xref: /dragonfly/crypto/libressl/ChangeLog (revision 2eb7d3b8)
Because this project is maintained both in the OpenBSD tree using CVS and in
Git, it can be confusing to follow all of the changes.

Most of the libssl and libcrypto source code is here in OpenBSD CVS:

	http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/

Some of the libcrypto and OS-compatibility files for entropy and random number
generation are here:

	http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libcrypto/

A simplified TLS wrapper library is here:

	http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libtls/

The LibreSSL Portable project copies these portions of the OpenBSD tree, along
with relevant portions of the C library, to a Git repository. This makes it
easier to follow all of the relevant changes to the upstream project in a
single place:

	https://github.com/libressl-portable/openbsd

The portable bits of the project are largely maintained out-of-tree, and their
history is also available from Git.

	https://github.com/libressl-portable/portable

LibreSSL Portable Release Notes:

3.2.4 - Bug and interoperability fixes

	* Switch back to certificate verification code from LibreSSL 3.1.x. The
	  new verifier is not bug-compatible with the old verifier, causing issues
	  with applications expecting the behavior of the old verifier.

	* Unbreak DTLS retransmissions for flights that include a CCS

	* Only check BIO_should_read() on read and BIO_should_write() on write

	* Implement autochain for the TLSv1.3 server

	* Use the legacy verifier for autochain

	* Implement exporter for TLSv1.3

	* Free alert_data and phh_data in tls13_record_layer_free()

	* Plug leak in x509_verify_chain_dup()

	* Free the policy tree in x509_vfy_check_policy()

3.2.3 - Security fix

	* Malformed ASN.1 in a certificate revocation list or a timestamp
	  response token can lead to a NULL pointer dereference.

3.2.2 - Stable release

	* This is the first stable release with the new TLSv1.3
	  implementation enabled by default for both client and server. The
	  OpenSSL 1.1 TLSv1.3 API is not yet available and will be provided
	  in an upcoming release.

	* New X509 certificate chain validator that correctly handles
	  multiple paths through intermediate certificates. Loosely based on
	  Go's X509 validator.

	* New name constraints verification implementation which passes the
	  bettertls.com certificate validation check suite.

	* Improve the handling of BIO_read()/BIO_write() failures in the
	  TLSv1.3 stack.

	* Start replacing the existing TLSv1.2 record layer.

	* Define OPENSSL_NO_SSL_TRACE in opensslfeatures.h.

	* Make SSL_CTX_get_ciphers(NULL) return NULL rather than crash.

	* Send alert on ssl_get_prev_session() failure.

	* Zero out variable on the stack to avoid leaving garbage in the tail
	  of short session IDs.

	* Move state initialization from SSL_clear() to ssl3_clear() to ensure
	  that it gets correctly reinitialized across a SSL_set_ssl_method()
	  call.

	* Avoid an out-of-bounds write in BN_rand().

	* Fix numerous leaks in the UI_dup_* functions. Simplify and tidy up
	  the code in ui_lib.c.

	* Correctly track selected ALPN length to avoid a potential segmentation
	  fault with SSL_get0_alpn_selected() when alpn_selected is NULL.

	* Include machine/endian.h in gost2814789.c in order to pick up the
	  __STRICT_ALIGNMENT define.

	* Simplify SSL method lookups.

	* Clean up and simplify SSL_get_ciphers(), SSL_set_session(),
	  SSL_set_ssl_method() and several internal functions.

	* Correctly handle ssl_cert_dup() failure in SSL_set_SSL_CTX().

	* Refactor dtls1_new(), dtls1_hm_fragment_new(),
	  dtls1_drain_fragments(), dtls1_clear_queues().

	* Copy the session ID directly in ssl_get_prev_session() instead of
	  handing it through several functions for copying.

	* Clean up and refactor ssl_get_prev_session(); simplify
	  tls_decrypt_ticket() and tls1_process_ticket() exit paths.

	* Avoid memset() before memcpy() in CBS_add_bytes().

	* Rewrite X509_INFO_{new,free}() more idiomatically.

	* Remove unnecessary zeroing after recallocarray() in
	  ASN1_BIT_STRING_set_bit().

	* Convert openssl(1) ocsp to the new option handling.

	* Document SSL_set1_host(3), SSL_set_SSL_CTX(3).

	* Document return value from EC_KEY_get0_public_key(3).

	* Greatly expanded test coverage via the tlsfuzzer test scripts.

	* Expanded test coverage via the bettertls certificate test suite.

	* Test interoperability with the Botan TLS client.

	* Make pthread_mutex static initialisation work on Windows.

	* Get __STRICT_ALIGNMENT from machine/endian.h with portable build.

3.2.1 - Development release

	* Propagate alerts from the read half of the TLSv1.3 record layer to I/O
	  functions.

	* Send a record overflow alert for TLSv1.3 messages having overlong
	  plaintext or inner plaintext.

	* Send an illegal parameter alert if a client sends an invalid DH key
	  share.

	* Document PKCS7_final(3), PKCS7_add_attribute(3).

	* Collapse x509v3 directory into x509.

	* Improve TLSv1.3 client certificate selection to allow EC certificates
	  instead of only RSA certificates.

	* Fail on receiving an invalid NID in X509_ATTRIBUTE_create() instead
	  of constructing a broken object that may cause NULL pointer accesses.

	* Add support for additional GOST curves from RFC 7836 and
	  draft-deremin-rfc4491-bis.

	* Add OIDs for HMAC using the Streebog hash function.

	* Allow GOST R 34.11-2012 in PBE/PBKDF2/PKCS#5.

	* Enable GOST_SIG_FORMAT_RS_LE when verifying certificate signatures.

	* Handle GOST in ssl_cert_dup().

	* Stop sending GOST R 34.10-94 as a CertificateType.

	* Use IANA allocated GOST ClientCertificateTypes.

	* Add a custom copy handler for AES keywrap to fix a use-after-free.

	* Enforce in the TLSv1.3 server that ClientHello messages after
	  a HelloRetryRequest match the original ClientHello as per RFC 8446
	  section 4.1.2.

	* Document more PKCS7 attribute functions.

	* Document PKCS7_get_signer_info(3).

	* Document PEM_ASN1_read(3) and PEM_ASN1_read_bio(3).

	* Document PEM_def_callback(3).

	* Document EVP_read_pw_string_min(3).

	* Merge documentation of X509_get0_serialNumber from OpenSSL 1.1.1.

	* Document error handling of X509_PUBKEY_get0(3) and X509_PUBKEY_get(3).

	* Document X509_get0_pubkey_bitstr(3).

	* Fix an off-by-one in the CBC padding removal. From BoringSSL.

	* Enforce restrictions on extensions present in the ClientHello as per
	  RFC 8446, section 9.2.

	* Add new CMAC_Init(3) and ChaCha(3) manual pages.

	* Fix SSL_shutdown behavior to match the legacy stack.  The previous
	  behavior could cause a hang.

	* Add initial support for openbsd/powerpc64.

	* Make the message type available in the internal TLS extensions API
	  functions.

	* Enable TLSv1.3 for the generic TLS_method().

	* Convert openssl(1) s_client option handling.

	* Document openssl(1) certhash.

	* Convert openssl(1) verify option handling.

	* Fix a longstanding bug in PEM_X509_INFO_read_bio(3) that could cause
	  use-after-free and double-free issues in calling programs.

	* Document PEM_X509_INFO_read(3) and PEM_X509_INFO_read_bio(3).

	* Handle SSL_MODE_AUTO_RETRY being changed during a TLSv1.3 session.

	* Convert openssl(1) s_server option handling.

	* Add minimal info callback support for TLSv1.3.

	* Refactor, clean up and simplify some SSL3/DTLS1 record writing code.

	* Correctly handle server requests for an OCSP response.

	* Add the P-521 curve to the list of curves supported by default
	  in the client.

	* Convert openssl(1) req option handling.

	* Avoid calling freezero with a negative size if a server sends a
	  malformed plaintext of all zeroes.

	* Send an unexpected message alert if no valid content type is found
	  in a TLSv1.3 record.
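
Two items in this release describe the same hazard from different record
layers: a length taken from padding and trusted before it has been checked
against the record. The C below is an added example written for this page,
not LibreSSL code, and uses constructed records rather than captured traffic.
It shows a constant-time CBC padding check that gets the
mac_len + padding_len + 1 boundary right (the off-by-one fixed above), and a
TLSv1.3 inner-plaintext scan that reports an all-zero record as having no
content type at all instead of producing the negative length that reached
freezero(). The ct_* helpers and the record contents are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constant-time masks over size_t (all ones or all zeros), no data-dependent
 * branches: the same idea as the library's constant_time_* helpers. */
static size_t ct_msb(size_t x) { return 0 - (x >> (sizeof(size_t) * 8 - 1)); }
static size_t ct_lt(size_t a, size_t b) { return ct_msb(a ^ ((a ^ b) | ((a - b) ^ b))); }
static size_t ct_ge(size_t a, size_t b) { return ~ct_lt(a, b); }
static size_t ct_eq(size_t a, size_t b) { size_t x = a ^ b; return ct_msb(~x & (x - 1)); }

/* TLSv1.2 CBC record after decryption: data || MAC || padding || padding_len.
 * Returns 1 and the length of data||MAC in *out_len if the padding is well
 * formed, else 0. Only the public record length decides how much work is done;
 * padding_len and the padding bytes are touched only through masks, so a
 * padding oracle does not show up as a timing difference. */
static int
cbc_remove_padding(const uint8_t *rec, size_t len, size_t mac_len, size_t *out_len)
{
	size_t padding_len, good, to_check, i;

	if (len < mac_len + 1)			/* both lengths are public */
		return 0;
	padding_len = rec[len - 1];
	/* The check that was off by one: padding, its length byte and the MAC
	 * must all fit, and len == mac_len + padding_len + 1 (no data) is still
	 * valid. A '>' where '>=' belongs lets padding_len reach into the MAC. */
	good = ct_ge(len, mac_len + padding_len + 1);
	/* Scan a fixed number of trailing bytes (padding is at most 255 + 1),
	 * so the loop count never depends on the secret padding_len. */
	to_check = len < 256 ? len : 256;
	for (i = 0; i < to_check; i++) {
		size_t in_pad = ct_lt(i, padding_len + 1);	/* i <= padding_len */
		good &= ~in_pad | ct_eq(rec[len - 1 - i], padding_len);
	}
	*out_len = (len - padding_len - 1) & good;	/* may wrap; masked to 0 */
	return (int)(good & 1);
}

/* TLSv1.3 inner plaintext: content || content_type || zero padding. Walk back
 * over the zeros; the first non-zero byte is the type. All zeros means there is
 * no content type at all: return -1 so the caller sends unexpected_message
 * rather than computing a "-1" length and handing it to freezero(). */
static int
tls13_strip_inner_plaintext(const uint8_t *in, size_t len, size_t *content_len)
{
	size_t i = len;

	while (i > 0) {
		i--;
		if (in[i] != 0) {
			*content_len = i;
			return in[i];
		}
	}
	return -1;
}

/* Constructed records, not captured traffic; a 4-byte MAC keeps them short. */
static const uint8_t rec_ok[]     = { 'h','i', 'M','M','M','M', 3,3,3,3 };	/* data, MAC, 3 pad, len */
static const uint8_t rec_empty[]  = { 'M','M','M','M', 3,3,3,3 };		/* len == mac + pad + 1 */
static const uint8_t rec_long[]   = { 'M','M','M','M', 4,4,4,4 };		/* claims 5 bytes after MAC */
static const uint8_t rec_badpad[] = { 'h','i', 'M','M','M','M', 3,2,3,3 };	/* one pad byte wrong */
static const uint8_t inner_app[]  = { 'G','E','T', 0x17, 0, 0, 0 };		/* application_data + zeros */
static const uint8_t inner_zero[] = { 0, 0, 0, 0 };				/* malformed: no content type */

/* Single-value wrappers: stripped length or -1; content type or length, or -1. */
static long
cbc_demo(const uint8_t *rec, size_t len, size_t mac_len)
{
	size_t out_len;
	return cbc_remove_padding(rec, len, mac_len, &out_len) ? (long)out_len : -1;
}

static int
tls13_content_type(const uint8_t *in, size_t len)
{
	size_t n;
	return tls13_strip_inner_plaintext(in, len, &n);
}

static long
tls13_content_length(const uint8_t *in, size_t len)
{
	size_t n;
	return tls13_strip_inner_plaintext(in, len, &n) < 0 ? -1 : (long)n;
}

int
main(void)
{
	printf("cbc: ok=%ld empty=%ld overlong=%ld badpad=%ld\n",
	    cbc_demo(rec_ok, sizeof(rec_ok), 4), cbc_demo(rec_empty, sizeof(rec_empty), 4),
	    cbc_demo(rec_long, sizeof(rec_long), 4), cbc_demo(rec_badpad, sizeof(rec_badpad), 4));
	printf("tls13: app type=0x%02x len=%ld, all-zero type=%d\n",
	    tls13_content_type(inner_app, sizeof(inner_app)),
	    tls13_content_length(inner_app, sizeof(inner_app)),
	    tls13_content_type(inner_zero, sizeof(inner_zero)));
	return 0;
}
```

rec_long is the interesting case: its padding_len byte says 4, so 5 bytes
(padding plus the length byte) must follow the MAC, but only 4 do. A check
written with '>' instead of '>=' accepts it and then computes a data||MAC
length shorter than the MAC itself.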

3.2.0 - Development release

	* Enable TLS 1.3 server side in addition to client by default.
	  With this change TLS 1.3 is handled entirely on the new stack
	  and state machine, with fallback to the legacy stack and
	  state machine for older versions. Note that the OpenSSL TLS 1.3
	  API is not yet visible/available.

	* Improve length checks in the TLS 1.3 record layer and provide
	  appropriate alerts for violations of record layer limits.

	* Enforce that SNI hostnames received by the TLS server are correctly
	  formed as per RFC 5890 and RFC 6066, responding with illegal parameter
	  for a nonconformant host name.

	* Support SSL_MODE_AUTO_RETRY in TLS 1.3 to allow the automatic
	  retry of handshake messages.

	* Modify I/O behavior so that SSL_MODE_AUTO_RETRY is the default
	  similar to new OpenSSL releases.

	* Modify openssl(1) to clear SSL_MODE_AUTO_RETRY appropriately in
	  various commands.

	* Add tlsfuzzer based regression tests.

	* Support sending certificate status requests from the TLS 1.3
	  client to request OCSP staples for leaf certificates.

	* Support sending certificate status replies from the TLS 1.3 server
	  in order to send OCSP staples for leaf certificates.

	* Send correct alerts when handling failed key share extensions
	  on the TLS 1.3 server.

	* Various compatibility fixes for TLS 1.3 to 1.2 fallback for
	  switching from the new to legacy stacks.

	* Support TLS 1.3 options in the openssl(1) command.

	* Many alert cleanups in TLS 1.3 to provide expected alerts in failure
	  conditions.

	* Modify "openssl x509" to display invalid certificate times as
	  invalid, and correctly deal with the failing return case from
	  X509_cmp_time so that a certificate with an invalid NotAfter does
	  not appear valid.

	* Support sending dummy change_cipher_spec records for TLS 1.3 middlebox
	  compatibility.

	* Ensure only PSS signatures are used with RSA in TLS 1.3.

	* Ensure that TLS 1.3 clients advertise exactly the "null" compression
	  method in their legacy_compression_methods.

	* Correct the use of sockaddr_storage instead of sockaddr in openssl(1)
	  s_client; the smaller struct could lead to 14 bytes of stack garbage
	  being used instead of an IPv6 address in DTLS mode.

	* Use non-expired certificates first when building a certificate chain.
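
The SNI check above (RFC 5890 label syntax, RFC 6066 HostName rules) and the
2.6.0 item further down that lets libtls tolerate non-compliant clients
sending IP literals come down to one classification step. The C below is an
added example for this page, not the tlsext code in libssl or libtls: it
takes the HostName as the length-prefixed byte string the extension actually
carries, reports an IP literal separately so the server can choose between an
illegal_parameter alert and tolerance, and rejects everything else that is not
a fully qualified LDH hostname. The 255-byte ceiling is the RFC 6066 host_name
limit; the names in main() are made up for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>

enum sni_result { SNI_VALID = 0, SNI_IP_LITERAL = 1, SNI_INVALID = 2 };

#define SNI_MAX_HOSTNAME 255		/* RFC 6066 host_name ceiling */

static int
is_ldh(unsigned char c)
{
	return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
	    (c >= '0' && c <= '9') || c == '-';
}

/* RFC 5890 LDH label: 1..63 octets of letters, digits and hyphen, with no
 * leading or trailing hyphen. IDNA A-labels ("xn--...") are LDH labels. */
static int
label_is_valid(const char *label, size_t len)
{
	size_t i;
	if (len == 0 || len > 63 || label[0] == '-' || label[len - 1] == '-')
		return 0;
	for (i = 0; i < len; i++)
		if (!is_ldh((unsigned char)label[i]))
			return 0;
	return 1;
}

static int
is_ip_literal(const char *s)
{
	unsigned char buf[16];
	return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}

/* Classify a server_name HostName as it arrives: a length-prefixed byte
 * string, so (p, len) rather than a NUL-terminated C string. Empty, over-long,
 * embedded NUL, trailing dot (RFC 6066 forbids it) or any non-LDH label is
 * SNI_INVALID. IP literals are RFC 6066 violations too, but are reported on
 * their own so the caller can choose between illegal_parameter and tolerance. */
static enum sni_result
sni_classify(const uint8_t *p, size_t len)
{
	char name[SNI_MAX_HOSTNAME + 1];
	size_t start = 0, i;
	if (len == 0 || len > SNI_MAX_HOSTNAME || memchr(p, 0, len) != NULL)
		return SNI_INVALID;
	memcpy(name, p, len);
	name[len] = '\0';
	if (is_ip_literal(name))
		return SNI_IP_LITERAL;
	if (name[len - 1] == '.')
		return SNI_INVALID;
	for (i = 0; i <= len; i++) {
		if (i == len || name[i] == '.') {
			if (!label_is_valid(name + start, i - start))
				return SNI_INVALID;
			start = i + 1;
		}
	}
	return SNI_VALID;
}

/* For C-string inputs; a real caller has (p, len) straight from the parser. */
static enum sni_result
sni_classify_str(const char *s)
{
	return sni_classify((const uint8_t *)s, strlen(s));
}

/* Length-rule probe: one label of n 'a's followed by ".test". */
static enum sni_result
sni_demo_label_len(size_t n)
{
	uint8_t buf[SNI_MAX_HOSTNAME + 16];
	if (n + 5 > sizeof(buf))
		return SNI_INVALID;
	memset(buf, 'a', n);
	memcpy(buf + n, ".test", 5);
	return sni_classify(buf, n + 5);
}

/* Constructed input with an embedded NUL that strlen() would hide. */
static const uint8_t sni_with_nul[] = { 'a', 0, 'b', '.', 't', 'e', 's', 't' };

int
main(void)
{
	static const char *names[] = { "www.example.com", "xn--nxasmq6b.example",
	    "192.0.2.10", "2001:db8::1", "example.com.", "-bad.example.com",
	    "bad_host.example.com", "" };
	static const char *verdict[] = { "valid", "ip-literal", "invalid" };
	size_t i;
	for (i = 0; i < sizeof(names) / sizeof(names[0]); i++)
		printf("%-22s %s\n", names[i], verdict[sni_classify_str(names[i])]);
	printf("embedded NUL: %s, 63-char label: %s, 64-char label: %s\n",
	    verdict[sni_classify(sni_with_nul, sizeof(sni_with_nul))],
	    verdict[sni_demo_label_len(63)], verdict[sni_demo_label_len(64)]);
	return 0;
}
```

A strict server maps SNI_INVALID and SNI_IP_LITERAL to illegal_parameter; a
server that wants the 2.6.0 behaviour accepts SNI_IP_LITERAL and simply skips
name-based certificate selection for it.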

3.1.4 - Interoperability and bug fixes for the TLSv1.3 client:

	* Improve client certificate selection to allow EC certificates
	  instead of only RSA certificates.

	* Do not error out if a TLSv1.3 server requests an OCSP response as
	  part of a certificate request.

	* Fix SSL_shutdown behavior to match the legacy stack.  The previous
	  behavior could cause a hang.

	* Fix a memory leak and add a missing error check in the handling of
	  the key update message.

	* Fix a memory leak in tls13_record_layer_set_traffic_key.

	* Avoid calling freezero with a negative size if a server sends a
	  malformed plaintext of all zeroes.

	* Ensure that only PSS may be used with RSA in TLSv1.3 in order
	  to avoid using PKCS1-based signatures.

	* Add the P-521 curve to the list of curves supported by default
	  in the client.

3.1.3 - Bug fix

	* libcrypto may fail to build a valid certificate chain due to
	  expired untrusted issuer certificates.

3.1.2 - Bug fix

	* A TLS client with peer verification disabled may crash when
	  contacting a server that sends an empty certificate list.

3.1.1 - Stable release

	* Improved cipher suite handling to automatically include TLSv1.3
	  cipher suites when they are not explicitly referred to in the
	  cipher string.

	* Improved handling of TLSv1.3 HelloRetryRequests, simplifying
	  state transitions and ensuring that the legacy session identifier
	  retains the same value across the handshake.

	* Provided TLSv1.3 cipher suite aliases to match the names used
	  in RFC 8446.

	* Improved TLSv1.3 client key share handling to allow the use of
	  any groups in our configured NID list.

	* Fixed printing the serialNumber with X509_print_ex(): fall back to
	  the colon-separated hex bytes when the value is larger than an int.

	* Fix to disallow setting the AES-GCM IV length to zero.

	* Added -groups option to openssl(1) s_server subcommand.

	* Fix to show TLSv1.3 extension types with openssl(1) -tlsextdebug.

	* Improved portable builds to support the use of static MSVC runtimes.

	* Fixed portable builds to avoid exporting a sleep() symbol.

3.1.0 - Development release

	* Completed initial TLS 1.3 implementation with a completely new state
	  machine and record layer. TLS 1.3 is now enabled by default for the
	  client side, with the server side to be enabled in a future release.
	  Note that the OpenSSL TLS 1.3 API is not yet visible/available.

	* Many more code cleanups, fixes, and improvements to memory handling
	  and protocol parsing.

	* Added RSA-PSS and RSA-OAEP methods from OpenSSL 1.1.1.

	* Ported Cryptographic Message Syntax (CMS) implementation from OpenSSL
	  1.1.1 and enabled by default.

	* Improved compatibility by backporting functionality and documentation
	  from OpenSSL 1.1.1.

	* Added many new additional crypto test vectors.

	* Adjusted EVP_chacha20()'s behavior to match OpenSSL's semantics.

	* Default CA bundle location is now configurable in portable builds.

	* Added cms subcommand to openssl(1).

	* Added -addext option to openssl(1) req subcommand.

3.0.2 - Stable release

	* Use a valid curve when constructing an EC_KEY that looks like X25519.
	  The recent EC group cofactor change results in stricter validation,
	  which causes the EC_GROUP_set_generator() call to fail.
	  Issue reported and fix tested by rsadowski@

	* Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
	  (Note that the CMS code is currently disabled.)
	  Port of Edlinger's fix for CVE-2019-1563 from OpenSSL 1.1.1 (old license).

	* Avoid a path traversal bug in s_server on Windows when run with the -WWW
	  or -HTTP options, due to incomplete path check logic.
	  Issue reported and fix tested by Jobert Abma

3.0.1 - Development release

	* Ported Billy Brumley's fix for CVE-2019-1547 in OpenSSL 1.1.1. If a NULL
	  or zero cofactor is passed to EC_GROUP_set_generator(), try to compute
	  it using Hasse's bound. This works as long as the cofactor is small
	  enough.

	* Fixed a memory leak in error paths for eckey_type2param().

	* Initial work on supporting Cryptographic Message Syntax (CMS) in
	  libcrypto (not enabled).

	* Various manual page improvements and additions.

	* Added a CMake check for an existing uninstall target, facilitating
	  embedding LibreSSL in larger CMake projects, from Matthew Albrecht.

3.0.0 - Development release

	* Completed the port of RSA_METHOD accessors from the OpenSSL 1.1 API.

	* Documented undescribed options and removed descriptions of
	  non-functional options in the openssl(1) manual.

	* A plethora of small fixes due to regular oss-fuzz testing.

	* Various side channels in DSA and ECDSA were addressed.  These are some of
	  the many issues found in an extensive systematic analysis of bignum usage
	  by Samuel Weiser, David Schrammel et al.

	* Enabled openssl(1) speed subcommand on Windows platform.

	* Enabled performance optimizations when building with Visual Studio on Windows.

	* Fixed incorrect carry operation in 512 addition for Streebog.

	* Fixed -modulus option with openssl(1) dsa subcommand.

	* Fixed PVK format output issue with openssl(1) dsa and rsa subcommand.

2.9.2 - Bug fixes

	* Fixed portable builds with older versions of macOS,
	  Android targets < API 21, and Solaris 10

	* Fixed SRTP profile advertisement for DTLS servers.

2.9.1 - Stable release

	* Added support for XChaCha20 and XChaCha20-Poly1305.

	* Added support for AES key wrap constructions via the EVP interface.

	* Partial port of the OpenSSL EC_KEY_METHOD API for use by OpenSSH.

	* Added pbkdf2 key derivation support to openssl(1)

	* Removed SHA224 based handshake signatures from consideration for use in a TLS 1.2 handshake.

	* Changed the default digest type of openssl(1) enc to sha256.

	* Changed the default digest type of openssl(1) dgst to sha256.

	* Changed the default digest type of openssl(1) x509 -fingerprint to sha256.

	* Changed the default digest type of openssl(1) crl -fingerprint to sha256.

	* Improved Windows, Android, and ARM compatibility, including assembly
	  optimizations on Mingw-w64 targets.

2.9.0 - Development release

	* Added the SM4 block cipher from the Chinese standard GB/T 32907-2016.

	* Fixed warnings about clock_gettime on Windows Visual Studio builds.

	* Fixed CMake builds on systems where getpagesize is defined as an
	  inline function.

	* CRYPTO_LOCK is now automatically initialized, with the legacy
	  callbacks stubbed for compatibility.

	* Added the SM3 hash function from the Chinese standard GB/T 32905-2016.

	* Added more OPENSSL_NO_* macros for compatibility with OpenSSL.

	* Added extensive interoperability tests between LibreSSL and OpenSSL
	  1.0 and 1.1.

	* Added additional Wycheproof tests and related bug fixes.

	* Simplified sigalgs option processing and handshake signing algorithm

	* Added the ability to use the RSA PSS algorithm for handshake
	  signatures.

	* Added bn_rand_interval() and use it in code needing ranges of random
	  bn values.

	* Added functionality to derive early, handshake, and application
	  secrets as per RFC 8446.

	* Added handshake state machine from RFC 8446.

	* Removed some ASN.1 related code from libcrypto that had not been used
	  since around 2000.

	* Unexported internal symbols and internalized more record layer structs.

	* Added support for assembly optimizations on 32-bit ARM ELF targets.

	* Improved protection against timing side channels in ECDSA signature
	  generation.

	* Coordinate blinding was added to some elliptic curves. This is the
	  last bit of the work by Brumley et al. to protect against the
	  Portsmash vulnerability.

	* Ensure the handshake transcript is always freed with TLS 1.2.

2.8.2 - Stable release

	* Added Wycheproof support for ECDH and ECDSA Web Crypto test vectors,
	  along with test harness fixes.

	* Fixed memory leak in nc(1)

2.8.1 - Test and compatibility improvements

	* Added Wycheproof support for ECDH, RSASSA-PSS, AES-GCM,
	  AES-CMAC, AES-CCM, AES-CBC-PKCS5, DSA, ChaCha20-Poly1305, ECDSA, and
	  X25519 test vectors. Applied appropriate fixes for errors uncovered
	  by tests.

	* Simplified key exchange signature generation and verification.

	* Fixed a one-byte buffer overrun in callers of EVP_read_pw_string

	* Converted more code paths to use CBB/CBS. All handshake messages are
	  now created by CBB.

	* Fixed various memory leaks found by Coverity.

	* Simplified session ticket parsing and handling, inspired by
	  BoringSSL.

	* Modified signature of CRYPTO_mem_leaks_* to return -1. These functions
	  are no-ops in LibreSSL, so they return an error rather than claiming
	  anything about the (non-)existence of memory leaks.

	* SSL_copy_session_id, PEM_Sign, EVP_EncodeUpdate, BIO_set_cipher,
	  X509_OBJECT_up_ref_count now return an int for error handling,
	  matching OpenSSL.

	* Converted a number of #defines into proper functions, matching
	  OpenSSL's ABI.

	* Added X509_get0_serialNumber from OpenSSL.

	* Removed EVP_PKEY2PKCS8_broken and PKCS8_set_broken, while adding
	  PKCS8_pkey_add1_attr_by_NID and PKCS8_pkey_get0_attrs, matching
	  OpenSSL.

	* Removed broken pkcs8 formats from openssl(1).

	* Converted more functions in public API to use const arguments.

	* Stopped handling AES-GCM in ssl_cipher_get_evp, since those ciphers
	  use the EVP_AEAD interface.

	* Stopped using composite EVP_CIPHER AEADs.

	* Added timing-safe compares for checking results of signature
	  verification. There are no known attacks, this is just inexpensive
	  prudence.

	* Correctly clear the current cipher state, when changing cipher state.
	  This fixed an issue where renegotiation of cipher suites would fail
	  when switched from AEAD to non-AEAD or vice-versa.
	  Issue reported by Bernard Spil.

	* Added more cipher tests to appstest.sh, including all TLSv1.2
	  ciphers.

	* Added RSA_meth_get_finish() and RSA_meth_set1_name() from OpenSSL.

	* Added new EVP_CIPHER_CTX_(get|set)_iv() API that allows the IV to be
	  retrieved and set with appropriate validation.

2.8.0 - Bug fixes, security, and compatibility improvements

	* Extensive documentation updates and additional API history.

	* Fixed a pair of 20+ year-old bugs in X509_NAME_add_entry

	* Tighten up checks for various X509_VERIFY_PARAM functions,
	  'poisoning' parameters so that an unverified certificate cannot be
	  used if it fails verification.

	* Fixed a potential memory leak on failure in ASN1_item_digest

	* Fixed a potential memory alignment crash in asn1_item_combine_free

	* Removed unused SSL3_FLAGS_DELAY_CLIENT_FINISHED and
	  SSL3_FLAGS_POP_BUFFER flags in write path, simplifying IO paths.

	* Removed SSL_OP_TLS_ROLLBACK_BUG buggy client workarounds.

	* Made ENGINE_finish and ENGINE_free succeed on NULL, simplifying callers
	  and matching OpenSSL behavior; rewrote ENGINE_* documentation.

	* Added const annotations to many existing APIs from OpenSSL, making
	  interoperability easier for downstream applications.

	* Fixed small timing side-channels in ecdsa_sign_setup and
	  dsa_sign_setup.

	* Documented security pitfalls with BN_FLG_CONSTTIME and constant-time
	  operation of BN_* functions.

	* Updated BN_clear to use explicit_bzero.

	* Added a missing bounds check in c2i_ASN1_BIT_STRING.

	* More CBS conversions, including simplifications to RSA key exchange,
	  and converted code to use dedicated buffers for secrets.

	* Removed three remaining single DES cipher suites.

	* Fixed a potential leak/incorrect return value in DSA signature
	  generation.

	* Added a blinding value when generating DSA and ECDSA signatures, in
	  order to reduce the possibility of a side-channel attack leaking the
	  private key.

	* Added ECC constant time scalar multiplication support.
	  From Billy Brumley and his team at Tampere University of Technology.

	* Revised the implementation of RSASSA-PKCS1-v1_5 to match the
	  specification in RFC 8017. Based on an OpenSSL commit by David
	  Benjamin.

	* Cleaned up BN_* implementations following changes made in OpenSSL by
	  Davide Galassi and others.

2.7.4 - Security fixes

	* Avoid a timing side-channel leak when generating DSA and ECDSA
	  signatures. This is caused by an attempt to do fast modular
	  arithmetic, which introduces branches that leak information
	  regarding secret values. Issue identified and reported by Keegan
	  Ryan of NCC Group.

	* Reject excessively large primes in DH key generation. Problem
	  reported by Guido Vranken to OpenSSL
	  (https://github.com/openssl/openssl/pull/6457) and based on his
	  diff.

2.7.3 - Bug fixes

	* Removed incorrect NULL checks in DH_set0_key(). Reported by Ondrej
	  Sury

	* Fixed an issue normalizing CPU architecture in the configure script,
	  which disabled assembly optimizations on platforms that get detected
	  as 'amd64', as opposed to 'x86_64'

	* Limited tls_config_clear_keys() to only clear private keys.
	  This was inadvertently clearing the keypair, which includes the OCSP
	  staple and pubkey hash - if an application called tls_configure()
	  followed by tls_config_clear_keys(), this would prevent OCSP staples
	  from working.

2.7.2 - Stable release

	* Updated and added extensive new HISTORY sections to API manuals.

	* Added support for shared library builds with CMake on all supported
	  platforms. Note that some of the CMake options have changed, consult
	  the README for details.

2.7.1 - Bug fixes

	* Fixed a bug in int_x509_param_set_hosts, calling strlen() if name
	  length provided is 0 to match the OpenSSL behaviour. Issue noticed
	  by Christian Heimes <christian@python.org>.

	* Fixed builds on macOS 10.11 and older.

2.7.0 - Bug fixes and improvements

	* Added support for many OpenSSL 1.0.2 and 1.1 APIs, based on
	  observations of real-world usage in applications. These are
	  implemented in parallel with existing OpenSSL 1.0.1 APIs - visibility
	  changes have not been made to existing structs, allowing code written
	  for older OpenSSL APIs to continue working.

	* Extensive corrections, improvements, and additions to the
	  API documentation, including new public APIs from OpenSSL that had
	  no pre-existing documentation.

	* Added support for automatic library initialization in libcrypto,
	  libssl, and libtls. Support for pthread_once or a compatible
	  equivalent is now required of the target operating system. As a
	  side-effect, minimum Windows support is Vista or higher.

	* Converted more packet handling methods to CBB, which improves
	  resiliency when generating TLS messages.

	* Completed TLS extension handling rewrite, improving consistency of
	  checks for malformed and duplicate extensions.

	* Rewrote ASN1_TYPE_{get,set}_octetstring() using templated ASN.1.
	  This removes the last remaining use of the old M_ASN1_* macros
	  (asn1_mac.h) from API that needs to continue to exist.

	* Added support for client-side session resumption in libtls.
	  A libtls client can specify a session file descriptor (a regular
	  file with appropriate ownership and permissions) and libtls will
	  manage reading and writing of session data across TLS handshakes.

	* Improved support for strict alignment on ARMv7 architectures,
	  conditionally enabling assembly in those cases.

	* Fixed a memory leak in libtls when reusing a tls_config.

	* Merged more DTLS support into the regular TLS code path, removing
	  duplicated code.

	* Many improvements to Windows Cmake-based builds and tests,
	  especially when targeting Visual Studio.

2.6.4 - Bug fixes

	* Make tls_config_parse_protocols() work correctly when passed a NULL
	  pointer for a protocol string. Issue found by semarie@, who also
	  provided the diff.

	* Correct TLS extensions handling when no extensions are present.
	  If no TLS extensions are present in a client hello or server hello,
	  omit the entire extensions block, rather than including it with a
	  length of zero. Thanks to Eric Elena <eric at voguemerry dot com> for
	  providing packet captures and testing the fix.

	* Fixed portable builds on older Android systems, and systems without
	  IPV6_TCLASS support.
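
The CBB/CBS conversions, the 2.7.0 extension-handling rewrite with its checks
for malformed and duplicate extensions, and the fix above that omits the
extensions block entirely when there are none all concern the same few bytes
at the end of a ClientHello or ServerHello. The C below is an added example
for this page, not LibreSSL's CBS/CBB or tlsext code: a minimal CBS-style
cursor, a parser that rejects an over-running block length, trailing bytes and
duplicate extension types while accepting an absent block as zero extensions,
and a plain bounds-checked writer that emits no block at all for zero
extensions. The server_name bytes are constructed for the example, not
captured.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CBS-style read cursor: every read is bounds-checked, then advances. */
typedef struct { const uint8_t *p; size_t len; } cbs_t;

static int
cbs_get_u16(cbs_t *c, uint16_t *v)
{
	if (c->len < 2)
		return 0;
	*v = (uint16_t)(c->p[0] << 8 | c->p[1]);
	c->p += 2; c->len -= 2;
	return 1;
}

static int
cbs_get_u16_length_prefixed(cbs_t *c, cbs_t *out)
{
	uint16_t n;
	if (!cbs_get_u16(c, &n) || c->len < n)
		return 0;
	out->p = c->p; out->len = n;
	c->p += n; c->len -= n;
	return 1;
}

/* Parse the optional extensions block ending a ClientHello/ServerHello: the
 * extension count, or -1 for a block length that over-runs the message, bytes
 * left after the block, an extension that over-runs the block, or a duplicate
 * type. No bytes at all is zero extensions (the block may be omitted). */
static int
parse_extensions(const uint8_t *p, size_t len)
{
	cbs_t msg = { p, len }, exts, data;
	uint8_t seen[8192] = { 0 };		/* one bit per possible type */
	uint16_t type;
	int n = 0;
	if (msg.len == 0)
		return 0;
	if (!cbs_get_u16_length_prefixed(&msg, &exts) || msg.len != 0)
		return -1;
	while (exts.len > 0) {
		if (!cbs_get_u16(&exts, &type) || !cbs_get_u16_length_prefixed(&exts, &data))
			return -1;
		if (seen[type >> 3] & (1 << (type & 7)))
			return -1;			/* duplicate extension */
		seen[type >> 3] |= (uint8_t)(1 << (type & 7));
		n++;
	}
	return n;
}

struct ext { uint16_t type; const uint8_t *data; size_t len; };

/* Write the block: no bytes at all for zero extensions (the 2.6.4 fix), else
 * a u16 body length, patched in once the body is known, followed by
 * type/length/data triples. Returns bytes written, or -1 if it does not fit. */
static long
build_extensions(uint8_t *out, size_t cap, const struct ext *e, size_t count)
{
	size_t i, n = 2;			/* leave room for the body length */
	if (count == 0)
		return 0;
	if (cap < 2)
		return -1;
	for (i = 0; i < count; i++) {
		if (e[i].len > 0xffff || cap - n < 4 + e[i].len)
			return -1;
		out[n++] = e[i].type >> 8; out[n++] = e[i].type & 0xff;
		out[n++] = e[i].len >> 8;  out[n++] = e[i].len & 0xff;
		memcpy(out + n, e[i].data, e[i].len); n += e[i].len;
	}
	if (n - 2 > 0xffff)
		return -1;
	out[0] = (n - 2) >> 8; out[1] = (n - 2) & 0xff;	/* patch in the body length */
	return (long)n;
}

/* Constructed wire bytes: server_name "a.test" (extension type 0). */
#define SNI_EXT 0x00,0x00, 0x00,0x0b, 0x00,0x09, 0x00, 0x00,0x06, 'a','.','t','e','s','t'
static const uint8_t exts_one[]   = { 0x00,0x0f, SNI_EXT };
static const uint8_t exts_dup[]   = { 0x00,0x1e, SNI_EXT, SNI_EXT };		/* server_name twice */
static const uint8_t exts_short[] = { 0x00,0x0f, 0x00,0x00, 0x00,0x0b };	/* claims 15 bytes, has 4 */
static const uint8_t exts_trail[] = { 0x00,0x04, 0x00,0x17, 0x00,0x00, 0xff };	/* junk after the block */

/* Rebuild exts_one from its single extension (type 0, 11 data bytes starting
 * at offset 6), compare byte for byte, and parse the result back. */
static int
demo_roundtrip(void)
{
	struct ext e = { 0x0000, exts_one + 6, 11 };
	uint8_t buf[64];
	long n = build_extensions(buf, sizeof(buf), &e, 1);
	return n == (long)sizeof(exts_one) && memcmp(buf, exts_one, sizeof(exts_one)) == 0 &&
	    parse_extensions(buf, (size_t)n) == 1;
}

int
main(void)
{
	printf("one=%d dup=%d short=%d trailing=%d absent=%d roundtrip=%d none=%ld\n",
	    parse_extensions(exts_one, sizeof(exts_one)), parse_extensions(exts_dup, sizeof(exts_dup)),
	    parse_extensions(exts_short, sizeof(exts_short)), parse_extensions(exts_trail, sizeof(exts_trail)),
	    parse_extensions(exts_one, 0), demo_roundtrip(), build_extensions(NULL, 0, NULL, 0));
	return 0;
}
```

The reader never indexes the buffer directly: every field comes through
cbs_get_*, which is the property the CBS conversions in these notes buy, and
the writer's "no extensions, no block" rule is what the 2.6.4 captures showed
peers expecting.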

2.6.3 - OpenBSD 6.2 Release

	* No core changes from LibreSSL 2.6.2

	* Minor compatibility fixes in portable version.

2.6.2 - Bug fixes

	* Provide a useful error with libtls if there are no OCSP URLs in a
	  peer certificate.

	* Keep track of which keypair is in use by a TLS context, fixing a bug
	  where a TLS server with SNI would only return the OCSP staple for the
	  default keypair. Issue reported by William Graeber and confirmed by
	  Andreas Bartelt.

	* Fixed various issues in the OCSP extension parsing code.
	  The original code incorrectly passes the pointer allocated via
	  CBS_stow() (using malloc()) to a d2i_*() function and then calls
	  free() on the now incremented pointer, most likely resulting in a
	  crash. This issue was reported by Robert Swiecki who found the issue
	  using honggfuzz.

	* If tls_config_parse_protocols() is called with a NULL pointer,
	  return the default protocols instead of crashing - this makes the
	  behaviour more useful and mirrors what we already do in
	  tls_config_set_ciphers() et al.

2.6.1 - Code removal, rewrites

	* Added a "-T tlscompat" option to nc(1), which enables the use of all
	  TLS protocols and "compat" ciphers. This allows for TLS connections
	  to TLS servers that are using less than ideal cipher suites, without
	  having to resort to "-T tlsall" which enables all known cipher
	  suites.  Diff from Kyle J. McKay.

	* Added a new TLS extension handling framework, somewhat analogous to
	  BoringSSL, and converted all TLS extensions to use it. Added new TLS
	  extension regression tests.

	* Improved and added many new manpages. Updated *check_private_key
	  manpages with additional cautions regarding their use.

	* Cleaned up the EC key/curve configuration handling.

	* Added tls_config_set_ecdhecurves() to libtls, which allows the names
	  of the elliptic curves that may be used during client and server
	  key exchange to be specified.

	* Converted more code paths to use CBB/CBS.

	* Removed support for DSS/DSA, since we removed the cipher suites a
	  while back.

	* Removed NPN support. NPN was never standardised and the last draft
	  expired in October 2012. ALPN was standardised in July 2014 and has
	  been supported in LibreSSL since December 2014. NPN was also
	  removed from Chromium in May 2016.

	* Removed SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken
	  CryptoPro clients.

	* Removed support for the TLS padding extension, which was added as a
	  workaround for an old bug in F5's TLS termination.

	* Worked around another bug in F5's TLS termination handling of the
	  elliptic curves extension. RFC 4492 only defines elliptic_curves
	  for ClientHello. However, F5 is sending it in ServerHello.  We need
	  to skip over it since our TLS extension parsing code is now more
	  strict. Thanks to Armin Wolfermann and WJ Liu for reporting.

	* Added ability to clamp notAfter values in certificates for systems
	  with 32-bit time_t. This is necessary to conform to RFC 5280
	  4.1.2.5.

	* Implemented the SSL_CTX_set_min_proto_version(3) API.

	* Removed the original (pre-IETF) chacha20-poly1305 cipher suites.

	* Reclassified ECDHE-RSA-DES-CBC3-SHA from HIGH to MEDIUM.
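
The notAfter clamp for 32-bit time_t above, and the 3.2.0 change that makes
openssl(1) x509 treat a failing X509_cmp_time() as invalid rather than valid,
both rest on the RFC 5280 4.1.2.5 time rules. The C below is an added example
for this page, not libcrypto's ASN1_TIME code: it encodes a time the way
4.1.2.5 requires (UTCTime through 2049, GeneralizedTime from 2050, seconds and
the trailing Z mandatory), clamps to the last second a 32-bit time_t can hold,
parses strictly, and returns a distinct error from the validity check so that a
malformed time can never read as valid. The calendar arithmetic is Howard
Hinnant's civil-date algorithm, used so the result does not depend on the
host's time_t width; the example leaves Feb 29 unchecked against leap years.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TIME_INVALID INT64_MIN	/* parse-failure sentinel; -1 is a real time */

/* Gregorian date <-> days since 1970-01-01 (Howard Hinnant's algorithms), so
 * the arithmetic does not depend on the width of the host's time_t. */
static int64_t
days_from_civil(int64_t y, int m, int d)
{
	int64_t era, yoe, doy, doe;
	y -= m <= 2;
	era = (y >= 0 ? y : y - 399) / 400;
	yoe = y - era * 400;
	doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
	doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
	return era * 146097 + doe - 719468;
}

static void
civil_from_days(int64_t z, int *y, int *m, int *d)
{
	int64_t era, doe, yoe, doy, mp;
	z += 719468;
	era = (z >= 0 ? z : z - 146096) / 146097;
	doe = z - era * 146097;
	yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
	doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
	mp = (5 * doy + 2) / 153;
	*d = (int)(doy - (153 * mp + 2) / 5 + 1);
	*m = (int)(mp < 10 ? mp + 3 : mp - 9);
	*y = (int)(yoe + era * 400 + (*m <= 2));
}

/* RFC 5280 4.1.2.5: UTCTime "YYMMDDHHMMSSZ" through 2049, GeneralizedTime
 * "YYYYMMDDHHMMSSZ" from 2050; seconds and Z mandatory. Static buffer. */
static const char *
rfc5280_time_str(int64_t t)
{
	static char buf[16];
	int64_t days = t / 86400, secs = t % 86400;
	int y, m, d;
	if (secs < 0) { secs += 86400; days--; }
	civil_from_days(days, &y, &m, &d);
	if (y >= 1950 && y <= 2049)
		snprintf(buf, sizeof(buf), "%02d%02d%02d%02d%02d%02dZ", y % 100, m, d,
		    (int)(secs / 3600), (int)(secs / 60 % 60), (int)(secs % 60));
	else
		snprintf(buf, sizeof(buf), "%04d%02d%02d%02d%02d%02dZ", y, m, d,
		    (int)(secs / 3600), (int)(secs / 60 % 60), (int)(secs % 60));
	return buf;
}

/* Last second a 32-bit time_t can hold: 2038-01-19T03:14:07Z. A notAfter past
 * it is clamped rather than left to wrap into 1901. */
static int64_t
clamp_notafter_32(int64_t t) { return t > INT32_MAX ? INT32_MAX : t; }

/* Strict parse: missing seconds, missing Z, a UTC offset, fractional seconds
 * or an impossible calendar date all yield TIME_INVALID. */
static int64_t
rfc5280_time_parse(const char *s)
{
	static const int mdays[] = { 31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 };
	size_t len = strlen(s), i;
	int y, mo, d, h, mi, sec;
	if ((len != 13 && len != 15) || s[len - 1] != 'Z')
		return TIME_INVALID;
	for (i = 0; i + 1 < len; i++)
		if (s[i] < '0' || s[i] > '9')
			return TIME_INVALID;
	if (len == 13 ? sscanf(s, "%2d%2d%2d%2d%2d%2d", &y, &mo, &d, &h, &mi, &sec) != 6
	    : sscanf(s, "%4d%2d%2d%2d%2d%2d", &y, &mo, &d, &h, &mi, &sec) != 6)
		return TIME_INVALID;
	if (len == 13)
		y += y < 50 ? 2000 : 1900;	/* UTCTime: 00-49 -> 20xx, 50-99 -> 19xx */
	if (mo < 1 || mo > 12 || d < 1 || d > mdays[mo - 1] || h > 23 || mi > 59 || sec > 59)
		return TIME_INVALID;
	return days_from_civil(y, mo, d) * 86400 + h * 3600 + mi * 60 + sec;
}

/* 1 inside [notBefore, notAfter], 0 outside, -1 if either time is malformed.
 * A caller that folds -1 into "not expired" has the openssl(1) x509 bug. */
static int
cert_time_valid(const char *not_before, const char *not_after, int64_t now)
{
	int64_t nb = rfc5280_time_parse(not_before), na = rfc5280_time_parse(not_after);
	if (nb == TIME_INVALID || na == TIME_INVALID)
		return -1;
	return nb <= now && now <= na;
}

int
main(void)
{
	printf("notAfter 2050-01-01: %s\n", rfc5280_time_str(2524608000LL));
	printf("clamped for 32-bit time_t: %s\n", rfc5280_time_str(clamp_notafter_32(2524608000LL)));
	printf("malformed notAfter -> %d\n", cert_time_valid("700101000000Z", "2301012359Z", 1000000000LL));
	return 0;
}
```

The validity check deliberately has three outcomes, not two: the X509_cmp_time
fix in 3.2.0 was exactly about a caller that could not tell "comparison
failed" from "not yet expired".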
844
8452.6.0 - New APIs, bug fixes and improvements
846
847	* Added support for providing CRLs to libtls. Once a CRL is provided we
848	  enable CRL checking for the full certificate chain. Based on a diff
849	  from Jack Burton
850
851	* Allow non-compliant clients using IP literal addresses with SNI
852	  to connect to a server using libtls.
853
854	* Avoid a potential NULL pointer dereference in d2i_ECPrivateKey().
855	  Reported by Robert Swiecki, who found the issue using honggfuzz.
856
857	* Added definitions for three OIDs used in EV certificates.
858	  From Kyle J. McKay
859
860	* Added tls_peer_cert_chain_pem to libtls, useful in private
861	  certificate validation callbacks such as those in relayd.
862
863	* Converted explicit clear/free sequences to use freezero(3).
864
865	* Reworked TLS certificate name verification code to more strictly
866	  follow RFC 6125.
867
868	* Cleaned up and simplified server key exchange EC point handling.
869
870	* Added tls_keypair_clear_key for clearing key material.
871
872	* Removed inconsistent IPv6 handling from BIO_get_accept_socket,
873	  simplified BIO_get_host_ip and BIO_accept.
874
875	* Fixed the openssl(1) ca command so that it generates certificates
876	  with RFC 5280-conformant time. Problem noticed by Harald Dunkel.
877
878	* Added ASN1_TIME_set_tm to set an asn1 from a struct tm *
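
The 2.6.1 notAfter clamp and the openssl(1) ca fix above both serve the same RFC 5280 4.1.2.5 rule: validity times through 2049 are encoded as UTCTime (YYMMDDHHMMSSZ) and 2050 onwards as GeneralizedTime (YYYYMMDDHHMMSSZ), always in UTC with seconds. The following is an added example written for these notes, not LibreSSL's ASN1_TIME code; clamp_notafter and rfc5280_time_encode are names chosen here, and the 32-bit flag stands in for the build-time sizeof(time_t) check the library performs.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/*
 * Added example, not LibreSSL code: encode a certificate validity time
 * as RFC 5280 4.1.2.5 requires. Dates through 2049 MUST be UTCTime
 * (YYMMDDHHMMSSZ); 2050 and later MUST be GeneralizedTime
 * (YYYYMMDDHHMMSSZ). Both are UTC with seconds always present.
 */

/* Largest value a signed 32-bit time_t can hold: 2038-01-19 03:14:07 UTC. */
#define TIME_T32_MAX 0x7fffffffLL

/*
 * Clamp a notAfter value for a platform whose time_t is 32 bits. The flag
 * stands in for a build-time sizeof(time_t) check; a real build decides
 * this once, not per call. Assumed helper name.
 */
int64_t clamp_notafter(int64_t notafter, int time_t_is_32bit)
{
    if (time_t_is_32bit && notafter > TIME_T32_MAX)
        return TIME_T32_MAX;
    return notafter;
}

/*
 * Write the RFC 5280 string form of t (seconds since the Unix epoch) to
 * out. Returns the encoded length (13 for UTCTime, 15 for GeneralizedTime)
 * or 0 if t is out of range or the buffer is too small.
 */
size_t rfc5280_time_encode(int64_t t, char *out, size_t outlen)
{
    time_t tt = (time_t)t;
    struct tm *tm;
    int year;

    /* Reject truncation on platforms where time_t is narrower than 64 bits. */
    if (outlen < 16 || (int64_t)tt != t || (tm = gmtime(&tt)) == NULL)
        return 0;
    year = tm->tm_year + 1900;
    if (year < 1950 || year > 9999)
        return 0;
    if (year < 2050)
        /* UTCTime: two-digit year, which RFC 5280 defines as 1950..2049 */
        return strftime(out, outlen, "%y%m%d%H%M%SZ", tm);
    /* GeneralizedTime: four-digit year, no fractional seconds */
    return strftime(out, outlen, "%Y%m%d%H%M%SZ", tm);
}

/* Convenience wrapper returning the encoding in a static buffer ("" on error). */
const char *rfc5280_time_string(int64_t t)
{
    static char buf[16];
    if (rfc5280_time_encode(t, buf, sizeof(buf)) == 0)
        buf[0] = '\0';
    return buf;
}

int main(void)
{
    /* Constructed sample values straddling 2049/2050 and the 32-bit limit. */
    int64_t samples[] = { 1609459200LL, 2524607999LL, 2524608000LL, 2147483647LL };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%lld -> %s\n", (long long)samples[i], rfc5280_time_string(samples[i]));
    printf("clamped: %lld\n", (long long)clamp_notafter(2524608000LL, 1));
    return 0;
}
```

The boundary matters in both directions: an encoder that always emits GeneralizedTime is non-conformant for pre-2050 dates, and one that keeps emitting two-digit years past 2049 produces ambiguous times. On a 32-bit time_t the 2050 case cannot be represented at all, which is why the clamp to 2038-01-19 exists.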
879
880	* Added SSL{,_CTX}_set_{min,max}_proto_version() functions.
881
882	* Added HKDF (HMAC Key Derivation Function) from BoringSSL
883
884	* Provided a tls_unload_file() function that frees the memory returned
885	  from a tls_load_file() call, ensuring that the contents become
886	  inaccessible. This is specifically needed on platforms where the
887	  library allocators may be different from the application allocator.
888
889	* Perform reference counting for tls_config. This allows
890	  tls_config_free() to be called as soon as it has been passed to the
891	  final tls_configure() call, simplifying lifetime tracking for the
892	  application.
893
894	* Moved internal state of SSL and other structures to be opaque.
895
896	* Dropped cipher suites with DSS authentication.
897
898	* nc(1) improvements, including:
899	   nc -W to terminate nc after receiving a number of packets
900	   nc -Z for saving the peer certificate and chain in a pem file
901
9022.5.5 - Bug fixes
903
904	* Distinguish between self-issued certificates and self-signed
905	  certificates. The certificate verification code has special cases
906	  for self-signed certificates and without this change, self-issued
907	  certificates (which it seems are commonplace with
908	  openvpn/easyrsa) were also being included in this category.
909
910	* Added getpagesize fallback, needed for Android bionic libc.
911
9122.5.4 - Security Updates
913
914	* Reverted a previous change that forced consistency between the return
915	  value and error code when specifying a certificate verification
916	  callback, since this breaks the documented API. When a user-supplied
917	  callback always returns 1, and later code checks the error code to
918	  potentially abort post verification, this will result in incorrect
919	  successful certificate verification.
920
921	* Switched Linux getrandom() usage to non-blocking mode, continuing to
922	  use fallback mechanisms if unsuccessful. This works around a design
923	  flaw in Linux getrandom(2) where early boot usage in a library makes
924	  it impossible to recover if getrandom(2) is not yet initialized.
925
926	* Fixed a bug caused by the return value being set early to signal
927	  successful DTLS cookie validation. This can mask a later failure and
928	  result in a positive return value being returned from
929	  ssl3_get_client_hello(), when it should return a negative value to
930	  propagate the error.
931
932	* Fixed a build error on non-x86/x86_64 systems running Solaris.
933
9342.5.3 - OpenBSD 6.1 Release
935
936	* Documentation updates
937
938	* Improved ocspcheck(1) error handling
939
9402.5.2 - Security features and bugfixes
941
942	* Added the recallocarray(3) memory allocation function, and converted
943	  various places in the library to use it, such as CBB and BUF_MEM_grow.
944	  recallocarray(3) is similar to reallocarray. Newly allocated memory
945	  is cleared similar to calloc(3). Memory that becomes unallocated
946	  while shrinking or moving existing allocations is explicitly
947	  discarded by unmapping or clearing to 0.
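
The two guarantees described above, the overflow-checked count-times-size products and the wiping of memory that stops being live, are what make recallocarray(3) safer than realloc(3) for buffers holding key material. The following is an added example written for a platform that lacks recallocarray(3); it is not OpenBSD's libc implementation (which also has a fast path that shrinks in place), my_recallocarray and the demo functions are names chosen here, and the sample values are constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not OpenBSD's implementation: a recallocarray(3) lookalike
 * showing the two properties the release note describes. Both element-count
 * products are checked for overflow before any allocation, and the bytes
 * that stop being live (the whole old block, since this version always
 * moves) are wiped before they are freed.
 */

/* If both factors are below 2^(bits/2) the product cannot overflow. */
#define MUL_NO_OVERFLOW ((size_t)1 << (sizeof(size_t) * 4))

static int mul_overflows(size_t a, size_t b)
{
    return (a >= MUL_NO_OVERFLOW || b >= MUL_NO_OVERFLOW) && a > 0 && SIZE_MAX / a < b;
}

/* Volatile function pointer so the compiler cannot drop a "dead" memset. */
static void *(*volatile memset_v)(void *, int, size_t) = memset;

static void wipe(void *p, size_t n)
{
    if (n > 0)
        memset_v(p, 0, n);
}

void *my_recallocarray(void *ptr, size_t oldnmemb, size_t newnmemb, size_t size)
{
    size_t oldsize, newsize, keep;
    void *newptr;

    if (ptr == NULL)
        return calloc(newnmemb, size);
    if (mul_overflows(newnmemb, size)) {
        errno = ENOMEM;
        return NULL;
    }
    if (mul_overflows(oldnmemb, size)) {
        errno = EINVAL;                 /* caller misdescribed the old block */
        return NULL;
    }
    newsize = newnmemb * size;
    oldsize = oldnmemb * size;

    /* calloc returns zeroed memory, so grown cells read as 0 like fresh calloc. */
    newptr = calloc(newnmemb, size);
    if (newptr == NULL)
        return NULL;                    /* old block untouched, like realloc */
    keep = newsize < oldsize ? newsize : oldsize;
    memcpy(newptr, ptr, keep);
    wipe(ptr, oldsize);                 /* the old copy never lingers in the heap */
    free(ptr);
    return newptr;
}

/* Grow 4 -> 8, then shrink to 2, checking preserved and zeroed cells. */
int demo_recallocarray(void)
{
    uint32_t *a = calloc(4, sizeof(*a)), *b;
    if (a == NULL)
        return 0;
    for (uint32_t i = 0; i < 4; i++)
        a[i] = 0xdead0000u + i;
    if ((b = my_recallocarray(a, 4, 8, sizeof(*a))) == NULL) {
        free(a);
        return 0;
    }
    int grown_ok = b[3] == 0xdead0003u && b[4] == 0 && b[7] == 0;
    if ((a = my_recallocarray(b, 8, 2, sizeof(*a))) == NULL) {
        free(b);
        return 0;
    }
    int shrunk_ok = a[0] == 0xdead0000u && a[1] == 0xdead0001u;
    free(a);
    return grown_ok && shrunk_ok;
}

/* The overflow check fires before any allocation is attempted. */
int demo_overflow_rejected(void)
{
    uint32_t buf[1] = { 0 };
    errno = 0;
    return my_recallocarray(buf, 1, SIZE_MAX / 2, sizeof(uint32_t)) == NULL && errno == ENOMEM;
}
```

The MUL_NO_OVERFLOW shortcut is the same idiom reallocarray(3) uses: the division is only paid when one factor is large enough that the product could wrap. The volatile function pointer is the portable stand-in for explicit_bzero(3), which the note's freezero(3) conversions rely on.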
948
949	* Added new root CAs from SECOM Trust Systems / Security Communication
950	  of Japan.
951
952	* Added EVP interface for MD5+SHA1 hashes.
953
954	* Fixed DTLS client failures when the server sends a certificate
955	  request.
956
957	* Correct handling of padding when upgrading an SSLv2 challenge into
958	  an SSLv3/TLS connection.
959
960	* Allow protocols and ciphers to be set on a TLS config object in
961	  libtls.
962
963	* Improved nc(1) TLS handshake CPU usage and server-side error
964	  reporting.
965
9662.5.1 - Bug and security fixes, new features, documentation updates
967
968	* X509_cmp_time() now treats a malformed GeneralizedTime field as an
969	  error. Reported by Theofilos Petsios.
970
971	* Detect zero-length encrypted session data early, instead of when
972	  malloc(0) fails or the HMAC check fails. Noted independently by
973	  jsing@ and Kurt Cancemi.
974
975	* Check for and handle failure of HMAC_{Update,Final} or
976	  EVP_DecryptUpdate().
977
978	* Massive update and normalization of manpages, conversion to
979	  mandoc format. Many pages were rewritten for clarity and accuracy.
980	  Portable doc links are up-to-date with a new conversion tool.
981
982	* Curve25519 Key Exchange support.
983
984	* Support for alternate chains for certificate verification.
985
986	* Code cleanups, CBS conversions, further unification of DTLS/SSL
987	  handshake code, further ASN1 macro expansion and removal.
988
989	* Private symbols are now hidden in libssl and libcrypto.
990
991	* Friendly certificate verification error messages in libtls, peer
992	  verification is now always enabled.
993
994	* Added OCSP stapling support to libtls and netcat.
995
996	* Added ocspcheck utility to validate a certificate against its OCSP
997	  responder and save the reply for stapling
998
999	* Enhanced regression tests and error handling for libtls.
1000
1001	* Added explicit constant and non-constant time BN functions,
1002	  defaulting to constant time wherever possible.
1003
1004	* Moved many leaked implementation details in public structs behind
1005	  opaque pointers.
1006
1007	* Added ticket support to libtls.
1008
1009	* Added support for setting the supported EC curves via
1010	  SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
1011	  SSL{_CTX}_set1_curves{_list} names. This also changes the default
1012	  list of curves to be X25519, P-256 and P-384. All other curves must
1013	  be manually enabled.
1014
1015	* Added -groups option to openssl(1) s_client for specifying the curves
1016	  to be used in a colon-separated list.
1017
1018	* Merged client/server version negotiation code paths into one,
1019	  reducing much duplicate code.
1020
1021	* Removed error function codes from libssl and libcrypto.
1022
1023	* Fixed an issue where a truncated packet could crash via an OOB read.
1024
1025	* Added SSL_OP_NO_CLIENT_RENEGOTIATION option that disallows
1026	  client-initiated renegotiation. This is the default for libtls
1027	  servers.
1028
1029	* Avoid a side-channel cache-timing attack that can leak the ECDSA
1030	  private keys when signing. This is due to BN_mod_inverse() being
1031	  used without the constant time flag being set. Reported by Cesar
1032	  Pereida Garcia and Billy Brumley (Tampere University of Technology).
1033	  The fix was developed by Cesar Pereida Garcia.
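
The report above is about algorithm shape, not arithmetic: an inverse computed by a Euclidean algorithm takes a number of steps, and follows a branch pattern, that depends on the secret nonce, and the instruction cache reveals that pattern to a co-resident process. The following added example, not LibreSSL's BN code, contrasts such a variable-time inverse with a fixed-shape Fermat ladder computing a^(p-2) mod p in exactly 64 steps with mask-based selection. Primes are limited to 62 bits so intermediates fit in 128 bits; the u128 `%` reduction is hardware division, which real implementations replace with Montgomery multiplication, so this shows the control-flow property only, not a complete constant-time field. inv_variable_time, inv_constant_time and the helper names are chosen here.

```c
#include <stdint.h>

/*
 * Added example, not LibreSSL code: two ways to invert a nonce modulo a
 * prime p < 2^62. The extended Euclidean algorithm's loop count and branch
 * pattern depend on the value being inverted, which is the cache-timing
 * side channel in the report. The Fermat ladder computes a^(p-2) mod p
 * with a fixed number of steps and no secret-dependent branch or index.
 * The mulmod primitive is hardware division, which is not constant-time
 * on every CPU; production code uses Montgomery multiplication instead.
 */
typedef unsigned __int128 u128;

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t p)
{
    return (uint64_t)(((u128)a * b) % p);
}

/* Variable-time: returns a^-1 mod p (0 if not invertible) and reports how
 * many Euclid steps ran, which differs from input to input. */
uint64_t inv_variable_time(uint64_t a, uint64_t p, unsigned *steps)
{
    int64_t t = 0, newt = 1;
    uint64_t r = p, newr = a % p;

    *steps = 0;
    while (newr != 0) {
        uint64_t q = r / newr;
        int64_t tmpt = t - (int64_t)q * newt;
        uint64_t tmpr = r - q * newr;
        t = newt; newt = tmpt;
        r = newr; newr = tmpr;
        (*steps)++;
    }
    if (r != 1)
        return 0;
    return t < 0 ? (uint64_t)(t + (int64_t)p) : (uint64_t)t;
}

/* Branch-free select: mask is all ones (take a) or all zeros (take b). */
static uint64_t ct_select(uint64_t mask, uint64_t a, uint64_t b)
{
    return (a & mask) | (b & ~mask);
}

/* Fixed shape: a^(p-2) mod p by a Montgomery ladder, 64 steps, one
 * square and one multiply per step whatever the exponent bit is. */
uint64_t inv_constant_time(uint64_t a, uint64_t p)
{
    uint64_t e = p - 2, r0 = 1, r1 = a % p;

    for (int i = 63; i >= 0; i--) {
        uint64_t mask = 0 - ((e >> i) & 1);
        uint64_t prod = mulmod(r0, r1, p);
        uint64_t sq0 = mulmod(r0, r0, p);
        uint64_t sq1 = mulmod(r1, r1, p);
        /* bit 0: (r0, r1) = (r0^2, r0*r1); bit 1: (r0, r1) = (r0*r1, r1^2) */
        r0 = ct_select(mask, prod, sq0);
        r1 = ct_select(mask, sq1, prod);
    }
    return r0;
}

/* Both methods agree and the result really is the inverse. */
int inverses_agree(uint64_t a, uint64_t p)
{
    unsigned steps;
    uint64_t x = inv_variable_time(a, p, &steps);
    return x != 0 && x == inv_constant_time(a, p) && mulmod(a % p, x, p) == 1;
}

/* Expose the secret-dependent step count so the leak is visible. */
unsigned euclid_steps(uint64_t a, uint64_t p)
{
    unsigned steps;
    inv_variable_time(a, p, &steps);
    return steps;
}
```

Comparing euclid_steps() for two different nonces under the same prime shows the observable: the step counts differ, and each step touches code and data in a pattern an attacker sharing the cache can recover. The ladder runs the same 64 iterations for every input, which is the property the BN_FLG_CONSTTIME flag selects in the library.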
1034
1035	* iOS and MacOS compatibility updates from Simone Basso and Jacob
1036	  Berkman.
1037
1038
10392.5.0 - New APIs, bug fixes and improvements
1040
1041	* libtls now supports ALPN and SNI
1042
1043	* libtls adds a new callback interface for integrating custom IO
1044	  functions. Thanks to Tobias Pape.
1045
1046	* libtls now handles 4 cipher suite groups:
1047	    "secure" (TLSv1.2+AEAD+PFS)
1048	    "compat" (HIGH:!aNULL)
1049	    "legacy" (HIGH:MEDIUM:!aNULL)
1050	    "insecure" (ALL:!aNULL:!eNULL)
1051
1052	    This allows for flexibility and finer grained control, rather than
1053	    having two extremes (an issue raised by Marko Kreen some time ago).
1054
1055	* Tightened error handling for tls_config_set_ciphers().
1056
1057	* libtls now always loads CA, key and certificate files at the time the
1058	  configuration function is called. This simplifies code and results in
1059	  a single memory based code path being used to provide data to libssl.
1060
1061	* Add support for OCSP intermediate certificates.
1062
1063	* Added functions used by stunnel and exim from BoringSSL - this
1064	  brings in X509_check_host, X509_check_email, X509_check_ip, and
1065	  X509_check_ip_asc.
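
The RFC 6125 name-verification rework in 2.6.0 and the X509_check_host family above both implement the same section 6.4.3 matching rules, including the wildcard restrictions that are easy to get wrong. The following is an added example, not LibreSSL's tls_check_name() or OpenSSL's X509_check_host(); rfc6125_match is a name chosen here and the inputs are constructed, including a DNS-ID with an embedded NUL to show why the ASN.1 length must travel with the string rather than trusting strlen().

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not LibreSSL code: match one DNS-ID from a certificate
 * against the reference hostname using the RFC 6125 section 6.4.3 rules.
 * pattern_len is the DNS-ID's ASN.1 length so an embedded NUL (the
 * "www.bank.com\0.evil.com" trick) is caught rather than truncating the
 * comparison. Returns 1 on match, 0 on mismatch or malformed input.
 */

/* Case-insensitive comparison of two byte ranges of equal length. */
static int bytes_ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* IP literals are matched against iPAddress SANs, never against DNS names. */
static int looks_like_ip_literal(const char *host)
{
    if (strchr(host, ':') != NULL)           /* IPv6 */
        return 1;
    for (const char *p = host; *p != '\0'; p++)
        if (*p != '.' && !isdigit((unsigned char)*p))
            return 0;
    return 1;                                /* only digits and dots: IPv4 */
}

int rfc6125_match(const char *pattern, size_t pattern_len, const char *host)
{
    size_t hlen = strlen(host);
    const char *hdot;

    /* A length mismatch means an embedded NUL in the certificate name. */
    if (pattern_len == 0 || strlen(pattern) != pattern_len || hlen == 0)
        return 0;
    if (looks_like_ip_literal(host))
        return 0;
    if (pattern[pattern_len - 1] == '.' || host[hlen - 1] == '.')
        return 0;

    if (strchr(pattern, '*') == NULL)        /* no wildcard: exact label match */
        return pattern_len == hlen && bytes_ieq(pattern, host, hlen);

    /*
     * Wildcard rules: '*' must be the whole left-most label ("*.example.com",
     * not "f*.example.com" or "www.*.com"), appear once, and be followed by
     * at least two labels so "*.com" cannot match every host in .com.
     */
    if (pattern_len < 2 || pattern[0] != '*' || pattern[1] != '.' ||
        pattern[2] == '.' || strchr(pattern + 1, '*') != NULL ||
        strchr(pattern + 2, '.') == NULL)
        return 0;

    /* The wildcard stands for exactly one non-empty host label. */
    hdot = strchr(host, '.');
    if (hdot == NULL || hdot == host)
        return 0;
    if (hlen - (size_t)(hdot - host) != pattern_len - 1)
        return 0;
    return bytes_ieq(pattern + 1, hdot, pattern_len - 1);
}

int main(void)
{
    /* Constructed cases; the NUL case passes the ASN.1 length, 22, not strlen. */
    printf("%d\n", rfc6125_match("*.example.com", 13, "www.example.com"));
    printf("%d\n", rfc6125_match("*.example.com", 13, "example.com"));
    printf("%d\n", rfc6125_match("www.bank.com\0.evil.com", 22, "www.bank.com"));
    return 0;
}
```

Rejecting IP literals here is deliberate: a client that sends an IP address as SNI (the non-compliant case libtls tolerates in 2.6.0) still must not have that address matched against a dNSName; it belongs to the iPAddress SAN comparison, which is a byte comparison of the parsed address rather than a string match.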
1066
1067	* Added initial support for iOS, thanks to Jacob Berkman.
1068
1069	* Improved behavior of arc4random on Windows when using memory leak
1070	  analysis software.
1071
1072	* Correctly handle an EOF that occurs prior to the TLS handshake
1073	  completing. Reported by Vasily Kolobkov, based on a diff from Marko
1074	  Kreen.
1075
1076	* Limit the support of the "backward compatible" ssl2 handshake to
1077	  only be used if TLS 1.0 is enabled.
1078
1079	* Fixed incorrect results from BN_mod_word() in certain cases on 64-bit
1080	  systems. BN_mod_word() can now return an error condition. Thanks to
1081	  Brian Smith.
1082
1083	* Added constant-time updates to address CVE-2016-0702
1084
1085	* Fixed undefined behavior in BN_GF2m_mod_arr()
1086
1087	* Removed unused Cryptographic Message Syntax (CMS) support
1088
1089	* More conversions of long long idioms to time_t
1090
1091	* Improved compatibility by avoiding printing NULL strings with
1092	  printf.
1093
1094	* Reverted change that cleans up the EVP cipher context in
1095	  EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the
1096	  previous behaviour.
1097
1098	* Avoid unbounded memory growth in libssl, which can be triggered by a
1099	  TLS client repeatedly renegotiating and sending OCSP Status Request
1100	  TLS extensions.
1101
1102	* Avoid falling back to a weak digest for (EC)DH when using SNI with
1103	  libssl.
1104
11052.4.2 - Bug fixes and improvements
1106
1107	* Fixed loading default certificate locations with openssl s_client.
1108
1109	* Ensured OCSP only uses and compares GENERALIZEDTIME values as per
1110	  RFC 6960. Also added fixes for OCSP to work with intermediate
1111	  certificates provided in responses.
1112
1113	* Improved behavior of arc4random on Windows to not appear to leak
1114	  memory in debug tools, reduced privileges of allocated memory.
1115
1116	* Fixed incorrect results from BN_mod_word() when the modulus is too
1117	  large, thanks to Brian Smith from BoringSSL.
1118
1119	* Correctly handle an EOF prior to completing the TLS handshake in
1120	  libtls.
1121
1122	* Improved libtls certificate loading and cipher string validation.
1123
1124	* Updated libtls cipher group suites into four categories:
1125	    "secure"   (TLSv1.2+AEAD+PFS)
1126	    "compat"   (HIGH:!aNULL)
1127	    "legacy"   (HIGH:MEDIUM:!aNULL)
1128	    "insecure" (ALL:!aNULL:!eNULL)
1129	  This allows for flexibility and finer grained control, rather than
1130	  having two extremes.
1131
1132	* Limited support for 'backward compatible' SSLv2 handshake packets to
1133	  when TLS 1.0 is enabled, providing more restricted compatibility
1134	  with TLS 1.0 clients.
1135
1136	* openssl(1) and other documentation improvements.
1137
1138	* Removed flags for disabling constant-time operations.
1139	  This removes support for DSA_FLAG_NO_EXP_CONSTTIME,
1140	  DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making
1141	  all of these operations unconditionally constant-time.
1142
1143
11442.4.1 - Security fix
1145
1146	* Correct a problem that prevents the DSA signing algorithm from
1147	  running in constant time even if the flag BN_FLG_CONSTTIME is set.
1148	  This issue was reported by Cesar Pereida (Aalto University), Billy
1149	  Brumley (Tampere University of Technology), and Yuval Yarom (The
1150	  University of Adelaide and NICTA). The fix was developed by Cesar
1151	  Pereida.
1152
11532.4.0 - Build improvements, new features
1154
1155	* Many improvements to the CMake build infrastructure, including
1156	  Solaris, mingw-w64, Cygwin, and HP-UX support. Thanks to Kinichiro
1157	  Inoguchi for this work.
1158
1159	* Added missing error handling around bn_wexpand() calls.
1160
1161	* Added explicit_bzero calls for freed ASN.1 objects.
1162
1163	* Fixed X509_*set_object functions to return 0 on allocation failure.
1164
1165	* Implemented the IETF ChaCha20-Poly1305 cipher suites.
1166
1167	* Changed the default EVP_aead_chacha20_poly1305() implementation to
1168	  the IETF version.
1169
1170	* Fixed password prompts from openssl(1) to properly handle ^C.
1171
1172	* Reworked error handling in libtls so that configuration errors are
1173	  visible.
1174
1175	* Deprecated internal use of EVP_[Cipher|Encrypt|Decrypt]_Final.
1176
1177	* Manpage fixes and updates
1178
11792.3.5 - Reliability fix
1180
1181	* Fixed an error in libcrypto when parsing some ASN.1 elements > 16k.
1182
11832.3.4 - Security Update
1184
1185	* Fix multiple vulnerabilities in libcrypto relating to ASN.1 and encoding.
1186	  From OpenSSL.
1187
1188	* Minor build fixes
1189
11902.3.3 - OpenBSD 5.9 release branch tagged
1191
1192	* Reworked build scripts to better sync with OpenNTPD-portable
1193
1194	* Fixed broken manpage links
1195
1196	* Fixed an nginx compatibility issue by adding an 'install_sw' make alias
1197
1198	* Fixed HP-UX builds
1199
1200	* Changed the default configuration directory to c:\LibreSSL\ssl on Windows
1201	  binary builds
1202
1203	* cert.pem has been reorganized and synced with Mozilla's certificate store
1204
12052.3.2 - Compatibility and Reliability fixes
1206
1207	* Changed format of LIBRESSL_VERSION_NUMBER to match that of
1208	  OPENSSL_VERSION_NUMBER, see:
1209	  https://wiki.openssl.org/index.php/Manual:OPENSSL_VERSION_NUMBER(3)
1210
1211	* Added EVP_aead_chacha20_poly1305_ietf() which matches the AEAD
1212	  construction introduced in RFC 7539, which is different from that
1213	  already used in TLS with EVP_aead_chacha20_poly1305()
1214
1215	* Avoid a potential undefined C99+ behavior due to shift overflow in
1216	  AES_decrypt, reported by Pascal Cuoq <cuoq at trust-in-soft.com>
1217
1218	* More man pages converted from pod to mdoc format
1219
1220	* Added COMODO RSA Certification Authority and QuoVadis
1221	  root certificates to cert.pem
1222
1223	* Removed the "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification
1224	  Authority" (serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be) root
1225	  certificate from cert.pem
1226
1227	* Added support for building nc(1) on Solaris
1228
1229	* Fixed GCC 5.x+ preprocessor checks, reported by Ruslan Babayev
1230
1231	* Improved console handling with openssl(1) on Windows
1232
1233	* Ensure the network stack is enabled on Windows when running
1234	  tls_init()
1235
1236	* Fixed incorrect TLS certificate loading by nc(1)
1237
1238	* Added support for Solaris 11.3's getentropy(2) system call
1239
1240	* Enabled support for using NetBSD 7.0's arc4random(3) implementation
1241
1242	* Deprecated the SSL_OP_SINGLE_DH_USE flag by disabling its effect
1243
1244	* Fixes from OpenSSL 1.0.1q
1245	 - CVE-2015-3194 - NULL pointer dereference in client side certificate
1246	                   validation.
1247	 - CVE-2015-3195 - Memory leak in PKCS7 - not reachable from TLS/SSL
1248
1249	* The following OpenSSL CVEs did not apply to LibreSSL
1250	 - CVE-2015-3193 - Carry propagating bug in the x86_64 Montgomery
1251	                   squaring procedure.
1252	 - CVE-2015-3196 - Double free race condition of the identity hint
1253	                   data.
1254
1255	 See https://marc.info/?l=openbsd-announce&m=144925068504102
1256
12572.3.1 - ASN.1 and time handling cleanups
1258
1259	* ASN.1 cleanups and RFC5280 compliance fixes.
1260
1261	* Time representations switched from 'unsigned long' to 'time_t'. LibreSSL
1262	  now checks if the host OS supports 64-bit time_t.
1263
1264	* Fixed a leak in SSL_new in the error path.
1265
1266	* Support always extracting the peer cipher and version with libtls.
1267
1268	* Added ability to check certificate validity times with libtls,
1269	  tls_peer_cert_notbefore and tls_peer_cert_notafter.
1270
1271	* Changed tls_connect_servername to use the first address that resolves with
1272	  getaddrinfo().
1273
1274	* Remove broken conditional EVP_CHECK_DES_KEY code (non-functional since
1275	  initial commit in 2004).
1276
1277	* Fixed a memory leak and out-of-bounds access in OBJ_obj2txt, reported
1278	  by Qualys Security.
1279
1280	* Fixed an up-to 7 byte overflow in RC4 when len is not a multiple of
1281	  sizeof(RC4_CHUNK), reported by Pascal Cuoq <cuoq at trust-in-soft.com>.
1282
1283	* Reject too small bits value in BN_generate_prime_ex(), so that it does
1284	  not risk becoming negative in probable_prime_dh_safe(), reported by
1285	  Franck Denis.
1286
1287	* Enable nc(1) builds on more platforms.
1288
12892.3.0 - SSLv3 removed, libtls API changes, portability improvements
1290
1291	* SSLv3 is now permanently removed from the tree.
1292
1293	* The libtls API is changed from the 2.2.x series.
1294
1295	  The read/write functions work correctly with external event
1296	  libraries.  See the tls_init man page for examples of using libtls
1297	  correctly in asynchronous mode.
1298
1299	  Client-side verification is now supported, with the client supplying
1300	  the certificate to the server.
1301
1302	  Also, when using tls_connect_fds, tls_connect_socket or
1303	  tls_accept_fds, libtls no longer implicitly closes the passed in
1304	  sockets. The caller is responsible for closing them in this case.
1305
1306	* When loading a DSA key from a raw (without DH parameters) ASN.1
1307	  serialization, perform some consistency checks on its `p' and `q'
1308	  values, and return an error if the checks failed.
1309
1310	  Thanks to Georgi Guninski (guninski at guninski dot com) for
1311	  mentioning the possibility of a weak (non prime) q value and
1312	  providing a test case.
1313
1314	  See
1315	  https://cpunks.org/pipermail/cypherpunks/2015-September/009007.html
1316	  for a longer discussion.
1317
1318	* Fixed a bug in ECDH_compute_key that can lead to silent truncation
1319	  of the result key without error. A coding error could cause software
1320	  to use much shorter keys than intended.
1321
1322	* Removed support for DTLS_BAD_VER. Pre-DTLSv1 implementations are no
1323	  longer supported.
1324
1325	* The engine command and parameters are removed from the openssl(1).
1326	  Previous releases removed dynamic and builtin engine support
1327	  already.
1328
1329	* Removed SHA-0, which was withdrawn shortly after publication 20
1330	  years ago.
1331
1332	* Added Certplus CA root certificate to the default cert.pem file.
1333
1334	* New interface OPENSSL_cpu_caps is provided that does not allow
1335	  software to inadvertently modify cpu capability flags.
1336	  OPENSSL_ia32cap and OPENSSL_ia32cap_loc are removed.
1337
1338	* The out_len argument of AEAD changed from ssize_t to size_t.
1339
1340	* Deduplicated DTLS code, sharing bugfixes and improvements with
1341	  TLS.
1342
1343	* Converted 'nc' to use libtls for client and server operations; it is
1344	  included in the libressl-portable distribution as an example of how
1345	  to use the library.
1346
13472.2.3 - Bug fixes, build enhancements
1348
1349	* LibreSSL 2.2.2 incorrectly handles ClientHello messages that do not
1350	  include TLS extensions, resulting in such handshakes being aborted.
1351	  This release corrects the handling of such messages. Thanks to
1352	  Ligushka from github for reporting the issue.
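
The CBS (CRYPTO ByteString) conversions mentioned throughout these notes and the 2.2.2 regression above are two sides of the same parser discipline: every read goes through one length-checked primitive, so a truncated message fails instead of reading out of bounds, and the optional ClientHello extensions vector is parsed only when bytes remain, since RFC 5246 7.4.1.2 allows the body to end after compression_methods. The following is an added example, a standalone reimplementation written for these notes rather than LibreSSL's or BoringSSL's code; the CBS_* names mirror the API shape only, and the sample messages are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Added example, not LibreSSL code: a ClientHello body parser in the style
 * of the CBS (CRYPTO ByteString) API. Each read checks the remaining length
 * first, so a truncated message fails cleanly instead of reading past the
 * buffer, and the optional extensions vector is handled as RFC 5246
 * 7.4.1.2 allows: a body that ends after compression_methods is valid.
 */
typedef struct { const uint8_t *data; size_t len; } CBS;

/* The single bounds check every other reader is built on. */
static int CBS_get_bytes(CBS *cbs, CBS *out, size_t n)
{
    if (cbs->len < n)
        return 0;
    out->data = cbs->data;
    out->len = n;
    cbs->data += n;
    cbs->len -= n;
    return 1;
}

/* Big-endian unsigned integer of 1..4 bytes. */
static int CBS_get_uint(CBS *cbs, size_t nbytes, uint32_t *out)
{
    CBS v;
    if (nbytes > 4 || !CBS_get_bytes(cbs, &v, nbytes))
        return 0;
    *out = 0;
    for (size_t i = 0; i < nbytes; i++)
        *out = (*out << 8) | v.data[i];
    return 1;
}

/* A vector whose length is encoded in nbytes bytes in front of it. */
static int CBS_get_length_prefixed(CBS *cbs, size_t nbytes, CBS *out)
{
    uint32_t n;
    return CBS_get_uint(cbs, nbytes, &n) && CBS_get_bytes(cbs, out, n);
}

typedef struct { uint32_t version; size_t num_ciphers, num_extensions; int has_extensions; } client_hello;

/* Returns 1 and fills out on success, 0 on a malformed or truncated body. */
int parse_client_hello(const uint8_t *msg, size_t msg_len, client_hello *out)
{
    CBS cbs = { msg, msg_len }, rnd, session_id, ciphers, compression, exts, body;
    uint32_t type;

    memset(out, 0, sizeof(*out));
    if (!CBS_get_uint(&cbs, 2, &out->version) || !CBS_get_bytes(&cbs, &rnd, 32) ||
        !CBS_get_length_prefixed(&cbs, 1, &session_id) ||
        !CBS_get_length_prefixed(&cbs, 2, &ciphers) ||
        !CBS_get_length_prefixed(&cbs, 1, &compression))
        return 0;
    if (session_id.len > 32 || ciphers.len < 2 || ciphers.len % 2 != 0 || compression.len < 1)
        return 0;
    out->num_ciphers = ciphers.len / 2;
    if (cbs.len == 0)                  /* no extensions vector at all: legal */
        return 1;
    out->has_extensions = 1;
    if (!CBS_get_length_prefixed(&cbs, 2, &exts) || cbs.len != 0)
        return 0;                      /* bytes after the extensions: reject */
    while (exts.len > 0) {
        if (!CBS_get_uint(&exts, 2, &type) || !CBS_get_length_prefixed(&exts, 2, &body))
            return 0;
        out->num_extensions++;
    }
    return 1;
}

/* Constructed samples: TLS 1.2, zero random, empty session id, two cipher
 * suites, null compression; the second adds two empty extensions (0x0017, 0x0016). */
#define HELLO_HEAD 0x03, 0x03, \
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, \
    0x00, 0x00, 0x04, 0x13, 0x01, 0xc0, 0x2b, 0x01, 0x00
static const uint8_t hello_no_ext[] = { HELLO_HEAD };
static const uint8_t hello_with_ext[] = { HELLO_HEAD,
    0x00, 0x08, 0x00, 0x17, 0x00, 0x00, 0x00, 0x16, 0x00, 0x00 };

int demo_no_ext_ok(void)
{
    client_hello ch;
    return parse_client_hello(hello_no_ext, sizeof(hello_no_ext), &ch) &&
        !ch.has_extensions && ch.num_ciphers == 2 && ch.version == 0x0303;
}

int demo_ext_count(void)
{
    client_hello ch;
    return parse_client_hello(hello_with_ext, sizeof(hello_with_ext), &ch) ? (int)ch.num_extensions : -1;
}

/* Every proper prefix of the second sample must be rejected, except the one
 * that is exactly the complete no-extensions message. */
int demo_truncated_rejected(void)
{
    client_hello ch;
    for (size_t n = 0; n < sizeof(hello_with_ext); n++)
        if (parse_client_hello(hello_with_ext, n, &ch) != (n == sizeof(hello_no_ext)))
            return 0;
    return 1;
}
```

The truncation loop is the useful test to keep around: a hand-rolled parser that indexes `msg[offset]` after computing offsets from attacker-supplied length fields is exactly the OOB-read shape that the 2.5.1 "truncated packet could crash" fix addressed, and with CBS the only way to reach the data is through CBS_get_bytes and its check.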
1353
1354	* Added install target for cmake builds. Thanks to TheNietsnie from
1355	  github.
1356
1357	* Updated pkgconfig files to correctly report the release version
1358	  number, not the individual library ABI version numbers. Thanks to
1359	  Jan Engelhardt for reporting the issue.
1360
13612.2.2 - More TLS parser rework, bug fixes, expanded portable build support
1362
1363	* Switched 'openssl dhparam' default from 512 to 2048 bits
1364
1365	* Reworked openssl(1) option handling
1366
1367	* More CRYPTO ByteString (CBS) packet parsing conversions
1368
1369	* Fixed 'openssl pkeyutl -verify' to exit with a 0 on success
1370
1371	* Fixed dozens of Coverity issues including dead code, memory leaks,
1372	  logic errors and more.
1373
1374	* Ensure that openssl(1) restores terminal echo state after reading a
1375	  password.
1376
1377	* Incorporated fix for OpenSSL Issue #3683
1378
1379	* LibreSSL version define LIBRESSL_VERSION_NUMBER will now be bumped
1380	  for each portable release.
1381
1382	* Removed workarounds for TLS client padding bugs.
1383
1384	* No longer disable ECDHE-ECDSA on OS X
1385
1386	* Removed SSLv3 support from openssl(1)
1387
1388	* Removed IE 6 SSLv3 workarounds.
1389
1390	* Modified tls_write in libtls to allow partial writes, clarified with
1391	  examples in the documentation.
1392
1393	* Removed RSAX engine
1394
1395	* Tested SSLv3 removal with the OpenBSD ports tree and found several
1396	  applications that were not ready to build without SSLv3 yet. For
1397	  now, building a program that intentionally uses SSLv3 will result in
1398	  a linker warning.
1399
1400	* Added TLS_method, TLS_client_method and TLS_server_method as a
1401	  replacement for the SSLv23_*method calls.
1402
1403	* Added initial cmake build support, including support for building with
1404	  Visual Studio, currently tested with Visual Studio 2013 Community
1405	  Edition.
1406
1407	* --with-enginesdir is removed as a configuration parameter
1408
1409	* Default cert.pem, openssl.cnf, and x509v3.cnf files are now
1410	  installed under $sysconfdir/ssl or the directory specified by
1411	  --with-openssldir. Previous versions of LibreSSL left these empty.
1412
14132.2.1 - Build fixes, feature added, features removed
1414
1415	* Assorted build fixes for musl, HP-UX, Mingw, Solaris.
1416
1417	* Initial support for Windows Embedded 2009, Server 2003, XP
1418
1419	* Protocol parsing conversions to BoringSSL's CRYPTO ByteString (CBS) API
1420
1421	* Added EC_curve_nid2nist and EC_curve_nist2nid from OpenSSL
1422
1423	* Removed Dynamic Engine support
1424
1425	* Removed unused and obsolete MDC-2DES cipher
1426
1427	* Removed workarounds for obsolete SSL implementations
1428
14292.2.0 - Build cleanups and new OS support, Security Updates
1430
1431	* AIX Support - thanks to Michael Felt
1432
1433	* Cygwin Support - thanks to Corinna Vinschen
1434
1435	* Refactored build macros, support packaging libtls independently.
1436	  There are more pieces required to support building and using OpenSSL
1437	  with libtls, but this is an initial start at providing an
1438	  independent package for people to start hacking on.
1439
1440	* Removal of OPENSSL_issetugid and all library getenv calls.
1441	  Applications can and should no longer rely on environment variables
1442	  for changing library behavior. OPENSSL_CONF/SSLEAY_CONF is still
1443	  supported with the openssl(1) command.
1444
1445	* libtls API and documentation additions
1446
1447	* Various bug fixes and simplifications to libssl and libcrypto
1448
1449	* Fixes for the following issues are integrated into LibreSSL 2.2.0:
1450	 - CVE-2015-1788 - Malformed ECParameters causes infinite loop
1451	 - CVE-2015-1789 - Exploitable out-of-bounds read in X509_cmp_time
1452	 - CVE-2015-1792 - CMS verify infinite loop with unknown hash function
1453
1454	* The following CVEs did not apply to LibreSSL or were fixed in
1455	  earlier releases:
1456	 - CVE-2015-4000 - DHE man-in-the-middle protection (Logjam)
1457	 - CVE-2015-1790 - PKCS7 crash with missing EnvelopedContent
1458	 - CVE-2014-8176 - Invalid free in DTLS
1459
1460	* Fixes for the following CVEs are still in review for LibreSSL
1461	 - CVE-2015-1791 - Race condition handling NewSessionTicket
1462
14632.1.6 - Security update
1464
1465	* Fixes for the following issues are integrated into LibreSSL 2.1.6:
1466	  - CVE-2015-0209 - Use After Free following d2i_ECPrivateKey error
1467	  - CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
1468	  - CVE-2015-0287 - ASN.1 structure reuse memory corruption
1469	  - CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref
1470	  - CVE-2015-0289 - PKCS7 NULL pointer dereferences
1471
1472	* The fix for CVE-2015-0207 - Segmentation fault in DTLSv1_listen
1473	  is integrated for safety, but LibreSSL is not vulnerable.
1474
1475	* Libtls is now built by default. The --enable-libtls
1476	  configuration option is no longer required.
1477	  The libtls API is now stable for the 2.1.x series.
1478
14792.1.5 - Bug fixes and a security update
1480	* Fix incorrect comparison function in openssl(1) certhash command.
1481	  Thanks to Christian Neukirchen / Void Linux.
1482
1483	* Windows port improvements and bug fixes.
1484	  - Removed a dependency on libgcc in 32-bit dynamic libraries.
1485	  - Correct a hang in openssl(1) reading from stdin on a connection.
1486	  - Initialize winsock in openssl(1) earlier, allow 'openssl ocsp' and
1487	    any other network-related commands to function properly.
1488
1489	* Reject all server DH keys smaller than 1024 bits.
1490
14912.1.4 - Security and feature updates
1492	* Improvements to libtls:
1493	  - a new API for loading CA chains directly from memory instead of a
1494	    file, allowing verification with privilege separation in a chroot
1495	    without direct access to CA certificate files.
1496
1497	  - Ciphers default to TLSv1.2 with AEAD and PFS.
1498
1499	  - Improved error handling and message generation
1500
1501	  - New APIs and improved documentation
1502
1503	* Added X509_STORE_load_mem API for loading certificates from memory.
1504	  This facilitates accessing certificates from a chrooted environment.
1505
1506	* New AEAD "MAC alias" allows configuring TLSv1.2 AEAD ciphers by
1507	  using 'TLSv1.2+AEAD' as the cipher selection string.
1508
1509	* Dead and disabled code removal including MD5, Netscape workarounds,
1510	  non-POSIX IO, SCTP, RFC 3779 support, many #if 0 sections, and more.
1511
1512	* ASN1 macro maze expanded to aid reading and searching the code.
1513
1514	* NULL pointer asserts removed in favor of letting the OS/signal
1515	  handler catch them.
1516
1517	* Refactored argument handling in openssl(1) for consistency and
1518	  maintainability.
1519
1520	* New openssl(1) command 'certhash' replaces the c_rehash script.
1521
1522	* Support for building with OPENSSL_NO_DEPRECATED
1523
1524	* Server-side support for TLS_FALLBACK_SCSV for compatibility with
1525	  various auditor and vulnerability scanners.
1526
1527	* Dozens of issues found with the Coverity scanner fixed.
1528
1529	* Security Updates:
1530
1531	  - Fix a minor information leak that was introduced in t1_lib.c
1532	    r1.71, whereby an additional 28 bytes of .rodata (or .data) is
1533	    provided to the network. In most cases this is a non-issue since
1534	    the memory content is already public. Issue found and reported by
1535	    Felix Groebert of the Google Security Team.
1536
1537	  - Fixes for the following low-severity issues were integrated into
1538	    LibreSSL from OpenSSL 1.0.1k:
1539
1540	     CVE-2015-0205 - DH client certificates accepted without
1541	                     verification
1542	     CVE-2014-3570 - Bignum squaring may produce incorrect results
1543	     CVE-2014-8275 - Certificate fingerprints can be modified
1544	     CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client]
1545	     Reported by Karthikeyan Bhargavan of the PROSECCO team at INRIA.
1546
1547	    The following CVEs were fixed in earlier LibreSSL releases:
1548	     CVE-2015-0206 - Memory leak handling repeated DTLS records
1549	     CVE-2014-3510 - Flaw handling DTLS anonymous EC(DH) ciphersuites.
1550
1551	    The following CVEs did not apply to LibreSSL:
1552	     CVE-2014-3571 - DTLS segmentation fault in dtls1_get_record
1553	     CVE-2014-3569 - no-ssl3 configuration sets method to NULL
1554	     CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA
1555
15562.1.3 - Security update and OS support improvements
1557	* Fixed various memory leaks in DTLS, including fixes for
1558	  CVE-2015-0206.
1559
1560	* Added Application-Layer Protocol Negotiation (ALPN) support.
1561
1562	* Removed GOST R 34.10-94 signature authentication.
1563
1564	* Removed nonfunctional Netscape browser-hang workaround code.
1565
1566	* Simplified and refactored SSL/DTLS handshake code.
1567
1568	* Added SHA256 Camellia cipher suites for TLS 1.2 from RFC 5932.
1569
1570	* Hide timing info about padding errors during handshakes.
1571
1572	* Improved libtls support for non-blocking sockets, added randomized
1573	  session ID contexts. Work is ongoing with this library - feedback
1574	  and potential use-cases are welcome.
1575
1576	* Support building Windows DLLs.
1577	  Thanks to Jan Engelhardt.
1578
1579	* Packaged config wrapper for better compatibility with OpenSSL-based
1580	  build systems.
1581	  Thanks to @technion from github
1582
1583	* Ensure the stack is marked non-executable for assembly sections.
1584	  Thanks to Anthony G. Basile.
1585
1586	* Enable extra compiler hardening flags by default, where applicable.
1587	  The default set of hardening features can vary by OS to OS, so
1588	  feedback is welcome on this. To disable the default hardening flags,
1589	  specify '--disable-hardening' during configure.
1590	  Thanks to Jim Barlow
1591
1592	* Initial HP-UX support, tested with HP-UX 11.31 ia64
1593	  Thanks to Kinichiro Inoguchi
1594
1595	* Initial NetBSD support, tested with NetBSD 6.1.5 x86_64
1596	  Imported from OpenNTPD, thanks to @gitisihara from github
1597
15982.1.2 - Many new features and improvements
1599	* Added reworked GOST cipher suite support
1600	   thanks to Dmitry Eremin-Solenikov
1601
1602	* Enabled Camellia ciphers due to improved patent situation
1603
1604	* Use builtin arc4random implementation on OS X and FreeBSD
1605	   this addresses some deficiencies in the native implementations of
1606	   these operating systems, see commit logs for more information
1607
1608	* Added initial Windows mingw-w64 support (32 and 64-bit)
1609	   thanks to Song Dongsheng and others for code and feedback
1610
1611	* Enabled assembly optimizations on x86_64 CPUs
1612	   supports Linux, *BSD, Solaris and OS X operating systems
1613	   thanks to Wouter Clarie for the initial implementation
1614
1615	* Added no_ssl3/no_tls1_1/no_tls1_2 options to openssl(1)
1616
1617	* Improved build infrastructure, 'make distcheck' now passes
1618	   this simplifies the build and speeds up development
1619	   thanks to Dmitry Eremin-Solenikov and Wouter Clarie
1620
1621	* Allow conditional building of the libtls library
1622	   expect the API and ABI of the library to change
1623	   feedback is welcome
1624
1625	* Fixes for more memory leaks, cleanups, etc.
1626
16272.1.1 - Security update
1628	* Address POODLE attack by disabling SSLv3 by default
1629
1630	* Fixed elliptic curve cipher selection bug
1631	  (https://github.com/libressl-portable/portable/issues/35)
1632
16332.1.0 - First release from the OpenBSD 5.7 tree
1634	* Added support for automatic ephemeral EC keys
1635
1636	* Fixes for many memory leaks and overflows in error handlers
1637
1638	* The TLS padding extension (that works around bugs in F5 terminators) is
1639	  off by default
1640
1641	* support for getrandom(2) on Linux 3.17
1642
1643	* the NO_ASM macro is no longer being set, providing the first bits toward
1644	  enabling other assembly offloads.
1645
16462.0.5 - Fixes for CVEs from OpenSSL 1.0.1i
1647	* CVE-2014-3506
1648	* CVE-2014-3507
1649	* CVE-2014-3508 (partially vulnerable)
1650	* CVE-2014-3509
1651	* CVE-2014-3510
1652	* CVE-2014-3511
1653	* Synced LibreSSL Portable with the release version of OpenBSD 5.6
1654
16552.0.4 - Portability fixes, deleted unused SRP code
1656
16572.0.3 - Portability fixes, improvements to fork detection
1658
16592.0.2 - Address arc4random fork PID wraparound issues with pthread_atfork
1660
16612.0.1 - Portability fixes:
1662	* Removed -Werror and other non-portable compiler flags
1663
1664	* Allow setting OPENSSLDIR and ENGINESDIR
1665
16662.0.0 - First release from the OpenBSD 5.6 tree
1667	* Removal of many obsolete features and coding conventions from the OpenSSL
1668	  1.0.1h source
1669