Because this project is maintained both in the OpenBSD tree using CVS and in
Git, it can be confusing following all of the changes.

Most of the libssl and libcrypto source code is here in OpenBSD CVS:

    http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/

Some of the libcrypto and OS-compatibility files for entropy and random number
generation are here:

    http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libcrypto/

A simplified TLS wrapper library is here:

    http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libtls/

The LibreSSL Portable project copies these portions of the OpenBSD tree, along
with relevant portions of the C library, to a Git repository. This makes it
easier to follow all of the relevant changes to the upstream project in a
single place:

    https://github.com/libressl-portable/openbsd

The portable bits of the project are largely maintained out-of-tree, and their
history is also available from Git.

    https://github.com/libressl-portable/portable

LibreSSL Portable Release Notes:

3.4.1 - Stable release

  * New Features
    - Added support for OpenSSL 1.1.1 TLSv1.3 APIs.
    - Enabled the new X.509 validator to allow verification of
      modern certificate chains.
  * Portable Improvements
    - Ported continuous integration and test infrastructure to Github
      actions.
    - Added Universal Windows Platform (UWP) build support.
    - Fixed mingw-w64 builds on newer versions with missing SSP support.
    - Added non-executable stack annotations for CMake builds.
  * API and Documentation Enhancements
    - Added the following APIs from OpenSSL:
        BN_bn2binpad BN_bn2lebinpad BN_lebin2bn EC_GROUP_get_curve
        EC_GROUP_order_bits EC_GROUP_set_curve
        EC_POINT_get_affine_coordinates
        EC_POINT_set_affine_coordinates
        EC_POINT_set_compressed_coordinates EVP_DigestSign
        EVP_DigestVerify SSL_CIPHER_find SSL_CTX_get0_privatekey
        SSL_CTX_get_max_early_data SSL_CTX_get_ssl_method
        SSL_CTX_set_ciphersuites SSL_CTX_set_max_early_data
        SSL_CTX_set_post_handshake_auth SSL_SESSION_get0_cipher
        SSL_SESSION_get_max_early_data SSL_SESSION_is_resumable
        SSL_SESSION_set_max_early_data SSL_get_early_data_status
        SSL_get_max_early_data SSL_read_early_data SSL_set0_rbio
        SSL_set_ciphersuites SSL_set_max_early_data
        SSL_set_post_handshake_auth
        SSL_set_psk_use_session_callback
        SSL_verify_client_post_handshake SSL_write_early_data
    - Added AES-GCM constants from RFC 7714 for SRTP.
  * Compatibility Changes
    - Implement flushing behavior for TLSv1.3 handshakes, needed for Apache.
    - Call the info callback on connect/accept exit in TLSv1.3,
      needed for p5-Net-SSLeay.
    - Default to using named curve parameter encoding from
      pre-OpenSSL 1.1.0, adding OPENSSL_EC_EXPLICIT_CURVE.
    - Do not ignore SSL_TLSEXT_ERR_FATAL from the ALPN callback.
  * Testing and Proactive Security
    - Added additional state machine test coverage.
    - Improved integration test support with ruby/openssl tests.
    - Error codes and callback support in the new X.509 validator made
      compatible with p5-Net_SSLeay tests.
  * Internal Improvements
    - Numerous fixes and improvements to the new X.509 validator to
      ensure error codes and callback support compatible with the
      legacy OpenSSL validator.

3.4.0 - Development release

  * Add support for OpenSSL 1.1.1 TLSv1.3 APIs.

  * Enable new x509 validator.

  * More details to come, testing is appreciated.

3.3.5 - Security fix

  * A stack overread could occur when checking X.509 name constraints.
    From GoldBinocle on GitHub.

  * Enable X509_V_FLAG_TRUSTED_FIRST by default in the legacy verifier.
    This compensates for the expiry of the DST Root X3 certificate.

3.3.4 - Security fix

  * In LibreSSL, printing a certificate can result in a crash in
    X509_CERT_AUX_print().
    From Ingo Schwarze

  * Ensure GNU-stack is set on ELF platforms when building with CMake to
    enable non-executable stack annotations for the GNU toolchain.
    From Tobias Heider

3.3.3 - Stable release

  * This is the first stable release from the 3.3.x series.
    There are no changes from 3.3.2.

3.3.2 - Development release

  * This release adds support for DTLSv1.2 and continues the rewrite
    of the record layer for the legacy stack. Numerous bugs and
    interoperability issues were fixed in the new verifier. A few bugs
    and incompatibilities remain, so this release uses the old verifier
    by default. The OpenSSL 1.1 TLSv1.3 API is not yet available.

  * Switch finish{,_peer}_md_len from an int to a size_t.

  * Make SSL_get{,_peer}_finished() work when used with TLSv1.3.

  * Use EVP_MD_MAX_MD_SIZE instead of 2 * EVP_MD_MAX_MD_SIZE as size
    for cert_verify_md[], finish_md[] and peer_finish_md[]. The factor 2
    was a historical artefact.

  * Correct the return value type from ERR_peek_error() to a long.

  * Avoid use of an uninitialized value in ASN1_time_parse(), which could
    happen on parsing UTCTime if the caller did not initialise the passed
    struct tm.

  * Destroy the mutex in a tls_config object on tls_config_free().

  * Free alert_data and phh_data in tls13_record_layer_free();
    these could leak if SSL_shutdown() or tls_close() were called
    after closing the underlying socket().

  * Free struct members in tls13_record_layer_free() in their natural
    order for reviewability.

  * Gracefully handle root certificates being both trusted and
    untrusted.

  * Handle X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE in the new
    verifier.

  * Use the legacy verifier when building auto chains for TLS.

  * Use consistent names in tls13_{client,server}_finished_{recv,send}().

  * Add tls13_secret_{init,cleanup}() and use them throughout the
    TLSv1.3 code base.

  * Move the read MAC key into the TLSv1.2 record layer.

  * Make tls12_record_layer_free() NULL safe.

  * Search the intermediates only after searching the root certs in the
    new verifier to avoid problems with the legacy callback.

  * Bail out early after finding a single chain in the new verifier, if
    we have been called via the legacy verifier API.

  * Set (invalid and likely incomplete) chain on the xsc on chain build
    failure prior to calling the callback. This is required by various
    callers, including auto chain.

  * Align SSL_get_shared_ciphers() with OpenSSL. This takes into account
    that it never returned server ciphers, so now it will fail when
    called from the client side.

  * Add support for SSL_get_shared_ciphers() with TLSv1.3.

  * Split the record protection from the TLSv1.2 record layer.

  * Clean up sequence number handling in the new TLSv1.2 record layer.

  * Clean up sequence number handling in DTLS.

  * Clean up dtls1_reset_seq_numbers().

  * Factor out code for explicit IV length, block size and MAC length
    from tls12_record_layer_open_record_protected_cipher().

  * Provide record layer overhead for DTLS.

  * Provide functions to determine if TLSv1.2 record protection is
    engaged.

  * Add code to handle change of cipher state in the new TLSv1.2 record
    layer.

  * Mop up now unused dtls1_build_sequence_numbers() function.

  * Allow setting a keypair on a tls context without specifying the
    private key, and fake it internally in libtls. This removes the
    need for privsep engines like relayd to use bogus keys.

  * Skip the private key check for fake private keys.

  * Move the private key setup from tls_configure_ssl_keypair() to a
    helper function with proper error checking.

  * Change the internal tls_configure_ssl_keypair() function to
    return -1 instead of 1 on failure.

  * Move sequence numbers into the new TLSv1.2 record layer.

  * Move AEAD handling into the new TLSv1.2 record layer.

  * Remove direct assignment of aead_ctx to avoid a leak.

  * Add a number of RPKI OIDs from RFC 6482, 6484, 6493, 8182, 8360,
    draft-ietf-sidrops-rpki-rta, and draft-ietf-opsawg-finding-geofeeds.

  * Fail early in legacy exporter if the master secret is not available
    to avoid a segfault if it is called when the handshake is not
    completed.

  * Factor out legacy stack version checks.

  * Correct handshake MAC/PRF for various TLSv1.2 cipher suites which
    were originally added with the default handshake MAC and PRF rather
    than the SHA256 handshake MAC and PRF.

  * Absorb ssl3_get_algorithm2() into ssl_get_handshake_evp_md().

  * Use dtls1_record_retrieve_buffered_record() to load buffered
    application data.

  * Enforce read ahead with DTLS.

  * Remove bogus DTLS checks that disabled ECC and OCSP.

  * Sync cert.pem with Mozilla NSS root CAs except "GeoTrust Global CA".

  * Only print the certificate file once on verification failure.

  * Pull in fix for EVP_CipherUpdate() overflow from OpenSSL.

  * Clean up and simplify dtls1_get_cipher().

  * Group HelloVerifyRequest decoding and add missing check for trailing
    data.

  * Revise HelloVerifyRequest handling for DTLSv1.2.

  * Handle DTLS1_2_VERSION in various places.

  * Add DTLSv1.2 methods.

  * Make SSL{_CTX,}_get_{min,max}_proto_version() return a version of
    zero if the minimum or maximum has been set to zero to match
    OpenSSL's behavior.

  * Rename the "truncated" label into "decode_err" and the "f_err"
    label into "fatal_err".

  * Factor out and change some of the legacy client version code.

  * Simplify version checks in the TLSv1.3 client. Ensure that the
    server announced TLSv1.3 and nothing higher and check that the
    legacy_version is set to TLSv1.2 as required by RFC 8446.

  * Fix an off-by-one in x509_verify_set_xsc_chain() to make sure that
    the new validator checks for EXFLAG_CRITICAL in
    x509_vfy_check_chain_extension() for all untrusted certs in the
    chain. Take into account that the root is not necessarily trusted.

  * Avoid passing last and depth to x509_verify_cert_error() on ENOMEM.

  * Rename depth to num_untrusted.

  * Only use TLS versions internally rather than both TLS and DTLS
    versions since the latter are the one's complement of the human
    readable version numbers, which means that newer versions decrease
    in value.

  * Fix two bugs in the legacy verifier that resulted from refactoring
    of X509_verify_cert() for the new verifier: a return value was
    incorrectly treated as boolean, making it insufficient to decide
    whether validation should carry on or not.

  * Identify DTLS based on the version major value.

  * Move handling of cipher/hash based cipher suites into the new record
    layer.

  * Add tls12_record_protection_unused() and call it from CCS functions.

  * Move key/IV length checks closer to usage sites. Also add explicit
    checks against EVP_CIPHER_{iv,key}_length().

  * Replace two hand-rolled instances of tls12_record_protection_engaged().

  * Improve internal version handling: add handshake fields for our
    minimum version, our maximum version and the TLS version negotiated
    during the handshake. Convert most of the internal code to use these
    version fields.

  * Guard against future internal use of TLS1_get_{client,}_version()
    macros.

  * Remove the internal ssl_downgrade_max_version() function which is no
    longer needed.

  * Fix checks for memory caps on constraint names. There are internal
    caps on the number of name constraints and other names that the new
    name constraints code allocates per cert chain. These limits were
    checked too late, making them only partially effective.

  * Use EXFLAG_INVALID to handle out of memory and parse errors in
    x509v3_cache_extensions().

  * Add support for DTLSv1.2 version handling.

  * Enable DTLSv1.2 support.

  * Add DTLSv1.2 support to openssl s_client/s_server.

  * Remove no longer needed read ahead workarounds in the s_client and
    s_server.

  * Fix a copy-paste error: skid was confused with an akid when
    checking for EXFLAG_INVALID. This broke OCSP validation with
    certain mirrors.

  * Make supported protocols and options for DHE params more prominent
    in tls_config_set_protocols.3.

  * Avoid a use-after-scope in tls13_cert_add().

  * Split TLSv1.3 record protection from record layer.

  * Move the TLSv1.3 handshake struct inside the shared handshake
    struct.

  * Fully initialize rrec in tls12_record_layer_open_record_protected()
    to avoid confusing some static analyzers.

  * Use tls_set_errorx() on OCSP_basic_verify() failure since the latter
    does not set errno.

  * Convert openssl(1) x509 to new option handling and do the usual
    clean up that goes along with it.

  * Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.

  * Rename new_cipher to cipher to align naming with keyblock or other
    parts of the handshake data.

  * Avoid mangled output in BIO_debug_callback().

  * Fix client initiated renegotiation by replacing use of s->internal->type
    with s->server.

  * Move the TLSv1.2 record number increment into the new record layer.

  * Move finished and peer finished into the handshake struct.

  * Avoid transcript initialization when sending a TLS HelloRequest,
    fixing server initiated renegotiation.

  * Remove pointless assignment in SSL_get0_alpn_selected().

  * Provide EVP_PKEY_new_CMAC_key(3).

  * Add missing prototype for d2i_DSAPrivateKey_fp(3) to x509.h.

  * Add DTLSv1.2 to openssl(1) s_server and s_client protocol message
    logging.

  * Avoid leaking param->name in x509_verify_param_zero().

  * Avoid a leak in an error path in openssl(1) x509.

  * Add some error checking to openssl(1) x509.

  * When sending an alert in TLSv1.3, only set its error code when no
    other error was set previously. Certain clients rely on specific
    SSL_R_ error codes to identify that they are dealing with a self
    signed cert.

  * Switch to the legacy verifier for the stable release.

  * Provide SSL_use_certificate_chain_file(3).

  * Provide SSL_set_hostflags(3) and SSL_get0_peername(3).

  * Provide various DTLSv1.2 specific functions and defines.

  * Document meaning of '*' in the genrsa output.

  * Updated documentation for SSL_get_shared_ciphers(3).

  * Add documentation for SSL_get_finished(3).

  * Document EVP_PKEY_new_CMAC_key(3).

  * Document SSL_use_certificate_chain_file(3).

  * Document SSL_set_hostflags(3) and SSL_get0_peername(3).

  * Update SSL_get_version.3 manual for DTLSv1.2 support.

  * Added '--enable-libtls-only' build option, which builds and installs a
    statically-linked libtls, skipping libcrypto and libssl. This is useful
    for systems that ship with OpenSSL but wish to also package libtls.

3.3.1 - Security fix

  * Malformed ASN.1 in a certificate revocation list or a timestamp
    response token can lead to a NULL pointer dereference.

  Bug fixes

  * Move point-on-curve check to set_affine_coordinates to avoid
    verifying ECDSA signatures with unchecked public keys.

  * Fix SSL_is_server() to behave as documented by re-introducing the
    client-specific methods.

  * Avoid undefined behavior due to memcpy(NULL, NULL, 0).

  * Mark a few more internal static tables const.

3.3.0 - Development release

  * Make openssl(1) s_server ignore -4 and -6 for compatibility with
    OpenSSL.

  * Further cleanup of the DTLS record handling.

  * Continue the replacement of the TLSv1.2 record layer by
    reimplementing the read side of the TLSv1.2 record handling.

  * Replace DTLSv1_enc_data() with TLSv1_1_enc_data().

  * Merge d1_{clnt,srvr}.c into ssl_{clnt,srvr}.c.

  * When switching from the TLSv1.3 stack to the legacy stack include
    a TLS record header. This is necessary if there is more than one
    handshake message in the TLS plaintext record.

  * Set SO_REUSEADDR on the server socket in the openssl(1) ocsp
    command.

  * Fix resource handling on error in OCSP_request_add0_id().

  * Add const to ssl_ciphers and tls1[23]_sigalgs* to push them into
    .data.rel.ro and .rodata, respectively.

  * Add a const qualifier to srtp_known_profiles.

  * Simplify TLS method by removing the client and server specific
    methods internally.

  * Avoid casting away const in ssl_ctx_make_profiles().

  * Make sure there is enough room for stashing the handshake message
    when switching to the legacy TLS stack.

  * Avoid explicitly conditioning an assert on DTLS1_VERSION to make
    the assert work for newer DTLS versions.

  * Merge SSL_ENC_METHOD into SSL_METHOD_INTERNAL.

  * Send a host header with OCSP queries to make openssl(1) ocsp
    work with some widely used OCSP responders.

  * Fix a memory leak in the openssl(1) s_client.

  * Add a flag to mark DTLS methods as DTLS to have an easy way to
    recognize DTLS methods that avoids inspecting the version number.

  * Implement SSL_is_dtls() and use it internally in place of the
    SSL_IS_DTLS macro.

  * Unbreak DTLS retransmissions for flights that include a CCS.

  * Add ability to ocspcheck(8) to parse a port in the specified
    OCSP URL.

  * Refactor and clean up ocspcheck(8) and add regression tests.

  * If x509_verify() fails, ensure that the error is set on both
    the x509_verify_ctx() and its store context to make some failures
    visible from SSL_get_verify_result().

  * Use the X509_STORE_CTX get_issuer() callback from the new X.509
    verifier to fix hashed certificate directories.

  * Only check BIO_should_read() on read and BIO_should_write() on
    write. Previously, BIO_should_write() was also checked after read
    and BIO_should_read() after write which could cause stalls in
    software that uses the same BIO for read and write.

  * In openssl(1) verify, also check for error on the store context
    since the return value of X509_verify_cert() is unreliable in
    presence of a callback that returns 1 too often.

  * Update getentropy on Windows to use Cryptography Next Generation
    (CNG). wincrypt is deprecated and no longer works with newer Windows
    environments, such as in Windows Store apps.

  * Implement auto chain for the TLSv1.3 server since some software
    relies on this.

  * Handle additional certificate error cases in the new X.509 verifier.
    Keep track of the errors encountered if a verify callback tells the
    verifier to continue and report them back via the error on the store
    context. This mimics the behavior of the old verifier that would
    persist the first error encountered while building the chain.

  * Report specific failures for "self signed certificates" in a way
    compatible with the old verifier since software relies on the
    error code.

  * Implement key exporter for TLSv1.3.

  * Plug a large memory leak in the new verifier caused by calling
    X509_policy_check() repeatedly.

  * Avoid leaking memory in x509_verify_chain_dup().

  * Various documentation improvements, particularly around TLS methods.

3.2.3 - Security fix

  * Malformed ASN.1 in a certificate revocation list or a timestamp
    response token can lead to a NULL pointer dereference.

3.2.2 - Stable release

  * This is the first stable release with the new TLSv1.3
    implementation enabled by default for both client and server. The
    OpenSSL 1.1 TLSv1.3 API is not yet available and will be provided
    in an upcoming release.

  * New X509 certificate chain validator that correctly handles
    multiple paths through intermediate certificates. Loosely based on
    Go's X509 validator.

  * New name constraints verification implementation which passes the
    bettertls.com certificate validation check suite.

  * Improve the handling of BIO_read()/BIO_write() failures in the
    TLSv1.3 stack.

  * Start replacing the existing TLSv1.2 record layer.

  * Define OPENSSL_NO_SSL_TRACE in opensslfeatures.h.

  * Make SSL_CTX_get_ciphers(NULL) return NULL rather than crash.

  * Send alert on ssl_get_prev_session() failure.

  * Zero out variable on the stack to avoid leaving garbage in the tail
    of short session IDs.

  * Move state initialization from SSL_clear() to ssl3_clear() to ensure
    that it gets correctly reinitialized across a SSL_set_ssl_method()
    call.

  * Avoid an out-of-bounds write in BN_rand().

  * Fix numerous leaks in the UI_dup_* functions. Simplify and tidy up
    the code in ui_lib.c.

  * Correctly track selected ALPN length to avoid a potential segmentation
    fault with SSL_get0_alpn_selected() when alpn_selected is NULL.

  * Include machine/endian.h in gost2814789.c in order to pick up the
    __STRICT_ALIGNMENT define.

  * Simplify SSL method lookups.

  * Clean up and simplify SSL_get_ciphers(), SSL_set_session(),
    SSL_set_ssl_method() and several internal functions.

  * Correctly handle ssl_cert_dup() failure in SSL_set_SSL_CTX().

  * Refactor dtls1_new(), dtls1_hm_fragment_new(),
    dtls1_drain_fragments(), dtls1_clear_queues().

  * Copy the session ID directly in ssl_get_prev_session() instead of
    handing it through several functions for copying.

  * Clean up and refactor ssl_get_prev_session(); simplify
    tls_decrypt_ticket() and tls1_process_ticket() exit paths.

  * Avoid memset() before memcpy() in CBS_add_bytes().

  * Rewrite X509_INFO_{new,free}() more idiomatically.

  * Remove unnecessary zeroing after recallocarray() in
    ASN1_BIT_STRING_set_bit().

  * Convert openssl(1) ocsp to new option handling.

  * Document SSL_set1_host(3), SSL_set_SSL_CTX(3).

  * Document return value from EC_KEY_get0_public_key(3).

  * Greatly expanded test coverage via the tlsfuzzer test scripts.

  * Expanded test coverage via the bettertls certificate test suite.

  * Test interoperability with the Botan TLS client.

  * Make pthread_mutex static initialisation work on Windows.

  * Get __STRICT_ALIGNMENT from machine/endian.h with portable build.

3.2.1 - Development release

  * Propagate alerts from the read half of the TLSv1.3 record layer to I/O
    functions.

  * Send a record overflow alert for TLSv1.3 messages having overlong
    plaintext or inner plaintext.

  * Send an illegal parameter alert if a client sends an invalid DH key
    share.

  * Document PKCS7_final(3), PKCS7_add_attribute(3).

  * Collapse x509v3 directory into x509.

  * Improve TLSv1.3 client certificate selection to allow EC certificates
    instead of only RSA certificates.

  * Fail on receiving an invalid NID in X509_ATTRIBUTE_create() instead
    of constructing a broken object that may cause NULL pointer accesses.

  * Add support for additional GOST curves from RFC 7836 and
    draft-deremin-rfc4491-bis.

  * Add OIDs for HMAC using the Streebog hash function.

  * Allow GOST R 34.11-2012 in PBE/PBKDF2/PKCS#5.

  * Enable GOST_SIG_FORMAT_RS_LE when verifying certificate signatures.

  * Handle GOST in ssl_cert_dup().

  * Stop sending GOST R 34.10-94 as a CertificateType.

  * Use IANA allocated GOST ClientCertificateTypes.

  * Add a custom copy handler for AES keywrap to fix a use-after-free.

  * Enforce in the TLSv1.3 server that ClientHello messages after
    a HelloRetryRequest match the original ClientHello as per RFC 8446
    section 4.1.2.

  * Document more PKCS7 attribute functions.

  * Document PKCS7_get_signer_info(3).

  * Document PEM_ASN1_read(3) and PEM_ASN1_read_bio(3).

  * Document PEM_def_callback(3).

  * Document EVP_read_pw_string_min(3).

  * Merge documentation of X509_get0_serialNumber from OpenSSL 1.1.1.

  * Document error handling of X509_PUBKEY_get0(3) and X509_PUBKEY_get(3).

  * Document X509_get0_pubkey_bitstr(3).

  * Fix an off-by-one in the CBC padding removal. From BoringSSL.

  * Enforce restrictions on extensions present in the ClientHello as per
    RFC 8446, section 9.2.

  * Add new CMAC_Init(3) and ChaCha(3) manual pages.

  * Fix SSL_shutdown behavior to match the legacy stack. The previous
    behavior could cause a hang.

  * Add initial support for openbsd/powerpc64.

  * Make the message type available in the internal TLS extensions API
    functions.

  * Enable TLSv1.3 for the generic TLS_method().

  * Convert openssl(1) s_client option handling.

  * Document openssl(1) certhash.

  * Convert openssl(1) verify option handling.

  * Fix a longstanding bug in PEM_X509_INFO_read_bio(3) that could cause
    use-after-free and double-free issues in calling programs.

  * Document PEM_X509_INFO_read(3) and PEM_X509_INFO_read_bio(3).

  * Handle SSL_MODE_AUTO_RETRY being changed during a TLSv1.3 session.

  * Convert openssl(1) s_server option handling.

  * Add minimal info callback support for TLSv1.3.

  * Refactor, clean up and simplify some SSL3/DTLS1 record writing code.

  * Correctly handle server requests for an OCSP response.

  * Add the P-521 curve to the list of curves supported by default
    in the client.

  * Convert openssl(1) req option handling.

  * Avoid calling freezero with a negative size if a server sends a
    malformed plaintext of all zeroes.

  * Send an unexpected message alert if no valid content type is found
    in a TLSv1.3 record.

3.2.0 - Development release

  * Enable TLS 1.3 server side in addition to client by default.
    With this change TLS 1.3 is handled entirely on the new stack
    and state machine, with fallback to the legacy stack and
    state machine for older versions. Note that the OpenSSL TLS 1.3
    API is not yet visible/available.

  * Improve length checks in the TLS 1.3 record layer and provide
    appropriate alerts for violations of record layer limits.

  * Enforce that SNI hostnames received by the TLS server are correctly
    formed as per RFC 5890 and RFC 6066, responding with illegal parameter
    for a nonconformant host name.

  * Support SSL_MODE_AUTO_RETRY in TLS 1.3 to allow the automatic
    retry of handshake messages.

  * Modify I/O behavior so that SSL_MODE_AUTO_RETRY is the default,
    similar to new OpenSSL releases.

  * Modify openssl(1) to clear SSL_MODE_AUTO_RETRY appropriately in
    various commands.

  * Add tlsfuzzer based regression tests.

  * Support sending certificate status requests from the TLS 1.3
    client to request OCSP staples for leaf certificates.

  * Support sending certificate status replies from the TLS 1.3 server
    in order to send OCSP staples for leaf certificates.

  * Send correct alerts when handling failed key share extensions
    on the TLS 1.3 server.

  * Various compatibility fixes for TLS 1.3 to 1.2 fallback for
    switching from the new to legacy stacks.

  * Support TLS 1.3 options in the openssl(1) command.

  * Many alert cleanups in TLS 1.3 to provide expected alerts in failure
    conditions.

  * Modify "openssl x509" to display invalid certificate times as
    invalid, and correctly deal with the failing return case from
    X509_cmp_time so that a certificate with an invalid NotAfter does
    not appear valid.

  * Support sending dummy change_cipher_spec records for TLS 1.3 middlebox
    compatibility.

  * Ensure only PSS signatures are used with RSA in TLS 1.3.

  * Ensure that TLS 1.3 clients advertise exactly the "null" compression
    method in their legacy_compression_methods.

  * Correct use of sockaddr_storage instead of sockaddr in openssl(1)
    s_client, which could lead to using 14 bytes of stack garbage instead
    of an IPv6 address in DTLS mode.

  * Use non-expired certificates first when building a certificate chain.
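The SNI host name check that the 3.2.0 entry above describes, as an added example that is not LibreSSL's own code: it applies the RFC 5890 LDH label rules (ASCII letters, digits and hyphen; 1 to 63 octets per label; no leading or trailing hyphen) and the RFC 6066 section 3 rules for the HostName field (no trailing dot, no IPv4 or IPv6 literal). A server that rejects a name this way answers with an illegal_parameter alert rather than matching the name against its certificates. The function and macro names, the constructed sample names, and the 253-octet total bound (the presentation-form DNS name limit) are this example's own assumptions, not LibreSSL's identifiers.

```c
/* Added example, not LibreSSL code: validate the HostName of a TLS
 * server_name (SNI) extension. Names and limits below are this example's
 * own; the 253-octet total is the presentation-form DNS limit, assumed here.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SNI_MAX_HOSTNAME 253
#define SNI_MAX_LABEL     63

/* LDH character set of RFC 5890: ASCII letters, digits and hyphen. */
static int is_ldh_char(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
        (c >= '0' && c <= '9') || c == '-';
}

/* Return 1 if name[0..len) is an acceptable SNI HostName, 0 otherwise.
 * The buffer need not be NUL-terminated; len comes from the extension. */
int sni_hostname_ok(const unsigned char *name, size_t len)
{
    size_t i, label_len = 0;
    int last_label_all_digits = 1;

    if (len == 0 || len > SNI_MAX_HOSTNAME)
        return 0;

    for (i = 0; i < len; i++) {
        unsigned char c = name[i];

        if (c == '.') {
            /* Empty label (leading dot or "a..b") or label ending in '-'. */
            if (label_len == 0 || name[i - 1] == '-')
                return 0;
            label_len = 0;
            last_label_all_digits = 1;
            continue;
        }
        /* Non-ASCII U-labels, '_', and ':' (IPv6 literals) fail here. */
        if (!is_ldh_char(c))
            return 0;
        if (label_len == 0 && c == '-')
            return 0;
        if (++label_len > SNI_MAX_LABEL)
            return 0;
        if (c < '0' || c > '9')
            last_label_all_digits = 0;
    }

    /* Trailing dot, trailing hyphen, or an all-digit final label: the last
     * is how an IPv4 literal such as 192.0.2.1 survives the per-character
     * check, and RFC 6066 forbids IP literals in HostName. */
    if (label_len == 0 || name[len - 1] == '-' || last_label_all_digits)
        return 0;
    return 1;
}

/* Convenience wrapper for NUL-terminated strings. */
int sni_hostname_ok_str(const char *s)
{
    return sni_hostname_ok((const unsigned char *)s, strlen(s));
}

int main(void)
{
    /* Constructed sample names: the first two are well formed, the rest not. */
    const char *samples[] = {
        "www.example.com", "xn--nxasmq6b.example",
        "www.example.com.", "-bad.example", "a..b", "192.0.2.1",
        "2001:db8::1", "exa_mple.com", "caf\xc3\xa9.example",
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-24s %s\n", samples[i],
            sni_hostname_ok_str(samples[i]) ? "accept" : "reject (illegal_parameter)");
    return 0;
}
```

The check runs on the raw extension bytes before any certificate lookup, so a malformed name never reaches code that compares it against SAN entries; that is the same ordering the changelog entry describes, with the rejection surfaced to the peer as an illegal_parameter alert.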

3.1.5 - Security fix

  * Malformed ASN.1 in a certificate revocation list or a timestamp
    response token can lead to a NULL pointer dereference.

3.1.4 - Interoperability and bug fixes for the TLSv1.3 client:

  * Improve client certificate selection to allow EC certificates
    instead of only RSA certificates.

  * Do not error out if a TLSv1.3 server requests an OCSP response as
    part of a certificate request.

  * Fix SSL_shutdown behavior to match the legacy stack. The previous
    behaviour could cause a hang.

  * Fix a memory leak and add a missing error check in the handling of
    the key update message.

  * Fix a memory leak in tls13_record_layer_set_traffic_key.

  * Avoid calling freezero with a negative size if a server sends a
    malformed plaintext of all zeroes.

  * Ensure that only PSS may be used with RSA in TLSv1.3 in order
    to avoid using PKCS1-based signatures.

  * Add the P-521 curve to the list of curves supported by default
    in the client.

3.1.3 - Bug fix

  * libcrypto may fail to build a valid certificate chain due to
    expired untrusted issuer certificates.

3.1.2 - Bug fix

  * A TLS client with peer verification disabled may crash when
    contacting a server that sends an empty certificate list.

3.1.1 - Stable release

  * Improved cipher suite handling to automatically include TLSv1.3
    cipher suites when they are not explicitly referred to in the
    cipher string.

  * Improved handling of TLSv1.3 HelloRetryRequests, simplifying
    state transitions and ensuring that the legacy session identifier
    retains the same value across the handshake.

  * Provided TLSv1.3 cipher suite aliases to match the names used
    in RFC 8446.

  * Improved TLSv1.3 client key share handling to allow the use of
    any groups in our configured NID list.

  * Fixed printing the serialNumber with X509_print_ex(): fall back to
    the colon-separated hex bytes when the value is larger than an int.

  * Fix to disallow setting the AES-GCM IV length to zero.

  * Added -groups option to openssl(1) s_server subcommand.

  * Fix to show TLSv1.3 extension types with openssl(1) -tlsextdebug.

  * Improved portable builds to support the use of static MSVC runtimes.

  * Fixed portable builds to avoid exporting a sleep() symbol.

3.1.0 - Development release

  * Completed initial TLS 1.3 implementation with a completely new state
    machine and record layer. TLS 1.3 is now enabled by default for the
    client side, with the server side to be enabled in a future release.
    Note that the OpenSSL TLS 1.3 API is not yet visible/available.

  * Many more code cleanups, fixes, and improvements to memory handling
    and protocol parsing.

  * Added RSA-PSS and RSA-OAEP methods from OpenSSL 1.1.1.

  * Ported Cryptographic Message Syntax (CMS) implementation from OpenSSL
    1.1.1 and enabled by default.

  * Improved compatibility by backporting functionality and documentation
    from OpenSSL 1.1.1.

  * Added many new additional crypto test vectors.

  * Adjusted EVP_chacha20()'s behavior to match OpenSSL's semantics.

  * Default CA bundle location is now configurable in portable builds.

  * Added cms subcommand to openssl(1).

  * Added -addext option to openssl(1) req subcommand.

3.0.2 - Stable release

  * Use a valid curve when constructing an EC_KEY that looks like X25519.
    The recent EC group cofactor change results in stricter validation,
    which causes the EC_GROUP_set_generator() call to fail.
    Issue reported and fix tested by rsadowski@

  * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
889 (Note that the CMS code is currently disabled) 890 Port of Edlinger's Fix for CVE-2019-1563 from OpenSSL 1.1.1 (old license) 891 892 * Avoid a path traversal bug in s_server on Windows when run with the -WWW 893 or -HTTP options, due to incomplete path check logic. 894 Issue reported and fix tested by Jobert Abma 895 8963.0.1 - Development release 897 898 * Ported Billy Brumley's fix for CVE-2019-1547 in OpenSSL 1.1.1. If a NULL 899 or zero cofactor is passed to EC_GROUP_set_generator(), try to compute 900 it using Hasse's bound. This works as long as the cofactor is small 901 enough. 902 903 * Fixed a memory leak in error paths for eckey_type2param(). 904 905 * Initial work on supporting Cryptographic Message Syntax (CMS) in 906 libcrypto (not enabled). 907 908 * Various manual page improvements and additions. 909 910 * Added a CMake check for an existing uninstall target, facilitating 911 embedding LibreSSL in larger CMake projects, from Matthew Albrecht. 912 9133.0.0 - Development release 914 915 * Completed the port of RSA_METHOD accessors from the OpenSSL 1.1 API. 916 917 * Documented undescribed options and removed unfunctional options 918 description in openssl(1) manual. 919 920 * A plethora of small fixes due to regular oss-fuzz testing. 921 922 * Various side channels in DSA and ECDSA were addressed. These are some of 923 the many issues found in an extensive systematic analysis of bignum usage 924 by Samuel Weiser, David Schrammel et al. 925 926 * Enabled openssl(1) speed subcommand on Windows platform. 927 928 * Enabled performance optimizations when building with Visual Studio on Windows. 929 930 * Fixed incorrect carry operation in 512 addition for Streebog. 931 932 * Fixed -modulus option with openssl(1) dsa subcommand. 933 934 * Fixed PVK format output issue with openssl(1) dsa and rsa subcommand. 
935 9362.9.2 - Bug fixes 937 938 * Fixed portable builds with older versions of MacOS, 939 Android targets < API 21, and Solaris 10 940 941 * Fixed SRTP profile advertisement for DTLS servers. 942 9432.9.1 - Stable release 944 945 * Added support for XChaCha20 and XChaCha20-Poly1305. 946 947 * Added support for AES key wrap constructions via the EVP interface. 948 949 * Partial port of the OpenSSL EC_KEY_METHOD API for use by OpenSSH. 950 951 * Added pbkdf2 key derivation support to openssl(1) 952 953 * Removed SHA224 based handshake signatures from consideration for use in a TLS 1.2 handshake. 954 955 * Changed the default digest type of openssl(1) enc to to sha256. 956 957 * Changed the default digest type of openssl(1) dgst to sha256. 958 959 * Changed the default digest type of openssl(1) x509 -fingerprint to sha256. 960 961 * Changed the default digest type of openssl(1) crl -fingerprint to sha256. 962 963 * Improved Windows, Android, and ARM compatibility, including assembly 964 optimizations on Mingw-w64 targets. 965 9662.9.0 - Development release 967 968 * Added the SM4 block cipher from the Chinese standard GB/T 32907-2016. 969 970 * Fixed warnings about clock_gettime on Windows Visual Studio builds. 971 972 * Fixed CMake builds on systems where getpagesize is defined as an 973 inline function. 974 975 * CRYPTO_LOCK is now automatically initialized, with the legacy 976 callbacks stubbed for compatibility. 977 978 * Added the SM3 hash function from the Chinese standard GB/T 32905-2016. 979 980 * Added more OPENSSL_NO_* macros for compatibility with OpenSSL. 981 982 * Added extensive interoperability tests between LibreSSL and OpenSSL 983 1.0 and 1.1. 984 985 * Added additional Wycheproof tests and related bug fixes. 986 987 * Simplified sigalgs option processing and handshake signing algorithm 988 989 * Added the ability to use the RSA PSS algorithm for handshake 990 signatures. 
991 992 * Added bn_rand_interval() and use it in code needing ranges of random 993 bn values. 994 995 * Added functionality to derive early, handshake, and application 996 secrets as per RFC8446. 997 998 * Added handshake state machine from RFC8446. 999 1000 * Removed some ASN.1 related code from libcrypto that had not been used 1001 since around 2000. 1002 1003 * Unexported internal symbols and internalized more record layer structs. 1004 1005 * Added support for assembly optimizations on 32-bit ARM ELF targets. 1006 1007 * Improved protection against timing side channels in ECDSA signature 1008 generation. 1009 1010 * Coordinate blinding was added to some elliptic curves. This is the 1011 last bit of the work by Brumley et al. to protect against the 1012 Portsmash vulnerability. 1013 1014 * Ensure transcript handshake is always freed with TLS 1.2. 1015 10162.8.2 - Stable release 1017 1018 * Added Wycheproof support for ECDH and ECDSA Web Crypto test vectors, 1019 along with test harness fixes. 1020 1021 * Fixed memory leak in nc(1) 1022 10232.8.1 - Test and compatibility improvements 1024 1025 * Added Wycheproof support for ECDH, RSASSA-PSS, AES-GCM, 1026 AES-CMAC, AES-CCM, AES-CBC-PKCS5, DSA, ChaCha20-Poly1305, ECDSA, and 1027 X25519 test vectors. Applied appropriate fixes for errors uncovered 1028 by tests. 1029 1030 * Simplified key exchange signature generation and verification. 1031 1032 * Fixed a one-byte buffer overrun in callers of EVP_read_pw_string 1033 1034 * Converted more code paths to use CBB/CBS. All handshake messages are 1035 now created by CBB. 1036 1037 * Fixed various memory leaks found by Coverity. 1038 1039 * Simplified session ticket parsing and handling, inspired by 1040 BoringSSL. 1041 1042 * Modified signature of CRYPTO_mem_leaks_* to return -1. This function 1043 is a no-op in LibreSSL, so this function returns an error to not 1044 indicate the (non-)existence of memory leaks. 
1045 1046 * SSL_copy_session_id, PEM_Sign, EVP_EncodeUpdate, BIO_set_cipher, 1047 X509_OBJECT_up_ref_count now return an int for error handling, 1048 matching OpenSSL. 1049 1050 * Converted a number of #defines into proper functions, matching 1051 OpenSSL's ABI. 1052 1053 * Added X509_get0_serialNumber from OpenSSL. 1054 1055 * Removed EVP_PKEY2PKCS8_broken and PKCS8_set_broken, while adding 1056 PKCS8_pkey_add1_attr_by_NID and PKCS8_pkey_get0_attrs, matching 1057 OpenSSL. 1058 1059 * Removed broken pkcs8 formats from openssl(1). 1060 1061 * Converted more functions in public API to use const arguments. 1062 1063 * Stopped handing AES-GCM in ssl_cipher_get_evp, since they use the 1064 EVP_AEAD interface. 1065 1066 * Stopped using composite EVP_CIPHER AEADs. 1067 1068 * Added timing-safe compares for checking results of signature 1069 verification. There are no known attacks, this is just inexpensive 1070 prudence. 1071 1072 * Correctly clear the current cipher state, when changing cipher state. 1073 This fixed an issue where renegotiation of cipher suites would fail 1074 when switched from AEAD to non-AEAD or vice-versa. 1075 Issue reported by Bernard Spil. 1076 1077 * Added more cipher tests to appstest.sh, including all TLSv1.2 1078 ciphers. 1079 1080 * Added RSA_meth_get_finish() RSA_meth_set1_name() from OpenSSL. 1081 1082 * Added new EVP_CIPHER_CTX_(get|set)_iv() API that allows the IV to be 1083 retrieved and set with appropriate validation. 1084 10852.8.0 - Bug fixes, security, and compatibility improvements 1086 1087 * Extensive documentation updates and additional API history. 1088 1089 * Fixed a pair of 20+ year-old bugs in X509_NAME_add_entry 1090 1091 * Tighten up checks for various X509_VERIFY_PARAM functions, 1092 'poisoning' parameters so that an unverified certificate cannot be 1093 used if it fails verification. 
1094 1095 * Fixed a potential memory leak on failure in ASN1_item_digest 1096 1097 * Fixed a potential memory alignment crash in asn1_item_combine_free 1098 1099 * Removed unused SSL3_FLAGS_DELAY_CLIENT_FINISHED and 1100 SSL3_FLAGS_POP_BUFFER flags in write path, simplifying IO paths. 1101 1102 * Removed SSL_OP_TLS_ROLLBACK_BUG buggy client workarounds. 1103 1104 * Made ENGINE_finish and ENGINE_free succeed on NULL and simplify callers 1105 and matching OpenSSL behavior, rewrote ENGINE_* documentation. 1106 1107 * Added const annotations to many existing APIs from OpenSSL, making 1108 interoperability easier for downstream applications. 1109 1110 * Fixed small timing side-channels in ecdsa_sign_setup and 1111 dsa_sign_setup. 1112 1113 * Documented security pitfalls with BN_FLG_CONSTTIME and constant-time 1114 operation of BN_* functions. 1115 1116 * Updated BN_clear to use explicit_bzero. 1117 1118 * Added a missing bounds check in c2i_ASN1_BIT_STRING. 1119 1120 * More CBS conversions, including simplifications to RSA key exchange, 1121 and converted code to use dedicated buffers for secrets. 1122 1123 * Removed three remaining single DES cipher suites. 1124 1125 * Fixed a potential leak/incorrect return value in DSA signature 1126 generation. 1127 1128 * Added a blinding value when generating DSA and ECDSA signatures, in 1129 order to reduce the possibility of a side-channel attack leaking the 1130 private key. 1131 1132 * Added ECC constant time scalar multiplication support. 1133 From Billy Brumley and his team at Tampere University of Technology. 1134 1135 * Revised the implementation of RSASSA-PKCS1-v1_5 to match the 1136 specification in RFC 8017. Based on an OpenSSL commit by David 1137 Benjamin. 1138 1139 * Cleaned up BN_* implementations following changes made in OpenSSL by 1140 Davide Galassi and others. 1141 11422.7.4 - Security fixes 1143 1144 * Avoid a timing side-channel leak when generating DSA and ECDSA 1145 signatures. 
This is caused by an attempt to do fast modular 1146 arithmetic, which introduces branches that leak information 1147 regarding secret values. Issue identified and reported by Keegan 1148 Ryan of NCC Group. 1149 1150 * Reject excessively large primes in DH key generation. Problem 1151 reported by Guido Vranken to OpenSSL 1152 (https://github.com/openssl/openssl/pull/6457) and based on his 1153 diff. 1154 11552.7.3 - Bug fixes 1156 1157 * Removed incorrect NULL checks in DH_set0_key(). Reported by Ondrej 1158 Sury 1159 1160 * Fixed an issue normalizing CPU architecture in the configure script, 1161 which disabled assembly optimizations on platforms that get detected 1162 as 'amd64', opposed to 'x86_64' 1163 1164 * Limited tls_config_clear_keys() to only clear private keys. 1165 This was inadvertently clearing the keypair, which includes the OCSP 1166 staple and pubkey hash - if an application called tls_configure() 1167 followed by tls_config_clear_keys(), this would prevent OCSP staples 1168 from working. 1169 11702.7.2 - Stable release 1171 1172 * Updated and added extensive new HISTORY sections to API manuals. 1173 1174 * Added support for shared library builds with CMake on all supported 1175 platforms. Note that some of the CMake options have changed, consult 1176 the README for details. 1177 11782.7.1 - Bug fixes 1179 1180 * Fixed a bug in int_x509_param_set_hosts, calling strlen() if name 1181 length provided is 0 to match the OpenSSL behaviour. Issue noticed 1182 by Christian Heimes <christian@python.org>. 1183 1184 * Fixed builds macOS 10.11 and older. 1185 11862.7.0 - Bug fixes and improvements 1187 1188 * Added support for many OpenSSL 1.0.2 and 1.1 APIs, based on 1189 observations of real-world usage in applications. These are 1190 implemented in parallel with existing OpenSSL 1.0.1 APIs - visibility 1191 changes have not been made to existing structs, allowing code written 1192 for older OpenSSL APIs to continue working. 
1193 1194 * Extensive corrections, improvements, and additions to the 1195 API documentation, including new public APIs from OpenSSL that had 1196 no pre-existing documentation. 1197 1198 * Added support for automatic library initialization in libcrypto, 1199 libssl, and libtls. Support for pthread_once or a compatible 1200 equivalent is now required of the target operating system. As a 1201 side-effect, minimum Windows support is Vista or higher. 1202 1203 * Converted more packet handling methods to CBB, which improves 1204 resiliency when generating TLS messages. 1205 1206 * Completed TLS extension handling rewrite, improving consistency of 1207 checks for malformed and duplicate extensions. 1208 1209 * Rewrote ASN1_TYPE_{get,set}_octetstring() using templated ASN.1. 1210 This removes the last remaining use of the old M_ASN1_* macros 1211 (asn1_mac.h) from API that needs to continue to exist. 1212 1213 * Added support for client-side session resumption in libtls. 1214 A libtls client can specify a session file descriptor (a regular 1215 file with appropriate ownership and permissions) and libtls will 1216 manage reading and writing of session data across TLS handshakes. 1217 1218 * Improved support for strict alignment on ARMv7 architectures, 1219 conditionally enabling assembly in those cases. 1220 1221 * Fixed a memory leak in libtls when reusing a tls_config. 1222 1223 * Merged more DTLS support into the regular TLS code path, removing 1224 duplicated code. 1225 1226 * Many improvements to Windows Cmake-based builds and tests, 1227 especially when targeting Visual Studio. 1228 12292.6.4 - Bug fixes 1230 1231 * Make tls_config_parse_protocols() work correctly when passed a NULL 1232 pointer for a protocol string. Issue found by semarie@, who also 1233 provided the diff. 1234 1235 * Correct TLS extensions handling when no extensions are present. 
1236 If no TLS extensions are present in a client hello or server hello, 1237 omit the entire extensions block, rather than including it with a 1238 length of zero. Thanks to Eric Elena <eric at voguemerry dot com> for 1239 providing packet captures and testing the fix. 1240 1241 * Fixed portable builds on older Android systems, and systems with out 1242 IPV6_TCLASS support. 1243 12442.6.3 - OpenBSD 6.2 Release 1245 1246 * No core changes from LibreSSL 2.6.2 1247 1248 * Minor compatibility fixes in portable version. 1249 12502.6.2 - Bug fixes 1251 1252 * Provide a useful error with libtls if there are no OCSP URLs in a 1253 peer certificate. 1254 1255 * Keep track of which keypair is in use by a TLS context, fixing a bug 1256 where a TLS server with SNI would only return the OCSP staple for the 1257 default keypair. Issue reported by William Graeber and confirmed by 1258 Andreas Bartelt. 1259 1260 * Fixed various issues in the OCSP extension parsing code. 1261 The original code incorrectly passes the pointer allocated via 1262 CBS_stow() (using malloc()) to a d2i_*() function and then calls 1263 free() on the now incremented pointer, most likely resulting in a 1264 crash. This issue was reported by Robert Swiecki who found the issue 1265 using honggfuzz. 1266 1267 * If tls_config_parse_protocols() is called with a NULL pointer, 1268 return the default protocols instead of crashing - this makes the 1269 behaviour more useful and mirrors what we already do in 1270 tls_config_set_ciphers() et al. 1271 12722.6.1 - Code removal, rewrites 1273 1274 * Added a "-T tlscompat" option to nc(1), which enables the use of all 1275 TLS protocols and "compat" ciphers. This allows for TLS connections 1276 to TLS servers that are using less than ideal cipher suites, without 1277 having to resort to "-T tlsall" which enables all known cipher 1278 suites. Diff from Kyle J. McKay. 
1279 1280 * Added a new TLS extension handling framework, somewhat analogous to 1281 BoringSSL, and converted all TLS extensions to use it. Added new TLS 1282 extension regression tests. 1283 1284 * Improved and added many new manpages. Updated *check_private_key 1285 manpages with additional cautions regarding their use. 1286 1287 * Cleaned up the EC key/curve configuration handling. 1288 1289 * Added tls_config_set_ecdhecurves() to libtls, which allows the names 1290 of the eliptical curves that may be used during client and server 1291 key exchange to be specified. 1292 1293 * Converted more code paths to use CBB/CBS. 1294 1295 * Removed support for DSS/DSA, since we removed the cipher suites a 1296 while back. 1297 1298 * Removed NPN support. NPN was never standardised and the last draft 1299 expired in October 2012. ALPN was standardised in July 2014 and has 1300 been supported in LibreSSL since December 2014. NPN has also been 1301 removed from Chromium in May 2016. 1302 1303 * Removed SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken 1304 CryptoPro clients. 1305 1306 * Removed support for the TLS padding extension, which was added as a 1307 workaround for an old bug in F5's TLS termination. 1308 1309 * Worked around another bug in F5's TLS termination handling of the 1310 elliptical curves extension. RFC 4492 only defines elliptic_curves 1311 for ClientHello. However, F5 is sending it in ServerHello. We need 1312 to skip over it since our TLS extension parsing code is now more 1313 strict. Thanks to Armin Wolfermann and WJ Liu for reporting. 1314 1315 * Added ability to clamp notafter valies in certificates for systems 1316 with 32-bit time_t. This is necessary to conform to RFC 5280 1317 4.1.2.5. 1318 1319 * Implemented the SSL_CTX_set_min_proto_version(3) API. 1320 1321 * Removed the original (pre-IETF) chacha20-poly1305 cipher suites. 1322 1323 * Reclassified ECDHE-RSA-DES-CBC3-SHA from HIGH to MEDIUM. 
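
The 2.6.x and 2.7.0 entries above touch three extension-handling rules
that are easy to get wrong: a hello with no extensions omits the block
entirely instead of sending a zero length (2.6.4), the parser rejects
malformed and duplicate extensions (2.6.1, 2.7.0), and a ServerHello that
carries elliptic_curves is skipped rather than treated as fatal, to
interoperate with the F5 terminators mentioned in 2.6.1. The following C
is an added illustration written for this page, not LibreSSL's own
tlsext or CBS/CBB code: the cursor type, the extension-type list, the
`sh_allowed` table and the sample bytes in `demo_roundtrip()` are all
assumptions made for the example, and per-type payload parsing is left
out.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct { const uint8_t *p; size_t len; } cbs;	/* CBS-style bounds-checked cursor */

static int cbs_get_u16(cbs *c, uint16_t *v)
{
	if (c->len < 2)
		return 0;
	*v = (uint16_t)((c->p[0] << 8) | c->p[1]);
	c->p += 2, c->len -= 2;
	return 1;
}

/* Read a 16-bit length prefix and split that many bytes off into *out. */
static int cbs_get_u16_prefixed(cbs *c, cbs *out)
{
	uint16_t n;
	if (!cbs_get_u16(c, &n) || c->len < n)
		return 0;
	out->p = c->p, out->len = n;
	c->p += n, c->len -= n;
	return 1;
}

/* IANA extension types (RFC 6066, 4492, 7301, 5746). */
enum { TLSEXT_server_name = 0x0000, TLSEXT_elliptic_curves = 0x000a,
       TLSEXT_ec_point_formats = 0x000b, TLSEXT_alpn = 0x0010, TLSEXT_renegotiate = 0xff01 };

/* Types this example lets a server echo in a ServerHello (an assumption). */
static const uint16_t sh_allowed[] =
    { TLSEXT_server_name, TLSEXT_ec_point_formats, TLSEXT_alpn, TLSEXT_renegotiate };

/*
 * Parse a hello's extensions block. Returns the number of extensions, or -1 if
 * the block is truncated, has trailing bytes, or repeats a type. Unknown types
 * are ignored in a ClientHello; a ServerHello may only carry sh_allowed types,
 * except that elliptic_curves (ClientHello-only per RFC 4492) is skipped rather
 * than rejected because some F5 terminators send it. An absent block is fine.
 */
int tls_parse_extensions(const uint8_t *buf, size_t len, int is_server_hello)
{
	cbs c = { buf, len }, exts, data;
	uint8_t seen[8192] = { 0 };	/* one bit per possible extension type */
	uint16_t type;
	size_t i;
	int ok, count = 0;
	if (len == 0)
		return 0;
	if (!cbs_get_u16_prefixed(&c, &exts) || c.len != 0)
		return -1;
	while (exts.len > 0) {
		if (!cbs_get_u16(&exts, &type) || !cbs_get_u16_prefixed(&exts, &data))
			return -1;
		if (seen[type >> 3] & (1 << (type & 7)))
			return -1;	/* duplicate extension */
		seen[type >> 3] |= (uint8_t)(1 << (type & 7));
		ok = !is_server_hello || type == TLSEXT_elliptic_curves; /* F5 workaround */
		for (i = 0; i < sizeof(sh_allowed) / sizeof(sh_allowed[0]); i++)
			ok |= (sh_allowed[i] == type);
		if (!ok)
			return -1;
		count++;	/* per-type parsing of `data' would go here */
	}
	return count;
}

typedef struct { uint16_t type; const uint8_t *data; size_t len; } tls_ext;	/* type + opaque payload */

/* Serialise an extensions block. With zero extensions nothing is written: the
 * block is omitted instead of sent with length zero. Returns bytes written, or
 * -1 if cap is too small or the total exceeds 2^16-1. */
int tls_build_extensions(uint8_t *out, size_t cap, const tls_ext *e, size_t n)
{
	size_t total = 0, off = 2, i;
	if (n == 0)
		return 0;
	for (i = 0; i < n; i++)
		total += 4 + e[i].len;
	if (total > 0xffff || cap < 2 + total)
		return -1;
	out[0] = (uint8_t)(total >> 8), out[1] = (uint8_t)total;
	for (i = 0; i < n; i++) {
		out[off++] = (uint8_t)(e[i].type >> 8), out[off++] = (uint8_t)e[i].type;
		out[off++] = (uint8_t)(e[i].len >> 8), out[off++] = (uint8_t)e[i].len;
		if (e[i].len > 0)
			memcpy(out + off, e[i].data, e[i].len);
		off += e[i].len;
	}
	return (int)off;
}

/* Constructed sample (not a capture): empty server_name + ec_point_formats
 * [uncompressed]; build it, parse it back and return the count (2). */
int demo_roundtrip(void)
{
	const tls_ext e[] = { { TLSEXT_server_name, NULL, 0 }, { TLSEXT_ec_point_formats, (const uint8_t *)"\x00", 1 } };
	uint8_t out[32];
	int n = tls_build_extensions(out, sizeof(out), e, 2);
	return n == 11 ? tls_parse_extensions(out, (size_t)n, 0) : -1;
}
```

The two helpers at the top are the whole point: every read is checked
against the remaining length before the pointer moves, so a declared
length larger than the buffer, or bytes left over after the block, is a
parse error rather than an out-of-bounds read. Real TLS code additionally
has to reject ServerHello extensions the client never offered, which the
fixed `sh_allowed` table does not model.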

2.6.0 - New APIs, bug fixes and improvements

 * Added support for providing CRLs to libtls. Once a CRL is provided we
   enable CRL checking for the full certificate chain. Based on a diff
   from Jack Burton

 * Allow non-compliant clients using IP literal addresses with SNI
   to connect to a server using libtls.

 * Avoid a potential NULL pointer dereference in d2i_ECPrivateKey().
   Reported by Robert Swiecki, who found the issue using honggfuzz.

 * Added definitions for three OIDs used in EV certificates.
   From Kyle J. McKay

 * Added tls_peer_cert_chain_pem to libtls, useful in private
   certificate validation callbacks such as those in relayd.

 * Converted explicit clear/free sequences to use freezero(3).

 * Reworked TLS certificate name verification code to more strictly
   follow RFC 6125.

 * Cleaned up and simplified server key exchange EC point handling.

 * Added tls_keypair_clear_key for clearing key material.

 * Removed inconsistent IPv6 handling from BIO_get_accept_socket,
   simplified BIO_get_host_ip and BIO_accept.

 * Fixed the openssl(1) ca command so that it generates certificates
   with RFC 5280-conformant time. Problem noticed by Harald Dunkel.

 * Added ASN1_TIME_set_tm to set an ASN1_TIME from a struct tm *

 * Added SSL{,_CTX}_set_{min,max}_proto_version() functions.

 * Added HKDF (HMAC-based Key Derivation Function) from BoringSSL

 * Provided a tls_unload_file() function that frees the memory returned
   from a tls_load_file() call, ensuring that the contents become
   inaccessible. This is specifically needed on platforms where the
   library allocators may be different from the application allocator.

 * Perform reference counting for tls_config. This allows
   tls_config_free() to be called as soon as it has been passed to the
   final tls_configure() call, simplifying lifetime tracking for the
   application.

 * Moved internal state of SSL and other structures to be opaque.

 * Dropped cipher suites with DSS authentication.

 * nc(1) improvements, including:
     nc -W to terminate nc after receiving a number of packets
     nc -Z for saving the peer certificate and chain in a pem file

2.5.5 - Bug fixes

 * Distinguish between self-issued certificates and self-signed
   certificates. The certificate verification code has special cases
   for self-signed certificates and without this change, self-issued
   certificates (which it seems are commonplace with
   openvpn/easyrsa) were also being included in this category.

 * Added getpagesize fallback, needed for Android bionic libc.

2.5.4 - Security Updates

 * Revert a previous change that forced consistency between return
   value and error code when specifying a certificate verification
   callback, since this breaks the documented API. When a user supplied
   callback always returns 1, and later code checks the error code to
   potentially abort post verification, this will result in incorrect
   successful certificate verification.

 * Switched Linux getrandom() usage to non-blocking mode, continuing to
   use fallback mechanisms if unsuccessful. This works around a design
   flaw in Linux getrandom(2) where early boot usage in a library makes
   it impossible to recover if getrandom(2) is not yet initialized.

 * Fixed a bug caused by the return value being set early to signal
   successful DTLS cookie validation. This can mask a later failure and
   result in a positive return value being returned from
   ssl3_get_client_hello(), when it should return a negative value to
   propagate the error.

 * Fixed a build error on non-x86/x86_64 systems running Solaris.

2.5.3 - OpenBSD 6.1 Release

 * Documentation updates

 * Improved ocspcheck(1) error handling

2.5.2 - Security features and bugfixes

 * Added the recallocarray(3) memory allocation function, and converted
   various places in the library to use it, such as CBB and BUF_MEM_grow.
   recallocarray(3) is similar to reallocarray. Newly allocated memory
   is cleared similar to calloc(3). Memory that becomes unallocated
   while shrinking or moving existing allocations is explicitly
   discarded by unmapping or clearing to 0

 * Added new root CAs from SECOM Trust Systems / Security Communication
   of Japan.

 * Added EVP interface for MD5+SHA1 hashes.

 * Fixed DTLS client failures when the server sends a certificate
   request.

 * Correct handling of padding when upgrading an SSLv2 challenge into
   an SSLv3/TLS connection.

 * Allow protocols and ciphers to be set on a TLS config object in
   libtls.

 * Improved nc(1) TLS handshake CPU usage and server-side error
   reporting.

2.5.1 - Bug and security fixes, new features, documentation updates

 * X509_cmp_time() now reports a malformed GeneralizedTime field as an
   error. Reported by Theofilos Petsios.

 * Detect zero-length encrypted session data early, instead of when
   malloc(0) fails or the HMAC check fails. Noted independently by
   jsing@ and Kurt Cancemi.

 * Check for and handle failure of HMAC_{Update,Final} or
   EVP_DecryptUpdate().

 * Massive update and normalization of manpages, conversion to
   mandoc format. Many pages were rewritten for clarity and accuracy.
   Portable doc links are up-to-date with a new conversion tool.

 * Curve25519 Key Exchange support.

 * Support for alternate chains for certificate verification.

 * Code cleanups, CBS conversions, further unification of DTLS/SSL
   handshake code, further ASN1 macro expansion and removal.

 * Private symbols are now hidden in libssl and libcrypto.

 * Friendly certificate verification error messages in libtls, peer
   verification is now always enabled.

 * Added OCSP stapling support to libtls and netcat.

 * Added ocspcheck utility to validate a certificate against its OCSP
   responder and save the reply for stapling

 * Enhanced regression tests and error handling for libtls.

 * Added explicit constant and non-constant time BN functions,
   defaulting to constant time wherever possible.

 * Moved many leaked implementation details in public structs behind
   opaque pointers.

 * Added ticket support to libtls.

 * Added support for setting the supported EC curves via
   SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
   SSL{_CTX}_set1_curves{_list} names. This also changes the default
   list of curves to be X25519, P-256 and P-384. All other curves must
   be manually enabled.

 * Added -groups option to openssl(1) s_client for specifying the curves
   to be used in a colon-separated list.

 * Merged client/server version negotiation code paths into one,
   reducing much duplicate code.

 * Removed error function codes from libssl and libcrypto.

 * Fixed an issue where a truncated packet could crash via an OOB read.

 * Added SSL_OP_NO_CLIENT_RENEGOTIATION option that disallows
   client-initiated renegotiation. This is the default for libtls
   servers.

 * Avoid a side-channel cache-timing attack that can leak the ECDSA
   private keys when signing. This is due to BN_mod_inverse() being
   used without the constant time flag being set. Reported by Cesar
   Pereida Garcia and Billy Brumley (Tampere University of Technology).
   The fix was developed by Cesar Pereida Garcia.

 * iOS and MacOS compatibility updates from Simone Basso and Jacob
   Berkman.

2.5.0 - New APIs, bug fixes and improvements

 * libtls now supports ALPN and SNI

 * libtls adds a new callback interface for integrating custom IO
   functions. Thanks to Tobias Pape.

 * libtls now handles 4 cipher suite groups:
     "secure" (TLSv1.2+AEAD+PFS)
     "compat" (HIGH:!aNULL)
     "legacy" (HIGH:MEDIUM:!aNULL)
     "insecure" (ALL:!aNULL:!eNULL)

   This allows for flexibility and finer grained control, rather than
   having two extremes (an issue raised by Marko Kreen some time ago).

 * Tightened error handling for tls_config_set_ciphers().

 * libtls now always loads CA, key and certificate files at the time the
   configuration function is called. This simplifies code and results in
   a single memory based code path being used to provide data to libssl.

 * Add support for OCSP intermediate certificates.

 * Added functions used by stunnel and exim from BoringSSL - this
   brings in X509_check_host, X509_check_email, X509_check_ip, and
   X509_check_ip_asc.

 * Added initial support for iOS, thanks to Jacob Berkman.

 * Improved behavior of arc4random on Windows when using memory leak
   analysis software.

 * Correctly handle an EOF that occurs prior to the TLS handshake
   completing. Reported by Vasily Kolobkov, based on a diff from Marko
   Kreen.

 * Limit the support of the "backward compatible" ssl2 handshake to
   only be used if TLS 1.0 is enabled.

 * Fixed BN_mod_word() returning incorrect results in certain cases on
   64-bit systems. BN_mod_word() can now return an error condition.
   Thanks to Brian Smith.

 * Added constant-time updates to address CVE-2016-0702

 * Fixed undefined behavior in BN_GF2m_mod_arr()

 * Removed the unused Cryptographic Message Syntax (CMS) code

 * More conversions of long long idioms to time_t

 * Improved compatibility by avoiding printing NULL strings with
   printf.

 * Reverted change that cleans up the EVP cipher context in
   EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the
   previous behaviour.

 * Avoid unbounded memory growth in libssl, which can be triggered by a
   TLS client repeatedly renegotiating and sending OCSP Status Request
   TLS extensions.

 * Avoid falling back to a weak digest for (EC)DH when using SNI with
   libssl.

2.4.2 - Bug fixes and improvements

 * Fixed loading default certificate locations with openssl s_client.

 * Ensured OCSP only uses and compares GENERALIZEDTIME values as per
   RFC 6960. Also added fixes for OCSP to work with intermediate
   certificates provided in responses.

 * Improved behavior of arc4random on Windows to not appear to leak
   memory in debug tools, reduced privileges of allocated memory.

 * Fixed incorrect results from BN_mod_word() when the modulus is too
   large, thanks to Brian Smith from BoringSSL.

 * Correctly handle an EOF prior to completing the TLS handshake in
   libtls.

 * Improved libtls certificate loading and cipher string validation.

 * Updated libtls cipher group suites into four categories:
     "secure" (TLSv1.2+AEAD+PFS)
     "compat" (HIGH:!aNULL)
     "legacy" (HIGH:MEDIUM:!aNULL)
     "insecure" (ALL:!aNULL:!eNULL)
   This allows for flexibility and finer grained control, rather than
   having two extremes.

 * Limited support for 'backward compatible' SSLv2 handshake packets to
   when TLS 1.0 is enabled, providing more restricted compatibility
   with TLS 1.0 clients.

 * openssl(1) and other documentation improvements.

 * Removed flags for disabling constant-time operations.
   This removes support for DSA_FLAG_NO_EXP_CONSTTIME,
   DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making
   all of these operations unconditionally constant-time.

2.4.1 - Security fix

 * Correct a problem that prevents the DSA signing algorithm from
   running in constant time even if the flag BN_FLG_CONSTTIME is set.
   This issue was reported by Cesar Pereida (Aalto University), Billy
   Brumley (Tampere University of Technology), and Yuval Yarom (The
   University of Adelaide and NICTA). The fix was developed by Cesar
   Pereida.

2.4.0 - Build improvements, new features

 * Many improvements to the CMake build infrastructure, including
   Solaris, mingw-w64, Cygwin, and HP-UX support. Thanks to Kinichiro
   Inoguchi for this work.

 * Added missing error handling around bn_wexpand() calls.

 * Added explicit_bzero calls for freed ASN.1 objects.

 * Fixed X509_*set_object functions to return 0 on allocation failure.

 * Implemented the IETF ChaCha20-Poly1305 cipher suites.

 * Changed the EVP_aead_chacha20_poly1305() implementation to the
   IETF version, which is now the default.

 * Fixed password prompts from openssl(1) to properly handle ^C.

 * Reworked error handling in libtls so that configuration errors are
   visible.

 * Deprecated internal use of EVP_[Cipher|Encrypt|Decrypt]_Final.

 * Manpage fixes and updates

2.3.5 - Reliability fix

 * Fixed an error in libcrypto when parsing some ASN.1 elements > 16k.

2.3.4 - Security Update

 * Fix multiple vulnerabilities in libcrypto relating to ASN.1 and encoding.
   From OpenSSL.

 * Minor build fixes

2.3.3 - OpenBSD 5.9 release branch tagged

 * Reworked build scripts to better sync with OpenNTPD-portable

 * Fixed broken manpage links

 * Fixed an nginx compatibility issue by adding an 'install_sw' make alias

 * Fixed HP-UX builds

 * Changed the default configuration directory to c:\LibreSSL\ssl on Windows
   binary builds

 * cert.pem has been reorganized and synced with Mozilla's certificate store

2.3.2 - Compatibility and Reliability fixes

 * Changed format of LIBRESSL_VERSION_NUMBER to match that of
   OPENSSL_VERSION_NUMBER, see:
   https://wiki.openssl.org/index.php/Manual:OPENSSL_VERSION_NUMBER(3)

 * Added EVP_aead_chacha20_poly1305_ietf() which matches the AEAD
   construction introduced in RFC 7539, which is different from that
   already used in TLS with EVP_aead_chacha20_poly1305()

 * Avoid a potential undefined C99+ behavior due to shift overflow in
   AES_decrypt, reported by Pascal Cuoq <cuoq at trust-in-soft.com>

 * More man pages converted from pod to mdoc format

 * Added COMODO RSA Certification Authority and QuoVadis
   root certificates to cert.pem

 * Removed "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification
   Authority" (serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be) root
   certificate from cert.pem

 * Added support for building nc(1) on Solaris

 * Fixed GCC 5.x+ preprocessor checks, reported by Ruslan Babayev

 * Improved console handling with openssl(1) on Windows

 * Ensure the network stack is enabled on Windows when running
   tls_init()

 * Fixed incorrect TLS certificate loading by nc(1)

 * Added support for Solaris 11.3's getentropy(2) system call

 * Enabled support for using NetBSD 7.0's arc4random(3) implementation

 * Deprecated the SSL_OP_SINGLE_DH_USE flag by disabling its effect

 * Fixes from OpenSSL 1.0.1q
   - CVE-2015-3194 - NULL pointer dereference in client side certificate
     validation.
   - CVE-2015-3195 - Memory leak in PKCS7 - not reachable from TLS/SSL

 * The following OpenSSL CVEs did not apply to LibreSSL
   - CVE-2015-3193 - Carry propagating bug in the x86_64 Montgomery
     squaring procedure.
   - CVE-2015-3196 - Double free race condition of the identity hint
     data.

   See https://marc.info/?l=openbsd-announce&m=144925068504102

2.3.1 - ASN.1 and time handling cleanups

 * ASN.1 cleanups and RFC 5280 compliance fixes.

 * Time representations switched from 'unsigned long' to 'time_t'. LibreSSL
   now checks if the host OS supports 64-bit time_t.

 * Fixed a leak in SSL_new in the error path.

 * Support always extracting the peer cipher and version with libtls.

 * Added ability to check certificate validity times with libtls,
   tls_peer_cert_notbefore and tls_peer_cert_notafter.

 * Changed tls_connect_servername to use the first address that resolves with
   getaddrinfo().

 * Removed broken conditional EVP_CHECK_DES_KEY code (non-functional since
   initial commit in 2004).

 * Fixed a memory leak and out-of-bounds access in OBJ_obj2txt, reported
   by Qualys Security.

 * Fixed an up-to 7 byte overflow in RC4 when len is not a multiple of
   sizeof(RC4_CHUNK), reported by Pascal Cuoq <cuoq at trust-in-soft.com>.

 * Reject too small bits value in BN_generate_prime_ex(), so that it does
   not risk becoming negative in probable_prime_dh_safe(), reported by
   Franck Denis.

 * Enable nc(1) builds on more platforms.

2.3.0 - SSLv3 removed, libtls API changes, portability improvements

 * SSLv3 is now permanently removed from the tree.

 * The libtls API is changed from the 2.2.x series.

   The read/write functions work correctly with external event
   libraries. See the tls_init man page for examples of using libtls
   correctly in asynchronous mode.

   Client-side verification is now supported, with the client supplying
   the certificate to the server.

   Also, when using tls_connect_fds, tls_connect_socket or
   tls_accept_fds, libtls no longer implicitly closes the passed in
   sockets. The caller is responsible for closing them in this case.

 * When loading a DSA key from a raw (without domain parameters) ASN.1
   serialization, perform some consistency checks on its `p' and `q'
   values, and return an error if the checks fail.

   Thanks to Georgi Guninski (guninski at guninski dot com) for
   mentioning the possibility of a weak (non prime) q value and
   providing a test case.

   See
   https://cpunks.org/pipermail/cypherpunks/2015-September/009007.html
   for a longer discussion.

 * Fixed a bug in ECDH_compute_key that can lead to silent truncation
   of the result key without error. A coding error could cause software
   to use much shorter keys than intended.

 * Removed support for DTLS_BAD_VER. Pre-DTLSv1 implementations are no
   longer supported.

 * The engine command and parameters are removed from openssl(1).
   Previous releases removed dynamic and builtin engine support
   already.

 * SHA-0 is removed, which was withdrawn shortly after publication 20
   years ago.

 * Added Certplus CA root certificate to the default cert.pem file.

 * New interface OPENSSL_cpu_caps is provided that does not allow
   software to inadvertently modify cpu capability flags.
   OPENSSL_ia32cap and OPENSSL_ia32cap_loc are removed.

 * The out_len argument of AEAD changed from ssize_t to size_t.

 * Deduplicated DTLS code, sharing bugfixes and improvements with
   TLS.
1822 1823 * Converted 'nc' to use libtls for client and server operations; it is 1824 included in the libressl-portable distribution as an example of how 1825 to use the library. 1826 18272.2.3 - Bug fixes, build enhancements 1828 1829 * LibreSSL 2.2.2 incorrectly handles ClientHello messages that do not 1830 include TLS extensions, resulting in such handshakes being aborted. 1831 This release corrects the handling of such messages. Thanks to 1832 Ligushka from github for reporting the issue. 1833 1834 * Added install target for cmake builds. Thanks to TheNietsnie from 1835 github. 1836 1837 * Updated pkgconfig files to correctly report the release version 1838 number, not the individual library ABI version numbers. Thanks to 1839 Jan Engelhardt for reporting the issue. 1840 18412.2.2 - More TLS parser rework, bug fixes, expanded portable build support 1842 1843 * Switched 'openssl dhparam' default from 512 to 2048 bits 1844 1845 * Reworked openssl(1) option handling 1846 1847 * More CRYPTO ByteString (CBC) packet parsing conversions 1848 1849 * Fixed 'openssl pkeyutl -verify' to exit with a 0 on success 1850 1851 * Fixed dozens of Coverity issues including dead code, memory leaks, 1852 logic errors and more. 1853 1854 * Ensure that openssl(1) restores terminal echo state after reading a 1855 password. 1856 1857 * Incorporated fix for OpenSSL Issue #3683 1858 1859 * LibreSSL version define LIBRESSL_VERSION_NUMBER will now be bumped 1860 for each portable release. 1861 1862 * Removed workarounds for TLS client padding bugs. 1863 1864 * No longer disable ECDHE-ECDSA on OS X 1865 1866 * Removed SSLv3 support from openssl(1) 1867 1868 * Removed IE 6 SSLv3 workarounds. 1869 1870 * Modified tls_write in libtls to allow partial writes, clarified with 1871 examples in the documentation. 1872 1873 * Removed RSAX engine 1874 1875 * Tested SSLv3 removal with the OpenBSD ports tree and found several 1876 applications that were not ready to build without SSLv3 yet. 
For 1877 now, building a program that intentionally uses SSLv3 will result in 1878 a linker warning. 1879 1880 * Added TLS_method, TLS_client_method and TLS_server_method as a 1881 replacement for the SSLv23_*method calls. 1882 1883 * Added initial cmake build support, including support for building with 1884 Visual Studio, currently tested with Visual Studio 2013 Community 1885 Edition. 1886 1887 * --with-enginesdir is removed as a configuration parameter 1888 1889 * Default cert.pem, openssl.cnf, and x509v3.cnf files are now 1890 installed under $sysconfdir/ssl or the directory specified by 1891 --with-openssldir. Previous versions of LibreSSL left these empty. 1892 18932.2.1 - Build fixes, feature added, features removed 1894 1895 * Assorted build fixes for musl, HP-UX, Mingw, Solaris. 1896 1897 * Initial support for Windows Embedded 2009, Server 2003, XP 1898 1899 * Protocol parsing conversions to BoringSSL's CRYPTO ByteString (CBS) API 1900 1901 * Added EC_curve_nid2nist and EC_curve_nist2nid from OpenSSL 1902 1903 * Removed Dynamic Engine support 1904 1905 * Removed unused and obsolete MDC-2DES cipher 1906 1907 * Removed workarounds for obsolete SSL implementations 1908 19092.2.0 - Build cleanups and new OS support, Security Updates 1910 1911 * AIX Support - thanks to Michael Felt 1912 1913 * Cygwin Support - thanks to Corinna Vinschen 1914 1915 * Refactored build macros, support packaging libtls independently. 1916 There are more pieces required to support building and using OpenSSL 1917 with libtls, but this is an initial start at providing an 1918 independent package for people to start hacking on. 1919 1920 * Removal of OPENSSL_issetugid and all library getenv calls. 1921 Applications can and should no longer rely on environment variables 1922 for changing library behavior. OPENSSL_CONF/SSLEAY_CONF is still 1923 supported with the openssl(1) command. 
1924 1925 * libtls API and documentation additions 1926 1927 * Various bug fixes and simplifications to libssl and libcrypto 1928 1929 * Fixes for the following issues are integrated into LibreSSL 2.2.0: 1930 - CVE-2015-1788 - Malformed ECParameters causes infinite loop 1931 - CVE-2015-1789 - Exploitable out-of-bounds read in X509_cmp_time 1932 - CVE-2015-1792 - CMS verify infinite loop with unknown hash function 1933 1934 * The following CVEs did not apply to LibreSSL or were fixed in 1935 earlier releases: 1936 - CVE-2015-4000 - DHE man-in-the-middle protection (Logjam) 1937 - CVE-2015-1790 - PKCS7 crash with missing EnvelopedContent 1938 - CVE-2014-8176 - Invalid free in DTLS 1939 1940 * Fixes for the following CVEs are still in review for LibreSSL 1941 - CVE-2015-1791 - Race condition handling NewSessionTicket 1942 19432.1.6 - Security update 1944 1945 * Fixes for the following issues are integrated into LibreSSL 2.1.6: 1946 - CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error 1947 - CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp 1948 - CVE-2015-0287 - ASN.1 structure reuse memory corruption 1949 - CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref 1950 - CVE-2015-0289 - PKCS7 NULL pointer dereferences 1951 1952 * The fix for CVE-2015-0207 - Segmentation fault in DTLSv1_listen 1953 is integrated for safety, but LibreSSL is not vulnerable. 1954 1955 * Libtls is now built by default. The --enable-libtls 1956 configuration option is no longer required. 1957 The libtls API is now stable for the 2.1.x series. 1958 19592.1.5 - Bug fixes and a security update 1960 * Fix incorrect comparison function in openssl(1) certhash command. 1961 Thanks to Christian Neukirchen / Void Linux. 1962 1963 * Windows port improvements and bug fixes. 1964 - Removed a dependency on libgcc in 32-bit dynamic libraries. 1965 - Correct a hang in openssl(1) reading from stdin on an connection. 
1966 - Initialize winsock in openssl(1) earlier, allow 'openssl ocsp' and 1967 any other network-related commands to function properly. 1968 1969 * Reject all server DH keys smaller than 1024 bits. 1970 19712.1.4 - Security and feature updates 1972 * Improvements to libtls: 1973 - a new API for loading CA chains directly from memory instead of a 1974 file, allowing verification with privilege separation in a chroot 1975 without direct access to CA certificate files. 1976 1977 - Ciphers default to TLSv1.2 with AEAD and PFS. 1978 1979 - Improved error handling and message generation 1980 1981 - New APIs and improved documentation 1982 1983 * Added X509_STORE_load_mem API for loading certificates from memory. 1984 This facilitates accessing certificates from a chrooted environment. 1985 1986 * New AEAD "MAC alias" allows configuring TLSv1.2 AEAD ciphers by 1987 using 'TLSv1.2+AEAD' as the cipher selection string. 1988 1989 * Dead and disabled code removal including MD5, Netscape workarounds, 1990 non-POSIX IO, SCTP, RFC 3779 support, many #if 0 sections, and more. 1991 1992 * ASN1 macro maze expanded to aid reading and searching the code. 1993 1994 * NULL pointer asserts removed in favor of letting the OS/signal 1995 handler catch them. 1996 1997 * Refactored argument handling in openssl(1) for consistency and 1998 maintainability. 1999 2000 * New openssl(1) command 'certhash' replaces the c_rehash script. 2001 2002 * Support for building with OPENSSL_NO_DEPRECATED 2003 2004 * Server-side support for TLS_FALLBACK_SCSV for compatibility with 2005 various auditor and vulnerability scanners. 2006 2007 * Dozens of issues found with the Coverity scanner fixed. 2008 2009 * Security Updates: 2010 2011 - Fix a minor information leak that was introduced in t1_lib.c 2012 r1.71, whereby an additional 28 bytes of .rodata (or .data) is 2013 provided to the network. In most cases this is a non-issue since 2014 the memory content is already public. 
Issue found and reported by 2015 Felix Groebert of the Google Security Team. 2016 2017 - Fixes for the following low-severity issues were integrated into 2018 LibreSSL from OpenSSL 1.0.1k: 2019 2020 CVE-2015-0205 - DH client certificates accepted without 2021 verification 2022 CVE-2014-3570 - Bignum squaring may produce incorrect results 2023 CVE-2014-8275 - Certificate fingerprints can be modified 2024 CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client] 2025 Reported by Karthikeyan Bhargavan of the PROSECCO team at INRIA. 2026 2027 The following CVEs were fixed in earlier LibreSSL releases: 2028 CVE-2015-0206 - Memory leak handling repeated DLTS records 2029 CVE-2014-3510 - Flaw handling DTLS anonymous EC(DH) ciphersuites. 2030 2031 The following CVEs did not apply to LibreSSL: 2032 CVE-2014-3571 - DTLS segmentation fault in dtls1_get_record 2033 CVE-2014-3569 - no-ssl3 configuration sets method to NULL 2034 CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA 2035 20362.1.3 - Security update and OS support improvements 2037 * Fixed various memory leaks in DTLS, including fixes for 2038 CVE-2015-0206. 2039 2040 * Added Application-Layer Protocol Negotiation (ALPN) support. 2041 2042 * Removed GOST R 34.10-94 signature authentication. 2043 2044 * Removed nonfunctional Netscape browser-hang workaround code. 2045 2046 * Simplified and refactored SSL/DTLS handshake code. 2047 2048 * Added SHA256 Camellia cipher suites for TLS 1.2 from RFC 5932. 2049 2050 * Hide timing info about padding errors during handshakes. 2051 2052 * Improved libtls support for non-blocking sockets, added randomized 2053 session ID contexts. Work is ongoing with this library - feedback 2054 and potential use-cases are welcome. 2055 2056 * Support building Windows DLLs. 2057 Thanks to Jan Engelhard. 2058 2059 * Packaged config wrapper for better compatibility with OpenSSL-based 2060 build systems. 
2061 Thanks to @technion from github 2062 2063 * Ensure the stack is marked non-executable for assembly sections. 2064 Thanks to Anthony G. Bastile. 2065 2066 * Enable extra compiler hardening flags by default, where applicable. 2067 The default set of hardening features can vary by OS to OS, so 2068 feedback is welcome on this. To disable the default hardening flags, 2069 specify '--disable-hardening' during configure. 2070 Thanks to Jim Barlow 2071 2072 * Initial HP-UX support, tested with HP-UX 11.31 ia64 2073 Thanks to Kinichiro Inoguchi 2074 2075 * Initial NetBSD support, tested with NetBSD 6.1.5 x86_64 2076 Imported from OpenNTPD, thanks to @gitisihara from github 2077 20782.1.2 - Many new features and improvements 2079 * Added reworked GOST cipher suite support 2080 thanks to Dmitry Eremin-Solenikov 2081 2082 * Enabled Camellia ciphers due to improved patent situation 2083 2084 * Use builtin arc4random implementation on OS X and FreeBSD 2085 this addresses some deficiencies in the native implementations of 2086 these operating systems, see commit logs for more information 2087 2088 * Added initial Windows mingw-w64 support (32 and 64-bit) 2089 thanks to Song Dongsheng and others for code and feedback 2090 2091 * Enabled assembly optimizations on x86_64 CPUs 2092 supports Linux, *BSD, Solaris and OS X operating systems 2093 thanks to Wouter Clarie for the initial implementation 2094 2095 * Added no_ssl3/no_tls1_1/no_tls1_2 options to openssl(1) 2096 2097 * Improved build infrastructure, 'make distcheck' now passes 2098 this simplifies and speeds developer efficiency 2099 thanks to Dmitry Eremin-Solenikov and Wouter Clarie 2100 2101 * Allow conditional building of the libtls library 2102 expect the API and ABI of the library to change 2103 feedback is welcome 2104 2105 * Fixes for more memory leaks, cleanups, etc. 
2106 21072.1.1 - Security update 2108 * Address POODLE attack by disabling SSLv3 by default 2109 2110 * Fix Eliptical Curve cipher selection bug 2111 (https://github.com/libressl-portable/portable/issues/35) 2112 21132.1.0 - First release from the OpenBSD 5.7 tree 2114 * Added support for automatic ephemeral EC keys 2115 2116 * Fixes for many memory leaks and overflows in error handlers 2117 2118 * The TLS padding extension (that works around bugs in F5 terminators) is 2119 off by default 2120 2121 * support for getrandom(2) on Linux 3.17 2122 2123 * the NO_ASM macro is no longer being set, providing the first bits toward 2124 enabling other assembly offloads. 2125 21262.0.5 - Fixes for CVEs from OpenSSL 1.0.1i 2127 * CVE-2014-3506 2128 * CVE-2014-3507 2129 * CVE-2014-3508 (partially vulnerable)he 2130 * CVE-2014-3509 2131 * CVE-2014-3510 2132 * CVE-2014-3511 2133 * Synced LibreSSL Portable with the release version of OpenBSD 5.6 2134 21352.0.4 - Portability fixes, deleted unused SRP code 2136 21372.0.3 - Portability fixes, improvements to fork detection 2138 21392.0.2 - Address arc4random fork PID wraparound issues with pthread_atfork 2140 21412.0.1 - Portability fixes: 2142 * Removed -Werror and and other non-portable compiler flags 2143 2144 * Allow setting OPENSSLDIR and ENGINSDIR 2145 21462.0.0 - First release from the OpenBSD 5.6 tree 2147 * Removal of many obsolete features and coding conventions from the OpenSSL 2148 1.0.1h source 2149