Because this project is maintained both in the OpenBSD tree using CVS and in
Git, it can be confusing to follow all of the changes.

Most of the libssl and libcrypto source code is here in OpenBSD CVS:

    http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/

Some of the libcrypto and OS-compatibility files for entropy and random number
generation are here:

    http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libcrypto/

A simplified TLS wrapper library is here:

    http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libtls/

The LibreSSL Portable project copies these portions of the OpenBSD tree, along
with relevant portions of the C library, to a Git repository. This makes it
easier to follow all of the relevant changes to the upstream project in a
single place:

    https://github.com/libressl-portable/openbsd

The portable bits of the project are largely maintained out-of-tree, and their
history is also available from Git:

    https://github.com/libressl-portable/portable

LibreSSL Portable Release Notes:

3.2.5 - Bug fix

    * A TLS client using session resumption may cause a use-after-free.

3.2.4 - Bug and interoperability fixes

    * Switch back to certificate verification code from LibreSSL 3.1.x. The
      new verifier is not bug-compatible with the old verifier, causing issues
      with applications expecting behavior of the old verifier.

    * Unbreak DTLS retransmissions for flights that include a CCS

    * Only check BIO_should_read() on read and BIO_should_write() on write

    * Implement autochain for the TLSv1.3 server

    * Use the legacy verifier for autochain

    * Implement exporter for TLSv1.3

    * Free alert_data and phh_data in tls13_record_layer_free()

    * Plug leak in x509_verify_chain_dup()

    * Free the policy tree in x509_vfy_check_policy()

3.2.3 - Security fix

    * Malformed ASN.1 in a certificate revocation list or a timestamp
      response token can lead to a NULL pointer dereference.

3.2.2 - Stable release

    * This is the first stable release with the new TLSv1.3
      implementation enabled by default for both client and server. The
      OpenSSL 1.1 TLSv1.3 API is not yet available and will be provided
      in an upcoming release.

    * New X509 certificate chain validator that correctly handles
      multiple paths through intermediate certificates. Loosely based on
      Go's X509 validator.

    * New name constraints verification implementation which passes the
      bettertls.com certificate validation check suite.

    * Improve the handling of BIO_read()/BIO_write() failures in the
      TLSv1.3 stack.

    * Start replacing the existing TLSv1.2 record layer.

    * Define OPENSSL_NO_SSL_TRACE in opensslfeatures.h.

    * Make SSL_CTX_get_ciphers(NULL) return NULL rather than crash.

    * Send alert on ssl_get_prev_session() failure.

    * Zero out variable on the stack to avoid leaving garbage in the tail
      of short session IDs.

    * Move state initialization from SSL_clear() to ssl3_clear() to ensure
      that it gets correctly reinitialized across a SSL_set_ssl_method()
      call.

    * Avoid an out-of-bounds write in BN_rand().

    * Fix numerous leaks in the UI_dup_* functions. Simplify and tidy up
      the code in ui_lib.c.

    * Correctly track selected ALPN length to avoid a potential segmentation
      fault with SSL_get0_alpn_selected() when alpn_selected is NULL.

    * Include machine/endian.h in gost2814789.c in order to pick up the
      __STRICT_ALIGNMENT define.

    * Simplify SSL method lookups.

    * Clean up and simplify SSL_get_ciphers(), SSL_set_session(),
      SSL_set_ssl_method() and several internal functions.

    * Correctly handle ssl_cert_dup() failure in SSL_set_SSL_CTX().

    * Refactor dtls1_new(), dtls1_hm_fragment_new(),
      dtls1_drain_fragments(), dtls1_clear_queues().

    * Copy the session ID directly in ssl_get_prev_session() instead of
      handing it through several functions for copying.

    * Clean up and refactor ssl_get_prev_session(); simplify
      tls_decrypt_ticket() and tls1_process_ticket() exit paths.

    * Avoid memset() before memcpy() in CBS_add_bytes().

    * Rewrite X509_INFO_{new,free}() more idiomatically.

    * Remove unnecessary zeroing after recallocarray() in
      ASN1_BIT_STRING_set_bit().

    * Convert openssl(1) ocsp to new option handling.

    * Document SSL_set1_host(3), SSL_set_SSL_CTX(3).

    * Document return value from EC_KEY_get0_public_key(3).

    * Greatly expanded test coverage via the tlsfuzzer test scripts.

    * Expanded test coverage via the bettertls certificate test suite.

    * Test interoperability with the Botan TLS client.

    * Make pthread_mutex static initialisation work on Windows.

    * Get __STRICT_ALIGNMENT from machine/endian.h with portable build.

3.2.1 - Development release

    * Propagate alerts from the read half of the TLSv1.3 record layer to I/O
      functions.

    * Send a record overflow alert for TLSv1.3 messages having overlong
      plaintext or inner plaintext.

    * Send an illegal parameter alert if a client sends an invalid DH key
      share.

    * Document PKCS7_final(3), PKCS7_add_attribute(3).

    * Collapse x509v3 directory into x509.

    * Improve TLSv1.3 client certificate selection to allow EC certificates
      instead of only RSA certificates.

    * Fail on receiving an invalid NID in X509_ATTRIBUTE_create() instead
      of constructing a broken object that may cause NULL pointer accesses.

    * Add support for additional GOST curves from RFC 7836 and
      draft-deremin-rfc4491-bis.

    * Add OIDs for HMAC using the Streebog hash function.

    * Allow GOST R 34.11-2012 in PBE/PBKDF2/PKCS#5.

    * Enable GOST_SIG_FORMAT_RS_LE when verifying certificate signatures.

    * Handle GOST in ssl_cert_dup().

    * Stop sending GOST R 34.10-94 as a CertificateType.

    * Use IANA allocated GOST ClientCertificateTypes.

    * Add a custom copy handler for AES keywrap to fix a use-after-free.

    * Enforce in the TLSv1.3 server that ClientHello messages after
      a HelloRetryRequest match the original ClientHello as per RFC 8446
      section 4.1.2.

    * Document more PKCS7 attribute functions.

    * Document PKCS7_get_signer_info(3).

    * Document PEM_ASN1_read(3) and PEM_ASN1_read_bio(3).

    * Document PEM_def_callback(3).

    * Document EVP_read_pw_string_min(3).

    * Merge documentation of X509_get0_serialNumber from OpenSSL 1.1.1.

    * Document error handling of X509_PUBKEY_get0(3) and X509_PUBKEY_get(3).

    * Document X509_get0_pubkey_bitstr(3).

    * Fix an off-by-one in the CBC padding removal. From BoringSSL.

    * Enforce restrictions on extensions present in the ClientHello as per
      RFC 8446, section 9.2.

    * Add new CMAC_Init(3) and ChaCha(3) manual pages.

    * Fix SSL_shutdown behavior to match the legacy stack. The previous
      behavior could cause a hang.

    * Add initial support for openbsd/powerpc64.

    * Make the message type available in the internal TLS extensions API
      functions.

    * Enable TLSv1.3 for the generic TLS_method().

    * Convert openssl(1) s_client option handling.

    * Document openssl(1) certhash.

    * Convert openssl(1) verify option handling.

    * Fix a longstanding bug in PEM_X509_INFO_read_bio(3) that could cause
      use-after-free and double-free issues in calling programs.

    * Document PEM_X509_INFO_read(3) and PEM_X509_INFO_read_bio(3).

    * Handle SSL_MODE_AUTO_RETRY being changed during a TLSv1.3 session.

    * Convert openssl(1) s_server option handling.

    * Add minimal info callback support for TLSv1.3.

    * Refactor, clean up and simplify some SSL3/DTLS1 record writing code.

    * Correctly handle server requests for an OCSP response.

    * Add the P-521 curve to the list of curves supported by default
      in the client.

    * Convert openssl(1) req option handling.

    * Avoid calling freezero with a negative size if a server sends a
      malformed plaintext of all zeroes.

    * Send an unexpected message alert if no valid content type is found
      in a TLSv1.3 record.

3.2.0 - Development release

    * Enable TLS 1.3 server side in addition to client by default.
      With this change TLS 1.3 is handled entirely on the new stack
      and state machine, with fallback to the legacy stack and
      state machine for older versions. Note that the OpenSSL TLS 1.3
      API is not yet visible/available.

    * Improve length checks in the TLS 1.3 record layer and provide
      appropriate alerts for violations of record layer limits.

    * Enforce that SNI hostnames received by the TLS server are correctly
      formed as per RFC 5890 and RFC 6066, responding with illegal parameter
      for a nonconformant host name.

    * Support SSL_MODE_AUTO_RETRY in TLS 1.3 to allow the automatic
      retry of handshake messages.

    * Modify I/O behavior so that SSL_MODE_AUTO_RETRY is the default,
      similar to new OpenSSL releases.

    * Modify openssl(1) to clear SSL_MODE_AUTO_RETRY appropriately in
      various commands.

    * Add tlsfuzzer-based regression tests.

    * Support sending certificate status requests from the TLS 1.3
      client to request OCSP staples for leaf certificates.

    * Support sending certificate status replies from the TLS 1.3 server
      in order to send OCSP staples for leaf certificates.

    * Send correct alerts when handling failed key share extensions
      on the TLS 1.3 server.

    * Various compatibility fixes for TLS 1.3 to 1.2 fallback for
      switching from the new to legacy stacks.

    * Support TLS 1.3 options in the openssl(1) command.

    * Many alert cleanups in TLS 1.3 to provide expected alerts in failure
      conditions.

    * Modify "openssl x509" to display invalid certificate times as
      invalid, and correctly deal with the failing return case from
      X509_cmp_time so that a certificate with an invalid NotAfter does
      not appear valid.

    * Support sending dummy change_cipher_spec records for TLS 1.3 middlebox
      compatibility.

    * Ensure only PSS signatures are used with RSA in TLS 1.3.

    * Ensure that TLS 1.3 clients advertise exactly the "null" compression
      method in their legacy_compression_methods.

    * Correct use of sockaddr_storage instead of sockaddr in openssl(1)
      s_client, which could lead to using 14 bytes of stack garbage instead
      of an IPv6 address in DTLS mode.

    * Use non-expired certificates first when building a certificate chain.

3.1.4 - Interoperability and bug fixes for the TLSv1.3 client:

    * Improve client certificate selection to allow EC certificates
      instead of only RSA certificates.

    * Do not error out if a TLSv1.3 server requests an OCSP response as
      part of a certificate request.

    * Fix SSL_shutdown behavior to match the legacy stack. The previous
      behaviour could cause a hang.

    * Fix a memory leak and add a missing error check in the handling of
      the key update message.

    * Fix a memory leak in tls13_record_layer_set_traffic_key.

    * Avoid calling freezero with a negative size if a server sends a
      malformed plaintext of all zeroes.

    * Ensure that only PSS may be used with RSA in TLSv1.3 in order
      to avoid using PKCS1-based signatures.

    * Add the P-521 curve to the list of curves supported by default
      in the client.

3.1.3 - Bug fix

    * libcrypto may fail to build a valid certificate chain due to
      expired untrusted issuer certificates.

3.1.2 - Bug fix

    * A TLS client with peer verification disabled may crash when
      contacting a server that sends an empty certificate list.

3.1.1 - Stable release

    * Improved cipher suite handling to automatically include TLSv1.3
      cipher suites when they are not explicitly referred to in the
      cipher string.

    * Improved handling of TLSv1.3 HelloRetryRequests, simplifying
      state transitions and ensuring that the legacy session identifier
      retains the same value across the handshake.

    * Provided TLSv1.3 cipher suite aliases to match the names used
      in RFC 8446.

    * Improved TLSv1.3 client key share handling to allow the use of
      any groups in our configured NID list.

    * Fixed printing of the serialNumber with X509_print_ex(): fall back to
      the colon-separated hex bytes when the value does not fit in an int.

    * Fix to disallow setting the AES-GCM IV length to zero.

    * Added -groups option to openssl(1) s_server subcommand.

    * Fix to show TLSv1.3 extension types with openssl(1) -tlsextdebug.

    * Improved portable builds to support the use of static MSVC runtimes.

    * Fixed portable builds to avoid exporting a sleep() symbol.

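The SNI hostname check listed under 3.2.0 above is worth seeing in concrete
form. The following is an added example, not LibreSSL's own code: a validator
for the HostName octets of the server_name extension. It assumes a 255-octet
cap on the whole name, RFC 5890 LDH labels of 1..63 octets that neither start
nor end with '-', no empty labels, and rejection of IPv4/IPv6 address literals
as RFC 6066 requires; the function names are the example's own.

```c
/*
 * Added example, not LibreSSL code: a validator for the HostName field of
 * the TLS server_name extension, in the spirit of the 3.2.0 entry that has
 * the server answer a malformed SNI with an illegal_parameter alert.
 *
 * Assumptions made here (the example's reading of the RFCs):
 *   - RFC 6066: HostName may not be an IPv4 or IPv6 address literal; the
 *     255-octet cap mirrors the DNS name limit.
 *   - RFC 5890 / RFC 1034: each label is 1..63 octets of ASCII letters,
 *     digits and '-', and may not begin or end with '-'.
 *   - Empty labels (leading, trailing or doubled '.') are rejected.
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define SNI_MAX_HOSTNAME 255
#define SNI_MAX_LABEL     63

/* ASCII-only on purpose: isalnum(3) would admit locale-dependent bytes. */
static int
sni_is_ldh_char(unsigned char c)
{
	return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
	    (c >= '0' && c <= '9') || c == '-';
}

/* 1 if name[0..len) parses as an IPv4 or IPv6 address literal. */
static int
sni_is_ip_literal(const unsigned char *name, size_t len)
{
	char buf[SNI_MAX_HOSTNAME + 1];
	unsigned char addr[sizeof(struct in6_addr)];

	if (len > SNI_MAX_HOSTNAME)
		return 0;
	memcpy(buf, name, len);
	buf[len] = '\0';
	return inet_pton(AF_INET, buf, addr) == 1 ||
	    inet_pton(AF_INET6, buf, addr) == 1;
}

/*
 * Returns 1 if the octets form a well-formed SNI HostName, 0 otherwise.
 * A server would answer 0 with an illegal_parameter alert.
 */
int
sni_hostname_is_valid(const unsigned char *name, size_t len)
{
	size_t i, label_len = 0;

	if (len == 0 || len > SNI_MAX_HOSTNAME)
		return 0;
	if (sni_is_ip_literal(name, len))
		return 0;

	for (i = 0; i < len; i++) {
		unsigned char c = name[i];

		if (c == '.') {
			/* Empty label, or a label ending in '-'. */
			if (label_len == 0 || name[i - 1] == '-')
				return 0;
			label_len = 0;
			continue;
		}
		if (!sni_is_ldh_char(c))
			return 0;
		if (label_len == 0 && c == '-')
			return 0;	/* a label may not start with '-' */
		if (++label_len > SNI_MAX_LABEL)
			return 0;
	}
	/* The final label must exist and may not end in '-'. */
	return label_len > 0 && name[len - 1] != '-';
}

/* Convenience wrapper for NUL-terminated strings. */
int
sni_hostname_is_valid_str(const char *s)
{
	return sni_hostname_is_valid((const unsigned char *)s, strlen(s));
}

int
main(void)
{
	/* Constructed sample names, not captured traffic. */
	const char *samples[] = {
		"www.example.com", "xn--bcher-kva.example", "192.0.2.10",
		"2001:db8::1", "-bad.example", "bad-.example", "a..b",
		"example.com.", "",
	};
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-24s %s\n", samples[i],
		    sni_hostname_is_valid_str(samples[i]) ?
		    "ok" : "illegal_parameter");
	return 0;
}
```

A server would run this on the parsed extension before using the name to pick
a keypair. One choice to make consciously per deployment: the 2.6.0 entry
below shows libtls tolerating IP literals in SNI from non-compliant clients,
so whether such names are rejected with an alert or merely ignored should be
decided rather than inherited.
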
3.1.0 - Development release

    * Completed initial TLS 1.3 implementation with a completely new state
      machine and record layer. TLS 1.3 is now enabled by default for the
      client side, with the server side to be enabled in a future release.
      Note that the OpenSSL TLS 1.3 API is not yet visible/available.

    * Many more code cleanups, fixes, and improvements to memory handling
      and protocol parsing.

    * Added RSA-PSS and RSA-OAEP methods from OpenSSL 1.1.1.

    * Ported Cryptographic Message Syntax (CMS) implementation from OpenSSL
      1.1.1 and enabled by default.

    * Improved compatibility by backporting functionality and documentation
      from OpenSSL 1.1.1.

    * Added many new additional crypto test vectors.

    * Adjusted EVP_chacha20()'s behavior to match OpenSSL's semantics.

    * Default CA bundle location is now configurable in portable builds.

    * Added cms subcommand to openssl(1).

    * Added -addext option to openssl(1) req subcommand.

3.0.2 - Stable release

    * Use a valid curve when constructing an EC_KEY that looks like X25519.
      The recent EC group cofactor change results in stricter validation,
      which causes the EC_GROUP_set_generator() call to fail.
      Issue reported and fix tested by rsadowski@

    * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
      (Note that the CMS code is currently disabled)
      Port of Edlinger's Fix for CVE-2019-1563 from OpenSSL 1.1.1 (old license)

    * Avoid a path traversal bug in s_server on Windows when run with the -WWW
      or -HTTP options, due to incomplete path check logic.
      Issue reported and fix tested by Jobert Abma

3.0.1 - Development release

    * Ported Billy Brumley's fix for CVE-2019-1547 in OpenSSL 1.1.1. If a NULL
      or zero cofactor is passed to EC_GROUP_set_generator(), try to compute
      it using Hasse's bound. This works as long as the cofactor is small
      enough.

    * Fixed a memory leak in error paths for eckey_type2param().

    * Initial work on supporting Cryptographic Message Syntax (CMS) in
      libcrypto (not enabled).

    * Various manual page improvements and additions.

    * Added a CMake check for an existing uninstall target, facilitating
      embedding LibreSSL in larger CMake projects, from Matthew Albrecht.

3.0.0 - Development release

    * Completed the port of RSA_METHOD accessors from the OpenSSL 1.1 API.

    * Documented undescribed options and removed descriptions of
      non-functional options in the openssl(1) manual.

    * A plethora of small fixes due to regular oss-fuzz testing.

    * Various side channels in DSA and ECDSA were addressed. These are some of
      the many issues found in an extensive systematic analysis of bignum usage
      by Samuel Weiser, David Schrammel et al.

    * Enabled openssl(1) speed subcommand on Windows platform.

    * Enabled performance optimizations when building with Visual Studio on Windows.

    * Fixed incorrect carry operation in 512-bit addition for Streebog.

    * Fixed -modulus option with openssl(1) dsa subcommand.

    * Fixed PVK format output issue with openssl(1) dsa and rsa subcommand.

2.9.2 - Bug fixes

    * Fixed portable builds with older versions of macOS,
      Android targets < API 21, and Solaris 10

    * Fixed SRTP profile advertisement for DTLS servers.

2.9.1 - Stable release

    * Added support for XChaCha20 and XChaCha20-Poly1305.

    * Added support for AES key wrap constructions via the EVP interface.

    * Partial port of the OpenSSL EC_KEY_METHOD API for use by OpenSSH.

    * Added pbkdf2 key derivation support to openssl(1)

    * Removed SHA224 based handshake signatures from consideration for use in a TLS 1.2 handshake.

    * Changed the default digest type of openssl(1) enc to sha256.

    * Changed the default digest type of openssl(1) dgst to sha256.

    * Changed the default digest type of openssl(1) x509 -fingerprint to sha256.

    * Changed the default digest type of openssl(1) crl -fingerprint to sha256.

    * Improved Windows, Android, and ARM compatibility, including assembly
      optimizations on Mingw-w64 targets.

2.9.0 - Development release

    * Added the SM4 block cipher from the Chinese standard GB/T 32907-2016.

    * Fixed warnings about clock_gettime on Windows Visual Studio builds.

    * Fixed CMake builds on systems where getpagesize is defined as an
      inline function.

    * CRYPTO_LOCK is now automatically initialized, with the legacy
      callbacks stubbed for compatibility.

    * Added the SM3 hash function from the Chinese standard GB/T 32905-2016.

    * Added more OPENSSL_NO_* macros for compatibility with OpenSSL.

    * Added extensive interoperability tests between LibreSSL and OpenSSL
      1.0 and 1.1.

    * Added additional Wycheproof tests and related bug fixes.

    * Simplified sigalgs option processing and handshake signing algorithm

    * Added the ability to use the RSA PSS algorithm for handshake
      signatures.

    * Added bn_rand_interval() and used it in code needing ranges of random
      bn values.

    * Added functionality to derive early, handshake, and application
      secrets as per RFC8446.

    * Added handshake state machine from RFC8446.

    * Removed some ASN.1 related code from libcrypto that had not been used
      since around 2000.

    * Unexported internal symbols and internalized more record layer structs.

    * Added support for assembly optimizations on 32-bit ARM ELF targets.

    * Improved protection against timing side channels in ECDSA signature
      generation.

    * Coordinate blinding was added to some elliptic curves. This is the
      last bit of the work by Brumley et al.
      to protect against the Portsmash vulnerability.

    * Ensure the handshake transcript is always freed with TLS 1.2.

2.8.2 - Stable release

    * Added Wycheproof support for ECDH and ECDSA Web Crypto test vectors,
      along with test harness fixes.

    * Fixed memory leak in nc(1)

2.8.1 - Test and compatibility improvements

    * Added Wycheproof support for ECDH, RSASSA-PSS, AES-GCM,
      AES-CMAC, AES-CCM, AES-CBC-PKCS5, DSA, ChaCha20-Poly1305, ECDSA, and
      X25519 test vectors. Applied appropriate fixes for errors uncovered
      by tests.

    * Simplified key exchange signature generation and verification.

    * Fixed a one-byte buffer overrun in callers of EVP_read_pw_string

    * Converted more code paths to use CBB/CBS. All handshake messages are
      now created by CBB.

    * Fixed various memory leaks found by Coverity.

    * Simplified session ticket parsing and handling, inspired by
      BoringSSL.

    * Modified signature of CRYPTO_mem_leaks_* to return -1. This function
      is a no-op in LibreSSL, so it returns an error rather than claiming
      anything about the (non-)existence of memory leaks.

    * SSL_copy_session_id, PEM_Sign, EVP_EncodeUpdate, BIO_set_cipher,
      X509_OBJECT_up_ref_count now return an int for error handling,
      matching OpenSSL.

    * Converted a number of #defines into proper functions, matching
      OpenSSL's ABI.

    * Added X509_get0_serialNumber from OpenSSL.

    * Removed EVP_PKEY2PKCS8_broken and PKCS8_set_broken, while adding
      PKCS8_pkey_add1_attr_by_NID and PKCS8_pkey_get0_attrs, matching
      OpenSSL.

    * Removed broken pkcs8 formats from openssl(1).

    * Converted more functions in public API to use const arguments.

    * Stopped handling AES-GCM in ssl_cipher_get_evp, since those ciphers
      use the EVP_AEAD interface.

    * Stopped using composite EVP_CIPHER AEADs.

    * Added timing-safe compares for checking results of signature
      verification. There are no known attacks; this is just inexpensive
      prudence.

    * Correctly clear the current cipher state when changing cipher state.
      This fixed an issue where renegotiation of cipher suites would fail
      when switched from AEAD to non-AEAD or vice-versa.
      Issue reported by Bernard Spil.

    * Added more cipher tests to appstest.sh, including all TLSv1.2
      ciphers.

    * Added RSA_meth_get_finish() and RSA_meth_set1_name() from OpenSSL.

    * Added new EVP_CIPHER_CTX_(get|set)_iv() API that allows the IV to be
      retrieved and set with appropriate validation.

2.8.0 - Bug fixes, security, and compatibility improvements

    * Extensive documentation updates and additional API history.

    * Fixed a pair of 20+ year-old bugs in X509_NAME_add_entry

    * Tighten up checks for various X509_VERIFY_PARAM functions,
      'poisoning' parameters so that an unverified certificate cannot be
      used if it fails verification.

    * Fixed a potential memory leak on failure in ASN1_item_digest

    * Fixed a potential memory alignment crash in asn1_item_combine_free

    * Removed unused SSL3_FLAGS_DELAY_CLIENT_FINISHED and
      SSL3_FLAGS_POP_BUFFER flags in write path, simplifying IO paths.

    * Removed SSL_OP_TLS_ROLLBACK_BUG buggy client workarounds.

    * Made ENGINE_finish and ENGINE_free succeed on NULL, simplifying callers
      and matching OpenSSL behavior; rewrote ENGINE_* documentation.

    * Added const annotations to many existing APIs from OpenSSL, making
      interoperability easier for downstream applications.

    * Fixed small timing side-channels in ecdsa_sign_setup and
      dsa_sign_setup.

    * Documented security pitfalls with BN_FLG_CONSTTIME and constant-time
      operation of BN_* functions.

    * Updated BN_clear to use explicit_bzero.

    * Added a missing bounds check in c2i_ASN1_BIT_STRING.

    * More CBS conversions, including simplifications to RSA key exchange,
      and converted code to use dedicated buffers for secrets.

    * Removed three remaining single DES cipher suites.

    * Fixed a potential leak/incorrect return value in DSA signature
      generation.

    * Added a blinding value when generating DSA and ECDSA signatures, in
      order to reduce the possibility of a side-channel attack leaking the
      private key.

    * Added ECC constant time scalar multiplication support.
      From Billy Brumley and his team at Tampere University of Technology.

    * Revised the implementation of RSASSA-PKCS1-v1_5 to match the
      specification in RFC 8017. Based on an OpenSSL commit by David
      Benjamin.

    * Cleaned up BN_* implementations following changes made in OpenSSL by
      Davide Galassi and others.

2.7.4 - Security fixes

    * Avoid a timing side-channel leak when generating DSA and ECDSA
      signatures. This is caused by an attempt to do fast modular
      arithmetic, which introduces branches that leak information
      regarding secret values. Issue identified and reported by Keegan
      Ryan of NCC Group.

    * Reject excessively large primes in DH key generation. Problem
      reported by Guido Vranken to OpenSSL
      (https://github.com/openssl/openssl/pull/6457) and based on his
      diff.

2.7.3 - Bug fixes

    * Removed incorrect NULL checks in DH_set0_key(). Reported by Ondrej
      Sury

    * Fixed an issue normalizing CPU architecture in the configure script,
      which disabled assembly optimizations on platforms that get detected
      as 'amd64', as opposed to 'x86_64'

    * Limited tls_config_clear_keys() to only clear private keys.
      This was inadvertently clearing the keypair, which includes the OCSP
      staple and pubkey hash - if an application called tls_configure()
      followed by tls_config_clear_keys(), this would prevent OCSP staples
      from working.

2.7.2 - Stable release

    * Updated and added extensive new HISTORY sections to API manuals.

    * Added support for shared library builds with CMake on all supported
      platforms. Note that some of the CMake options have changed, consult
      the README for details.

2.7.1 - Bug fixes

    * Fixed a bug in int_x509_param_set_hosts: call strlen() if the name
      length provided is 0, to match the OpenSSL behaviour. Issue noticed
      by Christian Heimes <christian@python.org>.

    * Fixed builds on macOS 10.11 and older.

2.7.0 - Bug fixes and improvements

    * Added support for many OpenSSL 1.0.2 and 1.1 APIs, based on
      observations of real-world usage in applications. These are
      implemented in parallel with existing OpenSSL 1.0.1 APIs - visibility
      changes have not been made to existing structs, allowing code written
      for older OpenSSL APIs to continue working.

    * Extensive corrections, improvements, and additions to the
      API documentation, including new public APIs from OpenSSL that had
      no pre-existing documentation.

    * Added support for automatic library initialization in libcrypto,
      libssl, and libtls. Support for pthread_once or a compatible
      equivalent is now required of the target operating system. As a
      side-effect, minimum Windows support is Vista or higher.

    * Converted more packet handling methods to CBB, which improves
      resiliency when generating TLS messages.

    * Completed TLS extension handling rewrite, improving consistency of
      checks for malformed and duplicate extensions.

    * Rewrote ASN1_TYPE_{get,set}_octetstring() using templated ASN.1.
      This removes the last remaining use of the old M_ASN1_* macros
      (asn1_mac.h) from API that needs to continue to exist.

    * Added support for client-side session resumption in libtls.
      A libtls client can specify a session file descriptor (a regular
      file with appropriate ownership and permissions) and libtls will
      manage reading and writing of session data across TLS handshakes.

    * Improved support for strict alignment on ARMv7 architectures,
      conditionally enabling assembly in those cases.

    * Fixed a memory leak in libtls when reusing a tls_config.

    * Merged more DTLS support into the regular TLS code path, removing
      duplicated code.

    * Many improvements to Windows CMake-based builds and tests,
      especially when targeting Visual Studio.

2.6.4 - Bug fixes

    * Make tls_config_parse_protocols() work correctly when passed a NULL
      pointer for a protocol string. Issue found by semarie@, who also
      provided the diff.

    * Correct TLS extensions handling when no extensions are present.
      If no TLS extensions are present in a client hello or server hello,
      omit the entire extensions block, rather than including it with a
      length of zero. Thanks to Eric Elena <eric at voguemerry dot com> for
      providing packet captures and testing the fix.

    * Fixed portable builds on older Android systems, and systems without
      IPV6_TCLASS support.

2.6.3 - OpenBSD 6.2 Release

    * No core changes from LibreSSL 2.6.2

    * Minor compatibility fixes in portable version.

2.6.2 - Bug fixes

    * Provide a useful error with libtls if there are no OCSP URLs in a
      peer certificate.

    * Keep track of which keypair is in use by a TLS context, fixing a bug
      where a TLS server with SNI would only return the OCSP staple for the
      default keypair. Issue reported by William Graeber and confirmed by
      Andreas Bartelt.

    * Fixed various issues in the OCSP extension parsing code.
      The original code incorrectly passes the pointer allocated via
      CBS_stow() (using malloc()) to a d2i_*() function and then calls
      free() on the now incremented pointer, most likely resulting in a
      crash. This issue was reported by Robert Swiecki who found the issue
      using honggfuzz.

    * If tls_config_parse_protocols() is called with a NULL pointer,
      return the default protocols instead of crashing - this makes the
      behaviour more useful and mirrors what we already do in
      tls_config_set_ciphers() et al.

2.6.1 - Code removal, rewrites

    * Added a "-T tlscompat" option to nc(1), which enables the use of all
      TLS protocols and "compat" ciphers. This allows for TLS connections
      to TLS servers that are using less than ideal cipher suites, without
      having to resort to "-T tlsall" which enables all known cipher
      suites. Diff from Kyle J. McKay.

    * Added a new TLS extension handling framework, somewhat analogous to
      BoringSSL, and converted all TLS extensions to use it. Added new TLS
      extension regression tests.

    * Improved and added many new manpages. Updated *check_private_key
      manpages with additional cautions regarding their use.

    * Cleaned up the EC key/curve configuration handling.

    * Added tls_config_set_ecdhecurves() to libtls, which allows the names
      of the elliptic curves that may be used during client and server
      key exchange to be specified.

    * Converted more code paths to use CBB/CBS.

    * Removed support for DSS/DSA, since we removed the cipher suites a
      while back.

    * Removed NPN support. NPN was never standardised and the last draft
      expired in October 2012. ALPN was standardised in July 2014 and has
      been supported in LibreSSL since December 2014. NPN was also
      removed from Chromium in May 2016.

    * Removed SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken
      CryptoPro clients.

    * Removed support for the TLS padding extension, which was added as a
      workaround for an old bug in F5's TLS termination.

    * Worked around another bug in F5's TLS termination handling of the
      elliptic curves extension. RFC 4492 only defines elliptic_curves
      for ClientHello. However, F5 is sending it in ServerHello. We need
      to skip over it since our TLS extension parsing code is now more
      strict. Thanks to Armin Wolfermann and WJ Liu for reporting.

    * Added ability to clamp notafter values in certificates for systems
      with 32-bit time_t. This is necessary to conform to RFC 5280
      4.1.2.5.

    * Implemented the SSL_CTX_set_min_proto_version(3) API.

    * Removed the original (pre-IETF) chacha20-poly1305 cipher suites.

    * Reclassified ECDHE-RSA-DES-CBC3-SHA from HIGH to MEDIUM.

2.6.0 - New APIs, bug fixes and improvements

    * Added support for providing CRLs to libtls. Once a CRL is provided we
      enable CRL checking for the full certificate chain. Based on a diff
      from Jack Burton

    * Allow non-compliant clients using IP literal addresses with SNI
      to connect to a server using libtls.

    * Avoid a potential NULL pointer dereference in d2i_ECPrivateKey().
      Reported by Robert Swiecki, who found the issue using honggfuzz.

    * Added definitions for three OIDs used in EV certificates.
      From Kyle J. McKay

    * Added tls_peer_cert_chain_pem to libtls, useful in private
      certificate validation callbacks such as those in relayd.

    * Converted explicit clear/free sequences to use freezero(3).

    * Reworked TLS certificate name verification code to more strictly
      follow RFC 6125.

    * Cleaned up and simplified server key exchange EC point handling.

    * Added tls_keypair_clear_key for clearing key material.
    * Removed inconsistent IPv6 handling from BIO_get_accept_socket,
      simplified BIO_get_host_ip and BIO_accept.

    * Fixed the openssl(1) ca command so that it generates certificates
      with RFC 5280-conformant time. Problem noticed by Harald Dunkel.

    * Added ASN1_TIME_set_tm to set an ASN1_TIME from a struct tm *.

    * Added SSL{,_CTX}_set_{min,max}_proto_version() functions.

    * Added HKDF (HMAC-based Key Derivation Function) from BoringSSL.

    * Provided a tls_unload_file() function that frees the memory returned
      from a tls_load_file() call, ensuring that the contents become
      inaccessible. This is specifically needed on platforms where the
      library allocators may be different from the application allocator.

    * Perform reference counting for tls_config. This allows
      tls_config_free() to be called as soon as it has been passed to the
      final tls_configure() call, simplifying lifetime tracking for the
      application.

    * Moved internal state of SSL and other structures to be opaque.

    * Dropped cipher suites with DSS authentication.

    * nc(1) improvements, including:
        nc -W to terminate nc after receiving a number of packets
        nc -Z for saving the peer certificate and chain in a pem file

2.5.5 - Bug fixes

    * Distinguish between self-issued certificates and self-signed
      certificates. The certificate verification code has special cases
      for self-signed certificates and without this change, self-issued
      certificates (which it seems are commonplace with
      openvpn/easyrsa) were also being included in this category.

    * Added getpagesize fallback, needed for Android bionic libc.

2.5.4 - Security Updates

    * Revert a previous change that forced consistency between return
      value and error code when specifying a certificate verification
      callback, since this breaks the documented API. When a user-supplied
      callback always returns 1, and later code checks the error code to
      potentially abort post verification, this will result in incorrect
      successful certificate verification.

    * Switched Linux getrandom() usage to non-blocking mode, continuing to
      use fallback mechanisms if unsuccessful. This works around a design
      flaw in Linux getrandom(2) where early boot usage in a library makes
      it impossible to recover if getrandom(2) is not yet initialized.

    * Fixed a bug caused by the return value being set early to signal
      successful DTLS cookie validation. This can mask a later failure and
      result in a positive return value being returned from
      ssl3_get_client_hello(), when it should return a negative value to
      propagate the error.

    * Fixed a build error on non-x86/x86_64 systems running Solaris.

2.5.3 - OpenBSD 6.1 Release

    * Documentation updates

    * Improved ocspcheck(1) error handling

2.5.2 - Security features and bugfixes

    * Added the recallocarray(3) memory allocation function, and converted
      various places in the library to use it, such as CBB and BUF_MEM_grow.
      recallocarray(3) is similar to reallocarray(3). Newly allocated memory
      is cleared similar to calloc(3). Memory that becomes unallocated
      while shrinking or moving existing allocations is explicitly
      discarded by unmapping or clearing to 0.

    * Added new root CAs from SECOM Trust Systems / Security Communication
      of Japan.

    * Added EVP interface for MD5+SHA1 hashes.

    * Fixed DTLS client failures when the server sends a certificate
      request.

    * Correct handling of padding when upgrading an SSLv2 challenge into
      an SSLv3/TLS connection.

    * Allow protocols and ciphers to be set on a TLS config object in
      libtls.

    * Improved nc(1) TLS handshake CPU usage and server-side error
      reporting.
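The 2.5.4 getrandom(2) entry above describes a fallback order: ask the
kernel in non-blocking mode, and if the pool is not yet initialised (or the
syscall does not exist) fall back to other sources rather than hang. The
following Python is an added illustration of that order and is not the
library's own arc4random/getentropy code. It assumes a Linux-style
os.getrandom() with the GRND_NONBLOCK flag and a readable /dev/urandom, and
degrades to os.urandom() where neither works; the device path is a
parameter so the fallback branch can be exercised.

```python
import errno
import os


def get_random_bytes(n, dev="/dev/urandom"):
    """Return (bytes, source) using a non-blocking getrandom(2) first.

    Order: getrandom(GRND_NONBLOCK) -> dev (default /dev/urandom) ->
    os.urandom(). The first step never blocks: an uninitialised pool
    surfaces as EAGAIN (BlockingIOError here) and we move on, which is
    the behaviour the 2.5.4 note describes for early-boot library use.
    """
    if hasattr(os, "getrandom"):  # Python >= 3.6 on Linux
        try:
            buf = os.getrandom(n, os.GRND_NONBLOCK)
            if len(buf) == n:
                return buf, "getrandom"
            # Short read (possible for large n): treat as unsuccessful.
        except BlockingIOError:
            pass  # pool not initialised yet: do not wait for it
        except OSError as e:
            if e.errno not in (errno.ENOSYS, errno.EINTR):
                raise  # unexpected failure, not a fallback case

    try:
        with open(dev, "rb", buffering=0) as f:
            buf = f.read(n)
        if len(buf) == n:
            return buf, dev
    except OSError:
        pass  # device missing (chroot, odd platform): last resort below

    # os.urandom() is the interpreter's own abstraction and may itself
    # block on some platforms; it is the end of the chain, not the start.
    return os.urandom(n), "os.urandom"


if __name__ == "__main__":
    data, source = get_random_bytes(32)
    print(source, data.hex())
```

The key design point is the order: the blocking-capable source is never
first, and every failure that means "not ready" is handled as a fallthrough
rather than an error, so a library initialising early in boot cannot wedge
the process.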
2.5.1 - Bug and security fixes, new features, documentation updates

    * X509_cmp_time() now treats a malformed GeneralizedTime field as an
      error. Reported by Theofilos Petsios.

    * Detect zero-length encrypted session data early, instead of when
      malloc(0) fails or the HMAC check fails. Noted independently by
      jsing@ and Kurt Cancemi.

    * Check for and handle failure of HMAC_{Update,Final} or
      EVP_DecryptUpdate().

    * Massive update and normalization of manpages, conversion to
      mandoc format. Many pages were rewritten for clarity and accuracy.
      Portable doc links are up-to-date with a new conversion tool.

    * Curve25519 Key Exchange support.

    * Support for alternate chains for certificate verification.

    * Code cleanups, CBS conversions, further unification of DTLS/SSL
      handshake code, further ASN1 macro expansion and removal.

    * Private symbols are now hidden in libssl and libcrypto.

    * Friendly certificate verification error messages in libtls, peer
      verification is now always enabled.

    * Added OCSP stapling support to libtls and netcat.

    * Added ocspcheck utility to validate a certificate against its OCSP
      responder and save the reply for stapling.

    * Enhanced regression tests and error handling for libtls.

    * Added explicit constant and non-constant time BN functions,
      defaulting to constant time wherever possible.

    * Moved many leaked implementation details in public structs behind
      opaque pointers.

    * Added ticket support to libtls.

    * Added support for setting the supported EC curves via
      SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
      SSL{_CTX}_set1_curves{_list} names. This also changes the default
      list of curves to be X25519, P-256 and P-384. All other curves must
      be manually enabled.
    * Added -groups option to openssl(1) s_client for specifying the curves
      to be used in a colon-separated list.

    * Merged client/server version negotiation code paths into one,
      reducing much duplicate code.

    * Removed error function codes from libssl and libcrypto.

    * Fixed an issue where a truncated packet could crash via an OOB read.

    * Added SSL_OP_NO_CLIENT_RENEGOTIATION option that disallows
      client-initiated renegotiation. This is the default for libtls
      servers.

    * Avoid a side-channel cache-timing attack that can leak the ECDSA
      private keys when signing. This is due to BN_mod_inverse() being
      used without the constant time flag being set. Reported by Cesar
      Pereida Garcia and Billy Brumley (Tampere University of Technology).
      The fix was developed by Cesar Pereida Garcia.

    * iOS and MacOS compatibility updates from Simone Basso and Jacob
      Berkman.

2.5.0 - New APIs, bug fixes and improvements

    * libtls now supports ALPN and SNI

    * libtls adds a new callback interface for integrating custom IO
      functions. Thanks to Tobias Pape.

    * libtls now handles 4 cipher suite groups:
        "secure" (TLSv1.2+AEAD+PFS)
        "compat" (HIGH:!aNULL)
        "legacy" (HIGH:MEDIUM:!aNULL)
        "insecure" (ALL:!aNULL:!eNULL)

      This allows for flexibility and finer grained control, rather than
      having two extremes (an issue raised by Marko Kreen some time ago).

    * Tightened error handling for tls_config_set_ciphers().

    * libtls now always loads CA, key and certificate files at the time the
      configuration function is called. This simplifies code and results in
      a single memory based code path being used to provide data to libssl.

    * Add support for OCSP intermediate certificates.
    * Added functions used by stunnel and exim from BoringSSL - this
      brings in X509_check_host, X509_check_email, X509_check_ip, and
      X509_check_ip_asc.

    * Added initial support for iOS, thanks to Jacob Berkman.

    * Improved behavior of arc4random on Windows when using memory leak
      analysis software.

    * Correctly handle an EOF that occurs prior to the TLS handshake
      completing. Reported by Vasily Kolobkov, based on a diff from Marko
      Kreen.

    * Limit the support of the "backward compatible" ssl2 handshake to
      only be used if TLS 1.0 is enabled.

    * Fixed incorrect results from BN_mod_word() in certain cases on
      64-bit systems. BN_mod_word() can now return an error condition.
      Thanks to Brian Smith.

    * Added constant-time updates to address CVE-2016-0702.

    * Fixed undefined behavior in BN_GF2m_mod_arr().

    * Removed unused Cryptographic Message Syntax (CMS) support.

    * More conversions of long long idioms to time_t.

    * Improved compatibility by avoiding printing NULL strings with
      printf.

    * Reverted change that cleans up the EVP cipher context in
      EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the
      previous behaviour.

    * Avoid unbounded memory growth in libssl, which can be triggered by a
      TLS client repeatedly renegotiating and sending OCSP Status Request
      TLS extensions.

    * Avoid falling back to a weak digest for (EC)DH when using SNI with
      libssl.

2.4.2 - Bug fixes and improvements

    * Fixed loading default certificate locations with openssl s_client.

    * Ensured OCSP only uses and compares GENERALIZEDTIME values as per
      RFC 6960. Also added fixes for OCSP to work with intermediate
      certificates provided in responses.
    * Improved behavior of arc4random on Windows to not appear to leak
      memory in debug tools, reduced privileges of allocated memory.

    * Fixed incorrect results from BN_mod_word() when the modulus is too
      large, thanks to Brian Smith from BoringSSL.

    * Correctly handle an EOF prior to completing the TLS handshake in
      libtls.

    * Improved libtls certificate loading and cipher string validation.

    * Updated libtls cipher group suites into four categories:
        "secure" (TLSv1.2+AEAD+PFS)
        "compat" (HIGH:!aNULL)
        "legacy" (HIGH:MEDIUM:!aNULL)
        "insecure" (ALL:!aNULL:!eNULL)
      This allows for flexibility and finer grained control, rather than
      having two extremes.

    * Limited support for 'backward compatible' SSLv2 handshake packets to
      when TLS 1.0 is enabled, providing more restricted compatibility
      with TLS 1.0 clients.

    * openssl(1) and other documentation improvements.

    * Removed flags for disabling constant-time operations.
      This removes support for DSA_FLAG_NO_EXP_CONSTTIME,
      DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making
      all of these operations unconditionally constant-time.

2.4.1 - Security fix

    * Correct a problem that prevents the DSA signing algorithm from
      running in constant time even if the flag BN_FLG_CONSTTIME is set.
      This issue was reported by Cesar Pereida (Aalto University), Billy
      Brumley (Tampere University of Technology), and Yuval Yarom (The
      University of Adelaide and NICTA). The fix was developed by Cesar
      Pereida.

2.4.0 - Build improvements, new features

    * Many improvements to the CMake build infrastructure, including
      Solaris, mingw-w64, Cygwin, and HP-UX support. Thanks to Kinichiro
      Inoguchi for this work.

    * Added missing error handling around bn_wexpand() calls.
    * Added explicit_bzero calls for freed ASN.1 objects.

    * Fixed X509_*set_object functions to return 0 on allocation failure.

    * Implemented the IETF ChaCha20-Poly1305 cipher suites.

    * Changed the default EVP_aead_chacha20_poly1305() implementation to
      the IETF version.

    * Fixed password prompts from openssl(1) to properly handle ^C.

    * Reworked error handling in libtls so that configuration errors are
      visible.

    * Deprecated internal use of EVP_[Cipher|Encrypt|Decrypt]_Final.

    * Manpage fixes and updates

2.3.5 - Reliability fix

    * Fixed an error in libcrypto when parsing some ASN.1 elements > 16k.

2.3.4 - Security Update

    * Fix multiple vulnerabilities in libcrypto relating to ASN.1 and encoding.
      From OpenSSL.

    * Minor build fixes

2.3.3 - OpenBSD 5.9 release branch tagged

    * Reworked build scripts to better sync with OpenNTPD-portable

    * Fixed broken manpage links

    * Fixed an nginx compatibility issue by adding an 'install_sw' make alias

    * Fixed HP-UX builds

    * Changed the default configuration directory to c:\LibreSSL\ssl on Windows
      binary builds

    * cert.pem has been reorganized and synced with Mozilla's certificate store

2.3.2 - Compatibility and Reliability fixes

    * Changed format of LIBRESSL_VERSION_NUMBER to match that of
      OPENSSL_VERSION_NUMBER, see:
      https://wiki.openssl.org/index.php/Manual:OPENSSL_VERSION_NUMBER(3)

    * Added EVP_aead_chacha20_poly1305_ietf() which matches the AEAD
      construction introduced in RFC 7539, which is different from that
      already used in TLS with EVP_aead_chacha20_poly1305()

    * Avoid a potential undefined C99+ behavior due to shift overflow in
      AES_decrypt, reported by Pascal Cuoq <cuoq at trust-in-soft.com>

    * More man pages converted from pod to mdoc format

    * Added COMODO RSA Certification Authority and QuoVadis
      root certificates to cert.pem

    * Removed the "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification
      Authority" (serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be) root
      certificate from cert.pem

    * Added support for building nc(1) on Solaris

    * Fixed GCC 5.x+ preprocessor checks, reported by Ruslan Babayev

    * Improved console handling with openssl(1) on Windows

    * Ensure the network stack is enabled on Windows when running
      tls_init()

    * Fixed incorrect TLS certificate loading by nc(1)

    * Added support for Solaris 11.3's getentropy(2) system call

    * Enabled support for using NetBSD 7.0's arc4random(3) implementation

    * Deprecated the SSL_OP_SINGLE_DH_USE flag by disabling its effect

    * Fixes from OpenSSL 1.0.1q
        - CVE-2015-3194 - NULL pointer dereference in client side certificate
          validation.
        - CVE-2015-3195 - Memory leak in PKCS7 - not reachable from TLS/SSL

    * The following OpenSSL CVEs did not apply to LibreSSL
        - CVE-2015-3193 - Carry propagating bug in the x86_64 Montgomery
          squaring procedure.
        - CVE-2015-3196 - Double free race condition of the identity hint
          data.

      See https://marc.info/?l=openbsd-announce&m=144925068504102

2.3.1 - ASN.1 and time handling cleanups

    * ASN.1 cleanups and RFC 5280 compliance fixes.

    * Time representations switched from 'unsigned long' to 'time_t'. LibreSSL
      now checks if the host OS supports 64-bit time_t.

    * Fixed a leak in SSL_new in the error path.

    * Support always extracting the peer cipher and version with libtls.

    * Added ability to check certificate validity times with libtls,
      tls_peer_cert_notbefore and tls_peer_cert_notafter.
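Several entries above concern RFC 5280 time handling: the 2.6.1 notAfter
clamp for 32-bit time_t, the 2.6.0 fix making openssl(1) ca emit RFC
5280-conformant times, the 2.5.1 change making X509_cmp_time() treat a
malformed GeneralizedTime as an error, the 2.4.2 restriction of OCSP to
GENERALIZEDTIME per RFC 6960, and the 2.3.1 time_t and RFC 5280 compliance
work. The following Python is an added illustration of those rules and is
not LibreSSL code (the library implements them in C inside libcrypto). It
takes the strict reading that a certificate validity date before 2050
encoded as GeneralizedTime is malformed, treats the time_t width as a
parameter, and all time strings in the test are constructed.

```python
import re
from datetime import datetime, timezone

UTCTIME, GENERALIZEDTIME = 0x17, 0x18   # ASN.1 universal tags

# RFC 5280 4.1.2.5 shapes: seconds mandatory, 'Z' mandatory, no fractional
# seconds, no local-time offset. Anything else is rejected outright rather
# than partially parsed.
_UTC_RE = re.compile(r"\A(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z\Z")
_GEN_RE = re.compile(r"\A(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z\Z")


def parse_x509_time(tag, value, mode="x509"):
    """Parse a DER time string into an aware UTC datetime, or raise ValueError.

    mode="x509": certificate validity rules (UTCTime through 2049,
                 GeneralizedTime from 2050 on, per RFC 5280 4.1.2.5).
    mode="ocsp": RFC 6960 rules, GeneralizedTime only, any year.
    """
    if tag == UTCTIME and mode == "x509":
        m = _UTC_RE.match(value)
        if not m:
            raise ValueError("malformed UTCTime: %r" % value)
        yy, mo, d, h, mi, s = map(int, m.groups())
        year = 1900 + yy if yy >= 50 else 2000 + yy   # 50..99 -> 19xx
    elif tag == GENERALIZEDTIME:
        m = _GEN_RE.match(value)
        if not m:
            raise ValueError("malformed GeneralizedTime: %r" % value)
        year, mo, d, h, mi, s = map(int, m.groups())
        if mode == "x509" and year < 2050:
            raise ValueError("date before 2050 must be UTCTime: %r" % value)
    else:
        raise ValueError("tag 0x%02x not allowed in %s time" % (tag, mode))
    # datetime() rejects impossible fields (month 13, Feb 30, second 60).
    return datetime(year, mo, d, h, mi, s, tzinfo=timezone.utc)


def is_valid_x509_time(tag, value, mode="x509"):
    try:
        parse_x509_time(tag, value, mode)
        return True
    except ValueError:
        return False


def encode_x509_time(dt):
    """Pick the encoding RFC 5280 mandates for a validity date (aware dt)."""
    dt = dt.astimezone(timezone.utc)
    if dt.year < 1950 or dt.year > 9999:
        raise ValueError("year %d not representable" % dt.year)
    if dt.year <= 2049:
        return UTCTIME, dt.strftime("%y%m%d%H%M%SZ")
    return GENERALIZEDTIME, dt.strftime("%Y%m%d%H%M%SZ")


def to_time_t(dt, bits=64):
    """Unix timestamp clamped to the largest value a signed time_t of the
    given width holds; bits=32 is the notAfter clamp from the 2.6.1 entry."""
    ts = int(dt.timestamp())
    return min(ts, 2 ** (bits - 1) - 1)


if __name__ == "__main__":
    for tag, value in ((UTCTIME, "491231235959Z"),
                       (GENERALIZEDTIME, "20500101000000Z"),
                       (GENERALIZEDTIME, "20200101000000.5Z")):
        print(hex(tag), value, is_valid_x509_time(tag, value))
```

The parse path is a whitelist: anything that is not exactly the mandated
shape fails, which is what turns a malformed GeneralizedTime into an error
instead of a half-parsed value that later gets compared as if it were valid.
The encoder applies the same 2049/2050 boundary from the other direction,
which is the behaviour the openssl(1) ca fix restores.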
    * Changed tls_connect_servername to use the first address that resolves with
      getaddrinfo().

    * Removed broken conditional EVP_CHECK_DES_KEY code (non-functional since
      initial commit in 2004).

    * Fixed a memory leak and out-of-bounds access in OBJ_obj2txt, reported
      by Qualys Security.

    * Fixed an up to 7-byte overflow in RC4 when len is not a multiple of
      sizeof(RC4_CHUNK), reported by Pascal Cuoq <cuoq at trust-in-soft.com>.

    * Reject a too-small bits value in BN_generate_prime_ex(), so that it does
      not risk becoming negative in probable_prime_dh_safe(), reported by
      Franck Denis.

    * Enable nc(1) builds on more platforms.

2.3.0 - SSLv3 removed, libtls API changes, portability improvements

    * SSLv3 is now permanently removed from the tree.

    * The libtls API is changed from the 2.2.x series.

      The read/write functions work correctly with external event
      libraries. See the tls_init man page for examples of using libtls
      correctly in asynchronous mode.

      Client-side verification is now supported, with the client supplying
      the certificate to the server.

      Also, when using tls_connect_fds, tls_connect_socket or
      tls_accept_fds, libtls no longer implicitly closes the passed in
      sockets. The caller is responsible for closing them in this case.

    * When loading a DSA key from a raw (without DH parameters) ASN.1
      serialization, perform some consistency checks on its `p' and `q'
      values, and return an error if the checks fail.

      Thanks to Georgi Guninski (guninski at guninski dot com) for
      mentioning the possibility of a weak (non-prime) q value and
      providing a test case.

      See
      https://cpunks.org/pipermail/cypherpunks/2015-September/009007.html
      for a longer discussion.
    * Fixed a bug in ECDH_compute_key that can lead to silent truncation
      of the result key without error. A coding error could cause software
      to use much shorter keys than intended.

    * Removed support for DTLS_BAD_VER. Pre-DTLSv1 implementations are no
      longer supported.

    * The engine command and parameters are removed from openssl(1).
      Previous releases removed dynamic and builtin engine support
      already.

    * SHA-0 is removed; it was withdrawn shortly after publication 20
      years ago.

    * Added Certplus CA root certificate to the default cert.pem file.

    * New interface OPENSSL_cpu_caps is provided that does not allow
      software to inadvertently modify cpu capability flags.
      OPENSSL_ia32cap and OPENSSL_ia32cap_loc are removed.

    * The out_len argument of AEAD changed from ssize_t to size_t.

    * Deduplicated DTLS code, sharing bugfixes and improvements with
      TLS.

    * Converted 'nc' to use libtls for client and server operations; it is
      included in the libressl-portable distribution as an example of how
      to use the library.

2.2.3 - Bug fixes, build enhancements

    * LibreSSL 2.2.2 incorrectly handles ClientHello messages that do not
      include TLS extensions, resulting in such handshakes being aborted.
      This release corrects the handling of such messages. Thanks to
      Ligushka from github for reporting the issue.

    * Added install target for cmake builds. Thanks to TheNietsnie from
      github.

    * Updated pkgconfig files to correctly report the release version
      number, not the individual library ABI version numbers. Thanks to
      Jan Engelhardt for reporting the issue.
2.2.2 - More TLS parser rework, bug fixes, expanded portable build support

    * Switched 'openssl dhparam' default from 512 to 2048 bits

    * Reworked openssl(1) option handling

    * More CRYPTO ByteString (CBS) packet parsing conversions

    * Fixed 'openssl pkeyutl -verify' to exit with a 0 on success

    * Fixed dozens of Coverity issues including dead code, memory leaks,
      logic errors and more.

    * Ensure that openssl(1) restores terminal echo state after reading a
      password.

    * Incorporated fix for OpenSSL Issue #3683

    * LibreSSL version define LIBRESSL_VERSION_NUMBER will now be bumped
      for each portable release.

    * Removed workarounds for TLS client padding bugs.

    * No longer disable ECDHE-ECDSA on OS X

    * Removed SSLv3 support from openssl(1)

    * Removed IE 6 SSLv3 workarounds.

    * Modified tls_write in libtls to allow partial writes, clarified with
      examples in the documentation.

    * Removed RSAX engine

    * Tested SSLv3 removal with the OpenBSD ports tree and found several
      applications that were not ready to build without SSLv3 yet. For
      now, building a program that intentionally uses SSLv3 will result in
      a linker warning.

    * Added TLS_method, TLS_client_method and TLS_server_method as a
      replacement for the SSLv23_*method calls.

    * Added initial cmake build support, including support for building with
      Visual Studio, currently tested with Visual Studio 2013 Community
      Edition.

    * --with-enginesdir is removed as a configuration parameter

    * Default cert.pem, openssl.cnf, and x509v3.cnf files are now
      installed under $sysconfdir/ssl or the directory specified by
      --with-openssldir. Previous versions of LibreSSL left these empty.
2.2.1 - Build fixes, feature added, features removed

    * Assorted build fixes for musl, HP-UX, Mingw, Solaris.

    * Initial support for Windows Embedded 2009, Server 2003, XP

    * Protocol parsing conversions to BoringSSL's CRYPTO ByteString (CBS) API

    * Added EC_curve_nid2nist and EC_curve_nist2nid from OpenSSL

    * Removed Dynamic Engine support

    * Removed unused and obsolete MDC-2DES cipher

    * Removed workarounds for obsolete SSL implementations

2.2.0 - Build cleanups and new OS support, Security Updates

    * AIX Support - thanks to Michael Felt

    * Cygwin Support - thanks to Corinna Vinschen

    * Refactored build macros, support packaging libtls independently.
      There are more pieces required to support building and using OpenSSL
      with libtls, but this is an initial start at providing an
      independent package for people to start hacking on.

    * Removal of OPENSSL_issetugid and all library getenv calls.
      Applications can and should no longer rely on environment variables
      for changing library behavior. OPENSSL_CONF/SSLEAY_CONF is still
      supported with the openssl(1) command.
    * libtls API and documentation additions

    * Various bug fixes and simplifications to libssl and libcrypto

    * Fixes for the following issues are integrated into LibreSSL 2.2.0:
        - CVE-2015-1788 - Malformed ECParameters causes infinite loop
        - CVE-2015-1789 - Exploitable out-of-bounds read in X509_cmp_time
        - CVE-2015-1792 - CMS verify infinite loop with unknown hash function

    * The following CVEs did not apply to LibreSSL or were fixed in
      earlier releases:
        - CVE-2015-4000 - DHE man-in-the-middle protection (Logjam)
        - CVE-2015-1790 - PKCS7 crash with missing EnvelopedContent
        - CVE-2014-8176 - Invalid free in DTLS

    * Fixes for the following CVEs are still in review for LibreSSL
        - CVE-2015-1791 - Race condition handling NewSessionTicket

2.1.6 - Security update

    * Fixes for the following issues are integrated into LibreSSL 2.1.6:
        - CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
        - CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
        - CVE-2015-0287 - ASN.1 structure reuse memory corruption
        - CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref
        - CVE-2015-0289 - PKCS7 NULL pointer dereferences

    * The fix for CVE-2015-0207 - Segmentation fault in DTLSv1_listen
      is integrated for safety, but LibreSSL is not vulnerable.

    * Libtls is now built by default. The --enable-libtls
      configuration option is no longer required.
      The libtls API is now stable for the 2.1.x series.

2.1.5 - Bug fixes and a security update
    * Fix incorrect comparison function in openssl(1) certhash command.
      Thanks to Christian Neukirchen / Void Linux.

    * Windows port improvements and bug fixes.
        - Removed a dependency on libgcc in 32-bit dynamic libraries.
        - Correct a hang in openssl(1) reading from stdin on a connection.
        - Initialize winsock in openssl(1) earlier, allow 'openssl ocsp' and
          any other network-related commands to function properly.

    * Reject all server DH keys smaller than 1024 bits.

2.1.4 - Security and feature updates
    * Improvements to libtls:
        - a new API for loading CA chains directly from memory instead of a
          file, allowing verification with privilege separation in a chroot
          without direct access to CA certificate files.

        - Ciphers default to TLSv1.2 with AEAD and PFS.

        - Improved error handling and message generation

        - New APIs and improved documentation

    * Added X509_STORE_load_mem API for loading certificates from memory.
      This facilitates accessing certificates from a chrooted environment.

    * New AEAD "MAC alias" allows configuring TLSv1.2 AEAD ciphers by
      using 'TLSv1.2+AEAD' as the cipher selection string.

    * Dead and disabled code removal including MD5, Netscape workarounds,
      non-POSIX IO, SCTP, RFC 3779 support, many #if 0 sections, and more.

    * ASN1 macro maze expanded to aid reading and searching the code.

    * NULL pointer asserts removed in favor of letting the OS/signal
      handler catch them.

    * Refactored argument handling in openssl(1) for consistency and
      maintainability.

    * New openssl(1) command 'certhash' replaces the c_rehash script.

    * Support for building with OPENSSL_NO_DEPRECATED

    * Server-side support for TLS_FALLBACK_SCSV for compatibility with
      various auditor and vulnerability scanners.

    * Dozens of issues found with the Coverity scanner fixed.

    * Security Updates:

        - Fix a minor information leak that was introduced in t1_lib.c
          r1.71, whereby an additional 28 bytes of .rodata (or .data) is
          provided to the network. In most cases this is a non-issue since
          the memory content is already public. Issue found and reported by
          Felix Groebert of the Google Security Team.

        - Fixes for the following low-severity issues were integrated into
          LibreSSL from OpenSSL 1.0.1k:

          CVE-2015-0205 - DH client certificates accepted without
          verification
          CVE-2014-3570 - Bignum squaring may produce incorrect results
          CVE-2014-8275 - Certificate fingerprints can be modified
          CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client]
          Reported by Karthikeyan Bhargavan of the PROSECCO team at INRIA.

          The following CVEs were fixed in earlier LibreSSL releases:
          CVE-2015-0206 - Memory leak handling repeated DTLS records
          CVE-2014-3510 - Flaw handling DTLS anonymous EC(DH) ciphersuites.

          The following CVEs did not apply to LibreSSL:
          CVE-2014-3571 - DTLS segmentation fault in dtls1_get_record
          CVE-2014-3569 - no-ssl3 configuration sets method to NULL
          CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA

2.1.3 - Security update and OS support improvements
    * Fixed various memory leaks in DTLS, including fixes for
      CVE-2015-0206.

    * Added Application-Layer Protocol Negotiation (ALPN) support.

    * Removed GOST R 34.10-94 signature authentication.

    * Removed nonfunctional Netscape browser-hang workaround code.

    * Simplified and refactored SSL/DTLS handshake code.

    * Added SHA256 Camellia cipher suites for TLS 1.2 from RFC 5932.

    * Hide timing info about padding errors during handshakes.

    * Improved libtls support for non-blocking sockets, added randomized
      session ID contexts. Work is ongoing with this library - feedback
      and potential use-cases are welcome.

    * Support building Windows DLLs.
      Thanks to Jan Engelhard.

    * Packaged config wrapper for better compatibility with OpenSSL-based
      build systems.
      Thanks to @technion from github

    * Ensure the stack is marked non-executable for assembly sections.
      Thanks to Anthony G. Bastile.

    * Enable extra compiler hardening flags by default, where applicable.
      The default set of hardening features can vary from OS to OS, so
      feedback is welcome on this. To disable the default hardening flags,
      specify '--disable-hardening' during configure.
      Thanks to Jim Barlow

    * Initial HP-UX support, tested with HP-UX 11.31 ia64
      Thanks to Kinichiro Inoguchi

    * Initial NetBSD support, tested with NetBSD 6.1.5 x86_64
      Imported from OpenNTPD, thanks to @gitisihara from github

2.1.2 - Many new features and improvements
    * Added reworked GOST cipher suite support
      thanks to Dmitry Eremin-Solenikov

    * Enabled Camellia ciphers due to improved patent situation

    * Use builtin arc4random implementation on OS X and FreeBSD
      this addresses some deficiencies in the native implementations of
      these operating systems, see commit logs for more information

    * Added initial Windows mingw-w64 support (32 and 64-bit)
      thanks to Song Dongsheng and others for code and feedback

    * Enabled assembly optimizations on x86_64 CPUs
      supports Linux, *BSD, Solaris and OS X operating systems
      thanks to Wouter Clarie for the initial implementation

    * Added no_ssl3/no_tls1_1/no_tls1_2 options to openssl(1)

    * Improved build infrastructure, 'make distcheck' now passes
      this simplifies development and speeds it up
      thanks to Dmitry Eremin-Solenikov and Wouter Clarie

    * Allow conditional building of the libtls library
      expect the API and ABI of the library to change
      feedback is welcome

    * Fixes for more memory leaks, cleanups, etc.
2.1.1 - Security update
    * Address POODLE attack by disabling SSLv3 by default

    * Fix elliptic curve cipher selection bug
      (https://github.com/libressl-portable/portable/issues/35)

2.1.0 - First release from the OpenBSD 5.7 tree
    * Added support for automatic ephemeral EC keys

    * Fixes for many memory leaks and overflows in error handlers

    * The TLS padding extension (that works around bugs in F5 terminators) is
      off by default

    * Support for getrandom(2) on Linux 3.17

    * The NO_ASM macro is no longer being set, providing the first bits toward
      enabling other assembly offloads.

2.0.5 - Fixes for CVEs from OpenSSL 1.0.1i
    * CVE-2014-3506
    * CVE-2014-3507
    * CVE-2014-3508 (partially vulnerable)
    * CVE-2014-3509
    * CVE-2014-3510
    * CVE-2014-3511
    * Synced LibreSSL Portable with the release version of OpenBSD 5.6

2.0.4 - Portability fixes, deleted unused SRP code

2.0.3 - Portability fixes, improvements to fork detection

2.0.2 - Address arc4random fork PID wraparound issues with pthread_atfork

2.0.1 - Portability fixes:
    * Removed -Werror and other non-portable compiler flags

    * Allow setting OPENSSLDIR and ENGINESDIR

2.0.0 - First release from the OpenBSD 5.6 tree
    * Removal of many obsolete features and coding conventions from the OpenSSL
      1.0.1h source