xref: /dragonfly/crypto/libressl/ChangeLog (revision de0e0e4d)
Because this project is maintained both in the OpenBSD tree using CVS and in
Git, it can be confusing to follow all of the changes.

Most of the libssl and libcrypto source code is here in OpenBSD CVS:

	http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/

Some of the libcrypto and OS-compatibility files for entropy and random number
generation are here:

	http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libcrypto/

A simplified TLS wrapper library is here:

	http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libtls/

The LibreSSL Portable project copies these portions of the OpenBSD tree, along
with relevant portions of the C library, to a Git repository. This makes it
easier to follow all of the relevant changes to the upstream project in a
single place:

	https://github.com/libressl-portable/openbsd

The portable bits of the project are largely maintained out-of-tree, and their
history is also available from Git:

	https://github.com/libressl-portable/portable

LibreSSL Portable Release Notes:

3.6.1 - Stable release

	* Bug fixes
	  - Custom verification callbacks could cause the X.509 verifier to
	    fail to store errors resulting from leaf certificate verification.
	    Reported by Ilya Shipitsin.
	  - Unbreak ASN.1 indefinite length encoding.
	    Reported by Niklas Hallqvist.

3.6.0 - Development release

	* Internal improvements
	  - Avoid expensive RFC 3779 checks during cert verification.
	  - The templated ASN.1 decoder has been cleaned up, refactored and
	    modernized, with parts rewritten using CBB and CBS.
	  - The ASN.1 time parser has been rewritten.
	  - Rewrite and fix ASN1_STRING_to_UTF8().
	  - Use asn1_abs_set_unused_bits() rather than inlining it.
	  - Simplify ec_asn1_group2curve().
	  - First pass at a clean up of ASN1_item_sign_ctx().
	  - ssl_txt.c was cleaned up.
	  - Internal function arguments and struct members have been changed
	    to size_t.
	  - Lots of missing error checks of the EVP API were added.
	  - Clean up and clarify BN_kronecker().
	  - Simplify ASN1_INTEGER_cmp().
	  - Rewrite ASN1_INTEGER_{get,set}() using CBS and CBB and reuse
	    the ASN1_INTEGER functions for ASN1_ENUMERATED.
	  - Use ASN1_INTEGER to parse and build {Z,}LONG_it.
	  - Refactored and cleaned up group (elliptic curve) handling in
	    t1_lib.c.
	  - Simplify certificate list handling code in the legacy server.
	  - Make CBB_finish() fail if *out_data is not NULL.
	  - Remove tls_buffer_set_data() and remove/revise callers.
	  - Rewrite SSL{_CTX,}_set_alpn_protos() using CBS.
	  - Simplify tlsext_supported_groups_server_parse().
	  - Remove redundant length checks in tlsext parse functions.
	  - Simplify tls13_server_encrypted_extensions_recv().
	  - Add read and write support to tls_buffer.
	  - Convert TLS transcript from BUF_MEM to tls_buffer.
	  - Clear key on exit in PKCS12_gen_mac().
	  - Minor fixes in PKCS12_parse().
	  - Provide and use a primitive clear function for BIGNUM_it.
	  - Use ASN1_INTEGER to encode/decode BIGNUM_it.
	  - Add stack frames to AES-NI x86_64 assembly.
	  - Use named initialisers for BIGNUMs.
	  - Tidy up some of BN_nist_mod_*.
	  - Expand BLOCK_CIPHER_* and related macros.
	  - Avoid shadowing the cbs function parameter in
	    tlsext_alpn_server_parse().
	  - Deduplicate peer certificate chain processing code.
	  - Make it possible to signal an error from an i2c_* function.
	  - Rewrite i2c_ASN1_INTEGER() using CBB/CBS.
	  - Remove UINT32_MAX limitation on ChaCha() and CRYPTO_chacha_20().
	  - Remove bogus length checks from EVP_aead_chacha20_poly1305().
	  - Reworked DSA_size() and ECDSA_size().
	  - Stop using CBIGNUM_it internal to libcrypto.
	  - Provide c2i_ASN1_ENUMERATED_cbs() and call it from
	    asn1_c2i_primitive().
	  - Ensure ASN.1 types are appropriately encoded.
	  - Avoid recycling ASN1_STRINGs when decoding ASN.1.
	  - Tidy up asn1_c2i_primitive() slightly.
	  - Mechanically expand IMPLEMENT_BLOCK_CIPHER, IMPLEMENT_CFBR,
	    BLOCK_CIPHER and the looney M_do_cipher macros.
	  - Use correct length for EVP CFB mode ciphers.
	  - Provide a version of ssl_msg_callback() that takes a CBS.
	  - Use CBS to parse TLS alerts in the legacy stack.
	  - Increment the input and output position for EVP AES CFB1.
	  - Ensure there is no trailing data for a CCS received by the
	    TLSv1.3 stack.
	  - Use CBS when processing a CCS message in the legacy stack.
	  - Be stricter with middlebox compatibility mode in the TLSv1.3
	    server.
	* Compatibility changes
	  - The ASN.1 time parser has been refactored and rewritten using CBS.
	    It has been made stricter in that it now enforces the rules from
	    RFC 5280.
	  - ASN1_AFLG_BROKEN was removed.
	  - Error check tls_session_secret_cb() like OpenSSL.
	  - Added ASN1_INTEGER_{get,set}_{u,}int64().
	  - Move leaf certificate checks to the last thing after chain
	    validation.
	  - Added -s option to openssl(1) ciphers that only shows the ciphers
	    supported by the specified protocol.
	  - Use TLS_client_method() instead of TLSv1_client_method() in
	    the openssl(1) ciphers command.
	  - Validate the protocols in SSL{_CTX,}_set_alpn_protos().
	  - Made TS and PKCS12 opaque.
	  - Per RFC 7292, safeContentsBag is a SEQUENCE OF, not a SET OF.
	  - Align PKCS12_key_gen_uni() with OpenSSL.
	  - Various PKCS12 and TS accessors were added. In particular, the
	    TS_RESP_CTX_set_time_cb() function was added back.
	  - Allow a NULL header in PEM_write{,_bio}().
	  - Allow empty attribute sets in CSRs.
	  - Adjust signatures of BIO_ctrl functions.
	  - Provide additional defines for EVP AEAD.
	  - Provide OPENSSL_cleanup().
	  - Make BIO_info_cb() identical to bio_info_cb().
	* Bug fixes
	  - Avoid use of an uninitialized value in BN_mod_exp_recp().
	  - Fix X509_get_extension_flags() by ensuring that EXFLAG_INVALID is
	    set on X509_get_purpose() failure.
	  - Fix HMAC() with a NULL key.
	  - Add ERR_load_{COMP,CT,KDF}_strings() to ERR_load_crypto_strings().
	  - Avoid strict aliasing violations in BN_nist_mod_*().
	  - Do not return X509_V_ERR_UNSPECIFIED from X509_check_ca().
	    No return value of X509_check_ca() indicates failure. Application
	    code should therefore issue a checked call to X509_check_purpose()
	    before calling X509_check_ca().
	  - Rewrite and fix X509v3_asid_subset() to avoid segfaults on some
	    valid input.
	  - Call the ASN1_OP_D2I_PRE callback after ASN1_item_ex_new().
	  - Fix d2i_ASN1_OBJECT() to advance the *der_in pointer correctly.
	  - Avoid use of an uninitialized value in ASN1_STRING_to_UTF8().
	  - Do not pass an uninitialized pointer to ASN1_STRING_to_UTF8().
	  - Do not refuse valid IPv6 addresses in nc(1)'s HTTP CONNECT proxy.
	  - Do not reject primes in trial divisions.
	  - Error out on negative shifts in BN_{r,l}shift() instead of
	    accessing arrays out of bounds.
	  - Fix URI name constraints, allowing URIs with no host part.
	  - Fix the legacy verifier callback behaviour for untrusted certs.
	  - Correct server-side handling of TLSv1.3 key updates.
	  - Plug leak in PKCS12_setup_mac().
	  - Plug leak in X509V3_add1_i2d().
	  - Only print X.509 versions we know about.
	  - Avoid signed integer overflow due to unary negation.
	  - Initialize readbytes in BIO_gets().
	  - Plug memory leak in CMS_add_simple_smimecap().
	  - Plug memory leak in X509_REQ_print_ex().
	  - Check HMAC() return value to avoid a later use of an uninitialized
	    value.
	  - Avoid potential NULL dereference in ssl_set_pkey().
	  - Check return values in ssl_print_tmp_key().
	  - Switch loop bounds from size_t to int in check_hosts().
	  - Avoid division by zero if no connection was made in s_time.c.
	  - Check sk_SSL_CIPHER_push() return value.
	  - Avoid out-of-bounds read in ssl_cipher_process_rulestr().
	  - Use LONG_MAX as the limit for ciphers with long based APIs.
	* New features
	  - EVP API for HKDF ported from OpenSSL and subsequently cleaned up.
	  - The security level API (SSL_{,CTX}_{get,set}_security_level()) is
	    now available. Callbacks and ex_data are not supported. Sane
	    software will not be using this.
	  - Experimental support for the BoringSSL QUIC API.
	  - Add initial support for TS ESSCertIDv2 verification.
	  - LibreSSL now uses the Baillie-PSW primality test instead of
	    Miller-Rabin.
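
The RFC 5280 time rules that the rewritten ASN.1 time parser now enforces (the
"Compatibility changes" entry above), as an added Python example that is not
LibreSSL's code: it decodes one DER UTCTime or GeneralizedTime element exactly
as RFC 5280 section 4.1.2.5 prescribes and rejects the encodings the RFC
forbids. It applies the RFC text literally, including the 2049/2050 split
between the two types; which of these checks LibreSSL itself applies is not
stated here, and all sample elements are constructed for this example.

```python
import re
from datetime import datetime, timezone

# ASN.1 universal tags for the two time types RFC 5280 permits in Validity.
TAG_UTCTIME = 0x17
TAG_GENERALIZEDTIME = 0x18

# RFC 5280 section 4.1.2.5: UTCTime is exactly YYMMDDHHMMSSZ and
# GeneralizedTime exactly YYYYMMDDHHMMSSZ.  Seconds are mandatory, the
# zone must be the literal 'Z', and fractional seconds are forbidden.
_UTC_RE = re.compile(rb"\A(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z\Z")
_GEN_RE = re.compile(rb"\A(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z\Z")


class ASN1TimeError(ValueError):
    """Raised for any encoding the RFC 5280 rules do not permit."""


def _split_tlv(der: bytes) -> tuple:
    """Split one primitive DER element into (tag, content).  A time string
    always fits the short-form length, so the long form (0x81..) and the
    indefinite form (0x80) are rejected outright."""
    if len(der) < 2:
        raise ASN1TimeError("truncated element")
    tag, length = der[0], der[1]
    if tag & 0x20:
        raise ASN1TimeError("time must be a primitive element")
    if length >= 0x80:
        raise ASN1TimeError("long-form or indefinite length not allowed")
    content = der[2:]
    if len(content) != length:
        raise ASN1TimeError("length octet does not match content")
    return tag, content


def parse_asn1_time(der: bytes) -> datetime:
    """Decode a DER UTCTime or GeneralizedTime under the RFC 5280 rules and
    return an aware UTC datetime, or raise ASN1TimeError."""
    tag, content = _split_tlv(der)
    if tag == TAG_UTCTIME:
        m = _UTC_RE.match(content)
        if m is None:
            raise ASN1TimeError("malformed UTCTime %r" % content)
        yy = int(m.group(1))
        # RFC 5280 two-digit year window: 50..99 -> 19xx, 00..49 -> 20xx.
        year = 1900 + yy if yy >= 50 else 2000 + yy
    elif tag == TAG_GENERALIZEDTIME:
        m = _GEN_RE.match(content)
        if m is None:
            raise ASN1TimeError("malformed GeneralizedTime %r" % content)
        year = int(m.group(1))
        # RFC 5280 uses UTCTime through 2049 and GeneralizedTime from 2050
        # on; this example (an assumption) treats the wrong choice as an error.
        if year < 2050:
            raise ASN1TimeError("GeneralizedTime used for a year before 2050")
    else:
        raise ASN1TimeError("unexpected tag 0x%02x" % tag)
    month, day, hour, minute, second = (int(g) for g in m.groups()[1:])
    try:
        # datetime rejects impossible dates (31 February) and out-of-range
        # hours, minutes and seconds, leap second 60 included.
        return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)
    except ValueError as exc:
        raise ASN1TimeError("invalid calendar value: %s" % exc) from exc


def is_valid_asn1_time(der: bytes) -> bool:
    """True if the element parses under the strict rules, else False."""
    try:
        parse_asn1_time(der)
        return True
    except ASN1TimeError:
        return False


# Constructed sample elements: tag, short-form length, ASCII content.
ACCEPTED = [
    b"\x17\x0d" + b"231011120000Z",            # UTCTime, 2023-10-11 12:00:00Z
    b"\x17\x0d" + b"500101000000Z",            # 50 -> 1950 (window edge)
    b"\x17\x0d" + b"491231235959Z",            # 49 -> 2049 (window edge)
    b"\x18\x0f" + b"20500101000000Z",          # GeneralizedTime, first year
]
REJECTED = [
    b"\x17\x0b" + b"2310111200Z",              # seconds omitted
    b"\x17\x11" + b"231011120000+0100",        # UTC offset instead of 'Z'
    b"\x18\x11" + b"20231011120000.5Z",        # fractional seconds
    b"\x18\x0f" + b"20231011120000Z",          # GeneralizedTime before 2050
    b"\x17\x0d" + b"230231120000Z",            # 31 February
    b"\x17\x80" + b"231011120000Z\x00\x00",    # indefinite length form
]

if __name__ == "__main__":
    for der in ACCEPTED:
        print(der[2:].decode(), "->", parse_asn1_time(der).isoformat())
    for der in REJECTED:
        print(der[2:].decode("latin-1"), "->", is_valid_asn1_time(der))
```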

3.5.3 - Reliability fix

	* Fix d2i_ASN1_OBJECT(). A confusion of two CBS resulted in advancing
	  the passed *der_in pointer incorrectly. Thanks to Aram Sargsyan for
	  reporting the issue and testing the fix.

3.5.2 - Stable release

	* Bug fixes
	  - Avoid single byte overread in asn1_parse2().
	  - Allow name constraints with a leading dot. From Alex Wilson.
	  - Relax a check in x509_constraints_dirname() to allow prefixes.
	    From Alex Wilson.
	  - Fix NULL dereferences in openssl(1) cms option parsing.
	  - Do not zero the computed cofactor on ec_guess_cofactor() success.
	  - Bound cofactor in EC_GROUP_set_generator() to reduce the number of
	    bogus groups that can be described with nonsensical parameters.
	  - Avoid various potential segfaults in EVP_PKEY_CTX_free() in low
	    memory conditions. Reported for HMAC by Masaru Masuda.
	  - Plug leak in ASN1_TIME_adj_internal().
	  - Avoid infinite loop for custom curves of order 1.
	    Issue reported by Hanno Boeck, comments by David Benjamin.
	  - Avoid an infinite loop on parsing DSA private keys by validating
	    that the provided parameters conform to FIPS 186-4.
	    Issue reported by Hanno Boeck, comments by David Benjamin.
	* Compatibility improvements
	  - Allow non-standard name constraints of the form @domain.com.
	* Internal improvements
	  - Limit OID text conversion to 64 bits per arc.
	  - Clean up and simplify memory BIO code.
	  - Reduce number of memmove() calls in memory BIOs.
	  - Factor out alert handling code in the legacy stack.
	  - Add sanity checks on p and q in old_dsa_priv_decode().
	  - Cache the SHA-512 hash instead of the SHA-1 for CRLs.
	  - Suppress various compiler warnings for old gcc versions.
	  - Remove free_cont from asn1_d2i_ex_primitive()/asn1_ex_c2i().
	  - Rework ownership handling in x509_constraints_validate().
	  - Rework ASN1_STRING_set().
	  - Remove const from tls1_transcript_hash_value().
	  - Clean up and simplify ssl3_renegotiate{,_check}().
	  - Rewrite legacy TLS and DTLS unexpected handshake message handling.
	  - Simplify SSL_do_handshake().
	  - Rewrite ASCII/text to ASN.1 object conversion.
	  - Provide t2i_ASN1_OBJECT_internal() and use it for OBJ_txt2obj().
	  - Split armv7 and aarch64 code into separate locations.
	  - Rewrote openssl(1) ts to use the new option handling and cleaned
	    up the C code.
	  - Provide asn1_get_primitive().
	  - Convert {c2i,d2i}_ASN1_OBJECT() to CBS.
	  - Remove the minimum record length checks from dtls1_read_bytes().
	  - Clean up {dtls1,ssl3}_read_bytes().
	  - Be more careful with embedded and terminating NULs in the new
	    name constraints code.
	  - Check EVP_Digest* return codes in openssl(1) ts.
	  - Various minor code cleanup in openssl(1) pkcs12.
	  - Use calloc() in pkey_hmac_init().
	  - Simplify priv_key handling in d2i_ECPrivateKey().
	* Documentation improvements
	  - Update d2i_ASN1_OBJECT(3) documentation to reflect reality after
	    refactoring and bug fixes.
	  - Fixed numerous minor grammar, spelling, wording, and punctuation
	    issues.

3.5.1 - Security release

	* A malicious certificate can cause an infinite loop.
	  Reported by and fix from Tavis Ormandy and David Benjamin, Google.

3.5.0 - Development release

	* New Features
	  - The RFC 3779 API was ported from OpenSSL. Many bugs were fixed,
	    regression tests were added and the code was cleaned up.
	  - Certificate Transparency was ported from OpenSSL. Many internal
	    improvements were made, resulting in cleaner and safer code.
	    Regress coverage was added. libssl does not yet make use of it.
	* Portable Improvements
	  - Fixed various POSIX compliance and other portability issues
	    found by the port to the Sortix operating system.
	  - Add libmd as a platform specific library for Solaris.
	    Issue reported by (ihsan <at> opencsw org) on the libressl ML.
	  - Set the IA-64 compiler flag only if it is HP-UX with IA-64.
	    Suggested by Larkin Nickle (me <at> larbob org) on the libressl ML.
	  - Enabled and scheduled Coverity scan.
	    Contributed by Ilya Shipitsin (chipitsine <at> gmail com) on GitHub.
	* Compatibility Changes
	  - Most structs that were previously defined in the following headers
	    are now opaque as they are in OpenSSL 1.1:
	    bio.h, bn.h, comp.h, dh.h, dsa.h, evp.h, hmac.h, ocsp.h, rsa.h,
	    x509.h, x509v3.h, x509_vfy.h
	  - Switch TLSv1.3 cipher names from AEAD- to OpenSSL's TLS_.
	    OpenSSL added the TLSv1.3 ciphersuites with "RFC names" instead
	    of using something consistent with the previous naming. Various
	    test suites expect these names (instead of checking for the much
	    more sensible cipher numbers). The old names are still accepted
	    as aliases.
	  - Subject alternative names and name constraints are now validated
	    when they are added to certificates. Various interoperability
	    problems with stacks that validate certificates more strictly
	    than OpenSSL can be avoided this way.
	  - Attempt to opportunistically use the host name for SNI in s_client.
	* Bug fixes
	  - In some situations, the verifier would discard the error on an
	    unvalidated certificate chain. This would happen when the
	    verification callback was in use, instructing the verifier to
	    continue unconditionally. This could lead to incorrect decisions
	    being made in software.
	  - Avoid an infinite loop in SSL_shutdown().
	  - Fix another return 0 bug in SSL_shutdown().
	  - Handle zero byte reads/writes that trigger handshakes in the
	    TLSv1.3 stack.
	  - A long standing memory leak in libtls CRL handling was fixed.
	* Internal Improvements
	  - Cache the SHA-512 hash instead of the SHA-1 hash and cache
	    notBefore and notAfter times when X.509 certificates are parsed.
	  - The X.509 lookup code has been simplified and cleaned up.
	  - Fixed numerous issues flagged by Coverity and the cryptofuzz
	    project.
	  - Increased the number of Miller-Rabin checks in DH and DSA
	    key/parameter generation.
	  - Started using the bytestring API in libcrypto for cleaner and
	    safer code.
	  - Convert {i2d,d2i}_{,EC_,DSA_,RSA_}PUBKEY{,_bio,_fp}() to templated
	    ASN1.
	  - Convert ASN1_OBJECT_new() to calloc().
	  - Convert ASN1_STRING_type_new() to calloc().
	  - Rewrite ASN1_STRING_cmp().
	  - Use calloc() for X509_CRL_METHOD_new() instead of malloc().
	  - Convert ASN1_PCTX_new() to calloc().
	  - Replace the asn1_tlc_clear and asn1_tlc_clear_nc macros with a
	    function.
	  - Consolidate {d2i,i2d}_{pr,pu}.c.
	  - Remove handling of a NULL BUF_MEM from asn1_collect().
	  - Pull the recursion depth check up to the top of asn1_collect().
	  - Inline collect_data() in asn1_collect().
	  - Convert asn1_d2i_ex_primitive()/asn1_collect() from BUF_MEM to CBB.
	  - Clean up d2i_ASN1_BOOLEAN() and i2d_ASN1_BOOLEAN().
	  - Consolidate ASN.1 universal tag type data.
	  - Rewrite ASN.1 identifier/length parsing in CBS.
	  - Make OBJ_obj2nid() work correctly with NID_undef.
	  - tlsext_tick_lifetime_hint is now a uint32_t.
	  - Untangle ssl3_get_message() return values.
	  - Rename tls13_buffer to tls_buffer.
	  - Fold DTLS_STATE_INTERNAL into DTLS1_STATE.
	  - Provide a way to determine our maximum legacy version.
	  - Mop up enc_read_ctx and read_hash.
	  - Fold SSL_SESSION_INTERNAL into SSL_SESSION.
	  - Use ssl_force_want_read in the DTLS code.
	  - Add record processing limit to DTLS code.
	  - Add explicit CBS_contains_zero_byte() check in CBS_strdup().
	  - Improve SNI hostname validation.
	  - Ensure SSL_set_tlsext_host_name() is given a valid hostname.
	  - Fix a strange check in the auto DH codepath.
	  - Factor out/rewrite DHE key exchange.
	  - Convert server serialisation of DHE parameters/public key to new
	    functions.
	  - Check DH public key in ssl_kex_peer_public_dhe().
	  - Move the minimum DHE key size check into ssl_kex_peer_params_dhe().
	  - Clean up and refactor server side DHE key exchange.
	  - Provide CBS_get_last_u8().
	  - Provide CBS_get_u64().
	  - Provide CBS_add_u64().
	  - Provide various CBS_peek_* functions.
	  - Use CBS_get_last_u8() to find the content type in TLSv1.3 records.
	  - unifdef TLS13_USE_LEGACY_CLIENT_AUTH.
	  - Correct SSL_get_peer_cert_chain() when used with the TLSv1.3 stack.
	  - Only allow zero length key shares when we know we're doing HRR.
	  - Pull key share group/length CBB code up from
	    tls13_key_share_public().
	  - Refactor ssl3_get_server_kex_ecdhe() to separate parsing and
	    validation.
	  - Return 0 on failure from send/get kex functions in the legacy
	    stack.
	  - Rename tls13_key_share to tls_key_share.
	  - Allocate and free the EVP_AEAD_CTX struct in
	    tls13_record_protection.
	  - Convert legacy TLS client to tls_key_share.
	  - Convert legacy TLS server to tls_key_share.
	  - Stop attempting to duplicate the public and private key of dh_tmp.
	  - Rename dh_tmp to dhe_params.
	  - Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY.
	  - Clean up pkey handling in ssl3_get_server_key_exchange().
	  - Fix GOST skip certificate verify handling.
	  - Simplify tlsext_keyshare_server_parse().
	  - Plumb decode errors through key share parsing code.
	  - Simplify SSL_get_peer_certificate().
	  - Clean up/simplify ssl_cert_type().
	  - The S3I macro was removed.
	  - The openssl(1) cms and smime subcommands' option handling was
	    converted and the C source was cleaned up.
	* Documentation improvements
	  - 45 new manual pages, most of which were written from scratch.
	    Documentation coverage of ASN.1 and X.509 code has been
	    significantly improved.
	* API additions and removals
	  - libssl
	    API additions
	      SSL_get0_verified_chain SSL_peek_ex SSL_read_ex SSL_write_ex
	    API stubs for compatibility
	      SSL_CTX_get_keylog_callback SSL_CTX_get_num_tickets
	      SSL_CTX_set_keylog_callback SSL_CTX_set_num_tickets
	      SSL_get_num_tickets SSL_set_num_tickets
	  - libcrypto
	    added API (some of these were previously available as macros):
	      ASIdOrRange_free ASIdOrRange_new ASIdentifierChoice_free
	      ASIdentifierChoice_new ASIdentifiers_free ASIdentifiers_new
	      ASN1_TIME_diff ASRange_free ASRange_new BIO_get_callback_ex
	      BIO_get_init BIO_set_callback_ex BIO_set_next
	      BIO_set_retry_reason BN_GENCB_set BN_GENCB_set_old
	      BN_abs_is_word BN_get_flags BN_is_negative
	      BN_is_odd BN_is_one BN_is_word BN_is_zero BN_set_flags
	      BN_to_montgomery BN_with_flags BN_zero_ex CTLOG_STORE_free
	      CTLOG_STORE_get0_log_by_id CTLOG_STORE_load_default_file
	      CTLOG_STORE_load_file CTLOG_STORE_new CTLOG_free
	      CTLOG_get0_log_id CTLOG_get0_name CTLOG_get0_public_key
	      CTLOG_new CTLOG_new_from_base64 CT_POLICY_EVAL_CTX_free
	      CT_POLICY_EVAL_CTX_get0_cert CT_POLICY_EVAL_CTX_get0_issuer
	      CT_POLICY_EVAL_CTX_get0_log_store CT_POLICY_EVAL_CTX_get_time
	      CT_POLICY_EVAL_CTX_new CT_POLICY_EVAL_CTX_set1_cert
	      CT_POLICY_EVAL_CTX_set1_issuer
	      CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE
	      CT_POLICY_EVAL_CTX_set_time DH_get0_g DH_get0_p DH_get0_priv_key
	      DH_get0_pub_key DH_get0_q DH_get_length DSA_bits DSA_get0_g
	      DSA_get0_p DSA_get0_priv_key DSA_get0_pub_key DSA_get0_q
	      ECDSA_SIG_get0_r ECDSA_SIG_get0_s EVP_AEAD_CTX_free
	      EVP_AEAD_CTX_new EVP_CIPHER_CTX_buf_noconst
	      EVP_CIPHER_CTX_get_cipher_data EVP_CIPHER_CTX_set_cipher_data
	      EVP_MD_CTX_md_data EVP_MD_CTX_pkey_ctx EVP_MD_CTX_set_pkey_ctx
	      EVP_MD_meth_dup EVP_MD_meth_free EVP_MD_meth_new
	      EVP_MD_meth_set_app_datasize EVP_MD_meth_set_cleanup
	      EVP_MD_meth_set_copy EVP_MD_meth_set_ctrl EVP_MD_meth_set_final
	      EVP_MD_meth_set_flags EVP_MD_meth_set_init
	      EVP_MD_meth_set_input_blocksize EVP_MD_meth_set_result_size
	      EVP_MD_meth_set_update EVP_PKEY_asn1_set_check
	      EVP_PKEY_asn1_set_param_check EVP_PKEY_asn1_set_public_check
	      EVP_PKEY_check EVP_PKEY_meth_set_check
	      EVP_PKEY_meth_set_param_check EVP_PKEY_meth_set_public_check
	      EVP_PKEY_param_check EVP_PKEY_public_check FIPS_mode
	      FIPS_mode_set IPAddressChoice_free IPAddressChoice_new
	      IPAddressFamily_free IPAddressFamily_new IPAddressOrRange_free
418*de0e0e4dSAntonio Huete Jimenez	      IPAddressOrRange_new IPAddressRange_free IPAddressRange_new
419*de0e0e4dSAntonio Huete Jimenez	      OBJ_get0_data OBJ_length OCSP_resp_get0_certs OCSP_resp_get0_id
420*de0e0e4dSAntonio Huete Jimenez	      OCSP_resp_get0_produced_at OCSP_resp_get0_respdata
421*de0e0e4dSAntonio Huete Jimenez	      OCSP_resp_get0_signature OCSP_resp_get0_signer
422*de0e0e4dSAntonio Huete Jimenez	      OCSP_resp_get0_tbs_sigalg PEM_write_bio_PrivateKey_traditional
423*de0e0e4dSAntonio Huete Jimenez	      RSA_get0_d RSA_get0_dmp1 RSA_get0_dmq1 RSA_get0_e RSA_get0_iqmp
424*de0e0e4dSAntonio Huete Jimenez	      RSA_get0_n RSA_get0_p RSA_get0_pss_params RSA_get0_q
425*de0e0e4dSAntonio Huete Jimenez	      SCT_LIST_free SCT_LIST_print SCT_LIST_validate SCT_free
426*de0e0e4dSAntonio Huete Jimenez	      SCT_get0_extensions SCT_get0_log_id SCT_get0_signature
427*de0e0e4dSAntonio Huete Jimenez	      SCT_get_log_entry_type SCT_get_signature_nid SCT_get_source
428*de0e0e4dSAntonio Huete Jimenez	      SCT_get_timestamp SCT_get_validation_status SCT_get_version
429*de0e0e4dSAntonio Huete Jimenez	      SCT_new SCT_new_from_base64 SCT_print SCT_set0_extensions
430*de0e0e4dSAntonio Huete Jimenez	      SCT_set0_log_id SCT_set0_signature SCT_set1_extensions
431*de0e0e4dSAntonio Huete Jimenez	      SCT_set1_log_id SCT_set1_signature SCT_set_log_entry_type
432*de0e0e4dSAntonio Huete Jimenez	      SCT_set_signature_nid SCT_set_source SCT_set_timestamp
433*de0e0e4dSAntonio Huete Jimenez	      SCT_set_version SCT_validate SCT_validation_status_string
434*de0e0e4dSAntonio Huete Jimenez	      X509_OBJECT_free X509_OBJECT_new X509_REQ_get0_pubkey
435*de0e0e4dSAntonio Huete Jimenez	      X509_SIG_get0 X509_SIG_getm X509_STORE_CTX_get_by_subject
436*de0e0e4dSAntonio Huete Jimenez	      X509_STORE_CTX_get_num_untrusted
437*de0e0e4dSAntonio Huete Jimenez	      X509_STORE_CTX_get_obj_by_subject X509_STORE_CTX_get_verify
438*de0e0e4dSAntonio Huete Jimenez	      X509_STORE_CTX_get_verify_cb X509_STORE_CTX_set0_verified_chain
439*de0e0e4dSAntonio Huete Jimenez	      X509_STORE_CTX_set_current_cert X509_STORE_CTX_set_error_depth
440*de0e0e4dSAntonio Huete Jimenez	      X509_STORE_CTX_set_verify X509_STORE_get_verify
441*de0e0e4dSAntonio Huete Jimenez	      X509_STORE_get_verify_cb X509_STORE_set_verify
442*de0e0e4dSAntonio Huete Jimenez	      X509_get_X509_PUBKEY X509_get_extended_key_usage
443*de0e0e4dSAntonio Huete Jimenez	      X509_get_extension_flags X509_get_key_usage
444*de0e0e4dSAntonio Huete Jimenez	      X509v3_addr_add_inherit X509v3_addr_add_prefix
445*de0e0e4dSAntonio Huete Jimenez	      X509v3_addr_add_range X509v3_addr_canonize X509v3_addr_get_afi
446*de0e0e4dSAntonio Huete Jimenez	      X509v3_addr_get_range X509v3_addr_inherits
447*de0e0e4dSAntonio Huete Jimenez	      X509v3_addr_is_canonical X509v3_addr_subset
448*de0e0e4dSAntonio Huete Jimenez	      X509v3_addr_validate_path X509v3_addr_validate_resource_set
449*de0e0e4dSAntonio Huete Jimenez	      X509v3_asid_add_id_or_range X509v3_asid_add_inherit
450*de0e0e4dSAntonio Huete Jimenez	      X509v3_asid_canonize X509v3_asid_inherits
451*de0e0e4dSAntonio Huete Jimenez	      X509v3_asid_is_canonical X509v3_asid_subset
452*de0e0e4dSAntonio Huete Jimenez	      X509v3_asid_validate_path X509v3_asid_validate_resource_set
453*de0e0e4dSAntonio Huete Jimenez	      d2i_ASIdOrRange d2i_ASIdentifierChoice d2i_ASIdentifiers
454*de0e0e4dSAntonio Huete Jimenez	      d2i_ASRange d2i_IPAddressChoice d2i_IPAddressFamily
455*de0e0e4dSAntonio Huete Jimenez	      d2i_IPAddressOrRange d2i_IPAddressRange d2i_SCT_LIST
456*de0e0e4dSAntonio Huete Jimenez	      i2d_ASIdOrRange i2d_ASIdentifierChoice i2d_ASIdentifiers
457*de0e0e4dSAntonio Huete Jimenez	      i2d_ASRange i2d_IPAddressChoice i2d_IPAddressFamily
458*de0e0e4dSAntonio Huete Jimenez	      i2d_IPAddressOrRange i2d_IPAddressRange i2d_SCT_LIST
459*de0e0e4dSAntonio Huete Jimenez	      i2d_re_X509_CRL_tbs i2d_re_X509_REQ_tbs i2d_re_X509_tbs i2o_SCT
460*de0e0e4dSAntonio Huete Jimenez	      i2o_SCT_LIST o2i_SCT o2i_SCT_LIST
461*de0e0e4dSAntonio Huete Jimenez	    removed API:
462*de0e0e4dSAntonio Huete Jimenez	      ASN1_check_infinite_end ASN1_const_check_infinite_end EVP_dss
463*de0e0e4dSAntonio Huete Jimenez	      EVP_dss1 EVP_ecdsa HMAC_CTX_cleanup HMAC_CTX_init
464*de0e0e4dSAntonio Huete Jimenez	      NETSCAPE_ENCRYPTED_PKEY_free NETSCAPE_ENCRYPTED_PKEY_new
465*de0e0e4dSAntonio Huete Jimenez	      NETSCAPE_PKEY_free NETSCAPE_PKEY_new NETSCAPE_X509_free
466*de0e0e4dSAntonio Huete Jimenez	      NETSCAPE_X509_new OBJ_bsearch_ex_ PEM_SealFinal PEM_SealInit
467*de0e0e4dSAntonio Huete Jimenez	      PEM_SealUpdate PEM_read_X509_CERT_PAIR
468*de0e0e4dSAntonio Huete Jimenez	      PEM_read_bio_X509_CERT_PAIR PEM_write_X509_CERT_PAIR
469*de0e0e4dSAntonio Huete Jimenez	      PEM_write_bio_X509_CERT_PAIR X509_CERT_PAIR_free
470*de0e0e4dSAntonio Huete Jimenez	      X509_CERT_PAIR_new X509_OBJECT_free_contents asn1_do_adb
471*de0e0e4dSAntonio Huete Jimenez	      asn1_do_lock asn1_enc_free asn1_enc_init asn1_enc_restore
472*de0e0e4dSAntonio Huete Jimenez	      asn1_enc_save asn1_ex_c2i asn1_get_choice_selector
473*de0e0e4dSAntonio Huete Jimenez	      asn1_get_field_ptr asn1_set_choice_selector check_defer
474*de0e0e4dSAntonio Huete Jimenez	      d2i_ASN1_BOOLEAN d2i_NETSCAPE_ENCRYPTED_PKEY d2i_NETSCAPE_PKEY
475*de0e0e4dSAntonio Huete Jimenez	      d2i_NETSCAPE_X509 d2i_Netscape_RSA d2i_RSA_NET
476*de0e0e4dSAntonio Huete Jimenez	      d2i_X509_CERT_PAIR i2d_ASN1_BOOLEAN i2d_NETSCAPE_ENCRYPTED_PKEY
477*de0e0e4dSAntonio Huete Jimenez	      i2d_NETSCAPE_PKEY i2d_NETSCAPE_X509 i2d_Netscape_RSA i2d_RSA_NET
478*de0e0e4dSAntonio Huete Jimenez	      i2d_X509_CERT_PAIR name_cmp obj_cleanup_defer
479*de0e0e4dSAntonio Huete Jimenez
480*de0e0e4dSAntonio Huete Jimenez3.4.1 - Stable release
481*de0e0e4dSAntonio Huete Jimenez
482*de0e0e4dSAntonio Huete Jimenez	* New Features
483*de0e0e4dSAntonio Huete Jimenez	  - Added support for OpenSSL 1.1.1 TLSv1.3 APIs.
484*de0e0e4dSAntonio Huete Jimenez	  - Enabled the new X.509 validator to allow verification of
485*de0e0e4dSAntonio Huete Jimenez	    modern certificate chains.
486*de0e0e4dSAntonio Huete Jimenez	* Portable Improvements
487*de0e0e4dSAntonio Huete Jimenez	  - Ported continuous integration and test infrastructure to GitHub
488*de0e0e4dSAntonio Huete Jimenez	    Actions.
489*de0e0e4dSAntonio Huete Jimenez	  - Added Universal Windows Platform (UWP) build support.
490*de0e0e4dSAntonio Huete Jimenez	  - Fixed mingw-w64 builds on newer versions with missing SSP support.
491*de0e0e4dSAntonio Huete Jimenez	  - Added non-executable stack annotations for CMake builds.
492*de0e0e4dSAntonio Huete Jimenez	* API and Documentation Enhancements
493*de0e0e4dSAntonio Huete Jimenez	  - Added the following APIs from OpenSSL:
494*de0e0e4dSAntonio Huete Jimenez	    BN_bn2binpad BN_bn2lebinpad BN_lebin2bn EC_GROUP_get_curve
495*de0e0e4dSAntonio Huete Jimenez	    EC_GROUP_order_bits EC_GROUP_set_curve
496*de0e0e4dSAntonio Huete Jimenez	    EC_POINT_get_affine_coordinates
497*de0e0e4dSAntonio Huete Jimenez	    EC_POINT_set_affine_coordinates
498*de0e0e4dSAntonio Huete Jimenez	    EC_POINT_set_compressed_coordinates EVP_DigestSign
499*de0e0e4dSAntonio Huete Jimenez	    EVP_DigestVerify SSL_CIPHER_find SSL_CTX_get0_privatekey
500*de0e0e4dSAntonio Huete Jimenez	    SSL_CTX_get_max_early_data SSL_CTX_get_ssl_method
501*de0e0e4dSAntonio Huete Jimenez	    SSL_CTX_set_ciphersuites SSL_CTX_set_max_early_data
502*de0e0e4dSAntonio Huete Jimenez	    SSL_CTX_set_post_handshake_auth SSL_SESSION_get0_cipher
503*de0e0e4dSAntonio Huete Jimenez	    SSL_SESSION_get_max_early_data SSL_SESSION_is_resumable
504*de0e0e4dSAntonio Huete Jimenez	    SSL_SESSION_set_max_early_data SSL_get_early_data_status
505*de0e0e4dSAntonio Huete Jimenez	    SSL_get_max_early_data SSL_read_early_data SSL_set0_rbio
506*de0e0e4dSAntonio Huete Jimenez	    SSL_set_ciphersuites SSL_set_max_early_data
507*de0e0e4dSAntonio Huete Jimenez	    SSL_set_post_handshake_auth
508*de0e0e4dSAntonio Huete Jimenez	    SSL_set_psk_use_session_callback
509*de0e0e4dSAntonio Huete Jimenez	    SSL_verify_client_post_handshake SSL_write_early_data
510*de0e0e4dSAntonio Huete Jimenez	  - Added AES-GCM constants from RFC 7714 for SRTP.
511*de0e0e4dSAntonio Huete Jimenez	* Compatibility Changes
512*de0e0e4dSAntonio Huete Jimenez	  - Implement flushing behavior for TLSv1.3 handshakes, needed for Apache.
513*de0e0e4dSAntonio Huete Jimenez	  - Call the info callback on connect/accept exit in TLSv1.3,
514*de0e0e4dSAntonio Huete Jimenez	    needed for p5-Net-SSLeay.
515*de0e0e4dSAntonio Huete Jimenez	  - Default to using named curve parameter encoding from
516*de0e0e4dSAntonio Huete Jimenez	    pre-OpenSSL 1.1.0, adding OPENSSL_EC_EXPLICIT_CURVE.
517*de0e0e4dSAntonio Huete Jimenez	  - Do not ignore SSL_TLSEXT_ERR_FATAL from the ALPN callback.
518*de0e0e4dSAntonio Huete Jimenez	* Testing and Proactive Security
519*de0e0e4dSAntonio Huete Jimenez	  - Added additional state machine test coverage.
520*de0e0e4dSAntonio Huete Jimenez	  - Improved integration test support with ruby/openssl tests.
521*de0e0e4dSAntonio Huete Jimenez	  - Error codes and callback support in new X.509 validator made
522*de0e0e4dSAntonio Huete Jimenez	    compatible with p5-Net-SSLeay tests.
523*de0e0e4dSAntonio Huete Jimenez	* Internal Improvements
524*de0e0e4dSAntonio Huete Jimenez	  - Numerous fixes and improvements to the new X.509 validator to
525*de0e0e4dSAntonio Huete Jimenez	    ensure error codes and callback support compatible with the
526*de0e0e4dSAntonio Huete Jimenez	    legacy OpenSSL validator.
527*de0e0e4dSAntonio Huete Jimenez
528*de0e0e4dSAntonio Huete Jimenez3.4.0 - Development release
529*de0e0e4dSAntonio Huete Jimenez
530*de0e0e4dSAntonio Huete Jimenez	* Add support for OpenSSL 1.1.1 TLSv1.3 APIs.
531*de0e0e4dSAntonio Huete Jimenez
532*de0e0e4dSAntonio Huete Jimenez	* Enable the new X.509 validator.
533*de0e0e4dSAntonio Huete Jimenez
534*de0e0e4dSAntonio Huete Jimenez	* More details to come, testing is appreciated.
535*de0e0e4dSAntonio Huete Jimenez
536*de0e0e4dSAntonio Huete Jimenez3.3.5 - Security fix
537*de0e0e4dSAntonio Huete Jimenez
538*de0e0e4dSAntonio Huete Jimenez	* A stack overread could occur when checking X.509 name constraints.
539*de0e0e4dSAntonio Huete Jimenez	  From GoldBinocle on GitHub.
540*de0e0e4dSAntonio Huete Jimenez
541*de0e0e4dSAntonio Huete Jimenez	* Enable X509_V_FLAG_TRUSTED_FIRST by default in the legacy verifier.
542*de0e0e4dSAntonio Huete Jimenez	  This compensates for the expiry of the DST Root X3 certificate.
543*de0e0e4dSAntonio Huete Jimenez
544*de0e0e4dSAntonio Huete Jimenez3.3.4 - Security fix
545*de0e0e4dSAntonio Huete Jimenez
546*de0e0e4dSAntonio Huete Jimenez	* In LibreSSL, printing a certificate can result in a crash in
547*de0e0e4dSAntonio Huete Jimenez	  X509_CERT_AUX_print().
548*de0e0e4dSAntonio Huete Jimenez	  From Ingo Schwarze.
549*de0e0e4dSAntonio Huete Jimenez
550*de0e0e4dSAntonio Huete Jimenez	* Ensure GNU-stack is set on ELF platforms when building with CMake to
551*de0e0e4dSAntonio Huete Jimenez	  enable non-executable stack annotations for the GNU toolchain.
552*de0e0e4dSAntonio Huete Jimenez	  From Tobias Heider.
553*de0e0e4dSAntonio Huete Jimenez
554*de0e0e4dSAntonio Huete Jimenez3.3.3 - Stable release
555*de0e0e4dSAntonio Huete Jimenez
556*de0e0e4dSAntonio Huete Jimenez	* This is the first stable release from the 3.3.x series.
557*de0e0e4dSAntonio Huete Jimenez	  There are no changes from 3.3.2.
558*de0e0e4dSAntonio Huete Jimenez
559*de0e0e4dSAntonio Huete Jimenez3.3.2 - Development release
560*de0e0e4dSAntonio Huete Jimenez
561*de0e0e4dSAntonio Huete Jimenez	* This release adds support for DTLSv1.2 and continues the rewrite
562*de0e0e4dSAntonio Huete Jimenez	  of the record layer for the legacy stack. Numerous bugs and
563*de0e0e4dSAntonio Huete Jimenez	  interoperability issues were fixed in the new verifier. A few bugs
564*de0e0e4dSAntonio Huete Jimenez	  and incompatibilities remain, so this release uses the old verifier
565*de0e0e4dSAntonio Huete Jimenez	  by default. The OpenSSL 1.1 TLSv1.3 API is not yet available.
566*de0e0e4dSAntonio Huete Jimenez
567*de0e0e4dSAntonio Huete Jimenez	* Switch finish{,_peer}_md_len from an int to a size_t.
568*de0e0e4dSAntonio Huete Jimenez
569*de0e0e4dSAntonio Huete Jimenez	* Make SSL_get{,_peer}_finished() work when used with TLSv1.3.
570*de0e0e4dSAntonio Huete Jimenez
571*de0e0e4dSAntonio Huete Jimenez	* Use EVP_MD_MAX_MD_SIZE instead of 2 * EVP_MD_MAX_MD_SIZE as size
572*de0e0e4dSAntonio Huete Jimenez	  for cert_verify_md[], finish_md[] and peer_finish_md[]. The factor 2
573*de0e0e4dSAntonio Huete Jimenez	  was a historical artefact.
574*de0e0e4dSAntonio Huete Jimenez
575*de0e0e4dSAntonio Huete Jimenez	* Correct the return value type from ERR_peek_error() to a long.
576*de0e0e4dSAntonio Huete Jimenez
577*de0e0e4dSAntonio Huete Jimenez	* Avoid use of uninitialized memory in ASN1_time_parse(), which could
578*de0e0e4dSAntonio Huete Jimenez	  happen when parsing UTCTime if the caller did not initialise the
579*de0e0e4dSAntonio Huete Jimenez	  passed struct tm.
580*de0e0e4dSAntonio Huete Jimenez
581*de0e0e4dSAntonio Huete Jimenez	* Destroy the mutex in a tls_config object on tls_config_free().
5822eb7d3b8SDaniel Fojt
5832eb7d3b8SDaniel Fojt	* Free alert_data and phh_data in tls13_record_layer_free(); these
584*de0e0e4dSAntonio Huete Jimenez	  could leak if SSL_shutdown() or tls_close() were called after
585*de0e0e4dSAntonio Huete Jimenez	  closing the underlying socket.
5862eb7d3b8SDaniel Fojt
587*de0e0e4dSAntonio Huete Jimenez	* Free struct members in tls13_record_layer_free() in their natural
588*de0e0e4dSAntonio Huete Jimenez	  order for reviewability.
5892eb7d3b8SDaniel Fojt
590*de0e0e4dSAntonio Huete Jimenez	* Gracefully handle root certificates being both trusted and
591*de0e0e4dSAntonio Huete Jimenez	  untrusted.
592*de0e0e4dSAntonio Huete Jimenez
593*de0e0e4dSAntonio Huete Jimenez	* Handle X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE in the new
594*de0e0e4dSAntonio Huete Jimenez	  verifier.
595*de0e0e4dSAntonio Huete Jimenez
596*de0e0e4dSAntonio Huete Jimenez	* Use the legacy verifier when building auto chains for TLS.
597*de0e0e4dSAntonio Huete Jimenez
598*de0e0e4dSAntonio Huete Jimenez	* Use consistent names in tls13_{client,server}_finished_{recv,send}().
599*de0e0e4dSAntonio Huete Jimenez
600*de0e0e4dSAntonio Huete Jimenez	* Add tls13_secret_{init,cleanup}() and use them throughout the
601*de0e0e4dSAntonio Huete Jimenez	  TLSv1.3 code base.
602*de0e0e4dSAntonio Huete Jimenez
603*de0e0e4dSAntonio Huete Jimenez	* Move the read MAC key into the TLSv1.2 record layer.
604*de0e0e4dSAntonio Huete Jimenez
605*de0e0e4dSAntonio Huete Jimenez	* Make tls12_record_layer_free() NULL safe.
606*de0e0e4dSAntonio Huete Jimenez
607*de0e0e4dSAntonio Huete Jimenez	* Search the intermediates only after searching the root certs in the
608*de0e0e4dSAntonio Huete Jimenez	  new verifier to avoid problems with the legacy callback.
609*de0e0e4dSAntonio Huete Jimenez
610*de0e0e4dSAntonio Huete Jimenez	* Bail out early after finding a single chain in the new verifier, if
611*de0e0e4dSAntonio Huete Jimenez	  we have been called via the legacy verifier API.
612*de0e0e4dSAntonio Huete Jimenez
613*de0e0e4dSAntonio Huete Jimenez	* Set (invalid and likely incomplete) chain on the xsc on chain build
614*de0e0e4dSAntonio Huete Jimenez	  failure prior to calling the callback. This is required by various
615*de0e0e4dSAntonio Huete Jimenez	  callers, including auto chain.
616*de0e0e4dSAntonio Huete Jimenez
617*de0e0e4dSAntonio Huete Jimenez	* Align SSL_get_shared_ciphers() with OpenSSL. This takes into account
618*de0e0e4dSAntonio Huete Jimenez	  that it never returned server ciphers, so now it will fail when
619*de0e0e4dSAntonio Huete Jimenez	  called from the client side.
620*de0e0e4dSAntonio Huete Jimenez
621*de0e0e4dSAntonio Huete Jimenez	* Add support for SSL_get_shared_ciphers() with TLSv1.3.
622*de0e0e4dSAntonio Huete Jimenez
623*de0e0e4dSAntonio Huete Jimenez	* Split the record protection from the TLSv1.2 record layer.
624*de0e0e4dSAntonio Huete Jimenez
625*de0e0e4dSAntonio Huete Jimenez	* Clean up sequence number handling in the new TLSv1.2 record layer.
626*de0e0e4dSAntonio Huete Jimenez
627*de0e0e4dSAntonio Huete Jimenez	* Clean up sequence number handling in DTLS.
628*de0e0e4dSAntonio Huete Jimenez
629*de0e0e4dSAntonio Huete Jimenez	* Clean up dtls1_reset_seq_numbers().
630*de0e0e4dSAntonio Huete Jimenez
631*de0e0e4dSAntonio Huete Jimenez	* Factor out code for explicit IV length, block size and MAC length
632*de0e0e4dSAntonio Huete Jimenez	  from tls12_record_layer_open_record_protected_cipher().
633*de0e0e4dSAntonio Huete Jimenez
634*de0e0e4dSAntonio Huete Jimenez	* Provide record layer overhead for DTLS.
635*de0e0e4dSAntonio Huete Jimenez
636*de0e0e4dSAntonio Huete Jimenez	* Provide functions to determine if TLSv1.2 record protection is
637*de0e0e4dSAntonio Huete Jimenez	  engaged.
638*de0e0e4dSAntonio Huete Jimenez
639*de0e0e4dSAntonio Huete Jimenez	* Add code to handle change of cipher state in the new TLSv1.2 record
640*de0e0e4dSAntonio Huete Jimenez	  layer.
641*de0e0e4dSAntonio Huete Jimenez
642*de0e0e4dSAntonio Huete Jimenez	* Mop up now unused dtls1_build_sequence_numbers() function.
643*de0e0e4dSAntonio Huete Jimenez
644*de0e0e4dSAntonio Huete Jimenez	* Allow setting a keypair on a tls context without specifying the
645*de0e0e4dSAntonio Huete Jimenez	  private key, and fake it internally in libtls. This removes the
646*de0e0e4dSAntonio Huete Jimenez	  need for privsep engines like relayd to use bogus keys.
647*de0e0e4dSAntonio Huete Jimenez
648*de0e0e4dSAntonio Huete Jimenez	* Skip the private key check for fake private keys.
649*de0e0e4dSAntonio Huete Jimenez
650*de0e0e4dSAntonio Huete Jimenez	* Move the private key setup from tls_configure_ssl_keypair() to a
651*de0e0e4dSAntonio Huete Jimenez	  helper function with proper error checking.
652*de0e0e4dSAntonio Huete Jimenez
653*de0e0e4dSAntonio Huete Jimenez	* Change the internal tls_configure_ssl_keypair() function to
654*de0e0e4dSAntonio Huete Jimenez	  return -1 instead of 1 on failure.
655*de0e0e4dSAntonio Huete Jimenez
656*de0e0e4dSAntonio Huete Jimenez	* Move sequence numbers into the new TLSv1.2 record layer.
657*de0e0e4dSAntonio Huete Jimenez
658*de0e0e4dSAntonio Huete Jimenez	* Move AEAD handling into the new TLSv1.2 record layer.
659*de0e0e4dSAntonio Huete Jimenez
660*de0e0e4dSAntonio Huete Jimenez	* Remove direct assignment of aead_ctx to avoid a leak.
661*de0e0e4dSAntonio Huete Jimenez
662*de0e0e4dSAntonio Huete Jimenez	* Add a number of RPKI OIDs from RFC 6482, 6484, 6493, 8182, 8360,
663*de0e0e4dSAntonio Huete Jimenez	  draft-ietf-sidrops-rpki-rta, and draft-ietf-opsawg-finding-geofeeds.
664*de0e0e4dSAntonio Huete Jimenez
665*de0e0e4dSAntonio Huete Jimenez	* Fail early in legacy exporter if the master secret is not available
666*de0e0e4dSAntonio Huete Jimenez	  to avoid a segfault if it is called when the handshake is not
667*de0e0e4dSAntonio Huete Jimenez	  completed.
668*de0e0e4dSAntonio Huete Jimenez
669*de0e0e4dSAntonio Huete Jimenez	* Factor out legacy stack version checks.
670*de0e0e4dSAntonio Huete Jimenez
671*de0e0e4dSAntonio Huete Jimenez	* Correct handshake MAC/PRF for various TLSv1.2 cipher suites which
672*de0e0e4dSAntonio Huete Jimenez	  were originally added with the default handshake MAC and PRF rather
673*de0e0e4dSAntonio Huete Jimenez	  than the SHA256 handshake MAC and PRF.
674*de0e0e4dSAntonio Huete Jimenez
675*de0e0e4dSAntonio Huete Jimenez	* Absorb ssl3_get_algorithm2() into ssl_get_handshake_evp_md().
676*de0e0e4dSAntonio Huete Jimenez
677*de0e0e4dSAntonio Huete Jimenez	* Use dtls1_record_retrieve_buffered_record() to load buffered
678*de0e0e4dSAntonio Huete Jimenez	  application data.
679*de0e0e4dSAntonio Huete Jimenez
680*de0e0e4dSAntonio Huete Jimenez	* Enforce read ahead with DTLS.
681*de0e0e4dSAntonio Huete Jimenez
682*de0e0e4dSAntonio Huete Jimenez	* Remove bogus DTLS checks that disabled ECC and OCSP.
683*de0e0e4dSAntonio Huete Jimenez
684*de0e0e4dSAntonio Huete Jimenez	* Sync cert.pem with Mozilla NSS root CAs except "GeoTrust Global CA".
685*de0e0e4dSAntonio Huete Jimenez
686*de0e0e4dSAntonio Huete Jimenez	* Only print the certificate file once on verification failure.
687*de0e0e4dSAntonio Huete Jimenez
688*de0e0e4dSAntonio Huete Jimenez	* Pull in fix for EVP_CipherUpdate() overflow from OpenSSL.
689*de0e0e4dSAntonio Huete Jimenez
690*de0e0e4dSAntonio Huete Jimenez	* Clean up and simplify dtls1_get_cipher().
691*de0e0e4dSAntonio Huete Jimenez
692*de0e0e4dSAntonio Huete Jimenez	* Group HelloVerifyRequest decoding and add missing check for trailing
693*de0e0e4dSAntonio Huete Jimenez	  data.
694*de0e0e4dSAntonio Huete Jimenez
695*de0e0e4dSAntonio Huete Jimenez	* Revise HelloVerifyRequest handling for DTLSv1.2.
696*de0e0e4dSAntonio Huete Jimenez
697*de0e0e4dSAntonio Huete Jimenez	* Handle DTLS1_2_VERSION in various places.
698*de0e0e4dSAntonio Huete Jimenez
699*de0e0e4dSAntonio Huete Jimenez	* Add DTLSv1.2 methods.
700*de0e0e4dSAntonio Huete Jimenez
701*de0e0e4dSAntonio Huete Jimenez	* Make SSL{_CTX,}_get_{min,max}_proto_version() return a version of
702*de0e0e4dSAntonio Huete Jimenez	  zero if the minimum or maximum has been set to zero to match
703*de0e0e4dSAntonio Huete Jimenez	  OpenSSL's behavior.
704*de0e0e4dSAntonio Huete Jimenez
705*de0e0e4dSAntonio Huete Jimenez	* Rename the "truncated" label to "decode_err" and the "f_err"
706*de0e0e4dSAntonio Huete Jimenez	  label to "fatal_err".
707*de0e0e4dSAntonio Huete Jimenez
708*de0e0e4dSAntonio Huete Jimenez	* Factor out and change some of the legacy client version code.
709*de0e0e4dSAntonio Huete Jimenez
710*de0e0e4dSAntonio Huete Jimenez	* Simplify version checks in the TLSv1.3 client. Ensure that the
711*de0e0e4dSAntonio Huete Jimenez	  server announced TLSv1.3 and nothing higher and check that the
712*de0e0e4dSAntonio Huete Jimenez	  legacy_version is set to TLSv1.2 as required by RFC 8446.
713*de0e0e4dSAntonio Huete Jimenez
714*de0e0e4dSAntonio Huete Jimenez	* Fix an off-by-one in x509_verify_set_xsc_chain() to make sure that
715*de0e0e4dSAntonio Huete Jimenez	  the new validator checks for EXFLAG_CRITICAL in
716*de0e0e4dSAntonio Huete Jimenez	  x509_vfy_check_chain_extension() for all untrusted certs in the
717*de0e0e4dSAntonio Huete Jimenez	  chain. Take into account that the root is not necessarily trusted.
718*de0e0e4dSAntonio Huete Jimenez
719*de0e0e4dSAntonio Huete Jimenez	* Avoid passing last and depth to x509_verify_cert_error() on ENOMEM.
720*de0e0e4dSAntonio Huete Jimenez
721*de0e0e4dSAntonio Huete Jimenez	* Rename depth to num_untrusted.
722*de0e0e4dSAntonio Huete Jimenez
723*de0e0e4dSAntonio Huete Jimenez	* Only use TLS versions internally rather than both TLS and DTLS
724*de0e0e4dSAntonio Huete Jimenez	  versions since the latter are the one's complement of the human
725*de0e0e4dSAntonio Huete Jimenez	  readable version numbers, which means that newer versions decrease
726*de0e0e4dSAntonio Huete Jimenez	  in value.
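
As an added illustration of the entry above (example code, not part of LibreSSL): DTLS wire versions are the one's complement of the human-readable major/minor pair, so a plain numeric comparison orders them backwards and also ranks any DTLS version above every TLS version; normalising to the TLS version each DTLS version derives from (DTLS 1.0 from TLS 1.1 per RFC 4347, DTLS 1.2 from TLS 1.2 per RFC 6347) restores the expected ordering. The constants are the standard wire values; the helper names are my own.

```c
#include <stdint.h>
#include <stdio.h>

/* Standard wire values for the TLS and DTLS protocol versions. */
#define TLS1_1_VERSION   0x0302
#define TLS1_2_VERSION   0x0303
#define TLS1_3_VERSION   0x0304
#define DTLS1_VERSION    0xFEFF  /* ~0x0100: "1.0" with every bit inverted */
#define DTLS1_2_VERSION  0xFEFD  /* ~0x0102: "1.2" with every bit inverted */

/* Non-zero if v is a DTLS wire version (major byte 0xFE). */
int is_dtls_version(uint16_t v) { return (v >> 8) == 0xFE; }

/* Undo the one's complement: 0xFEFD -> 0x0102, i.e. major 1, minor 2. */
uint16_t dtls_human_version(uint16_t v) { return (uint16_t)~v; }

/* Map a version to the TLS version used for internal decisions.
 * TLS versions pass through unchanged; unknown values return 0.
 * (Hypothetical helper; LibreSSL's own internal API is not reproduced.) */
uint16_t to_tls_version(uint16_t v) {
	switch (v) {
	case DTLS1_VERSION:   return TLS1_1_VERSION;  /* RFC 4347 */
	case DTLS1_2_VERSION: return TLS1_2_VERSION;  /* RFC 6347 */
	case TLS1_1_VERSION:
	case TLS1_2_VERSION:
	case TLS1_3_VERSION:  return v;
	default:              return 0;
	}
}

/* Naive comparison on raw wire values: fine for TLS, wrong for DTLS. */
int naive_is_newer(uint16_t a, uint16_t b) { return a > b; }

/* Comparison after normalising both sides to TLS versions.
 * Returns 1 if a is newer than b, 0 if not, -1 if either is unknown. */
int is_newer(uint16_t a, uint16_t b) {
	uint16_t ta = to_tls_version(a), tb = to_tls_version(b);
	if (ta == 0 || tb == 0)
		return -1;
	return ta > tb;
}

int main(void) {
	/* Constructed pairs showing where the raw comparison goes wrong. */
	printf("DTLS1.2 newer than DTLS1.0? naive=%d normalised=%d\n",
	    naive_is_newer(DTLS1_2_VERSION, DTLS1_VERSION),
	    is_newer(DTLS1_2_VERSION, DTLS1_VERSION));
	printf("DTLS1.0 newer than TLS1.3?  naive=%d normalised=%d\n",
	    naive_is_newer(DTLS1_VERSION, TLS1_3_VERSION),
	    is_newer(DTLS1_VERSION, TLS1_3_VERSION));
	printf("DTLS1.2 human-readable: %u.%u\n",
	    dtls_human_version(DTLS1_2_VERSION) >> 8,
	    dtls_human_version(DTLS1_2_VERSION) & 0xff);
	return 0;
}
```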
727*de0e0e4dSAntonio Huete Jimenez
728*de0e0e4dSAntonio Huete Jimenez	* Fix two bugs in the legacy verifier that resulted from refactoring
729*de0e0e4dSAntonio Huete Jimenez	  of X509_verify_cert() for the new verifier: a return value was
730*de0e0e4dSAntonio Huete Jimenez	  incorrectly treated as boolean, making it insufficient to decide
731*de0e0e4dSAntonio Huete Jimenez	  whether validation should carry on or not.
732*de0e0e4dSAntonio Huete Jimenez
733*de0e0e4dSAntonio Huete Jimenez	* Identify DTLS based on the version major value.
734*de0e0e4dSAntonio Huete Jimenez
735*de0e0e4dSAntonio Huete Jimenez	* Move handling of cipher/hash based cipher suites into the new record
736*de0e0e4dSAntonio Huete Jimenez	  layer.
737*de0e0e4dSAntonio Huete Jimenez
738*de0e0e4dSAntonio Huete Jimenez	* Add tls12_record_protection_unused() and call it from CCS functions.
739*de0e0e4dSAntonio Huete Jimenez
740*de0e0e4dSAntonio Huete Jimenez	* Move key/IV length checks closer to usage sites. Also add explicit
741*de0e0e4dSAntonio Huete Jimenez	  checks against EVP_CIPHER_{iv,key}_length().
742*de0e0e4dSAntonio Huete Jimenez
743*de0e0e4dSAntonio Huete Jimenez	* Replace two hand-rolled instances of the tls12_record_protection_engaged() check.
744*de0e0e4dSAntonio Huete Jimenez
745*de0e0e4dSAntonio Huete Jimenez	* Improve internal version handling: add handshake fields for our
746*de0e0e4dSAntonio Huete Jimenez	  minimum version, our maximum version and the TLS version negotiated
747*de0e0e4dSAntonio Huete Jimenez	  during the handshake. Convert most of the internal code to use these
748*de0e0e4dSAntonio Huete Jimenez	  version fields.
749*de0e0e4dSAntonio Huete Jimenez
750*de0e0e4dSAntonio Huete Jimenez	* Guard against future internal use of TLS1_get_{client,}_version()
751*de0e0e4dSAntonio Huete Jimenez	  macros.
752*de0e0e4dSAntonio Huete Jimenez
753*de0e0e4dSAntonio Huete Jimenez	* Remove the internal ssl_downgrade_max_version() function which is no
754*de0e0e4dSAntonio Huete Jimenez	  longer needed.
755*de0e0e4dSAntonio Huete Jimenez
756*de0e0e4dSAntonio Huete Jimenez	* Fix checks for the memory caps on constraint names. There are
757*de0e0e4dSAntonio Huete Jimenez	  internal caps on the number of name constraints and other names
758*de0e0e4dSAntonio Huete Jimenez	  that the new name constraints code allocates per cert chain. These
759*de0e0e4dSAntonio Huete Jimenez	  limits were checked too late, making them only partially effective.
760*de0e0e4dSAntonio Huete Jimenez
761*de0e0e4dSAntonio Huete Jimenez	* Use EXFLAG_INVALID to handle out of memory and parse errors in
762*de0e0e4dSAntonio Huete Jimenez	  x509v3_cache_extensions().
763*de0e0e4dSAntonio Huete Jimenez
764*de0e0e4dSAntonio Huete Jimenez	* Add support for DTLSv1.2 version handling.
765*de0e0e4dSAntonio Huete Jimenez
766*de0e0e4dSAntonio Huete Jimenez	* Enable DTLSv1.2 support.
767*de0e0e4dSAntonio Huete Jimenez
768*de0e0e4dSAntonio Huete Jimenez	* Add DTLSv1.2 support to openssl s_client/s_server.
769*de0e0e4dSAntonio Huete Jimenez
770*de0e0e4dSAntonio Huete Jimenez	* Remove no longer needed read ahead workarounds in the s_client and
771*de0e0e4dSAntonio Huete Jimenez	  s_server.
772*de0e0e4dSAntonio Huete Jimenez
773*de0e0e4dSAntonio Huete Jimenez	* Fix a copy-paste error: skid was confused with an akid when
774*de0e0e4dSAntonio Huete Jimenez	  checking for EXFLAG_INVALID. This broke OCSP validation with
775*de0e0e4dSAntonio Huete Jimenez	  certain mirrors.
776*de0e0e4dSAntonio Huete Jimenez
777*de0e0e4dSAntonio Huete Jimenez	* Make supported protocols and options for DHE params more prominent
778*de0e0e4dSAntonio Huete Jimenez	  in tls_config_set_protocols.3.
779*de0e0e4dSAntonio Huete Jimenez
780*de0e0e4dSAntonio Huete Jimenez	* Avoid a use-after-scope in tls13_cert_add().
781*de0e0e4dSAntonio Huete Jimenez
782*de0e0e4dSAntonio Huete Jimenez	* Split TLSv1.3 record protection from record layer.
783*de0e0e4dSAntonio Huete Jimenez
784*de0e0e4dSAntonio Huete Jimenez	* Move the TLSv1.3 handshake struct inside the shared handshake
785*de0e0e4dSAntonio Huete Jimenez	  struct.
786*de0e0e4dSAntonio Huete Jimenez
787*de0e0e4dSAntonio Huete Jimenez	* Fully initialize rrec in tls12_record_layer_open_record_protected()
788*de0e0e4dSAntonio Huete Jimenez	  to avoid confusing some static analyzers.
789*de0e0e4dSAntonio Huete Jimenez
790*de0e0e4dSAntonio Huete Jimenez	* Use tls_set_errorx() on OCSP_basic_verify() failure since the latter
791*de0e0e4dSAntonio Huete Jimenez	  does not set errno.
792*de0e0e4dSAntonio Huete Jimenez
793*de0e0e4dSAntonio Huete Jimenez	* Convert openssl(1) x509 to new option handling and do the usual
794*de0e0e4dSAntonio Huete Jimenez	  clean up that goes along with it.
795*de0e0e4dSAntonio Huete Jimenez
796*de0e0e4dSAntonio Huete Jimenez	* Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.
797*de0e0e4dSAntonio Huete Jimenez
798*de0e0e4dSAntonio Huete Jimenez	* Rename new_cipher to cipher to align naming with keyblock or other
799*de0e0e4dSAntonio Huete Jimenez	  parts of the handshake data.
800*de0e0e4dSAntonio Huete Jimenez
801*de0e0e4dSAntonio Huete Jimenez	* Avoid mangled output in BIO_debug_callback().
802*de0e0e4dSAntonio Huete Jimenez
803*de0e0e4dSAntonio Huete Jimenez	* Fix client initiated renegotiation by replacing use of s->internal->type
804*de0e0e4dSAntonio Huete Jimenez	  with s->server.
805*de0e0e4dSAntonio Huete Jimenez
806*de0e0e4dSAntonio Huete Jimenez	* Move the TLSv1.2 record number increment into the new record layer.
807*de0e0e4dSAntonio Huete Jimenez
808*de0e0e4dSAntonio Huete Jimenez	* Move finished and peer finished into the handshake struct.
809*de0e0e4dSAntonio Huete Jimenez
810*de0e0e4dSAntonio Huete Jimenez	* Avoid transcript initialization when sending a TLS HelloRequest,
811*de0e0e4dSAntonio Huete Jimenez	  fixing server initiated renegotiation.
812*de0e0e4dSAntonio Huete Jimenez
813*de0e0e4dSAntonio Huete Jimenez	* Remove pointless assignment in SSL_get0_alpn_selected().
814*de0e0e4dSAntonio Huete Jimenez
815*de0e0e4dSAntonio Huete Jimenez	* Provide EVP_PKEY_new_CMAC_key(3).
816*de0e0e4dSAntonio Huete Jimenez
817*de0e0e4dSAntonio Huete Jimenez	* Add missing prototype for d2i_DSAPrivateKey_fp(3) to x509.h.
818*de0e0e4dSAntonio Huete Jimenez
819*de0e0e4dSAntonio Huete Jimenez	* Add DTLSv1.2 to openssl(1) s_server and s_client protocol message
820*de0e0e4dSAntonio Huete Jimenez	  logging.
821*de0e0e4dSAntonio Huete Jimenez
822*de0e0e4dSAntonio Huete Jimenez	* Avoid leaking param->name in x509_verify_param_zero().
823*de0e0e4dSAntonio Huete Jimenez
824*de0e0e4dSAntonio Huete Jimenez	* Avoid a leak in an error path in openssl(1) x509.
825*de0e0e4dSAntonio Huete Jimenez
826*de0e0e4dSAntonio Huete Jimenez	* Add some error checking to openssl(1) x509.
827*de0e0e4dSAntonio Huete Jimenez
828*de0e0e4dSAntonio Huete Jimenez	* When sending an alert in TLSv1.3, only set its error code when no
829*de0e0e4dSAntonio Huete Jimenez	  other error was set previously. Certain clients rely on specific
830*de0e0e4dSAntonio Huete Jimenez	  SSL_R_ error codes to identify that they are dealing with a self
831*de0e0e4dSAntonio Huete Jimenez	  signed cert.
832*de0e0e4dSAntonio Huete Jimenez
833*de0e0e4dSAntonio Huete Jimenez	* Switch to the legacy verifier for the stable release.
834*de0e0e4dSAntonio Huete Jimenez
835*de0e0e4dSAntonio Huete Jimenez	* Provide SSL_use_certificate_chain_file(3).
836*de0e0e4dSAntonio Huete Jimenez
837*de0e0e4dSAntonio Huete Jimenez	* Provide SSL_set_hostflags(3) and SSL_get0_peername(3).
838*de0e0e4dSAntonio Huete Jimenez
839*de0e0e4dSAntonio Huete Jimenez	* Provide various DTLSv1.2 specific functions and defines.
840*de0e0e4dSAntonio Huete Jimenez
841*de0e0e4dSAntonio Huete Jimenez	* Document meaning of '*' in the genrsa output.
842*de0e0e4dSAntonio Huete Jimenez
843*de0e0e4dSAntonio Huete Jimenez	* Updated documentation for SSL_get_shared_ciphers(3).
844*de0e0e4dSAntonio Huete Jimenez
845*de0e0e4dSAntonio Huete Jimenez	* Add documentation for SSL_get_finished(3).
846*de0e0e4dSAntonio Huete Jimenez
847*de0e0e4dSAntonio Huete Jimenez	* Document EVP_PKEY_new_CMAC_key(3)
848*de0e0e4dSAntonio Huete Jimenez
849*de0e0e4dSAntonio Huete Jimenez	* Document SSL_use_certificate_chain_file(3).
850*de0e0e4dSAntonio Huete Jimenez
851*de0e0e4dSAntonio Huete Jimenez	* Document SSL_set_hostflags(3) and SSL_get0_peername(3).
852*de0e0e4dSAntonio Huete Jimenez
853*de0e0e4dSAntonio Huete Jimenez	* Update SSL_get_version.3 manual for DTLSv.1.2 support.
854*de0e0e4dSAntonio Huete Jimenez
855*de0e0e4dSAntonio Huete Jimenez	* Added '--enable-libtls-only' build option, which builds and installs a
856*de0e0e4dSAntonio Huete Jimenez	  statically-linked libtls, skipping libcrypto and libssl. This is useful
857*de0e0e4dSAntonio Huete Jimenez	  for systems that ship with OpenSSL but wish to also package libtls.
858*de0e0e4dSAntonio Huete Jimenez
859*de0e0e4dSAntonio Huete Jimenez3.3.1 - Security fix
860*de0e0e4dSAntonio Huete Jimenez
861*de0e0e4dSAntonio Huete Jimenez	* Malformed ASN.1 in a certificate revocation list or a timestamp
862*de0e0e4dSAntonio Huete Jimenez	  response token can lead to a NULL pointer dereference.
863*de0e0e4dSAntonio Huete Jimenez
864*de0e0e4dSAntonio Huete Jimenez	Bug fixes
865*de0e0e4dSAntonio Huete Jimenez
866*de0e0e4dSAntonio Huete Jimenez	* Move point-on-curve check to set_affine_coordinates to avoid
867*de0e0e4dSAntonio Huete Jimenez	  verifying ECDSA signatures with unchecked public keys.
868*de0e0e4dSAntonio Huete Jimenez
869*de0e0e4dSAntonio Huete Jimenez	* Fix SSL_is_server() to behave as documented by re-introducing the
870*de0e0e4dSAntonio Huete Jimenez	  client-specific methods.
871*de0e0e4dSAntonio Huete Jimenez
872*de0e0e4dSAntonio Huete Jimenez	* Avoid undefined behavior due to memcpy(NULL, NULL, 0).
873*de0e0e4dSAntonio Huete Jimenez
874*de0e0e4dSAntonio Huete Jimenez	* Mark a few more internal static tables const.
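
	The point-on-curve entry in 3.3.1 deserves a concrete picture. The
	program below is an added example written for these notes, not
	LibreSSL code: it uses a toy curve y^2 = x^3 + 2x + 3 over GF(97)
	(parameters constructed for illustration, far too small for real use)
	with the on-curve check placed in the coordinate setter, and it shows
	why that placement matters. The affine group law never consults b, so
	doubling a point that is not on the curve quietly computes in a
	different group, which is exactly what an attacker-supplied, unchecked
	ECDSA public key would let the verifier do.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy short-Weierstrass curve y^2 = x^3 + a*x + b over GF(p), constructed
 * for illustration: p = 97, a = 2, b = 3. Real curves use 256-bit primes and
 * bignum arithmetic, but the group law and the validation are the same. */
typedef struct { uint64_t p, a, b; } ec_group;
typedef struct { uint64_t x, y; int inf; } ec_point;

static uint64_t addm(uint64_t x, uint64_t y, uint64_t p) { return (x + y) % p; }
static uint64_t subm(uint64_t x, uint64_t y, uint64_t p) { return (x + p - y % p) % p; }
static uint64_t mulm(uint64_t x, uint64_t y, uint64_t p) { return (x % p) * (y % p) % p; }

static uint64_t powm(uint64_t b, uint64_t e, uint64_t p)
{
    uint64_t r = 1;
    for (b %= p; e > 0; e >>= 1, b = mulm(b, b, p))
        if (e & 1)
            r = mulm(r, b, p);
    return r;
}
static uint64_t invm(uint64_t x, uint64_t p) { return powm(x, p - 2, p); } /* p prime */

/* The curve constant implied by (x, y): y^2 - x^3 - a*x. It equals g->b
 * exactly when the point lies on g; otherwise it names the curve the point
 * really lives on. */
uint64_t ec_implied_b(const ec_group *g, uint64_t x, uint64_t y)
{
    uint64_t x3 = mulm(mulm(x, x, g->p), x, g->p);
    return subm(subm(mulm(y, y, g->p), x3, g->p), mulm(g->a, x, g->p), g->p);
}

int ec_point_is_on_curve(const ec_group *g, uint64_t x, uint64_t y)
{
    return x < g->p && y < g->p && ec_implied_b(g, x, y) == g->b;
}

/* The fix in spirit: the setter refuses coordinates that are not on the
 * curve, so no validated point can ever be off-curve. Leaves *r untouched
 * and returns 0 on rejection. */
int ec_point_set_affine_coordinates(const ec_group *g, ec_point *r, uint64_t x, uint64_t y)
{
    if (!ec_point_is_on_curve(g, x, y))
        return 0;
    r->x = x; r->y = y; r->inf = 0;
    return 1;
}

/* Affine group law. Note that b never appears: the same formulas "work" on
 * a point of any curve with the same a, which is why an unchecked key moves
 * all subsequent arithmetic into a different, possibly weak, group. */
void ec_point_add_unchecked(const ec_group *g, ec_point *r, const ec_point *P, const ec_point *Q)
{
    uint64_t p = g->p, lambda, x3, y3;
    if (P->inf) { *r = *Q; return; }
    if (Q->inf) { *r = *P; return; }
    if (P->x == Q->x && addm(P->y, Q->y, p) == 0) { r->inf = 1; r->x = r->y = 0; return; }
    if (P->x == Q->x)   /* doubling: lambda = (3x^2 + a) / 2y */
        lambda = mulm(addm(mulm(3, mulm(P->x, P->x, p), p), g->a, p), invm(mulm(2, P->y, p), p), p);
    else                /* addition: lambda = (y2 - y1) / (x2 - x1) */
        lambda = mulm(subm(Q->y, P->y, p), invm(subm(Q->x, P->x, p), p), p);
    x3 = subm(subm(mulm(lambda, lambda, p), P->x, p), Q->x, p);
    y3 = subm(mulm(lambda, subm(P->x, x3, p), p), P->y, p);
    r->x = x3; r->y = y3; r->inf = 0;
}

/* What a verifier should do before touching a peer-supplied public key:
 * compute 2*pub only if pub is on the curve. Returns 0 for a rejected key. */
int ec_point_double_checked(const ec_group *g, ec_point *r, const ec_point *pub)
{
    if (pub->inf || !ec_point_is_on_curve(g, pub->x, pub->y))
        return 0;
    ec_point_add_unchecked(g, r, pub, pub);
    return 1;
}

int main(void)
{
    const ec_group g = { 97, 2, 3 };
    ec_point P, R;
    /* (3, 6) is on the curve; (3, 7) is the kind of key the fix rejects. */
    printf("set (3,6): %d\n", ec_point_set_affine_coordinates(&g, &P, 3, 6));
    printf("set (3,7): %d\n", ec_point_set_affine_coordinates(&g, &P, 3, 7));
    P.x = 3; P.y = 7; P.inf = 0;          /* bypass the setter, as old callers could */
    ec_point_add_unchecked(&g, &R, &P, &P);
    printf("2*(3,7) = (%llu,%llu) lies on b = %llu, not b = %llu\n",
        (unsigned long long)R.x, (unsigned long long)R.y,
        (unsigned long long)ec_implied_b(&g, R.x, R.y), (unsigned long long)g.b);
    return 0;
}
```

	No libcrypto is needed to build this. The libcrypto change the entry
	describes puts the same check inside the coordinate setter, so a
	caller that never runs an explicit key check still cannot hand the
	ECDSA verifier a point that is off the curve.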

3.3.0 - Development release

	* Make openssl(1) s_server ignore -4 and -6 for compatibility with
	  OpenSSL.

	* Further cleanup of the DTLS record handling.

	* Continue the replacement of the TLSv1.2 record layer by
	  reimplementing the read side of the TLSv1.2 record handling.

	* Replace DTLSv1_enc_data() with TLSv1_1_enc_data().

	* Merge d1_{clnt,srvr}.c into ssl_{clnt,srvr}.c.

	* When switching from the TLSv1.3 stack to the legacy stack include
	  a TLS record header. This is necessary if there is more than one
	  handshake message in the TLS plaintext record.

	* Set SO_REUSEADDR on the server socket in the openssl(1) ocsp
	  command.

	* Fix resource handling on error in OCSP_request_add0_id().

	* Add const to ssl_ciphers and tls1[23]_sigalgs* to push them into
	  .data.rel.ro and .rodata, respectively.

	* Add a const qualifier to srtp_known_profiles.

	* Simplify TLS method by removing the client and server specific
	  methods internally.

	* Avoid casting away const in ssl_ctx_make_profiles().

	* Make sure there is enough room for stashing the handshake message
	  when switching to the legacy TLS stack.

	* Avoid explicitly conditioning an assert on DTLS1_VERSION to make
	  the assert work for newer DTLS versions.

	* Merge SSL_ENC_METHOD into SSL_METHOD_INTERNAL.

	* Send a host header with OCSP queries to make openssl(1) ocsp
	  work with some widely used OCSP responders.

	* Fix a memory leak in the openssl(1) s_client.

	* Add a flag to mark DTLS methods as DTLS to have an easy way to
	  recognize DTLS methods that avoids inspecting the version number.

	* Implement SSL_is_dtls() and use it internally in place of the
	  SSL_IS_DTLS macro.

	* Unbreak DTLS retransmissions for flights that include a CCS.

	* Add ability to ocspcheck(8) to parse a port in the specified
	  OCSP URL.

	* Refactor and clean up ocspcheck(8) and add regression tests.

	* If x509_verify() fails, ensure that the error is set on both
	  the x509_verify_ctx() and its store context to make some failures
	  visible from SSL_get_verify_result().

	* Use the X509_STORE_CTX get_issuer() callback from the new X.509
	  verifier to fix hashed certificate directories.

	* Only check BIO_should_read() on read and BIO_should_write() on
	  write.  Previously, BIO_should_write() was also checked after read
	  and BIO_should_read() after write which could cause stalls in
	  software that uses the same BIO for read and write.

	* In openssl(1) verify, also check for error on the store context
	  since the return value of X509_verify_cert() is unreliable in
	  presence of a callback that returns 1 too often.

	* Update getentropy on Windows to use Cryptography Next Generation
	  (CNG). wincrypt is deprecated and no longer works with newer Windows
	  environments, such as in Windows Store apps.

	* Implement auto chain for the TLSv1.3 server since some software
	  relies on this.

	* Handle additional certificate error cases in the new X.509 verifier.
	  Keep track of the errors encountered if a verify callback tells the
	  verifier to continue and report them back via the error on the store
	  context. This mimics the behavior of the old verifier that would
	  persist the first error encountered while building the chain.

	* Report specific failures for "self signed certificates" in a way
	  compatible with the old verifier since software relies on the
	  error code.

	* Implement key exporter for TLSv1.3.

	* Plug a large memory leak in the new verifier caused by calling
	  X509_policy_check() repeatedly.

	* Avoid leaking memory in x509_verify_chain_dup().

	* Various documentation improvements, particularly around TLS methods.

3.2.3 - Security fix

	* Malformed ASN.1 in a certificate revocation list or a timestamp
	  response token can lead to a NULL pointer dereference.

3.2.2 - Stable release

	* This is the first stable release with the new TLSv1.3
	  implementation enabled by default for both client and server. The
	  OpenSSL 1.1 TLSv1.3 API is not yet available and will be provided
	  in an upcoming release.

	* New X509 certificate chain validator that correctly handles
	  multiple paths through intermediate certificates. Loosely based on
	  Go's X509 validator.

	* New name constraints verification implementation which passes the
	  bettertls.com certificate validation check suite.

	* Improve the handling of BIO_read()/BIO_write() failures in the
	  TLSv1.3 stack.

	* Start replacing the existing TLSv1.2 record layer.

	* Define OPENSSL_NO_SSL_TRACE in opensslfeatures.h.

	* Make SSL_CTX_get_ciphers(NULL) return NULL rather than crash.

	* Send alert on ssl_get_prev_session() failure.

	* Zero out variable on the stack to avoid leaving garbage in the tail
	  of short session IDs.

	* Move state initialization from SSL_clear() to ssl3_clear() to ensure
	  that it gets correctly reinitialized across a SSL_set_ssl_method()
	  call.

	* Avoid an out-of-bounds write in BN_rand().

	* Fix numerous leaks in the UI_dup_* functions. Simplify and tidy up
	  the code in ui_lib.c.

	* Correctly track selected ALPN length to avoid a potential segmentation
	  fault with SSL_get0_alpn_selected() when alpn_selected is NULL.

	* Include machine/endian.h in gost2814789.c in order to pick up the
	  __STRICT_ALIGNMENT define.

	* Simplify SSL method lookups.

	* Clean up and simplify SSL_get_ciphers(), SSL_set_session(),
	  SSL_set_ssl_method() and several internal functions.

	* Correctly handle ssl_cert_dup() failure in SSL_set_SSL_CTX().

	* Refactor dtls1_new(), dtls1_hm_fragment_new(),
	  dtls1_drain_fragments(), dtls1_clear_queues().

	* Copy the session ID directly in ssl_get_prev_session() instead of
	  handing it through several functions for copying.

	* Clean up and refactor ssl_get_prev_session(); simplify
	  tls_decrypt_ticket() and tls1_process_ticket() exit paths.

	* Avoid memset() before memcpy() in CBS_add_bytes().

	* Rewrite X509_INFO_{new,free}() more idiomatically.

	* Remove unnecessary zeroing after recallocarray() in
	  ASN1_BIT_STRING_set_bit().

	* Convert openssl(1) ocsp new option handling.

	* Document SSL_set1_host(3), SSL_set_SSL_CTX(3).

	* Document return value from EC_KEY_get0_public_key(3).

	* Greatly expanded test coverage via the tlsfuzzer test scripts.

	* Expanded test coverage via the bettertls certificate test suite.

	* Test interoperability with the Botan TLS client.

	* Make pthread_mutex static initialisation work on Windows.

	* Get __STRICT_ALIGNMENT from machine/endian.h with portable build.

3.2.1 - Development release

	* Propagate alerts from the read half of the TLSv1.3 record layer to I/O
	  functions.

	* Send a record overflow alert for TLSv1.3 messages having overlong
	  plaintext or inner plaintext.

	* Send an illegal parameter alert if a client sends an invalid DH key
	  share.

	* Document PKCS7_final(3), PKCS7_add_attribute(3).

	* Collapse x509v3 directory into x509.

	* Improve TLSv1.3 client certificate selection to allow EC certificates
	  instead of only RSA certificates.

	* Fail on receiving an invalid NID in X509_ATTRIBUTE_create() instead
	  of constructing broken objects that may cause NULL pointer accesses.

	* Add support for additional GOST curves from RFC 7836 and
	  draft-deremin-rfc4491-bis.

	* Add OIDs for HMAC using the Streebog hash function.

	* Allow GOST R 34.11-2012 in PBE/PBKDF2/PKCS#5.

	* Enable GOST_SIG_FORMAT_RS_LE when verifying certificate signatures.

	* Handle GOST in ssl_cert_dup().

	* Stop sending GOST R 34.10-94 as a CertificateType.

	* Use IANA allocated GOST ClientCertificateTypes.

	* Add a custom copy handler for AES keywrap to fix a use-after-free.

	* Enforce in the TLSv1.3 server that ClientHello messages after
	  a HelloRetryRequest match the original ClientHello as per RFC 8446
	  section 4.1.2.

	* Document more PKCS7 attribute functions.

	* Document PKCS7_get_signer_info(3).

	* Document PEM_ASN1_read(3) and PEM_ASN1_read_bio(3).

	* Document PEM_def_callback(3).

	* Document EVP_read_pw_string_min(3).

	* Merge documentation of X509_get0_serialNumber from OpenSSL 1.1.1.

	* Document error handling of X509_PUBKEY_get0(3) and X509_PUBKEY_get(3).

	* Document X509_get0_pubkey_bitstr(3).

	* Fix an off-by-one in the CBC padding removal. From BoringSSL.

	* Enforce restrictions on extensions present in the ClientHello as per
	  RFC 8446, section 9.2.

	* Add new CMAC_Init(3) and ChaCha(3) manual pages.

	* Fix SSL_shutdown behavior to match the legacy stack.  The previous
	  behavior could cause a hang.

	* Add initial support for openbsd/powerpc64.

	* Make the message type available in the internal TLS extensions API
	  functions.

	* Enable TLSv1.3 for the generic TLS_method().

	* Convert openssl(1) s_client option handling.

	* Document openssl(1) certhash.

	* Convert openssl(1) verify option handling.

	* Fix a longstanding bug in PEM_X509_INFO_read_bio(3) that could cause
	  use-after-free and double-free issues in calling programs.

	* Document PEM_X509_INFO_read(3) and PEM_X509_INFO_read_bio(3).

	* Handle SSL_MODE_AUTO_RETRY being changed during a TLSv1.3 session.

	* Convert openssl(1) s_server option handling.

	* Add minimal info callback support for TLSv1.3.

	* Refactor, clean up and simplify some SSL3/DTLS1 record writing code.

	* Correctly handle server requests for an OCSP response.

	* Add the P-521 curve to the list of curves supported by default
	  in the client.

	* Convert openssl(1) req option handling.

	* Avoid calling freezero with a negative size if a server sends a
	  malformed plaintext of all zeroes.

	* Send an unexpected message alert if no valid content type is found
	  in a TLSv1.3 record.
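
	The CBC padding off-by-one entry in 3.2.1 is a good place to spell
	out the bound that padding removal has to enforce. The code below is
	an added example, not LibreSSL's or BoringSSL's record layer: for a
	decrypted TLS 1.1+ CBC record laid out as plaintext || MAC || padding
	|| padlen it requires padlen + 1 + mac_size <= record length (the
	length byte itself is part of the padding, which is where a bound of
	padlen + mac_size goes wrong by one) and compares every padding byte
	under a mask so that the position of a bad byte does not show in the
	timing. tls_cbc_padding_case() builds constructed sample records for
	the boundary cases; they are not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Decrypted TLS 1.1+ CBC record: plaintext || MAC || padding || padlen.
 * The padding is padlen bytes, each equal to padlen, followed by the
 * padlen byte itself, so it occupies padlen + 1 bytes in total.
 * Returns 1 and sets *plaintext_len when the padding is well formed,
 * 0 otherwise. A caller must treat 0 exactly like a bad MAC.
 */
int tls_cbc_remove_padding(const uint8_t *rec, size_t rec_len, size_t mac_size,
    size_t *plaintext_len)
{
    size_t padlen, i, to_check;
    uint8_t bad = 0;

    if (rec_len < mac_size + 1)         /* room for the MAC and the padlen byte */
        return 0;
    padlen = rec[rec_len - 1];
    /* The bound that is easy to get off by one: the length byte counts as
     * padding, and the MAC must still fit in front of the padding. */
    if (padlen + 1 + mac_size > rec_len)
        return 0;
    /* Compare every padding byte under a mask rather than stopping at the
     * first mismatch, so where the bad byte sits does not change the time
     * taken. Scanning a fixed 256 bytes (or the whole record, if shorter)
     * also keeps padlen itself out of the timing. */
    to_check = rec_len < 256 ? rec_len : 256;
    for (i = 0; i < to_check; i++) {
        uint8_t in_pad = (uint8_t)(0u - (unsigned)(i < padlen + 1)); /* 0xff inside the padding */
        bad |= in_pad & (rec[rec_len - 1 - i] ^ (uint8_t)padlen);
    }
    if (bad)
        return 0;
    *plaintext_len = rec_len - mac_size - padlen - 1;
    return 1;
}

/* Constructed test records (not captured traffic), mac_size 20 as with
 * HMAC-SHA1. Returns the recovered plaintext length, or -1 if rejected.
 *   0: 5-byte plaintext, padlen 6                       -> 5
 *   1: no plaintext, padding exactly fills the rest     -> 0
 *   2: as 1, but padlen claims one byte more than fits  -> -1
 *   3: as 0, with the first padding byte corrupted      -> -1
 *   4: record of only mac_size bytes                    -> -1 */
long tls_cbc_padding_case(int id)
{
    uint8_t rec[64];
    const size_t mac = 20;
    size_t pt = (id == 0 || id == 3) ? 5 : 0;
    size_t padlen = (id == 0 || id == 3) ? 6 : 11;
    size_t n = 0, out = 0;

    memset(rec, 0, sizeof rec);
    if (id == 4)
        return tls_cbc_remove_padding(rec, mac, mac, &out) ? (long)out : -1;
    memset(rec + n, 'A', pt);                 n += pt;          /* plaintext */
    memset(rec + n, 0xAA, mac);               n += mac;         /* MAC placeholder */
    memset(rec + n, (int)padlen, padlen + 1); n += padlen + 1;  /* padding + padlen */
    if (id == 2)
        rec[n - 1] = (uint8_t)(padlen + 1);   /* 12 + 1 + 20 = 33 > 32: reject */
    if (id == 3)
        rec[pt + mac] = 0x05;                 /* first padding byte wrong */
    return tls_cbc_remove_padding(rec, n, mac, &out) ? (long)out : -1;
}

int main(void)
{
    int id;
    for (id = 0; id < 5; id++)
        printf("case %d: %ld\n", id, tls_cbc_padding_case(id));
    return 0;
}
```

	A production record layer additionally computes the MAC over a
	fixed-length view of the record even when the padding check fails, so
	that neither the result nor the timing distinguishes bad padding from
	a bad MAC (the Lucky 13 condition); that part is omitted here, and the
	early return on a bad bound is the first thing to replace when
	adapting this into a real implementation.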

3.2.0 - Development release

	* Enable TLS 1.3 server side in addition to client by default.
	  With this change TLS 1.3 is handled entirely on the new stack
	  and state machine, with fallback to the legacy stack and
	  state machine for older versions. Note that the OpenSSL TLS 1.3
	  API is not yet visible/available.

	* Improve length checks in the TLS 1.3 record layer and provide
	  appropriate alerts for violations of record layer limits.

	* Enforce that SNI hostnames received by the TLS server are correctly
	  formed as per RFC 5890 and RFC 6066, responding with illegal parameter
	  for a nonconformant host name.

	* Support SSL_MODE_AUTO_RETRY in TLS 1.3 to allow the automatic
	  retry of handshake messages.

	* Modify I/O behavior so that SSL_MODE_AUTO_RETRY is the default
	  similar to new OpenSSL releases.

	* Modify openssl(1) to clear SSL_MODE_AUTO_RETRY appropriately in
	  various commands.

	* Add tlsfuzzer based regression tests.

	* Support sending certificate status requests from the TLS 1.3
	  client to request OCSP staples for leaf certificates.

	* Support sending certificate status replies from the TLS 1.3 server
	  in order to send OCSP staples for leaf certificates.

	* Send correct alerts when handling failed key share extensions
	  on the TLS 1.3 server.

	* Various compatibility fixes for TLS 1.3 to 1.2 fallback for
	  switching from the new to legacy stacks.

	* Support TLS 1.3 options in the openssl(1) command.

	* Many alert cleanups in TLS 1.3 to provide expected alerts in failure
	  conditions.

	* Modify "openssl x509" to display invalid certificate times as
	  invalid, and correctly deal with the failing return case from
	  X509_cmp_time so that a certificate with an invalid NotAfter does
	  not appear valid.

	* Support sending dummy change_cipher_spec records for TLS 1.3 middlebox
	  compatibility.

	* Ensure only PSS signatures are used with RSA in TLS 1.3.

	* Ensure that TLS 1.3 clients advertise exactly the "null" compression
	  method in their legacy_compression_methods.

	* Correct use of sockaddr_storage instead of sockaddr in openssl(1)
	  s_client, which could lead to using 14 bytes of stack garbage instead
	  of an IPv6 address in DTLS mode.

	* Use non-expired certificates first when building a certificate chain.
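
	The SNI well-formedness requirement in the 3.2.0 notes comes down to
	a small set of syntactic rules. The code below is an added example,
	not the check in libssl: it parses a server_name extension body as
	laid out in RFC 6066 section 3, accepts exactly one host_name entry
	(a strictness choice made here), applies the RFC 5890 LDH rules per
	label, and rejects a trailing dot and IPv4/IPv6 literals, which RFC
	6066 forbids. A server that gets 0 back answers with an
	illegal_parameter alert. The sample extension bytes in
	sni_sample_ext are constructed for the example.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

static int is_ldh(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
        (c >= '0' && c <= '9') || c == '-';
}

/* RFC 5890 LDH labels plus the RFC 6066 restrictions. `name` is not NUL
 * terminated, as it comes straight out of the extension. Returns 1 if the
 * server should accept it, 0 if it should send illegal_parameter. */
int sni_hostname_is_valid(const unsigned char *name, size_t len)
{
    char buf[256];
    struct in_addr in4;
    size_t i, label_len = 0;

    if (len == 0 || len > 253)
        return 0;                       /* DNS name length limit */
    if (name[len - 1] == '.' || name[len - 1] == '-')
        return 0;                       /* no trailing dot; last label must not end in '-' */
    for (i = 0; i < len; i++) {
        unsigned char c = name[i];
        if (c == '.') {
            if (label_len == 0 || name[i - 1] == '-')
                return 0;               /* empty label, or label ending in '-' */
            label_len = 0;
            continue;
        }
        if (!is_ldh(c))
            return 0;                   /* letters, digits and hyphen only */
        if (label_len == 0 && c == '-')
            return 0;                   /* label must not start with '-' */
        if (++label_len > 63)
            return 0;                   /* label length limit */
    }
    /* Literal IP addresses are not permitted (RFC 6066). An IPv6 literal
     * already failed the LDH rule on ':'; IPv4 needs an explicit check. */
    memcpy(buf, name, len);
    buf[len] = '\0';
    if (inet_pton(AF_INET, buf, &in4) == 1)
        return 0;
    return 1;
}

int sni_hostname_is_valid_str(const char *s)
{
    return sni_hostname_is_valid((const unsigned char *)s, strlen(s));
}

/* server_name extension body (RFC 6066 section 3): uint16 list length,
 * then entries of NameType (1 byte, 0 = host_name), uint16 length, name.
 * Accepts exactly one host_name entry and returns 1 with *host/*host_len
 * set only when that name passes sni_hostname_is_valid(). */
int sni_extension_parse(const uint8_t *ext, size_t ext_len,
    const unsigned char **host, size_t *host_len)
{
    size_t list_len, name_len;

    if (ext_len < 5)
        return 0;
    list_len = ((size_t)ext[0] << 8) | ext[1];
    if (list_len != ext_len - 2)
        return 0;                       /* trailing or missing bytes */
    if (ext[2] != 0)
        return 0;                       /* only host_name is defined */
    name_len = ((size_t)ext[3] << 8) | ext[4];
    if (name_len != ext_len - 5)
        return 0;                       /* exactly one entry, fully consumed */
    if (!sni_hostname_is_valid(ext + 5, name_len))
        return 0;
    *host = ext + 5;
    *host_len = name_len;
    return 1;
}

/* Constructed sample body: list length 14, host_name, length 11, "example.com". */
static const uint8_t sni_sample_ext[16] = {
    0x00, 0x0e, 0x00, 0x00, 0x0b,
    'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'c', 'o', 'm'
};

/* Parses the first ext_len bytes of the sample; returns the host length
 * or -1 when rejected (only ext_len == 16 is a complete encoding). */
long sni_sample_host_len(size_t ext_len)
{
    const unsigned char *host;
    size_t host_len;
    if (ext_len > sizeof sni_sample_ext ||
        !sni_extension_parse(sni_sample_ext, ext_len, &host, &host_len))
        return -1;
    return (long)host_len;
}

int main(void)
{
    const char *names[] = { "example.com", "xn--mnchen-3ya.de", "example.com.",
        "-bad.example", "192.0.2.1", "2001:db8::1" };
    size_t i;
    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-20s %s\n", names[i],
            sni_hostname_is_valid_str(names[i]) ? "ok" : "illegal_parameter");
    printf("sample extension: host length %ld\n", sni_sample_host_len(16));
    return 0;
}
```

	The A-label "xn--mnchen-3ya.de" passes because IDNA names reach the
	wire already in LDH form; a server that wants to be stricter about
	the reserved "--" in positions three and four of a non-"xn" label can
	add that rule on top.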
12328edacedfSDaniel Fojt
1233*de0e0e4dSAntonio Huete Jimenez3.1.5 - Security fix
1234*de0e0e4dSAntonio Huete Jimenez
1235*de0e0e4dSAntonio Huete Jimenez	* Malformed ASN.1 in a certificate revocation list or a timestamp
1236*de0e0e4dSAntonio Huete Jimenez	  response token can lead to a NULL pointer dereference.
1237*de0e0e4dSAntonio Huete Jimenez
1238f015dc58SDaniel Fojt3.1.4 - Interoperability and bug fixes for the TLSv1.3 client:
1239f015dc58SDaniel Fojt
1240f015dc58SDaniel Fojt	* Improve client certificate selection to allow EC certificates
1241f015dc58SDaniel Fojt	  instead of only RSA certificates.
1242f015dc58SDaniel Fojt
1243f015dc58SDaniel Fojt	* Do not error out if a TLSv1.3 server requests an OCSP response as
1244f015dc58SDaniel Fojt	  part of a certificate request.
1245f015dc58SDaniel Fojt
1246f015dc58SDaniel Fojt	* Fix SSL_shutdown behavior to match the legacy stack.  The previous
1247f015dc58SDaniel Fojt	  behaviour could cause a hang.
1248f015dc58SDaniel Fojt
1249f015dc58SDaniel Fojt	* Fix a memory leak and add a missing error check in the handling of
1250f015dc58SDaniel Fojt	  the key update message.
1251f015dc58SDaniel Fojt
1252f015dc58SDaniel Fojt	* Fix a memory leak in tls13_record_layer_set_traffic_key.
1253f015dc58SDaniel Fojt
1254f015dc58SDaniel Fojt	* Avoid calling freezero with a negative size if a server sends a
1255f015dc58SDaniel Fojt	  malformed plaintext of all zeroes.
1256f015dc58SDaniel Fojt
1257f015dc58SDaniel Fojt	* Ensure that only PSS may be used with RSA in TLSv1.3 in order
1258f015dc58SDaniel Fojt	  to avoid using PKCS1-based signatures.
1259f015dc58SDaniel Fojt
1260f015dc58SDaniel Fojt	* Add the P-521 curve to the list of curves supported by default
1261f015dc58SDaniel Fojt	  in the client.
1262f015dc58SDaniel Fojt
1263cca6fc52SDaniel Fojt3.1.3 - Bug fix
1264cca6fc52SDaniel Fojt
1265cca6fc52SDaniel Fojt	* libcrypto may fail to build a valid certificate chain due to
1266cca6fc52SDaniel Fojt	  expired untrusted issuer certificates.
1267cca6fc52SDaniel Fojt
1268cca6fc52SDaniel Fojt3.1.2 - Bug fix
1269cca6fc52SDaniel Fojt
1270cca6fc52SDaniel Fojt	* A TLS client with peer verification disabled may crash when
1271cca6fc52SDaniel Fojt	  contacting a server that sends an empty certificate list.
1272cca6fc52SDaniel Fojt
1273cca6fc52SDaniel Fojt3.1.1 - Stable release
1274cca6fc52SDaniel Fojt
1275cca6fc52SDaniel Fojt	* Improved cipher suite handling to automatically include TLSv1.3
1276cca6fc52SDaniel Fojt	  cipher suites when they are not explicitly referred to in the
1277cca6fc52SDaniel Fojt	  cipher string.
1278cca6fc52SDaniel Fojt
1279cca6fc52SDaniel Fojt	* Improved handling of TLSv1.3 HelloRetryRequests, simplifying
1280cca6fc52SDaniel Fojt	  state transitions and ensuring that the legacy session identifer
1281cca6fc52SDaniel Fojt	  retains the same value across the handshake.
1282cca6fc52SDaniel Fojt
1283cca6fc52SDaniel Fojt	* Provided TLSv1.3 cipher suite aliases to match the names used
1284cca6fc52SDaniel Fojt	  in RFC 8446.
1285cca6fc52SDaniel Fojt
1286cca6fc52SDaniel Fojt	* Improved TLSv1.3 client key share handling to allow the use of
1287cca6fc52SDaniel Fojt	  any groups in our configured NID list.
1288cca6fc52SDaniel Fojt
1289cca6fc52SDaniel Fojt	* Fixed printing the serialNumber with X509_print_ex() fall back to
1290cca6fc52SDaniel Fojt	  the colon separated hex bytes in case greater than int value.
1291cca6fc52SDaniel Fojt
1292cca6fc52SDaniel Fojt	* Fix to disallow setting the AES-GCM IV length to zero.
1293cca6fc52SDaniel Fojt
1294cca6fc52SDaniel Fojt	* Added -groups option to openssl(1) s_server subcommand.
1295cca6fc52SDaniel Fojt
1296cca6fc52SDaniel Fojt	* Fix to show TLSv1.3 extension types with openssl(1) -tlsextdebug.
1297cca6fc52SDaniel Fojt
1298cca6fc52SDaniel Fojt	* Improved portable builds to support the use of static MSVC runtimes.
1299cca6fc52SDaniel Fojt
1300cca6fc52SDaniel Fojt	* Fixed portable builds to avoid exporting a sleep() symbol.
1301cca6fc52SDaniel Fojt
1302cca6fc52SDaniel Fojt3.1.0 - Development release
1303cca6fc52SDaniel Fojt
1304cca6fc52SDaniel Fojt	* Completed initial TLS 1.3 implementation with a completely new state
1305cca6fc52SDaniel Fojt	  machine and record layer. TLS 1.3 is now enabled by default for the
1306cca6fc52SDaniel Fojt	  client side, with the server side to be enabled in a future release.
1307cca6fc52SDaniel Fojt	  Note that the OpenSSL TLS 1.3 API is not yet visible/available.
1308cca6fc52SDaniel Fojt
1309cca6fc52SDaniel Fojt	* Many more code cleanups, fixes, and improvements to memory handling
1310cca6fc52SDaniel Fojt	  and protocol parsing.
1311cca6fc52SDaniel Fojt
1312cca6fc52SDaniel Fojt	* Added RSA-PSS and RSA-OAEP methods from OpenSSL 1.1.1.
1313cca6fc52SDaniel Fojt
1314cca6fc52SDaniel Fojt	* Ported Cryptographic Message Syntax (CMS) implementation from OpenSSL
1315cca6fc52SDaniel Fojt	  1.1.1 and enabled by default.
1316cca6fc52SDaniel Fojt
1317cca6fc52SDaniel Fojt	* Improved compatibility by backporting functionality and documentation
1318cca6fc52SDaniel Fojt	  from OpenSSL 1.1.1.
1319cca6fc52SDaniel Fojt
1320cca6fc52SDaniel Fojt	* Added many new additional crypto test vectors.
1321cca6fc52SDaniel Fojt
1322cca6fc52SDaniel Fojt	* Adjusted EVP_chacha20()'s behavior to match OpenSSL's semantics.
1323cca6fc52SDaniel Fojt
1324cca6fc52SDaniel Fojt	* Default CA bundle location is now configurable in portable builds.
1325cca6fc52SDaniel Fojt
1326cca6fc52SDaniel Fojt	* Added cms subcommand to openssl(1).
1327cca6fc52SDaniel Fojt
1328cca6fc52SDaniel Fojt	* Added -addext option to openssl(1) req subcommand.
1329cca6fc52SDaniel Fojt
1330cca6fc52SDaniel Fojt3.0.2 - Stable release
1331cca6fc52SDaniel Fojt
1332cca6fc52SDaniel Fojt	* Use a valid curve when constructing an EC_KEY that looks like X25519.
1333cca6fc52SDaniel Fojt	  The recent EC group cofactor change results in stricter validation,
1334cca6fc52SDaniel Fojt	  which causes the EC_GROUP_set_generator() call to fail.
1335cca6fc52SDaniel Fojt	  Issue reported and fix tested by rsadowski@
1336cca6fc52SDaniel Fojt
1337cca6fc52SDaniel Fojt	* Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
1338cca6fc52SDaniel Fojt	  (Note that the CMS code is currently disabled)
1339cca6fc52SDaniel Fojt	  Port of Edlinger's Fix for CVE-2019-1563 from OpenSSL 1.1.1 (old license)
1340cca6fc52SDaniel Fojt
1341cca6fc52SDaniel Fojt	* Avoid a path traversal bug in s_server on Windows when run with the -WWW
1342cca6fc52SDaniel Fojt	  or -HTTP options, due to incomplete path check logic.
1343cca6fc52SDaniel Fojt	  Issue reported and fix tested by Jobert Abma
1344cca6fc52SDaniel Fojt
1345cca6fc52SDaniel Fojt3.0.1 - Development release
1346cca6fc52SDaniel Fojt
1347cca6fc52SDaniel Fojt	* Ported Billy Brumley's fix for CVE-2019-1547 in OpenSSL 1.1.1. If a NULL
1348cca6fc52SDaniel Fojt	  or zero cofactor is passed to EC_GROUP_set_generator(), try to compute
1349cca6fc52SDaniel Fojt	  it using Hasse's bound. This works as long as the cofactor is small
1350cca6fc52SDaniel Fojt	  enough.

	* Fixed a memory leak in error paths for eckey_type2param().

	* Initial work on supporting Cryptographic Message Syntax (CMS) in
	  libcrypto (not enabled).

	* Various manual page improvements and additions.

	* Added a CMake check for an existing uninstall target, facilitating
	  embedding LibreSSL in larger CMake projects, from Matthew Albrecht.

3.0.0 - Development release

	* Completed the port of RSA_METHOD accessors from the OpenSSL 1.1 API.

	* Documented undescribed options and removed descriptions of
	  non-functional options from the openssl(1) manual.

	* A plethora of small fixes due to regular oss-fuzz testing.

	* Various side channels in DSA and ECDSA were addressed.  These are some of
	  the many issues found in an extensive systematic analysis of bignum usage
	  by Samuel Weiser, David Schrammel et al.

	* Enabled openssl(1) speed subcommand on Windows platform.

	* Enabled performance optimizations when building with Visual Studio on Windows.

	* Fixed incorrect carry operation in 512-bit addition for Streebog.

	* Fixed -modulus option with openssl(1) dsa subcommand.

	* Fixed PVK format output issue with openssl(1) dsa and rsa subcommands.

2.9.2 - Bug fixes

	* Fixed portable builds with older versions of macOS,
	  Android targets < API 21, and Solaris 10.

	* Fixed SRTP profile advertisement for DTLS servers.

2.9.1 - Stable release

	* Added support for XChaCha20 and XChaCha20-Poly1305.

	* Added support for AES key wrap constructions via the EVP interface.

	* Partial port of the OpenSSL EC_KEY_METHOD API for use by OpenSSH.

	* Added pbkdf2 key derivation support to openssl(1).

	* Removed SHA224 based handshake signatures from consideration for use in a TLS 1.2 handshake.

	* Changed the default digest type of openssl(1) enc to sha256.

	* Changed the default digest type of openssl(1) dgst to sha256.

	* Changed the default digest type of openssl(1) x509 -fingerprint to sha256.

	* Changed the default digest type of openssl(1) crl -fingerprint to sha256.

	* Improved Windows, Android, and ARM compatibility, including assembly
	  optimizations on MinGW-w64 targets.

2.9.0 - Development release

	* Added the SM4 block cipher from the Chinese standard GB/T 32907-2016.

	* Fixed warnings about clock_gettime on Windows Visual Studio builds.

	* Fixed CMake builds on systems where getpagesize is defined as an
	  inline function.

	* CRYPTO_LOCK is now automatically initialized, with the legacy
	  callbacks stubbed for compatibility.

	* Added the SM3 hash function from the Chinese standard GB/T 32905-2016.

	* Added more OPENSSL_NO_* macros for compatibility with OpenSSL.

	* Added extensive interoperability tests between LibreSSL and OpenSSL
	  1.0 and 1.1.

	* Added additional Wycheproof tests and related bug fixes.

	* Simplified sigalgs option processing and handshake signing algorithm.

	* Added the ability to use the RSA PSS algorithm for handshake
	  signatures.

	* Added bn_rand_interval() and use it in code needing ranges of random
	  bn values.

	* Added functionality to derive early, handshake, and application
	  secrets as per RFC8446.
144672c33676SMaxim Ag
144772c33676SMaxim Ag	* Added handshake state machine from RFC8446.
144872c33676SMaxim Ag
144972c33676SMaxim Ag	* Removed some ASN.1 related code from libcrypto that had not been used
145072c33676SMaxim Ag	  since around 2000.
145172c33676SMaxim Ag
145272c33676SMaxim Ag	* Unexported internal symbols and internalized more record layer structs.
145372c33676SMaxim Ag
145472c33676SMaxim Ag	* Added support for assembly optimizations on 32-bit ARM ELF targets.
145572c33676SMaxim Ag
145672c33676SMaxim Ag	* Improved protection against timing side channels in ECDSA signature
145772c33676SMaxim Ag	  generation.
145872c33676SMaxim Ag
145972c33676SMaxim Ag	* Coordinate blinding was added to some elliptic curves. This is the
146072c33676SMaxim Ag	  last bit of the work by Brumley et al. to protect against the
146172c33676SMaxim Ag	  Portsmash vulnerability.
146272c33676SMaxim Ag
146372c33676SMaxim Ag	* Ensure transcript handshake is always freed with TLS 1.2.
146472c33676SMaxim Ag
146572c33676SMaxim Ag2.8.2 - Stable release
146672c33676SMaxim Ag
146772c33676SMaxim Ag	* Added Wycheproof support for ECDH and ECDSA Web Crypto test vectors,
146872c33676SMaxim Ag	  along with test harness fixes.
146972c33676SMaxim Ag
147072c33676SMaxim Ag	* Fixed memory leak in nc(1)
147172c33676SMaxim Ag
147272c33676SMaxim Ag2.8.1 - Test and compatibility improvements
147372c33676SMaxim Ag
147472c33676SMaxim Ag	* Added Wycheproof support for ECDH, RSASSA-PSS, AES-GCM,
147572c33676SMaxim Ag	  AES-CMAC, AES-CCM, AES-CBC-PKCS5, DSA, ChaCha20-Poly1305, ECDSA, and
147672c33676SMaxim Ag	  X25519 test vectors. Applied appropriate fixes for errors uncovered
147772c33676SMaxim Ag	  by tests.
147872c33676SMaxim Ag
147972c33676SMaxim Ag	* Simplified key exchange signature generation and verification.
148072c33676SMaxim Ag
148172c33676SMaxim Ag	* Fixed a one-byte buffer overrun in callers of EVP_read_pw_string
148272c33676SMaxim Ag
148372c33676SMaxim Ag	* Converted more code paths to use CBB/CBS. All handshake messages are
148472c33676SMaxim Ag	  now created by CBB.
148572c33676SMaxim Ag
148672c33676SMaxim Ag	* Fixed various memory leaks found by Coverity.
148772c33676SMaxim Ag
148872c33676SMaxim Ag	* Simplified session ticket parsing and handling, inspired by
148972c33676SMaxim Ag	  BoringSSL.
149072c33676SMaxim Ag
149172c33676SMaxim Ag	* Modified signature of CRYPTO_mem_leaks_* to return -1. This function
149272c33676SMaxim Ag	  is a no-op in LibreSSL, so this function returns an error to not
149372c33676SMaxim Ag	  indicate the (non-)existence of memory leaks.
149472c33676SMaxim Ag
149572c33676SMaxim Ag	* SSL_copy_session_id, PEM_Sign, EVP_EncodeUpdate, BIO_set_cipher,
149672c33676SMaxim Ag	  X509_OBJECT_up_ref_count now return an int for error handling,
149772c33676SMaxim Ag	  matching OpenSSL.
149872c33676SMaxim Ag
149972c33676SMaxim Ag	* Converted a number of #defines into proper functions, matching
150072c33676SMaxim Ag	  OpenSSL's ABI.
150172c33676SMaxim Ag
150272c33676SMaxim Ag	* Added X509_get0_serialNumber from OpenSSL.
150372c33676SMaxim Ag
150472c33676SMaxim Ag	* Removed EVP_PKEY2PKCS8_broken and PKCS8_set_broken, while adding
150572c33676SMaxim Ag	  PKCS8_pkey_add1_attr_by_NID and PKCS8_pkey_get0_attrs, matching
150672c33676SMaxim Ag	  OpenSSL.
150772c33676SMaxim Ag
150872c33676SMaxim Ag	* Removed broken pkcs8 formats from openssl(1).
150972c33676SMaxim Ag
151072c33676SMaxim Ag	* Converted more functions in public API to use const arguments.
151172c33676SMaxim Ag
151272c33676SMaxim Ag	* Stopped handing AES-GCM in ssl_cipher_get_evp, since they use the
151372c33676SMaxim Ag	  EVP_AEAD interface.
151472c33676SMaxim Ag
151572c33676SMaxim Ag	* Stopped using composite EVP_CIPHER AEADs.
151672c33676SMaxim Ag
151772c33676SMaxim Ag	* Added timing-safe compares for checking results of signature
151872c33676SMaxim Ag	  verification. There are no known attacks, this is just inexpensive
151972c33676SMaxim Ag	  prudence.
152072c33676SMaxim Ag
152172c33676SMaxim Ag	* Correctly clear the current cipher state, when changing cipher state.
152272c33676SMaxim Ag	  This fixed an issue where renegotiation of cipher suites would fail
152372c33676SMaxim Ag	  when switched from AEAD to non-AEAD or vice-versa.
152472c33676SMaxim Ag	  Issue reported by Bernard Spil.
152572c33676SMaxim Ag
152672c33676SMaxim Ag	* Added more cipher tests to appstest.sh, including all TLSv1.2
152772c33676SMaxim Ag	  ciphers.
152872c33676SMaxim Ag
152972c33676SMaxim Ag	* Added RSA_meth_get_finish() RSA_meth_set1_name() from OpenSSL.
153072c33676SMaxim Ag
153172c33676SMaxim Ag	* Added new EVP_CIPHER_CTX_(get|set)_iv() API that allows the IV to be
153272c33676SMaxim Ag	  retrieved and set with appropriate validation.
153372c33676SMaxim Ag
153472c33676SMaxim Ag2.8.0 - Bug fixes, security, and compatibility improvements
153572c33676SMaxim Ag
153672c33676SMaxim Ag	* Extensive documentation updates and additional API history.
153772c33676SMaxim Ag
153872c33676SMaxim Ag	* Fixed a pair of 20+ year-old bugs in X509_NAME_add_entry
153972c33676SMaxim Ag
154072c33676SMaxim Ag	* Tighten up checks for various X509_VERIFY_PARAM functions,
154172c33676SMaxim Ag	  'poisoning' parameters so that an unverified certificate cannot be
154272c33676SMaxim Ag	  used if it fails verification.
154372c33676SMaxim Ag
154472c33676SMaxim Ag	* Fixed a potential memory leak on failure in ASN1_item_digest
154572c33676SMaxim Ag
154672c33676SMaxim Ag	* Fixed a potential memory alignment crash in asn1_item_combine_free
154772c33676SMaxim Ag
154872c33676SMaxim Ag	* Removed unused SSL3_FLAGS_DELAY_CLIENT_FINISHED and
154972c33676SMaxim Ag	  SSL3_FLAGS_POP_BUFFER flags in write path, simplifying IO paths.
155072c33676SMaxim Ag
155172c33676SMaxim Ag	* Removed SSL_OP_TLS_ROLLBACK_BUG buggy client workarounds.
155272c33676SMaxim Ag
155372c33676SMaxim Ag	* Made ENGINE_finish and ENGINE_free succeed on NULL and simplify callers
155472c33676SMaxim Ag	  and matching OpenSSL behavior, rewrote ENGINE_* documentation.
155572c33676SMaxim Ag
155672c33676SMaxim Ag	* Added const annotations to many existing APIs from OpenSSL, making
155772c33676SMaxim Ag	  interoperability easier for downstream applications.
155872c33676SMaxim Ag
155972c33676SMaxim Ag	* Fixed small timing side-channels in ecdsa_sign_setup and
156072c33676SMaxim Ag	  dsa_sign_setup.
156172c33676SMaxim Ag
156272c33676SMaxim Ag	* Documented security pitfalls with BN_FLG_CONSTTIME and constant-time
156372c33676SMaxim Ag	  operation of BN_* functions.
156472c33676SMaxim Ag
156572c33676SMaxim Ag	* Updated BN_clear to use explicit_bzero.
156672c33676SMaxim Ag
156772c33676SMaxim Ag	* Added a missing bounds check in c2i_ASN1_BIT_STRING.
156872c33676SMaxim Ag
156972c33676SMaxim Ag	* More CBS conversions, including simplifications to RSA key exchange,
157072c33676SMaxim Ag	  and converted code to use dedicated buffers for secrets.
157172c33676SMaxim Ag
157272c33676SMaxim Ag	* Removed three remaining single DES cipher suites.
157372c33676SMaxim Ag
157472c33676SMaxim Ag	* Fixed a potential leak/incorrect return value in DSA signature
157572c33676SMaxim Ag	  generation.
157672c33676SMaxim Ag
157772c33676SMaxim Ag	* Added a blinding value when generating DSA and ECDSA signatures, in
157872c33676SMaxim Ag	  order to reduce the possibility of a side-channel attack leaking the
157972c33676SMaxim Ag	  private key.
158072c33676SMaxim Ag
158172c33676SMaxim Ag	* Added ECC constant time scalar multiplication support.
158272c33676SMaxim Ag	  From Billy Brumley and his team at Tampere University of Technology.
158372c33676SMaxim Ag
158472c33676SMaxim Ag	* Revised the implementation of RSASSA-PKCS1-v1_5 to match the
158572c33676SMaxim Ag	  specification in RFC 8017. Based on an OpenSSL commit by David
158672c33676SMaxim Ag	  Benjamin.
158772c33676SMaxim Ag
158872c33676SMaxim Ag	* Cleaned up BN_* implementations following changes made in OpenSSL by
158972c33676SMaxim Ag	  Davide Galassi and others.
159072c33676SMaxim Ag
159172c33676SMaxim Ag2.7.4 - Security fixes
159272c33676SMaxim Ag
159372c33676SMaxim Ag	* Avoid a timing side-channel leak when generating DSA and ECDSA
159472c33676SMaxim Ag	  signatures. This is caused by an attempt to do fast modular
159572c33676SMaxim Ag	  arithmetic, which introduces branches that leak information
159672c33676SMaxim Ag	  regarding secret values. Issue identified and reported by Keegan
159772c33676SMaxim Ag	  Ryan of NCC Group.
159872c33676SMaxim Ag
159972c33676SMaxim Ag	* Reject excessively large primes in DH key generation. Problem
160072c33676SMaxim Ag	  reported by Guido Vranken to OpenSSL
160172c33676SMaxim Ag	  (https://github.com/openssl/openssl/pull/6457) and based on his
160272c33676SMaxim Ag	  diff.
160372c33676SMaxim Ag
160472c33676SMaxim Ag2.7.3 - Bug fixes
160572c33676SMaxim Ag
160672c33676SMaxim Ag	* Removed incorrect NULL checks in DH_set0_key(). Reported by Ondrej
160772c33676SMaxim Ag	  Sury
160872c33676SMaxim Ag
160972c33676SMaxim Ag	* Fixed an issue normalizing CPU architecture in the configure script,
161072c33676SMaxim Ag	  which disabled assembly optimizations on platforms that get detected
161172c33676SMaxim Ag	  as 'amd64', opposed to 'x86_64'
161272c33676SMaxim Ag
161372c33676SMaxim Ag	* Limited tls_config_clear_keys() to only clear private keys.
161472c33676SMaxim Ag	  This was inadvertently clearing the keypair, which includes the OCSP
161572c33676SMaxim Ag	  staple and pubkey hash - if an application called tls_configure()
161672c33676SMaxim Ag	  followed by tls_config_clear_keys(), this would prevent OCSP staples
161772c33676SMaxim Ag	  from working.
161872c33676SMaxim Ag
161972c33676SMaxim Ag2.7.2 - Stable release
162072c33676SMaxim Ag
162172c33676SMaxim Ag	* Updated and added extensive new HISTORY sections to API manuals.
162272c33676SMaxim Ag
162372c33676SMaxim Ag	* Added support for shared library builds with CMake on all supported
162472c33676SMaxim Ag	  platforms. Note that some of the CMake options have changed, consult
162572c33676SMaxim Ag	  the README for details.
162672c33676SMaxim Ag
162772c33676SMaxim Ag2.7.1 - Bug fixes
162872c33676SMaxim Ag
162972c33676SMaxim Ag	* Fixed a bug in int_x509_param_set_hosts, calling strlen() if name
163072c33676SMaxim Ag	  length provided is 0 to match the OpenSSL behaviour. Issue noticed
163172c33676SMaxim Ag	  by Christian Heimes <christian@python.org>.
163272c33676SMaxim Ag
163372c33676SMaxim Ag	* Fixed builds macOS 10.11 and older.
163472c33676SMaxim Ag
163572c33676SMaxim Ag2.7.0 - Bug fixes and improvements
163672c33676SMaxim Ag
163772c33676SMaxim Ag	* Added support for many OpenSSL 1.0.2 and 1.1 APIs, based on
163872c33676SMaxim Ag	  observations of real-world usage in applications. These are
163972c33676SMaxim Ag	  implemented in parallel with existing OpenSSL 1.0.1 APIs - visibility
164072c33676SMaxim Ag	  changes have not been made to existing structs, allowing code written
164172c33676SMaxim Ag	  for older OpenSSL APIs to continue working.
164272c33676SMaxim Ag
164372c33676SMaxim Ag	* Extensive corrections, improvements, and additions to the
164472c33676SMaxim Ag	  API documentation, including new public APIs from OpenSSL that had
164572c33676SMaxim Ag	  no pre-existing documentation.
164672c33676SMaxim Ag
164772c33676SMaxim Ag	* Added support for automatic library initialization in libcrypto,
164872c33676SMaxim Ag	  libssl, and libtls. Support for pthread_once or a compatible
164972c33676SMaxim Ag	  equivalent is now required of the target operating system. As a
165072c33676SMaxim Ag	  side-effect, minimum Windows support is Vista or higher.
165172c33676SMaxim Ag
165272c33676SMaxim Ag	* Converted more packet handling methods to CBB, which improves
165372c33676SMaxim Ag	  resiliency when generating TLS messages.
165472c33676SMaxim Ag
165572c33676SMaxim Ag	* Completed TLS extension handling rewrite, improving consistency of
165672c33676SMaxim Ag	  checks for malformed and duplicate extensions.
165772c33676SMaxim Ag
165872c33676SMaxim Ag	* Rewrote ASN1_TYPE_{get,set}_octetstring() using templated ASN.1.
165972c33676SMaxim Ag	  This removes the last remaining use of the old M_ASN1_* macros
166072c33676SMaxim Ag	  (asn1_mac.h) from API that needs to continue to exist.
166172c33676SMaxim Ag
166272c33676SMaxim Ag	* Added support for client-side session resumption in libtls.
166372c33676SMaxim Ag	  A libtls client can specify a session file descriptor (a regular
166472c33676SMaxim Ag	  file with appropriate ownership and permissions) and libtls will
166572c33676SMaxim Ag	  manage reading and writing of session data across TLS handshakes.
166672c33676SMaxim Ag
166772c33676SMaxim Ag	* Improved support for strict alignment on ARMv7 architectures,
166872c33676SMaxim Ag	  conditionally enabling assembly in those cases.
166972c33676SMaxim Ag
167072c33676SMaxim Ag	* Fixed a memory leak in libtls when reusing a tls_config.
167172c33676SMaxim Ag
167272c33676SMaxim Ag	* Merged more DTLS support into the regular TLS code path, removing
167372c33676SMaxim Ag	  duplicated code.
167472c33676SMaxim Ag
167572c33676SMaxim Ag	* Many improvements to Windows Cmake-based builds and tests,
167672c33676SMaxim Ag	  especially when targeting Visual Studio.
167772c33676SMaxim Ag
167872c33676SMaxim Ag2.6.4 - Bug fixes
167972c33676SMaxim Ag
168072c33676SMaxim Ag	* Make tls_config_parse_protocols() work correctly when passed a NULL
168172c33676SMaxim Ag	  pointer for a protocol string. Issue found by semarie@, who also
168272c33676SMaxim Ag	  provided the diff.
168372c33676SMaxim Ag
168472c33676SMaxim Ag	* Correct TLS extensions handling when no extensions are present.
168572c33676SMaxim Ag	  If no TLS extensions are present in a client hello or server hello,
168672c33676SMaxim Ag	  omit the entire extensions block, rather than including it with a
168772c33676SMaxim Ag	  length of zero. Thanks to Eric Elena <eric at voguemerry dot com> for
168872c33676SMaxim Ag	  providing packet captures and testing the fix.
168972c33676SMaxim Ag
169072c33676SMaxim Ag	* Fixed portable builds on older Android systems, and systems with out
169172c33676SMaxim Ag	  IPV6_TCLASS support.
169272c33676SMaxim Ag
169372c33676SMaxim Ag2.6.3 - OpenBSD 6.2 Release
169472c33676SMaxim Ag
169572c33676SMaxim Ag	* No core changes from LibreSSL 2.6.2
169672c33676SMaxim Ag
169772c33676SMaxim Ag	* Minor compatibility fixes in portable version.
169872c33676SMaxim Ag
169972c33676SMaxim Ag2.6.2 - Bug fixes
170072c33676SMaxim Ag
170172c33676SMaxim Ag	* Provide a useful error with libtls if there are no OCSP URLs in a
170272c33676SMaxim Ag	  peer certificate.
170372c33676SMaxim Ag
170472c33676SMaxim Ag	* Keep track of which keypair is in use by a TLS context, fixing a bug
170572c33676SMaxim Ag	  where a TLS server with SNI would only return the OCSP staple for the
170672c33676SMaxim Ag	  default keypair. Issue reported by William Graeber and confirmed by
170772c33676SMaxim Ag	  Andreas Bartelt.
170872c33676SMaxim Ag
170972c33676SMaxim Ag	* Fixed various issues in the OCSP extension parsing code.
171072c33676SMaxim Ag	  The original code incorrectly passes the pointer allocated via
171172c33676SMaxim Ag	  CBS_stow() (using malloc()) to a d2i_*() function and then calls
171272c33676SMaxim Ag	  free() on the now incremented pointer, most likely resulting in a
171372c33676SMaxim Ag	  crash. This issue was reported by Robert Swiecki who found the issue
171472c33676SMaxim Ag	  using honggfuzz.
171572c33676SMaxim Ag
171672c33676SMaxim Ag	* If tls_config_parse_protocols() is called with a NULL pointer,
171772c33676SMaxim Ag	  return the default protocols instead of crashing - this makes the
171872c33676SMaxim Ag	  behaviour more useful and mirrors what we already do in
171972c33676SMaxim Ag	  tls_config_set_ciphers() et al.
172072c33676SMaxim Ag
172172c33676SMaxim Ag2.6.1 - Code removal, rewrites
172272c33676SMaxim Ag
172372c33676SMaxim Ag	* Added a "-T tlscompat" option to nc(1), which enables the use of all
172472c33676SMaxim Ag	  TLS protocols and "compat" ciphers. This allows for TLS connections
172572c33676SMaxim Ag	  to TLS servers that are using less than ideal cipher suites, without
172672c33676SMaxim Ag	  having to resort to "-T tlsall" which enables all known cipher
172772c33676SMaxim Ag	  suites.  Diff from Kyle J. McKay.
172872c33676SMaxim Ag
172972c33676SMaxim Ag	* Added a new TLS extension handling framework, somewhat analogous to
173072c33676SMaxim Ag	  BoringSSL, and converted all TLS extensions to use it. Added new TLS
173172c33676SMaxim Ag	  extension regression tests.
173272c33676SMaxim Ag
173372c33676SMaxim Ag	* Improved and added many new manpages. Updated *check_private_key
173472c33676SMaxim Ag	  manpages with additional cautions regarding their use.
173572c33676SMaxim Ag
173672c33676SMaxim Ag	* Cleaned up the EC key/curve configuration handling.
173772c33676SMaxim Ag
173872c33676SMaxim Ag	* Added tls_config_set_ecdhecurves() to libtls, which allows the names
173972c33676SMaxim Ag	  of the eliptical curves that may be used during client and server
174072c33676SMaxim Ag	  key exchange to be specified.
174172c33676SMaxim Ag
174272c33676SMaxim Ag	* Converted more code paths to use CBB/CBS.
174372c33676SMaxim Ag
174472c33676SMaxim Ag	* Removed support for DSS/DSA, since we removed the cipher suites a
174572c33676SMaxim Ag	  while back.
174672c33676SMaxim Ag
174772c33676SMaxim Ag	* Removed NPN support. NPN was never standardised and the last draft
174872c33676SMaxim Ag	  expired in October 2012. ALPN was standardised in July 2014 and has
174972c33676SMaxim Ag	  been supported in LibreSSL since December 2014. NPN has also been
175072c33676SMaxim Ag	  removed from Chromium in May 2016.
175172c33676SMaxim Ag
175272c33676SMaxim Ag	* Removed SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken
175372c33676SMaxim Ag	  CryptoPro clients.
175472c33676SMaxim Ag
175572c33676SMaxim Ag	* Removed support for the TLS padding extension, which was added as a
175672c33676SMaxim Ag	  workaround for an old bug in F5's TLS termination.
175772c33676SMaxim Ag
175872c33676SMaxim Ag	* Worked around another bug in F5's TLS termination handling of the
175972c33676SMaxim Ag	  elliptical curves extension. RFC 4492 only defines elliptic_curves
176072c33676SMaxim Ag	  for ClientHello. However, F5 is sending it in ServerHello.  We need
176172c33676SMaxim Ag	  to skip over it since our TLS extension parsing code is now more
176272c33676SMaxim Ag	  strict. Thanks to Armin Wolfermann and WJ Liu for reporting.
176372c33676SMaxim Ag
176472c33676SMaxim Ag	* Added ability to clamp notafter valies in certificates for systems
176572c33676SMaxim Ag	  with 32-bit time_t. This is necessary to conform to RFC 5280
176672c33676SMaxim Ag	  4.1.2.5.
176772c33676SMaxim Ag
176872c33676SMaxim Ag	* Implemented the SSL_CTX_set_min_proto_version(3) API.
176972c33676SMaxim Ag
177072c33676SMaxim Ag	* Removed the original (pre-IETF) chacha20-poly1305 cipher suites.
177172c33676SMaxim Ag
177272c33676SMaxim Ag	* Reclassified ECDHE-RSA-DES-CBC3-SHA from HIGH to MEDIUM.
177372c33676SMaxim Ag
177472c33676SMaxim Ag2.6.0 - New APIs, bug fixes and improvements
177572c33676SMaxim Ag
177672c33676SMaxim Ag	* Added support for providing CRLs to libtls. Once a CRL is provided we
177772c33676SMaxim Ag	  enable CRL checking for the full certificate chain. Based on a diff
177872c33676SMaxim Ag	  from Jack Burton
177972c33676SMaxim Ag
178072c33676SMaxim Ag	* Allow non-compliant clients using IP literal addresses with SNI
178172c33676SMaxim Ag	  to connect to a server using libtls.
178272c33676SMaxim Ag
178372c33676SMaxim Ag	* Avoid a potential NULL pointer dereference in d2i_ECPrivateKey().
178472c33676SMaxim Ag	  Reported by Robert Swiecki, who found the issue using honggfuzz.
178572c33676SMaxim Ag
178672c33676SMaxim Ag	* Added definitions for three OIDs used in EV certificates.
178772c33676SMaxim Ag	  From Kyle J. McKay
178872c33676SMaxim Ag
178972c33676SMaxim Ag	* Added tls_peer_cert_chain_pem to libtls, useful in private
179072c33676SMaxim Ag	  certificate validation callbacks such as those in relayd.
179172c33676SMaxim Ag
179272c33676SMaxim Ag	* Converted explicit clear/free sequences to use freezero(3).
179372c33676SMaxim Ag
179472c33676SMaxim Ag	* Reworked TLS certificate name verification code to more strictly
179572c33676SMaxim Ag	  follow RFC 6125.
179672c33676SMaxim Ag
179772c33676SMaxim Ag	* Cleaned up and simplified server key exchange EC point handling.
179872c33676SMaxim Ag
179972c33676SMaxim Ag	* Added tls_keypair_clear_key for clearing key material.
180072c33676SMaxim Ag
180172c33676SMaxim Ag	* Removed inconsistent IPv6 handling from BIO_get_accept_socket,
180272c33676SMaxim Ag	  simplified BIO_get_host_ip and BIO_accept.
180372c33676SMaxim Ag
180472c33676SMaxim Ag	* Fixed the openssl(1) ca command so that is generates certificates
180572c33676SMaxim Ag	  with RFC 5280-conformant time. Problem noticed by Harald Dunkel.
180672c33676SMaxim Ag
180772c33676SMaxim Ag	* Added ASN1_TIME_set_tm to set an asn1 from a struct tm *
180872c33676SMaxim Ag
180972c33676SMaxim Ag	* Added SSL{,_CTX}_set_{min,max}_proto_version() functions.
181072c33676SMaxim Ag
181172c33676SMaxim Ag	* Added HKDF (HMAC Key Derivation Function) from BoringSSL
181272c33676SMaxim Ag
181372c33676SMaxim Ag	* Provided a tls_unload_file() function that frees the memory returned
181472c33676SMaxim Ag	  from a tls_load_file() call, ensuring that it the contents become
181572c33676SMaxim Ag	  inaccessible. This is specifically needed on platforms where the
181672c33676SMaxim Ag	  library allocators may be different from the application allocator.
181772c33676SMaxim Ag
181872c33676SMaxim Ag	* Perform reference counting for tls_config. This allows
181972c33676SMaxim Ag	  tls_config_free() to be called as soon as it has been passed to the
182072c33676SMaxim Ag	  final tls_configure() call, simplifying lifetime tracking for the
182172c33676SMaxim Ag	  application.
182272c33676SMaxim Ag
182372c33676SMaxim Ag	* Moved internal state of SSL and other structures to be opaque.
182472c33676SMaxim Ag
182572c33676SMaxim Ag	* Dropped cipher suites with DSS authentication.
182672c33676SMaxim Ag
182772c33676SMaxim Ag	* nc(1) improvements, including:
182872c33676SMaxim Ag	   nc -W to terminate nc after receiving a number of packets
182972c33676SMaxim Ag	   nc -Z for saving the peer certificate and chain in a pem file
183072c33676SMaxim Ag
183172c33676SMaxim Ag2.5.5 - Bug fixes
183272c33676SMaxim Ag
183372c33676SMaxim Ag	* Distinguish between self-issued certificates and self-signed
183472c33676SMaxim Ag	  certificates. The certificate verification code has special cases
183572c33676SMaxim Ag	  for self-signed certificates and without this change, self-issued
183672c33676SMaxim Ag	  certificates (which it seems are common place with
183772c33676SMaxim Ag	  openvpn/easyrsa) were also being included in this category.
183872c33676SMaxim Ag
183972c33676SMaxim Ag	* Added getpagesize fallback, needed for Android bionic libc.
184072c33676SMaxim Ag
184172c33676SMaxim Ag2.5.4 - Security Updates
184272c33676SMaxim Ag
184372c33676SMaxim Ag	* Revert a previous change that forced consistency between return
184472c33676SMaxim Ag	  value and error code when specifing a certificate verification
184572c33676SMaxim Ag	  callback, since this breaks the documented API. When a user supplied
184672c33676SMaxim Ag	  callback always returns 1, and later code checks the error code to
184772c33676SMaxim Ag	  potentially abort post verification, this will result in incorrect
184872c33676SMaxim Ag	  successul certificate verification.
184972c33676SMaxim Ag
185072c33676SMaxim Ag	* Switched Linux getrandom() usage to non-blocking mode, continuing to
185172c33676SMaxim Ag	  use fallback mechanims if unsuccessful. This works around a design
185272c33676SMaxim Ag	  flaw in Linux getrandom(2) where early boot usage in a library makes
185372c33676SMaxim Ag	  it impossible to recover if getrandom(2) is not yet initialized.
185472c33676SMaxim Ag
185572c33676SMaxim Ag	* Fixed a bug caused by the return value being set early to signal
185672c33676SMaxim Ag	  successful DTLS cookie validation. This can mask a later failure and
185772c33676SMaxim Ag	  result in a positive return value being returned from
185872c33676SMaxim Ag	  ssl3_get_client_hello(), when it should return a negative value to
185972c33676SMaxim Ag	  propagate the error.
186072c33676SMaxim Ag
186172c33676SMaxim Ag	* Fixed a build error on non-x86/x86_64 systems running Solaris.
186272c33676SMaxim Ag
186372c33676SMaxim Ag2.5.3 - OpenBSD 6.1 Release
186472c33676SMaxim Ag
186572c33676SMaxim Ag	* Documentation updates
186672c33676SMaxim Ag
186772c33676SMaxim Ag	* Improved ocspcheck(1) error handling
186872c33676SMaxim Ag
186972c33676SMaxim Ag2.5.2 - Security features and bugfixes
187072c33676SMaxim Ag
187172c33676SMaxim Ag	* Added the recallocarray(3) memory allocation function, and converted
187272c33676SMaxim Ag	  various places in the library to use it, such as CBB and BUF_MEM_grow.
187372c33676SMaxim Ag	  recallocarray(3) is similar to reallocarray. Newly allocated memory
187472c33676SMaxim Ag	  is cleared similar to calloc(3). Memory that becomes unallocated
187572c33676SMaxim Ag	  while shrinking or moving existing allocations is explicitly
187672c33676SMaxim Ag	  discarded by unmapping or clearing to 0

	* Added new root CAs from SECOM Trust Systems / Security Communication
	  of Japan.

	* Added EVP interface for MD5+SHA1 hashes.

	* Fixed DTLS client failures when the server sends a certificate
	  request.

	* Correct handling of padding when upgrading an SSLv2 challenge into
	  an SSLv3/TLS connection.

	* Allow protocols and ciphers to be set on a TLS config object in
	  libtls.

	* Improved nc(1) TLS handshake CPU usage and server-side error
	  reporting.

2.5.1 - Bug and security fixes, new features, documentation updates

	* X509_cmp_time() now treats a malformed GeneralizedTime field as an
	  error. Reported by Theofilos Petsios.

	* Detect zero-length encrypted session data early, instead of when
	  malloc(0) fails or the HMAC check fails. Noted independently by
	  jsing@ and Kurt Cancemi.

	* Check for and handle failure of HMAC_{Update,Final} or
	  EVP_DecryptUpdate().

	* Massive update and normalization of manpages, conversion to
	  mandoc format. Many pages were rewritten for clarity and accuracy.
	  Portable doc links are up-to-date with a new conversion tool.

	* Curve25519 Key Exchange support.

	* Support for alternate chains for certificate verification.

	* Code cleanups, CBS conversions, further unification of DTLS/SSL
	  handshake code, further ASN1 macro expansion and removal.

	* Private symbols are now hidden in libssl and libcrypto.

	* Friendly certificate verification error messages in libtls; peer
	  verification is now always enabled.

	* Added OCSP stapling support to libtls and netcat.

	* Added ocspcheck utility to validate a certificate against its OCSP
	  responder and save the reply for stapling.

	* Enhanced regression tests and error handling for libtls.

	* Added explicit constant and non-constant time BN functions,
	  defaulting to constant time wherever possible.

	* Moved many leaked implementation details in public structs behind
	  opaque pointers.

	* Added ticket support to libtls.

	* Added support for setting the supported EC curves via
	  SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
	  SSL{_CTX}_set1_curves{_list} names. This also changes the default
	  list of curves to be X25519, P-256 and P-384. All other curves must
	  be manually enabled.

	* Added -groups option to openssl(1) s_client for specifying the curves
	  to be used in a colon-separated list.

	* Merged client/server version negotiation code paths into one,
	  reducing much duplicate code.

	* Removed error function codes from libssl and libcrypto.

	* Fixed an issue where a truncated packet could crash via an OOB read.

	* Added SSL_OP_NO_CLIENT_RENEGOTIATION option that disallows
	  client-initiated renegotiation. This is the default for libtls
	  servers.

	* Avoid a side-channel cache-timing attack that can leak the ECDSA
	  private keys when signing. This is due to BN_mod_inverse() being
	  used without the constant time flag being set. Reported by Cesar
	  Pereida Garcia and Billy Brumley (Tampere University of Technology).
	  The fix was developed by Cesar Pereida Garcia.

	* iOS and MacOS compatibility updates from Simone Basso and Jacob
	  Berkman.

2.5.0 - New APIs, bug fixes and improvements

	* libtls now supports ALPN and SNI

	* libtls adds a new callback interface for integrating custom IO
	  functions. Thanks to Tobias Pape.

	* libtls now handles 4 cipher suite groups:
	    "secure" (TLSv1.2+AEAD+PFS)
	    "compat" (HIGH:!aNULL)
	    "legacy" (HIGH:MEDIUM:!aNULL)
	    "insecure" (ALL:!aNULL:!eNULL)

	    This allows for flexibility and finer grained control, rather than
	    having two extremes (an issue raised by Marko Kreen some time ago).

	* Tightened error handling for tls_config_set_ciphers().

	* libtls now always loads CA, key and certificate files at the time the
	  configuration function is called. This simplifies code and results in
	  a single memory based code path being used to provide data to libssl.

	* Add support for OCSP intermediate certificates.

	* Added functions used by stunnel and exim from BoringSSL - this
	  brings in X509_check_host, X509_check_email, X509_check_ip, and
	  X509_check_ip_asc.
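The following is an added example illustrating the kind of check X509_check_host performs; it is not the BoringSSL/LibreSSL implementation, and it is deliberately stricter than the library defaults (X509_check_host has flags that, for instance, permit partial wildcards). The function name hostname_matches and the sample names are constructed for the example. The certificate name is passed with an explicit length because ASN.1 strings are not NUL-terminated, and a NUL byte inside the name is rejected rather than compared as a C string.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive comparison of n bytes; DNS names compare that way. */
static int
equal_nocase(const char *a, const char *b, size_t n)
{
    size_t i;

    for (i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Number of dot-separated labels in s[0..n). */
static size_t
label_count(const char *s, size_t n)
{
    size_t i, labels = 1;

    for (i = 0; i < n; i++)
        if (s[i] == '.')
            labels++;
    return labels;
}

/*
 * Does the DNS name from a certificate (pattern, plen bytes, possibly not
 * NUL-terminated) match the host the client asked for? Rules applied here:
 *  - the comparison is case-insensitive and must cover the whole name;
 *  - a wildcard is accepted only as the entire leftmost label
 *    ("*.example.com"), matches exactly one label, and must be followed by
 *    at least two labels, so "*.com" never matches anything;
 *  - a NUL byte inside the certificate name is rejected outright: the
 *    C-string prefix would otherwise match while the real name differs.
 * Returns 1 on match, 0 otherwise. Added example, not library code.
 */
int
hostname_matches(const char *pattern, size_t plen, const char *host)
{
    size_t hlen = strlen(host);
    const char *hdot;

    if (plen == 0 || hlen == 0 || memchr(pattern, '\0', plen) != NULL)
        return 0;

    if (plen >= 2 && pattern[0] == '*' && pattern[1] == '.') {
        const char *suffix = pattern + 1;       /* ".example.com" */
        size_t slen = plen - 1;

        if (label_count(suffix + 1, slen - 1) < 2)
            return 0;
        /* The host needs a non-empty leftmost label followed by exactly
         * the suffix, so "a.b.example.com" does not match "*.example.com". */
        if ((hdot = memchr(host, '.', hlen)) == NULL || hdot == host)
            return 0;
        return (size_t)(host + hlen - hdot) == slen &&
            equal_nocase(hdot, suffix, slen);
    }

    /* No other wildcard forms (such as "w*.example.com") are accepted. */
    if (memchr(pattern, '*', plen) != NULL)
        return 0;
    return plen == hlen && equal_nocase(pattern, host, plen);
}
```

A caller would run this over every dNSName in the subjectAltName extension and accept the certificate only if one of them matches; the embedded-NUL case is the one that hand-rolled strcmp-based checks historically got wrong.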

	* Added initial support for iOS, thanks to Jacob Berkman.

	* Improved behavior of arc4random on Windows when using memory leak
	  analysis software.

	* Correctly handle an EOF that occurs prior to the TLS handshake
	  completing. Reported by Vasily Kolobkov, based on a diff from Marko
	  Kreen.

	* Limit the support of the "backward compatible" ssl2 handshake to
	  only be used if TLS 1.0 is enabled.

	* Fixed BN_mod_word() returning incorrect results in certain cases on
	  64-bit systems. BN_mod_word() can now return an error condition.
	  Thanks to Brian Smith.

	* Added constant-time updates to address CVE-2016-0702

	* Fixed undefined behavior in BN_GF2m_mod_arr()

	* Removed unused Cryptographic Message Syntax (CMS) support

	* More conversions of long long idioms to time_t

	* Improved compatibility by avoiding printing NULL strings with
	  printf.

	* Reverted change that cleans up the EVP cipher context in
	  EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the
	  previous behaviour.

	* Avoid unbounded memory growth in libssl, which can be triggered by a
	  TLS client repeatedly renegotiating and sending OCSP Status Request
	  TLS extensions.

	* Avoid falling back to a weak digest for (EC)DH when using SNI with
	  libssl.

2.4.2 - Bug fixes and improvements

	* Fixed loading default certificate locations with openssl s_client.

	* Ensured OCSP only uses and compares GENERALIZEDTIME values as per
	  RFC 6960. Also added fixes for OCSP to work with intermediate
	  certificates provided in responses.
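Both the X509_cmp_time() change in 2.5.1 (malformed GeneralizedTime is an error) and the OCSP change above (only GENERALIZEDTIME values are used) come down to parsing the time strictly and refusing anything else. The following is an added example of such a parser in C; it is not LibreSSL's code, and the names parse_generalizedtime, gentime_cmp and validity_status are constructed for it. It accepts only the profile RFC 5280 section 4.1.2.5.2 and RFC 6960 require: exactly "YYYYMMDDHHMMSSZ", seconds present, no fractional seconds, no local offset. Length is passed separately because ASN.1 strings are not NUL-terminated.

```c
#include <stddef.h>
#include <string.h>

/* Fields of an RFC 5280 GeneralizedTime "YYYYMMDDHHMMSSZ". */
struct gentime {
    int year, month, day, hour, minute, second;
};

/* Parse exactly n ASCII decimal digits; -1 if any byte is not a digit. */
static int
digits(const char *s, size_t n)
{
    int v = 0;
    size_t i;

    for (i = 0; i < n; i++) {
        if (s[i] < '0' || s[i] > '9')
            return -1;
        v = v * 10 + (s[i] - '0');
    }
    return v;
}

static int
days_in_month(int year, int month)
{
    static const int mdays[] = {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
    int leap = (year % 4 == 0 && year % 100 != 0) || year % 400 == 0;

    return mdays[month - 1] + (month == 2 && leap);
}

/*
 * Strict GeneralizedTime parser (added example). Returns 1 and fills *out
 * when s[0..len) is exactly "YYYYMMDDHHMMSSZ" with every field in range;
 * returns 0 for anything else, so callers fail the comparison instead of
 * acting on a value they could not parse. out may be NULL.
 */
int
parse_generalizedtime(const char *s, size_t len, struct gentime *out)
{
    struct gentime t;

    if (s == NULL || len != 15 || s[14] != 'Z')
        return 0;
    t.year = digits(s, 4);
    t.month = digits(s + 4, 2);
    t.day = digits(s + 6, 2);
    t.hour = digits(s + 8, 2);
    t.minute = digits(s + 10, 2);
    t.second = digits(s + 12, 2);
    if (t.year < 0 || t.month < 1 || t.month > 12 || t.day < 1 ||
        t.hour < 0 || t.hour > 23 || t.minute < 0 || t.minute > 59 ||
        t.second < 0 || t.second > 59)
        return 0;
    if (t.day > days_in_month(t.year, t.month))
        return 0;
    if (out != NULL)
        *out = t;
    return 1;
}

static int
cmp_field(int x, int y)
{
    return (x > y) - (x < y);
}

/* Three-way comparison of parsed times, negative/zero/positive. */
int
gentime_cmp(const struct gentime *a, const struct gentime *b)
{
    int r;

    if ((r = cmp_field(a->year, b->year)) != 0)
        return r;
    if ((r = cmp_field(a->month, b->month)) != 0)
        return r;
    if ((r = cmp_field(a->day, b->day)) != 0)
        return r;
    if ((r = cmp_field(a->hour, b->hour)) != 0)
        return r;
    if ((r = cmp_field(a->minute, b->minute)) != 0)
        return r;
    return cmp_field(a->second, b->second);
}

/*
 * Where a notBefore/notAfter pair stands relative to now:
 *  -1 either time is malformed (treat as verification failure),
 *   0 now lies within the validity period,
 *   1 not yet valid, 2 expired.
 */
int
validity_status(const char *nb, size_t nblen, const char *na, size_t nalen,
    const struct gentime *now)
{
    struct gentime tb, ta;

    if (!parse_generalizedtime(nb, nblen, &tb) ||
        !parse_generalizedtime(na, nalen, &ta))
        return -1;
    if (gentime_cmp(now, &tb) < 0)
        return 1;
    if (gentime_cmp(now, &ta) > 0)
        return 2;
    return 0;
}
```

The failure mode the 2.5.1 fix addresses is the malformed case: a lenient parser that reads fields positionally from a 13-byte or fractional-second string produces a plausible but wrong date, and a comparison built on it can make an expired certificate or OCSP response look current. Returning -1 here forces the caller to fail closed.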

	* Improved behavior of arc4random on Windows to not appear to leak
	  memory in debug tools, reduced privileges of allocated memory.

	* Fixed incorrect results from BN_mod_word() when the modulus is too
	  large, thanks to Brian Smith from BoringSSL.
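The BN_mod_word() item above, and the same fix as listed under 2.5.0, concern a reduction of a multi-limb number by a single word on 64-bit builds. The following is an added example that reproduces the failure and the two ways out of it; it is not LibreSSL's bn_word.c, the limb layout is simplified to a bare array, and the error value BN_MOD_WORD_ERR and the threshold check in bn_mod_word_checked are my assumptions about the shape of the fix (the notes say only that an error condition can now be returned). The 128-bit variant relies on the GCC/Clang unsigned __int128 extension.

```c
#include <stddef.h>
#include <stdint.h>

typedef uint64_t BN_ULONG;                  /* 64-bit limbs, as on LP64 */
#define BN_BITS2        64
#define BN_BITS4        32
#define BN_MASK2l       ((BN_ULONG)0xffffffffUL)
#define BN_MOD_WORD_ERR ((BN_ULONG)-1)      /* assumed error value */

/*
 * Limbs are little-endian: d[0] is least significant, d[top-1] most
 * significant, as in a BIGNUM.
 *
 * The half-word scheme feeds each limb in two 32-bit halves so that the
 * running remainder times 2^32 stays within 64 bits. That is only true
 * while w <= 2^32; for a larger w the shift overflows silently and the
 * function returns a wrong remainder with no indication of failure.
 */
BN_ULONG
bn_mod_word_halves(const BN_ULONG *d, size_t top, BN_ULONG w)
{
    BN_ULONG ret = 0;
    size_t i;

    for (i = top; i-- > 0; ) {
        ret = ((ret << BN_BITS4) | ((d[i] >> BN_BITS4) & BN_MASK2l)) % w;
        ret = ((ret << BN_BITS4) | (d[i] & BN_MASK2l)) % w;
    }
    return ret;
}

/* With a 128-bit intermediate the reduction is correct for every
 * non-zero 64-bit w: ret < w < 2^64, so (ret << 64) | d[i] fits. */
BN_ULONG
bn_mod_word_wide(const BN_ULONG *d, size_t top, BN_ULONG w)
{
    unsigned __int128 ret = 0;
    size_t i;

    for (i = top; i-- > 0; )
        ret = ((ret << BN_BITS2) | d[i]) % w;
    return (BN_ULONG)ret;
}

/* What a build without a double-width type has to do instead: refuse the
 * inputs the half-word scheme cannot handle and report an error rather than
 * return garbage. Callers must test the result against BN_MOD_WORD_ERR. */
BN_ULONG
bn_mod_word_checked(const BN_ULONG *d, size_t top, BN_ULONG w)
{
    if (w == 0 || w > ((BN_ULONG)1 << BN_BITS4))
        return BN_MOD_WORD_ERR;
    return bn_mod_word_halves(d, top, w);
}
```

With the constructed input 2^64 (limbs {0, 1}) and w = 2^32 + 1 the correct remainder is 1, since 2^32 is congruent to -1 modulo w; the half-word routine returns 0. A prime-sieving or trial-division caller that trusted that result would silently misbehave, which is why returning an error is the safer choice on builds that lack the wide type.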

	* Correctly handle an EOF prior to completing the TLS handshake in
	  libtls.

	* Improved libtls certificate loading and cipher string validation.

	* Updated libtls cipher group suites into four categories:
	    "secure"   (TLSv1.2+AEAD+PFS)
	    "compat"   (HIGH:!aNULL)
	    "legacy"   (HIGH:MEDIUM:!aNULL)
	    "insecure" (ALL:!aNULL:!eNULL)
	  This allows for flexibility and finer grained control, rather than
	  having two extremes.

	* Limited support for 'backward compatible' SSLv2 handshake packets to
	  when TLS 1.0 is enabled, providing more restricted compatibility
	  with TLS 1.0 clients.

	* openssl(1) and other documentation improvements.

	* Removed flags for disabling constant-time operations.
	  This removes support for DSA_FLAG_NO_EXP_CONSTTIME,
	  DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making
	  all of these operations unconditionally constant-time.

2.4.1 - Security fix

	* Correct a problem that prevents the DSA signing algorithm from
	  running in constant time even if the flag BN_FLG_CONSTTIME is set.
	  This issue was reported by Cesar Pereida (Aalto University), Billy
	  Brumley (Tampere University of Technology), and Yuval Yarom (The
	  University of Adelaide and NICTA). The fix was developed by Cesar
	  Pereida.

2.4.0 - Build improvements, new features

	* Many improvements to the CMake build infrastructure, including
	  Solaris, mingw-w64, Cygwin, and HP-UX support. Thanks to Kinichiro
	  Inoguchi for this work.

	* Added missing error handling around bn_wexpand() calls.

	* Added explicit_bzero calls for freed ASN.1 objects.

	* Fixed X509_*set_object functions to return 0 on allocation failure.

	* Implemented the IETF ChaCha20-Poly1305 cipher suites.

	* Changed the default EVP_aead_chacha20_poly1305() implementation to
	  the IETF version.

	* Fixed password prompts from openssl(1) to properly handle ^C.

	* Reworked error handling in libtls so that configuration errors are
	  visible.

	* Deprecated internal use of EVP_[Cipher|Encrypt|Decrypt]_Final.

	* Manpage fixes and updates

2.3.5 - Reliability fix

	* Fixed an error in libcrypto when parsing some ASN.1 elements > 16k.

2.3.4 - Security Update

	* Fix multiple vulnerabilities in libcrypto relating to ASN.1 and encoding.
	  From OpenSSL.

	* Minor build fixes

2.3.3 - OpenBSD 5.9 release branch tagged

	* Reworked build scripts to better sync with OpenNTPD-portable

	* Fixed broken manpage links

	* Fixed an nginx compatibility issue by adding an 'install_sw' make alias

	* Fixed HP-UX builds

	* Changed the default configuration directory to c:\LibreSSL\ssl on Windows
	  binary builds

	* cert.pem has been reorganized and synced with Mozilla's certificate store

2.3.2 - Compatibility and Reliability fixes

	* Changed format of LIBRESSL_VERSION_NUMBER to match that of
	  OPENSSL_VERSION_NUMBER, see:
	  https://wiki.openssl.org/index.php/Manual:OPENSSL_VERSION_NUMBER(3)

	* Added EVP_aead_chacha20_poly1305_ietf() which matches the AEAD
	  construction introduced in RFC 7539, which is different from that
	  already used in TLS with EVP_aead_chacha20_poly1305().

	* Avoid a potential undefined C99+ behavior due to shift overflow in
	  AES_decrypt, reported by Pascal Cuoq <cuoq at trust-in-soft.com>

	* More man pages converted from pod to mdoc format

	* Added COMODO RSA Certification Authority and QuoVadis
	  root certificates to cert.pem

	* Removed the "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification
	  Authority" (serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be) root
	  certificate from cert.pem

	* Added support for building nc(1) on Solaris

	* Fixed GCC 5.x+ preprocessor checks, reported by Ruslan Babayev

	* Improved console handling with openssl(1) on Windows

	* Ensure the network stack is enabled on Windows when running
	  tls_init()

	* Fixed incorrect TLS certificate loading by nc(1)

	* Added support for Solaris 11.3's getentropy(2) system call

	* Enabled support for using NetBSD 7.0's arc4random(3) implementation

	* Deprecated the SSL_OP_SINGLE_DH_USE flag by disabling its effect

	* Fixes from OpenSSL 1.0.1q
	 - CVE-2015-3194 - NULL pointer dereference in client side certificate
	                   validation.
	 - CVE-2015-3195 - Memory leak in PKCS7 - not reachable from TLS/SSL

	* The following OpenSSL CVEs did not apply to LibreSSL
	 - CVE-2015-3193 - Carry propagating bug in the x86_64 Montgomery
	                   squaring procedure.
	 - CVE-2015-3196 - Double free race condition of the identify hint
	                   data.

	 See https://marc.info/?l=openbsd-announce&m=144925068504102

2.3.1 - ASN.1 and time handling cleanups

	* ASN.1 cleanups and RFC 5280 compliance fixes.

	* Time representations switched from 'unsigned long' to 'time_t'. LibreSSL
	  now checks if the host OS supports 64-bit time_t.

	* Fixed a leak in SSL_new in the error path.

	* Support always extracting the peer cipher and version with libtls.

	* Added ability to check certificate validity times with libtls,
	  tls_peer_cert_notbefore and tls_peer_cert_notafter.

	* Changed tls_connect_servername to use the first address that resolves with
	  getaddrinfo().

	* Removed broken conditional EVP_CHECK_DES_KEY code (non-functional since
	  initial commit in 2004).

	* Fixed a memory leak and out-of-bounds access in OBJ_obj2txt, reported
	  by Qualys Security.

	* Fixed an up to 7 byte overflow in RC4 when len is not a multiple of
	  sizeof(RC4_CHUNK), reported by Pascal Cuoq <cuoq at trust-in-soft.com>.

	* Reject too small bits value in BN_generate_prime_ex(), so that it does
	  not risk becoming negative in probable_prime_dh_safe(), reported by
	  Franck Denis.

	* Enable nc(1) builds on more platforms.

2.3.0 - SSLv3 removed, libtls API changes, portability improvements

	* SSLv3 is now permanently removed from the tree.

	* The libtls API is changed from the 2.2.x series.

	  The read/write functions work correctly with external event
	  libraries.  See the tls_init man page for examples of using libtls
	  correctly in asynchronous mode.

	  Client-side verification is now supported, with the client supplying
	  the certificate to the server.

	  Also, when using tls_connect_fds, tls_connect_socket or
	  tls_accept_fds, libtls no longer implicitly closes the passed in
	  sockets. The caller is responsible for closing them in this case.

	* When loading a DSA key from a raw (without DH parameters) ASN.1
	  serialization, perform some consistency checks on its `p' and `q'
	  values, and return an error if the checks fail.

	  Thanks to Georgi Guninski (guninski at guninski dot com) for
	  mentioning the possibility of a weak (non-prime) q value and
	  providing a test case.

	  See
	  https://cpunks.org/pipermail/cypherpunks/2015-September/009007.html
	  for a longer discussion.

	* Fixed a bug in ECDH_compute_key that can lead to silent truncation
	  of the result key without error. A coding error could cause software
	  to use much shorter keys than intended.

	* Removed support for DTLS_BAD_VER. Pre-DTLSv1 implementations are no
	  longer supported.

	* The engine command and parameters are removed from openssl(1).
	  Previous releases removed dynamic and builtin engine support
	  already.

	* SHA-0, which was withdrawn shortly after publication 20 years ago,
	  is removed.

	* Added Certplus CA root certificate to the default cert.pem file.

	* New interface OPENSSL_cpu_caps is provided that does not allow
	  software to inadvertently modify cpu capability flags.
	  OPENSSL_ia32cap and OPENSSL_ia32cap_loc are removed.

	* The out_len argument of AEAD changed from ssize_t to size_t.

	* Deduplicated DTLS code, sharing bugfixes and improvements with
	  TLS.

	* Converted 'nc' to use libtls for client and server operations; it is
	  included in the libressl-portable distribution as an example of how
	  to use the library.

2.2.3 - Bug fixes, build enhancements

	* LibreSSL 2.2.2 incorrectly handles ClientHello messages that do not
	  include TLS extensions, resulting in such handshakes being aborted.
	  This release corrects the handling of such messages. Thanks to
	  Ligushka from github for reporting the issue.

	* Added install target for cmake builds. Thanks to TheNietsnie from
	  github.

	* Updated pkgconfig files to correctly report the release version
	  number, not the individual library ABI version numbers. Thanks to
	  Jan Engelhardt for reporting the issue.

2.2.2 - More TLS parser rework, bug fixes, expanded portable build support

	* Switched 'openssl dhparam' default from 512 to 2048 bits

	* Reworked openssl(1) option handling

	* More CRYPTO ByteString (CBS) packet parsing conversions

	* Fixed 'openssl pkeyutl -verify' to exit with a 0 on success

	* Fixed dozens of Coverity issues including dead code, memory leaks,
	  logic errors and more.

	* Ensure that openssl(1) restores terminal echo state after reading a
	  password.

	* Incorporated fix for OpenSSL Issue #3683

	* LibreSSL version define LIBRESSL_VERSION_NUMBER will now be bumped
	  for each portable release.

	* Removed workarounds for TLS client padding bugs.

	* No longer disable ECDHE-ECDSA on OS X

	* Removed SSLv3 support from openssl(1)

	* Removed IE 6 SSLv3 workarounds.

	* Modified tls_write in libtls to allow partial writes, clarified with
	  examples in the documentation.
2321f5b1c8a1SJohn Marino
2322f5b1c8a1SJohn Marino	* Removed RSAX engine
2323f5b1c8a1SJohn Marino
2324f5b1c8a1SJohn Marino	* Tested SSLv3 removal with the OpenBSD ports tree and found several
2325f5b1c8a1SJohn Marino	  applications that were not ready to build without SSLv3 yet. For
2326f5b1c8a1SJohn Marino	  now, building a program that intentionally uses SSLv3 will result in
2327f5b1c8a1SJohn Marino	  a linker warning.
2328f5b1c8a1SJohn Marino
2329f5b1c8a1SJohn Marino	* Added TLS_method, TLS_client_method and TLS_server_method as a
2330f5b1c8a1SJohn Marino	  replacement for the SSLv23_*method calls.
2331f5b1c8a1SJohn Marino
2332f5b1c8a1SJohn Marino	* Added initial cmake build support, including support for building with
2333f5b1c8a1SJohn Marino	  Visual Studio, currently tested with Visual Studio 2013 Community
2334f5b1c8a1SJohn Marino	  Edition.
2335f5b1c8a1SJohn Marino
2336f5b1c8a1SJohn Marino	* --with-enginesdir is removed as a configuration parameter
2337f5b1c8a1SJohn Marino
2338f5b1c8a1SJohn Marino	* Default cert.pem, openssl.cnf, and x509v3.cnf files are now
2339f5b1c8a1SJohn Marino	  installed under $sysconfdir/ssl or the directory specified by
2340f5b1c8a1SJohn Marino	  --with-openssldir. Previous versions of LibreSSL left these empty.
2341f5b1c8a1SJohn Marino
2342f5b1c8a1SJohn Marino2.2.1 - Build fixes, feature added, features removed
2343f5b1c8a1SJohn Marino
2344f5b1c8a1SJohn Marino	* Assorted build fixes for musl, HP-UX, Mingw, Solaris.
2345f5b1c8a1SJohn Marino
2346f5b1c8a1SJohn Marino	* Initial support for Windows Embedded 2009, Server 2003, XP
2347f5b1c8a1SJohn Marino
2348f5b1c8a1SJohn Marino	* Protocol parsing conversions to BoringSSL's CRYPTO ByteString (CBS) API
2349f5b1c8a1SJohn Marino
2350f5b1c8a1SJohn Marino	* Added EC_curve_nid2nist and EC_curve_nist2nid from OpenSSL
2351f5b1c8a1SJohn Marino
2352f5b1c8a1SJohn Marino	* Removed Dynamic Engine support
2353f5b1c8a1SJohn Marino
2354f5b1c8a1SJohn Marino	* Removed unused and obsolete MDC-2DES cipher
2355f5b1c8a1SJohn Marino
2356f5b1c8a1SJohn Marino	* Removed workarounds for obsolete SSL implementations
2357f5b1c8a1SJohn Marino
2358f5b1c8a1SJohn Marino2.2.0 - Build cleanups and new OS support, Security Updates
2359f5b1c8a1SJohn Marino
2360f5b1c8a1SJohn Marino	* AIX Support - thanks to Michael Felt
2361f5b1c8a1SJohn Marino
2362f5b1c8a1SJohn Marino	* Cygwin Support - thanks to Corinna Vinschen
2363f5b1c8a1SJohn Marino
2364f5b1c8a1SJohn Marino	* Refactored build macros, support packaging libtls independently.
2365f5b1c8a1SJohn Marino	  There are more pieces required to support building and using OpenSSL
2366f5b1c8a1SJohn Marino	  with libtls, but this is an initial start at providing an
2367f5b1c8a1SJohn Marino	  independent package for people to start hacking on.
2368f5b1c8a1SJohn Marino
2369f5b1c8a1SJohn Marino	* Removal of OPENSSL_issetugid and all library getenv calls.
2370f5b1c8a1SJohn Marino	  Applications can and should no longer rely on environment variables
2371f5b1c8a1SJohn Marino	  for changing library behavior. OPENSSL_CONF/SSLEAY_CONF is still
2372f5b1c8a1SJohn Marino	  supported with the openssl(1) command.
2373f5b1c8a1SJohn Marino
2374f5b1c8a1SJohn Marino	* libtls API and documentation additions
2375f5b1c8a1SJohn Marino
2376f5b1c8a1SJohn Marino	* Various bug fixes and simplifications to libssl and libcrypto
2377f5b1c8a1SJohn Marino
2378f5b1c8a1SJohn Marino	* Fixes for the following issues are integrated into LibreSSL 2.2.0:
2379f5b1c8a1SJohn Marino	 - CVE-2015-1788 - Malformed ECParameters causes infinite loop
2380f5b1c8a1SJohn Marino	 - CVE-2015-1789 - Exploitable out-of-bounds read in X509_cmp_time
2381f5b1c8a1SJohn Marino	 - CVE-2015-1792 - CMS verify infinite loop with unknown hash function
2382f5b1c8a1SJohn Marino
2383f5b1c8a1SJohn Marino	* The following CVEs did not apply to LibreSSL or were fixed in
2384f5b1c8a1SJohn Marino	  earlier releases:
2385f5b1c8a1SJohn Marino	 - CVE-2015-4000 - DHE man-in-the-middle protection (Logjam)
2386f5b1c8a1SJohn Marino	 - CVE-2015-1790 - PKCS7 crash with missing EnvelopedContent
2387f5b1c8a1SJohn Marino	 - CVE-2014-8176 - Invalid free in DTLS
2388f5b1c8a1SJohn Marino
2389f5b1c8a1SJohn Marino	* Fixes for the following CVEs are still in review for LibreSSL
2390f5b1c8a1SJohn Marino	 - CVE-2015-1791 - Race condition handling NewSessionTicket
2391f5b1c8a1SJohn Marino
2392f5b1c8a1SJohn Marino2.1.6 - Security update
2393f5b1c8a1SJohn Marino
2394f5b1c8a1SJohn Marino	* Fixes for the following issues are integrated into LibreSSL 2.1.6:
2395f5b1c8a1SJohn Marino	  - CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
2396f5b1c8a1SJohn Marino	  - CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
2397f5b1c8a1SJohn Marino	  - CVE-2015-0287 - ASN.1 structure reuse memory corruption
2398f5b1c8a1SJohn Marino	  - CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref
2399f5b1c8a1SJohn Marino	  - CVE-2015-0289 - PKCS7 NULL pointer dereferences
2400f5b1c8a1SJohn Marino
2401f5b1c8a1SJohn Marino	* The fix for CVE-2015-0207 - Segmentation fault in DTLSv1_listen
2402f5b1c8a1SJohn Marino	  is integrated for safety, but LibreSSL is not vulnerable.
2403f5b1c8a1SJohn Marino
2404f5b1c8a1SJohn Marino	* Libtls is now built by default. The --enable-libtls
2405f5b1c8a1SJohn Marino	  configuration option is no longer required.
2406f5b1c8a1SJohn Marino	  The libtls API is now stable for the 2.1.x series.
2407f5b1c8a1SJohn Marino
2408f5b1c8a1SJohn Marino2.1.5 - Bug fixes and a security update
2409f5b1c8a1SJohn Marino	* Fix incorrect comparison function in openssl(1) certhash command.
2410f5b1c8a1SJohn Marino	  Thanks to Christian Neukirchen / Void Linux.
2411f5b1c8a1SJohn Marino
2412f5b1c8a1SJohn Marino	* Windows port improvements and bug fixes.
2413f5b1c8a1SJohn Marino	  - Removed a dependency on libgcc in 32-bit dynamic libraries.
2414f5b1c8a1SJohn Marino	  - Correct a hang in openssl(1) reading from stdin on an connection.
2415f5b1c8a1SJohn Marino	  - Initialize winsock in openssl(1) earlier, allow 'openssl ocsp' and
2416f5b1c8a1SJohn Marino	    any other network-related commands to function properly.
2417f5b1c8a1SJohn Marino
2418f5b1c8a1SJohn Marino	* Reject all server DH keys smaller than 1024 bits.
2419f5b1c8a1SJohn Marino
2.1.4 - Security and feature updates
	* Improvements to libtls:
	  - a new API for loading CA chains directly from memory instead of a
	    file, allowing verification with privilege separation in a chroot
	    without direct access to CA certificate files.

	  - Ciphers default to TLSv1.2 with AEAD and PFS.

	  - Improved error handling and message generation

	  - New APIs and improved documentation

	* Added X509_STORE_load_mem API for loading certificates from memory.
	  This facilitates accessing certificates from a chrooted environment.

	* New AEAD "MAC alias" allows configuring TLSv1.2 AEAD ciphers by
	  using 'TLSv1.2+AEAD' as the cipher selection string.

	* Dead and disabled code removal including MD5, Netscape workarounds,
	  non-POSIX IO, SCTP, RFC 3779 support, many #if 0 sections, and more.

	* ASN1 macro maze expanded to aid reading and searching the code.

	* NULL pointer asserts removed in favor of letting the OS/signal
	  handler catch them.

	* Refactored argument handling in openssl(1) for consistency and
	  maintainability.

	* New openssl(1) command 'certhash' replaces the c_rehash script.

	* Support for building with OPENSSL_NO_DEPRECATED

	* Server-side support for TLS_FALLBACK_SCSV for compatibility with
	  various auditor and vulnerability scanners.

	* Dozens of issues found with the Coverity scanner fixed.

	* Security Updates:

	  - Fix a minor information leak that was introduced in t1_lib.c
	    r1.71, whereby an additional 28 bytes of .rodata (or .data) are
	    provided to the network. In most cases this is a non-issue since
	    the memory content is already public. Issue found and reported by
	    Felix Groebert of the Google Security Team.

	  - Fixes for the following low-severity issues were integrated into
	    LibreSSL from OpenSSL 1.0.1k:

	     CVE-2015-0205 - DH client certificates accepted without
	                     verification
	     CVE-2014-3570 - Bignum squaring may produce incorrect results
	     CVE-2014-8275 - Certificate fingerprints can be modified
	     CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client]
	     Reported by Karthikeyan Bhargavan of the PROSECCO team at INRIA.

	    The following CVEs were fixed in earlier LibreSSL releases:
	     CVE-2015-0206 - Memory leak handling repeated DTLS records
	     CVE-2014-3510 - Flaw handling DTLS anonymous EC(DH) ciphersuites.

	    The following CVEs did not apply to LibreSSL:
	     CVE-2014-3571 - DTLS segmentation fault in dtls1_get_record
	     CVE-2014-3569 - no-ssl3 configuration sets method to NULL
	     CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA

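The server-side TLS_FALLBACK_SCSV rule that the 2.1.4 entry above refers to is specified in RFC 7507: if a ClientHello carries the signalling suite 0x5600 and the version the client offered is lower than the best version the server supports, the server answers with a fatal inappropriate_fallback alert (86), which is exactly what the scanners mentioned above probe for. The following is an added illustration in C, not LibreSSL's own code; the function names and the two constructed cipher suite lists are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Wire values from RFC 7507 (SCSV, alert 86) and RFC 5246 (versions, alert 50). */
#define TLS_FALLBACK_SCSV            0x5600
#define TLS1_VERSION                 0x0301
#define TLS1_2_VERSION               0x0303
#define ALERT_DECODE_ERROR           50
#define ALERT_INAPPROPRIATE_FALLBACK 86

/* Scan a ClientHello cipher_suites list (concatenated big-endian uint16).
 * Returns 1 if TLS_FALLBACK_SCSV is present, 0 if absent, -1 if malformed. */
int clienthello_has_fallback_scsv(const uint8_t *suites, size_t len)
{
    size_t i;
    if (len % 2 != 0)               /* a suite is always two bytes */
        return -1;
    for (i = 0; i < len; i += 2) {
        uint16_t suite = (uint16_t)((suites[i] << 8) | suites[i + 1]);
        if (suite == TLS_FALLBACK_SCSV)
            return 1;
    }
    return 0;
}

/* Server-side decision: 0 = proceed with the handshake, otherwise the fatal
 * alert description the server must send (hypothetical helper). */
int fallback_scsv_check(uint16_t client_version, uint16_t server_max_version,
                        const uint8_t *suites, size_t len)
{
    int has = clienthello_has_fallback_scsv(suites, len);
    if (has < 0)
        return ALERT_DECODE_ERROR;
    /* The SCSV only matters when the client retried at a lower version
     * than this server would have negotiated on a clean attempt. */
    if (has == 1 && client_version < server_max_version)
        return ALERT_INAPPROPRIATE_FALLBACK;
    return 0;
}

/* Constructed sample lists (not from a real capture):
 * TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (c02f), TLS_RSA_WITH_AES_128_GCM_SHA256
 * (009c), optionally followed by TLS_FALLBACK_SCSV (5600). */
static const uint8_t kSuitesWithScsv[] = { 0xc0, 0x2f, 0x00, 0x9c, 0x56, 0x00 };
static const uint8_t kSuitesPlain[]    = { 0xc0, 0x2f, 0x00, 0x9c };

int main(void)
{
    printf("TLS1.0 hello + SCSV on a TLS1.2 server -> alert %d\n",
           fallback_scsv_check(TLS1_VERSION, TLS1_2_VERSION,
                               kSuitesWithScsv, sizeof kSuitesWithScsv));
    printf("TLS1.2 hello + SCSV on a TLS1.2 server -> %d (proceed)\n",
           fallback_scsv_check(TLS1_2_VERSION, TLS1_2_VERSION,
                               kSuitesWithScsv, sizeof kSuitesWithScsv));
    printf("TLS1.0 hello without SCSV              -> %d (proceed)\n",
           fallback_scsv_check(TLS1_VERSION, TLS1_2_VERSION,
                               kSuitesPlain, sizeof kSuitesPlain));
    return 0;
}
```

The comparison is against the server's own maximum, not against some fixed version: a server that only speaks TLS 1.0 must still accept a TLS 1.0 ClientHello carrying the SCSV, otherwise legitimate clients would be locked out.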
2.1.3 - Security update and OS support improvements
	* Fixed various memory leaks in DTLS, including fixes for
	  CVE-2015-0206.

	* Added Application-Layer Protocol Negotiation (ALPN) support.

	* Removed GOST R 34.10-94 signature authentication.

	* Removed nonfunctional Netscape browser-hang workaround code.

	* Simplified and refactored SSL/DTLS handshake code.

	* Added SHA256 Camellia cipher suites for TLS 1.2 from RFC 5932.

	* Hide timing info about padding errors during handshakes.

	* Improved libtls support for non-blocking sockets, added randomized
	  session ID contexts. Work is ongoing with this library - feedback
	  and potential use-cases are welcome.

	* Support building Windows DLLs.
	  Thanks to Jan Engelhard.

	* Packaged config wrapper for better compatibility with OpenSSL-based
	  build systems.
	  Thanks to @technion from github

	* Ensure the stack is marked non-executable for assembly sections.
	  Thanks to Anthony G. Bastile.

	* Enable extra compiler hardening flags by default, where applicable.
	  The default set of hardening features can vary from OS to OS, so
	  feedback is welcome on this. To disable the default hardening flags,
	  specify '--disable-hardening' during configure.
	  Thanks to Jim Barlow

	* Initial HP-UX support, tested with HP-UX 11.31 ia64
	  Thanks to Kinichiro Inoguchi

	* Initial NetBSD support, tested with NetBSD 6.1.5 x86_64
	  Imported from OpenNTPD, thanks to @gitisihara from github

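The 2.1.3 entry "Hide timing info about padding errors during handshakes" is about the general countermeasure described in RFC 5246 section 7.4.7.1: when the RSA-encrypted pre-master secret fails to unpad, or carries the wrong client version, a server must not abort early or branch on the result, but should silently continue with a random pre-master secret so the failure is only visible later as an ordinary MAC error. Below is an added C illustration of that selection step, written for this page and not taken from LibreSSL; the function names, the 48-byte sample values and the emulated `pad_ok` flag are assumptions for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PREMASTER_LEN 48   /* RSA pre-master secret length, RFC 5246 */

/* 0xff when a == b, 0x00 otherwise, with no data-dependent branch. */
static uint8_t ct_eq_u8(uint8_t a, uint8_t b)
{
    uint32_t x = (uint32_t)(a ^ b);          /* zero iff equal */
    return (uint8_t)((x - 1u) >> 8);         /* borrows into bit 8 only for x == 0 */
}

/* out[i] = mask ? a[i] : b[i], doing identical work for every byte. */
static void ct_select(uint8_t *out, uint8_t mask, const uint8_t *a,
                      const uint8_t *b, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        out[i] = (uint8_t)((a[i] & mask) | (b[i] & (uint8_t)~mask));
}

/* Pick the pre-master secret the handshake continues with.
 * decrypted:  48 bytes produced by PKCS#1 v1.5 unpadding (garbage on failure)
 * pad_ok:     1 if the unpadding routine reported success, else 0
 * random_pms: fresh random bytes generated before decryption started
 * A padding failure or a wrong embedded client version both select the
 * random value; the caller never learns which, so it cannot leak it. */
void handshake_choose_premaster(uint8_t out[PREMASTER_LEN],
                                const uint8_t decrypted[PREMASTER_LEN],
                                int pad_ok, uint16_t expected_client_version,
                                const uint8_t random_pms[PREMASTER_LEN])
{
    uint8_t mask = (uint8_t)(0 - (uint8_t)(pad_ok & 1));   /* 0xff if ok */
    /* RFC 5246 7.4.7.1: first two bytes must be the client's offered version */
    mask &= ct_eq_u8(decrypted[0], (uint8_t)(expected_client_version >> 8));
    mask &= ct_eq_u8(decrypted[1], (uint8_t)(expected_client_version & 0xff));
    ct_select(out, mask, decrypted, random_pms, PREMASTER_LEN);
}

/* Constructed sample values (not real handshake data); the decrypted secret
 * starts with the client version, here TLS 1.2 (0x0303). Unlisted bytes are 0. */
static const uint8_t kDecrypted[PREMASTER_LEN] = { 0x03, 0x03, 0xa1, 0xb2, 0xc3 };
static const uint8_t kRandomPms[PREMASTER_LEN] = { 0x5a, 0xa5, 0x11, 0x22, 0x33 };

/* 1 = real secret chosen, 2 = random fallback chosen, 0 = neither (a bug). */
int demo_select(int pad_ok, uint16_t client_version)
{
    uint8_t out[PREMASTER_LEN];
    handshake_choose_premaster(out, kDecrypted, pad_ok, client_version, kRandomPms);
    if (memcmp(out, kDecrypted, PREMASTER_LEN) == 0)
        return 1;
    if (memcmp(out, kRandomPms, PREMASTER_LEN) == 0)
        return 2;
    return 0;
}

int main(void)
{
    printf("good padding, version 0x0303: %d (1 = real secret)\n", demo_select(1, 0x0303));
    printf("bad padding:                  %d (2 = random fallback)\n", demo_select(0, 0x0303));
    printf("version mismatch, 0x0301:     %d (2 = random fallback)\n", demo_select(1, 0x0301));
    return 0;
}
```

The point of the mask-and-select shape is that the code path, memory accesses and amount of work are the same whether the padding was good or bad; the only thing that differs is which bytes end up in `out`, and that difference first surfaces as a Finished-message MAC mismatch that looks the same from the network as any other corrupted handshake.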
2.1.2 - Many new features and improvements
	* Added reworked GOST cipher suite support
	   thanks to Dmitry Eremin-Solenikov

	* Enabled Camellia ciphers due to improved patent situation

	* Use builtin arc4random implementation on OS X and FreeBSD
	   this addresses some deficiencies in the native implementations of
	   these operating systems, see commit logs for more information

	* Added initial Windows mingw-w64 support (32 and 64-bit)
	   thanks to Song Dongsheng and others for code and feedback

	* Enabled assembly optimizations on x86_64 CPUs
	   supports Linux, *BSD, Solaris and OS X operating systems
	   thanks to Wouter Clarie for the initial implementation

	* Added no_ssl3/no_tls1_1/no_tls1_2 options to openssl(1)

	* Improved build infrastructure, 'make distcheck' now passes
	   this simplifies the release process and speeds up development
	   thanks to Dmitry Eremin-Solenikov and Wouter Clarie

	* Allow conditional building of the libtls library
	   expect the API and ABI of the library to change
	   feedback is welcome

	* Fixes for more memory leaks, cleanups, etc.

2.1.1 - Security update
	* Address POODLE attack by disabling SSLv3 by default

	* Fix Elliptic Curve cipher selection bug
	  (https://github.com/libressl-portable/portable/issues/35)

2.1.0 - First release from the OpenBSD 5.7 tree
	* Added support for automatic ephemeral EC keys

	* Fixes for many memory leaks and overflows in error handlers

	* The TLS padding extension (that works around bugs in F5 terminators) is
	  off by default

	* support for getrandom(2) on Linux 3.17

	* the NO_ASM macro is no longer being set, providing the first bits toward
	  enabling other assembly offloads.

2.0.5 - Fixes for CVEs from OpenSSL 1.0.1i
	* CVE-2014-3506
	* CVE-2014-3507
	* CVE-2014-3508 (partially vulnerable)
	* CVE-2014-3509
	* CVE-2014-3510
	* CVE-2014-3511
	* Synced LibreSSL Portable with the release version of OpenBSD 5.6

2.0.4 - Portability fixes, deleted unused SRP code

2.0.3 - Portability fixes, improvements to fork detection

2.0.2 - Address arc4random fork PID wraparound issues with pthread_atfork

2.0.1 - Portability fixes:
	* Removed -Werror and other non-portable compiler flags

	* Allow setting OPENSSLDIR and ENGINSDIR

2.0.0 - First release from the OpenBSD 5.6 tree
	* Removal of many obsolete features and coding conventions from the OpenSSL
	  1.0.1h source

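The 2.0.2 and 2.0.3 entries concern fork detection in a userspace random number generator: if a process forks after seeding and only compares getpid() to the PID recorded at seed time, a reused PID (wraparound) can make the child look like the original process, and parent and child then emit the same "random" stream. A pthread_atfork child handler runs in every child regardless of the PID it was assigned, so it can mark the state stale unconditionally. The following added C demonstration, written for this page and not taken from LibreSSL's arc4random, shows the two behaviours side by side with a toy xorshift generator; the struct, the function names, the use of /dev/urandom and the pipe-based comparison are all assumptions for the example (on older glibc, link with -pthread).

```c
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Toy xorshift64* generator standing in for a CSPRNG's keystream state.
 * Hypothetical demo code; not arc4random's real implementation. */
struct toy_rng {
    uint64_t state;
    volatile int needs_reseed;
};

static struct toy_rng naive_rng = { 0, 1 };
static struct toy_rng safe_rng  = { 0, 1 };

/* Reseed from the kernel; assumption: /dev/urandom is readable. The pid/time
 * mix only keeps the demonstration meaningful if it is not. */
static void rng_reseed(struct toy_rng *r)
{
    uint64_t seed = 0;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f != NULL) {
        if (fread(&seed, sizeof seed, 1, f) != 1)
            seed = 0;
        fclose(f);
    }
    seed ^= (uint64_t)getpid() << 32;
    seed ^= (uint64_t)time(NULL);
    if (seed == 0)
        seed = 0x9e3779b97f4a7c15ULL;   /* xorshift must never start at 0 */
    r->state = seed;
    r->needs_reseed = 0;
}

static uint64_t rng_next(struct toy_rng *r)
{
    if (r->needs_reseed)
        rng_reseed(r);
    r->state ^= r->state >> 12;
    r->state ^= r->state << 25;
    r->state ^= r->state >> 27;
    return r->state * 0x2545F4914F6CDD1DULL;
}

/* Naive generator: nothing ever tells it that a fork happened. */
uint64_t rng_next_naive(void) { return rng_next(&naive_rng); }

/* Fork-aware generator: the child handler is invoked in every child process
 * whatever PID it received, so inherited state is always flagged as stale. */
static void safe_rng_child(void) { safe_rng.needs_reseed = 1; }

uint64_t rng_next_forksafe(void)
{
    static int registered = 0;
    if (!registered) {
        pthread_atfork(NULL, NULL, safe_rng_child);
        registered = 1;
    }
    return rng_next(&safe_rng);
}

/* Seed, fork, draw one value on each side: 1 if they differ, 0 if equal, -1 on error. */
static int fork_and_compare(uint64_t (*next)(void))
{
    int fds[2];
    uint64_t child_val = 0, parent_val;
    pid_t pid;

    (void)next();                       /* make sure seeding happened before the fork */
    if (pipe(fds) != 0)
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        uint64_t v = next();
        if (write(fds[1], &v, sizeof v) != (ssize_t)sizeof v)
            _exit(1);
        _exit(0);
    }
    close(fds[1]);
    if (read(fds[0], &child_val, sizeof child_val) != (ssize_t)sizeof child_val)
        child_val = 0;
    close(fds[0]);
    waitpid(pid, NULL, 0);
    parent_val = next();
    return parent_val != child_val;
}

int demo_naive_duplicates(void)  { return fork_and_compare(rng_next_naive) == 0; }
int demo_forksafe_diverges(void) { return fork_and_compare(rng_next_forksafe) == 1; }

int main(void)
{
    printf("naive:  parent and child repeat the same output: %s\n",
           demo_naive_duplicates() ? "yes" : "no");
    printf("atfork: child reseeds and diverges from parent:  %s\n",
           demo_forksafe_diverges() ? "yes" : "no");
    return 0;
}
```

In the naive case the two processes continue the same keystream, which in a TLS library would mean duplicated nonces or session keys across forked workers; the atfork variant pays one reseed per child and nothing else. A PID comparison can be kept as a cheap secondary check, but the handler is what makes the detection independent of PID reuse.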