions,
defaulting to constant time wherever possible.
o Moved many leaked implementation details in public structs behind
opaque pointers.
o Added ticket support to libtls.
o Added support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the
previous SSL{_CTX}_set1_curves{_list} names. This also changes the
default list of curves to be X25519, P-256 and P-384. All other
curves must be manually enabled.
o Added -groups option to openssl(1) s_client for specifying the
curves to be used in a colon-separated list.

[continued in next message]

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)