Because this project is maintained both in the OpenBSD tree using CVS and in
Git, it can be confusing following all of the changes.

Most of the libssl and libcrypto source code is here in OpenBSD CVS:

    http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/

Some of the libcrypto and OS-compatibility files for entropy and random number
generation are here:

    http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libcrypto/

A simplified TLS wrapper library is here:

    http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libtls/

The LibreSSL Portable project copies these portions of the OpenBSD tree, along
with relevant portions of the C library, to a Git repository. This makes it
easier to follow all of the relevant changes to the upstream project in a
single place:

    https://github.com/libressl-portable/openbsd

The portable bits of the project are largely maintained out-of-tree, and their
history is also available from Git:

    https://github.com/libressl-portable/portable

LibreSSL Portable Release Notes:

3.6.1 - Stable release

 * Bug fixes
   - Custom verification callbacks could cause the X.509 verifier to
     fail to store errors resulting from leaf certificate verification.
     Reported by Ilya Shipitsin.
   - Unbreak ASN.1 indefinite length encoding.
     Reported by Niklas Hallqvist.

3.6.0 - Development release

 * Internal improvements
   - Avoid expensive RFC 3779 checks during cert verification.
   - The templated ASN.1 decoder has been cleaned up, refactored and
     modernized, with parts rewritten using CBB and CBS.
   - The ASN.1 time parser has been rewritten.
   - Rewrite and fix ASN1_STRING_to_UTF8().
   - Use asn1_abs_set_unused_bits() rather than inlining it.
   - Simplify ec_asn1_group2curve().
   - First pass at a clean up of ASN1_item_sign_ctx().
   - ssl_txt.c was cleaned up.
   - Internal function arguments and struct members have been changed
     to size_t.
   - Lots of missing error checks of EVP API were added.
   - Clean up and clarify BN_kronecker().
   - Simplify ASN1_INTEGER_cmp().
   - Rewrite ASN1_INTEGER_{get,set}() using CBS and CBB and reuse
     the ASN1_INTEGER functions for ASN1_ENUMERATED.
   - Use ASN1_INTEGER to parse and build {Z,}LONG_it.
   - Refactored and cleaned up group (elliptic curve) handling in
     t1_lib.c.
   - Simplify certificate list handling code in the legacy server.
   - Make CBB_finish() fail if *out_data is not NULL.
   - Remove tls_buffer_set_data() and remove/revise callers.
   - Rewrite SSL{_CTX,}_set_alpn_protos() using CBS.
   - Simplify tlsext_supported_groups_server_parse().
   - Remove redundant length checks in tlsext parse functions.
   - Simplify tls13_server_encrypted_extensions_recv().
   - Add read and write support to tls_buffer.
   - Convert TLS transcript from BUF_MEM to tls_buffer.
   - Clear key on exit in PKCS12_gen_mac().
   - Minor fixes in PKCS12_parse().
   - Provide and use a primitive clear function for BIGNUM_it.
   - Use ASN1_INTEGER to encode/decode BIGNUM_it.
   - Add stack frames to AES-NI x86_64 assembly.
   - Use named initialisers for BIGNUMs.
   - Tidy up some of BN_nist_mod_*.
   - Expand BLOCK_CIPHER_* and related macros.
   - Avoid shadowing the cbs function parameter in
     tlsext_alpn_server_parse().
   - Deduplicate peer certificate chain processing code.
   - Make it possible to signal an error from an i2c_* function.
   - Rewrite i2c_ASN1_INTEGER() using CBB/CBS.
   - Remove UINT32_MAX limitation on ChaCha() and CRYPTO_chacha_20().
   - Remove bogus length checks from EVP_aead_chacha20_poly1305().
   - Reworked DSA_size() and ECDSA_size().
   - Stop using CBIGNUM_it internal to libcrypto.
   - Provide c2i_ASN1_ENUMERATED_cbs() and call it from
     asn1_c2i_primitive().
   - Ensure ASN.1 types are appropriately encoded.
   - Avoid recycling ASN1_STRINGs when decoding ASN.1.
   - Tidy up asn1_c2i_primitive() slightly.
   - Mechanically expand IMPLEMENT_BLOCK_CIPHER, IMPLEMENT_CFBR,
     BLOCK_CIPHER and the looney M_do_cipher macros.
   - Use correct length for EVP CFB mode ciphers.
   - Provide a version of ssl_msg_callback() that takes a CBS.
   - Use CBS to parse TLS alerts in the legacy stack.
   - Increment the input and output position for EVP AES CFB1.
   - Ensure there is no trailing data for a CCS received by the
     TLSv1.3 stack.
   - Use CBS when processing a CCS message in the legacy stack.
   - Be stricter with middlebox compatibility mode in the TLSv1.3
     server.
 * Compatibility changes
   - The ASN.1 time parser has been refactored and rewritten using CBS.
     It has been made stricter in that it now enforces the rules from
     RFC 5280.
   - ASN1_AFLG_BROKEN was removed.
   - Error check tls_session_secret_cb() like OpenSSL.
   - Added ASN1_INTEGER_{get,set}_{u,}int64().
   - Move leaf certificate checks to the last thing after chain
     validation.
   - Added -s option to openssl(1) ciphers that only shows the ciphers
     supported by the specified protocol.
   - Use TLS_client_method() instead of TLSv1_client_method() in
     the openssl(1) ciphers command.
   - Validate the protocols in SSL{_CTX,}_set_alpn_protos().
   - Made TS and PKCS12 opaque.
   - Per RFC 7292, safeContentsBag is a SEQUENCE OF, not a SET OF.
   - Align PKCS12_key_gen_uni() with OpenSSL.
   - Various PKCS12 and TS accessors were added. In particular, the
     TS_RESP_CTX_set_time_cb() function was added back.
   - Allow a NULL header in PEM_write{,_bio}().
   - Allow empty attribute sets in CSRs.
   - Adjust signatures of BIO_ctrl functions.
   - Provide additional defines for EVP AEAD.
   - Provide OPENSSL_cleanup().
   - Make BIO_info_cb() identical to bio_info_cb().
 * Bug fixes
   - Avoid use of uninitialized in BN_mod_exp_recp().
   - Fix X509_get_extension_flags() by ensuring that EXFLAG_INVALID is
     set on X509_get_purpose() failure.
   - Fix HMAC() with NULL key.
   - Add ERR_load_{COMP,CT,KDF}_strings() to ERR_load_crypto_strings().
   - Avoid strict aliasing violations in BN_nist_mod_*().
   - Do not return X509_V_ERR_UNSPECIFIED from X509_check_ca().
     No return value of X509_check_ca() indicates failure. Application
     code should therefore issue a checked call to X509_check_purpose()
     before calling X509_check_ca().
   - Rewrite and fix X509v3_asid_subset() to avoid segfaults on some
     valid input.
   - Call the ASN1_OP_D2I_PRE callback after ASN1_item_ex_new().
   - Fix d2i_ASN1_OBJECT() to advance the *der_in pointer correctly.
   - Avoid use of uninitialized in ASN1_STRING_to_UTF8().
   - Do not pass uninitialized pointer to ASN1_STRING_to_UTF8().
   - Do not refuse valid IPv6 addresses in nc(1)'s HTTP CONNECT proxy.
   - Do not reject primes in trial divisions.
   - Error out on negative shifts in BN_{r,l}shift() instead of
     accessing arrays out of bounds.
   - Fix URI name constraints, allow for URIs with no host part.
   - Fix the legacy verifier callback behaviour for untrusted certs.
   - Correct server-side handling of TLSv1.3 key updates.
   - Plug leak in PKCS12_setup_mac().
   - Plug leak in X509V3_add1_i2d().
   - Only print X.509 versions we know about.
   - Avoid signed integer overflow due to unary negation.
   - Initialize readbytes in BIO_gets().
   - Plug memory leak in CMS_add_simple_smimecap().
   - Plug memory leak in X509_REQ_print_ex().
   - Check HMAC() return value to avoid a later use of uninitialized.
   - Avoid potential NULL dereference in ssl_set_pkey().
   - Check return values in ssl_print_tmp_key().
   - Switch loop bounds from size_t to int in check_hosts().
   - Avoid division by zero if no connection was made in s_time.c.
   - Check sk_SSL_CIPHER_push() return value.
   - Avoid out-of-bounds read in ssl_cipher_process_rulestr().
   - Use LONG_MAX as the limit for ciphers with long based APIs.
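
   The 3.6.0 compatibility note above says the rewritten ASN.1 time parser
   now enforces the RFC 5280 rules. To make concrete what "stricter" means
   for a certificate's notBefore/notAfter, here is an added example written
   for this page; it is not LibreSSL's parser and makes no claim about the
   exact set of checks LibreSSL performs. It applies the encoding rules of
   RFC 5280 section 4.1.2.5 in Python: UTCTime must be exactly
   YYMMDDHHMMSSZ, GeneralizedTime exactly YYYYMMDDHHMMSSZ, seconds are
   mandatory, only the 'Z' zone designator is allowed, no fractional
   seconds, and the calendar fields must be valid. The 2049/2050 split
   (UTCTime through 2049, GeneralizedTime from 2050) is RFC 5280's rule
   for conforming CAs and is enforced here behind a flag. The function
   names, tag constants and sample encodings are this example's own.

```python
"""Strict X.509 validity-time parsing following RFC 5280 section 4.1.2.5.

Added example for this page; not LibreSSL code. UTCTime years 50..99 mean
1950..1999 and 00..49 mean 2000..2049 (RFC 5280 4.1.2.5.1). Under the
RFC 5280 profile, dates through 2049 must be UTCTime and dates in 2050 or
later must be GeneralizedTime (4.1.2.5).
"""
import re
from datetime import datetime, timezone

# ASN.1 universal tag numbers for the two Time alternatives.
TAG_UTCTIME = 23
TAG_GENERALIZEDTIME = 24

# Bytes patterns so that only ASCII digits match (a str pattern with \d
# would also accept non-ASCII Unicode digits, which DER never contains).
_UTCTIME_RE = re.compile(
    rb"([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})Z")
_GENTIME_RE = re.compile(
    rb"([0-9]{4})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})Z")


class ASN1TimeError(ValueError):
    """Raised for any encoding the strict RFC 5280 rules reject."""


def _build(year, month, day, hour, minute, second):
    # datetime() enforces calendar validity: month 1..12, day-of-month
    # including leap years, and hour/minute/second ranges. A leap second
    # (second == 60) is rejected here by design; it is not representable.
    try:
        return datetime(year, month, day, hour, minute, second,
                        tzinfo=timezone.utc)
    except ValueError as exc:
        raise ASN1TimeError(f"invalid calendar time: {exc}") from exc


def parse_utctime(value: bytes) -> datetime:
    """Parse a UTCTime value; requires seconds and a trailing 'Z'."""
    m = _UTCTIME_RE.fullmatch(value)
    if m is None:
        raise ASN1TimeError("UTCTime must be YYMMDDHHMMSSZ")
    yy, month, day, hour, minute, second = (int(g) for g in m.groups())
    year = 1900 + yy if yy >= 50 else 2000 + yy
    return _build(year, month, day, hour, minute, second)


def parse_generalizedtime(value: bytes,
                          rfc5280_profile: bool = True) -> datetime:
    """Parse a GeneralizedTime value; no fractional seconds, no offsets."""
    m = _GENTIME_RE.fullmatch(value)
    if m is None:
        raise ASN1TimeError("GeneralizedTime must be YYYYMMDDHHMMSSZ")
    year, month, day, hour, minute, second = (int(g) for g in m.groups())
    if rfc5280_profile and year < 2050:
        raise ASN1TimeError("dates before 2050 must be encoded as UTCTime")
    return _build(year, month, day, hour, minute, second)


def parse_validity_time(tag: int, value: bytes) -> datetime:
    """Dispatch on the tag of a Validity.notBefore / notAfter Time."""
    if tag == TAG_UTCTIME:
        return parse_utctime(value)
    if tag == TAG_GENERALIZEDTIME:
        return parse_generalizedtime(value)
    raise ASN1TimeError(f"unexpected tag {tag} for Time")


def is_valid_validity_time(tag: int, value: bytes) -> bool:
    """True if the (tag, value) pair is accepted by the strict parser."""
    try:
        parse_validity_time(tag, value)
        return True
    except ASN1TimeError:
        return False


if __name__ == "__main__":
    # Constructed sample encodings, not taken from real certificates.
    samples = [
        (TAG_UTCTIME, b"221231235959Z"),              # accepted
        (TAG_UTCTIME, b"2212312359Z"),                # seconds missing
        (TAG_UTCTIME, b"221231235959+0100"),          # offset instead of Z
        (TAG_UTCTIME, b"221331235959Z"),              # month 13
        (TAG_GENERALIZEDTIME, b"20500101000000Z"),    # accepted
        (TAG_GENERALIZEDTIME, b"20500101000000.5Z"),  # fractional seconds
        (TAG_GENERALIZEDTIME, b"20221231235959Z"),    # pre-2050: UTCTime
    ]
    for tag, value in samples:
        verdict = "ok" if is_valid_validity_time(tag, value) else "rejected"
        print(f"{value.decode('ascii'):22} -> {verdict}")
```

   The practical consequence of a strict parser of this kind is the one the
   changelog hints at: certificates whose validity encodes an offset, omits
   seconds or uses GeneralizedTime for a 20xx date will fail to parse
   rather than being quietly accepted, so interoperability testing against
   such certificates is worth doing before upgrading.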
 * New features
   - EVP API for HKDF ported from OpenSSL and subsequently cleaned up.
   - The security level API (SSL_{,CTX}_{get,set}_security_level()) is
     now available. Callbacks and ex_data are not supported. Sane
     software will not be using this.
   - Experimental support for the BoringSSL QUIC API.
   - Add initial support for TS ESSCertIDv2 verification.
   - LibreSSL now uses the Baillie-PSW primality test instead of
     Miller-Rabin.

3.5.3 - Reliability fix

 * Fix d2i_ASN1_OBJECT(). A confusion of two CBS resulted in advancing
   the passed *der_in pointer incorrectly. Thanks to Aram Sargsyan for
   reporting the issue and testing the fix.

3.5.2 - Stable release

 * Bug fixes
   - Avoid single byte overread in asn1_parse2().
   - Allow name constraints with a leading dot. From Alex Wilson.
   - Relax a check in x509_constraints_dirname() to allow prefixes.
     From Alex Wilson.
   - Fix NULL dereferences in openssl(1) cms option parsing.
   - Do not zero the computed cofactor on ec_guess_cofactor() success.
   - Bound cofactor in EC_GROUP_set_generator() to reduce the number of
     bogus groups that can be described with nonsensical parameters.
   - Avoid various potential segfaults in EVP_PKEY_CTX_free() in low
     memory conditions. Reported for HMAC by Masaru Masuda.
   - Plug leak in ASN1_TIME_adj_internal().
   - Avoid infinite loop for custom curves of order 1.
     Issue reported by Hanno Boeck, comments by David Benjamin.
   - Avoid an infinite loop on parsing DSA private keys by validating
     that the provided parameters conform to FIPS 186-4.
     Issue reported by Hanno Boeck, comments by David Benjamin.
 * Compatibility improvements
   - Allow non-standard name constraints of the form @domain.com.
 * Internal improvements
   - Limit OID text conversion to 64 bits per arc.
   - Clean up and simplify memory BIO code.
   - Reduce number of memmove() calls in memory BIOs.
   - Factor out alert handling code in the legacy stack.
   - Add sanity checks on p and q in old_dsa_priv_decode().
   - Cache the SHA-512 hash instead of the SHA-1 for CRLs.
   - Suppress various compiler warnings for old gcc versions.
   - Remove free_cont from asn1_d2i_ex_primitive()/asn1_ex_c2i().
   - Rework ownership handling in x509_constraints_validate().
   - Rework ASN1_STRING_set().
   - Remove const from tls1_transcript_hash_value().
   - Clean up and simplify ssl3_renegotiate{,_check}().
   - Rewrite legacy TLS and DTLS unexpected handshake message handling.
   - Simplify SSL_do_handshake().
   - Rewrite ASCII/text to ASN.1 object conversion.
   - Provide t2i_ASN1_OBJECT_internal() and use it for OBJ_txt2obj().
   - Split armv7 and aarch64 code into separate locations.
   - Rewrote openssl(1) ts to use the new option handling and cleaned
     up the C code.
   - Provide asn1_get_primitive().
   - Convert {c2i,d2i}_ASN1_OBJECT() to CBS.
   - Remove the minimum record length checks from dtls1_read_bytes().
   - Clean up {dtls1,ssl3}_read_bytes().
   - Be more careful with embedded and terminating NULs in the new
     name constraints code.
   - Check EVP_Digest* return codes in openssl(1) ts.
   - Various minor code cleanup in openssl(1) pkcs12.
   - Use calloc() in pkey_hmac_init().
   - Simplify priv_key handling in d2i_ECPrivateKey().
 * Documentation improvements
   - Update d2i_ASN1_OBJECT(3) documentation to reflect reality after
     refactoring and bug fixes.
   - Fixed numerous minor grammar, spelling, wording, and punctuation
     issues.

3.5.1 - Security release

 * A malicious certificate can cause an infinite loop.
   Reported by and fix from Tavis Ormandy and David Benjamin, Google.

3.5.0 - Development release

 * New Features
   - The RFC 3779 API was ported from OpenSSL. Many bugs were fixed,
     regression tests were added and the code was cleaned up.
   - Certificate Transparency was ported from OpenSSL. Many internal
     improvements were made, resulting in cleaner and safer code.
     Regress coverage was added. libssl does not yet make use of it.
 * Portable Improvements
   - Fixed various POSIX compliance and other portability issues
     found by the port to the Sortix operating system.
   - Add libmd as a platform-specific library for Solaris.
     Issue reported by (ihsan <at> opencsw org) on the libressl ML.
   - Set IA-64 compiler flag only if it is HP-UX with IA-64.
     Suggested by Larkin Nickle (me <at> larbob org) on the libressl ML.
   - Enabled and scheduled Coverity scan.
     Contributed by Ilya Shipitsin (chipitsine <at> gmail com) on GitHub.
 * Compatibility Changes
   - Most structs that were previously defined in the following headers
     are now opaque as they are in OpenSSL 1.1:
     bio.h, bn.h, comp.h, dh.h, dsa.h, evp.h, hmac.h, ocsp.h, rsa.h,
     x509.h, x509v3.h, x509_vfy.h
   - Switch TLSv1.3 cipher names from AEAD- to OpenSSL's TLS_.
     OpenSSL added the TLSv1.3 ciphersuites with "RFC names" instead
     of using something consistent with the previous naming. Various
     test suites expect these names (instead of checking for the much
     more sensible cipher numbers). The old names are still accepted
     as aliases.
   - Subject alternative names and name constraints are now validated
     when they are added to certificates. Various interoperability
     problems with stacks that validate certificates more strictly
     than OpenSSL can be avoided this way.
   - Attempt to opportunistically use the host name for SNI in s_client.
 * Bug fixes
   - In some situations, the verifier would discard the error on an
     unvalidated certificate chain. This would happen when the
     verification callback was in use, instructing the verifier to
     continue unconditionally. This could lead to incorrect decisions
     being made in software.
   - Avoid an infinite loop in SSL_shutdown().
   - Fix another return 0 bug in SSL_shutdown().
   - Handle zero byte reads/writes that trigger handshakes in the
     TLSv1.3 stack.
   - A long-standing memleak in libtls CRL handling was fixed.
 * Internal Improvements
   - Cache the SHA-512 hash instead of the SHA-1 hash and cache
     notBefore and notAfter times when X.509 certificates are parsed.
   - The X.509 lookup code has been simplified and cleaned up.
   - Fixed numerous issues flagged by Coverity and the cryptofuzz
     project.
   - Increased the number of Miller-Rabin checks in DH and DSA
     key/parameter generation.
   - Started using the bytestring API in libcrypto for cleaner and
     safer code.
   - Convert {i2d,d2i}_{,EC_,DSA_,RSA_}PUBKEY{,_bio,_fp}() to templated
     ASN1.
   - Convert ASN1_OBJECT_new() to calloc().
   - Convert ASN1_STRING_type_new() to calloc().
   - Rewrite ASN1_STRING_cmp().
   - Use calloc() for X509_CRL_METHOD_new() instead of malloc().
   - Convert ASN1_PCTX_new() to calloc().
   - Replace asn1_tlc_clear and asn1_tlc_clear_nc macros with a
     function.
   - Consolidate {d2i,i2d}_{pr,pu}.c.
   - Remove handling of a NULL BUF_MEM from asn1_collect().
   - Pull the recursion depth check up to the top of asn1_collect().
   - Inline collect_data() in asn1_collect().
   - Convert asn1_d2i_ex_primitive()/asn1_collect() from BUF_MEM to CBB.
   - Clean up d2i_ASN1_BOOLEAN() and i2d_ASN1_BOOLEAN().
   - Consolidate ASN.1 universal tag type data.
   - Rewrite ASN.1 identifier/length parsing in CBS.
   - Make OBJ_obj2nid() work correctly with NID_undef.
   - tlsext_tick_lifetime_hint is now a uint32_t.
   - Untangle ssl3_get_message() return values.
   - Rename tls13_buffer to tls_buffer.
   - Fold DTLS_STATE_INTERNAL into DTLS1_STATE.
   - Provide a way to determine our maximum legacy version.
   - Mop up enc_read_ctx and read_hash.
   - Fold SSL_SESSION_INTERNAL into SSL_SESSION.
   - Use ssl_force_want_read in the DTLS code.
   - Add record processing limit to DTLS code.
   - Add explicit CBS_contains_zero_byte() check in CBS_strdup().
   - Improve SNI hostname validation.
   - Ensure SSL_set_tlsext_host_name() is given a valid hostname.
   - Fix a strange check in the auto DH codepath.
   - Factor out/rewrite DHE key exchange.
   - Convert server serialisation of DHE parameters/public key to new
     functions.
   - Check DH public key in ssl_kex_peer_public_dhe().
   - Move the minimum DHE key size check into ssl_kex_peer_params_dhe().
   - Clean up and refactor server side DHE key exchange.
   - Provide CBS_get_last_u8().
   - Provide CBS_get_u64().
   - Provide CBS_add_u64().
   - Provide various CBS_peek_* functions.
   - Use CBS_get_last_u8() to find the content type in TLSv1.3 records.
   - unifdef TLS13_USE_LEGACY_CLIENT_AUTH.
   - Correct SSL_get_peer_cert_chain() when used with the TLSv1.3 stack.
   - Only allow zero length key shares when we know we're doing HRR.
   - Pull key share group/length CBB code up from
     tls13_key_share_public().
   - Refactor ssl3_get_server_kex_ecdhe() to separate parsing and
     validation.
   - Return 0 on failure from send/get kex functions in the legacy
     stack.
   - Rename tls13_key_share to tls_key_share.
   - Allocate and free the EVP_AEAD_CTX struct in
     tls13_record_protection.
   - Convert legacy TLS client to tls_key_share.
   - Convert legacy TLS server to tls_key_share.
   - Stop attempting to duplicate the public and private key of dh_tmp.
   - Rename dh_tmp to dhe_params.
   - Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY.
   - Clean up pkey handling in ssl3_get_server_key_exchange().
   - Fix GOST skip certificate verify handling.
   - Simplify tlsext_keyshare_server_parse().
   - Plumb decode errors through key share parsing code.
   - Simplify SSL_get_peer_certificate().
   - Cleanup/simplify ssl_cert_type().
   - The S3I macro was removed.
   - The openssl(1) cms and smime subcommands' option handling was
     converted and the C source was cleaned up.
 * Documentation improvements
   - 45 new manual pages, most of which were written from scratch.
     Documentation coverage of ASN.1 and X.509 code has been
     significantly improved.
 * API additions and removals
   - libssl
     API additions
       SSL_get0_verified_chain SSL_peek_ex SSL_read_ex SSL_write_ex
     API stubs for compatibility
       SSL_CTX_get_keylog_callback SSL_CTX_get_num_tickets
       SSL_CTX_set_keylog_callback SSL_CTX_set_num_tickets
       SSL_get_num_tickets SSL_set_num_tickets
   - libcrypto
     added API (some of these were previously available as macros):
       ASIdOrRange_free ASIdOrRange_new ASIdentifierChoice_free
       ASIdentifierChoice_new ASIdentifiers_free ASIdentifiers_new
       ASN1_TIME_diff ASRange_free ASRange_new BIO_get_callback_ex
       BIO_get_init BIO_set_callback_ex BIO_set_next
       BIO_set_retry_reason BN_GENCB_set BN_GENCB_set_old
       BN_abs_is_word BN_get_flags BN_is_negative
       BN_is_odd BN_is_one BN_is_word BN_is_zero BN_set_flags
       BN_to_montgomery BN_with_flags BN_zero_ex CTLOG_STORE_free
       CTLOG_STORE_get0_log_by_id CTLOG_STORE_load_default_file
       CTLOG_STORE_load_file CTLOG_STORE_new CTLOG_free
       CTLOG_get0_log_id CTLOG_get0_name CTLOG_get0_public_key
       CTLOG_new CTLOG_new_from_base64 CT_POLICY_EVAL_CTX_free
       CT_POLICY_EVAL_CTX_get0_cert CT_POLICY_EVAL_CTX_get0_issuer
       CT_POLICY_EVAL_CTX_get0_log_store CT_POLICY_EVAL_CTX_get_time
       CT_POLICY_EVAL_CTX_new CT_POLICY_EVAL_CTX_set1_cert
       CT_POLICY_EVAL_CTX_set1_issuer
       CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE
       CT_POLICY_EVAL_CTX_set_time DH_get0_g DH_get0_p DH_get0_priv_key
       DH_get0_pub_key DH_get0_q DH_get_length DSA_bits DSA_get0_g
       DSA_get0_p DSA_get0_priv_key DSA_get0_pub_key DSA_get0_q
       ECDSA_SIG_get0_r ECDSA_SIG_get0_s EVP_AEAD_CTX_free
       EVP_AEAD_CTX_new EVP_CIPHER_CTX_buf_noconst
       EVP_CIPHER_CTX_get_cipher_data EVP_CIPHER_CTX_set_cipher_data
       EVP_MD_CTX_md_data EVP_MD_CTX_pkey_ctx EVP_MD_CTX_set_pkey_ctx
       EVP_MD_meth_dup EVP_MD_meth_free EVP_MD_meth_new
       EVP_MD_meth_set_app_datasize EVP_MD_meth_set_cleanup
       EVP_MD_meth_set_copy EVP_MD_meth_set_ctrl EVP_MD_meth_set_final
       EVP_MD_meth_set_flags EVP_MD_meth_set_init
       EVP_MD_meth_set_input_blocksize EVP_MD_meth_set_result_size
       EVP_MD_meth_set_update EVP_PKEY_asn1_set_check
       EVP_PKEY_asn1_set_param_check EVP_PKEY_asn1_set_public_check
       EVP_PKEY_check EVP_PKEY_meth_set_check
       EVP_PKEY_meth_set_param_check EVP_PKEY_meth_set_public_check
       EVP_PKEY_param_check EVP_PKEY_public_check FIPS_mode
       FIPS_mode_set IPAddressChoice_free IPAddressChoice_new
       IPAddressFamily_free IPAddressFamily_new IPAddressOrRange_free
       IPAddressOrRange_new IPAddressRange_free IPAddressRange_new
       OBJ_get0_data OBJ_length OCSP_resp_get0_certs OCSP_resp_get0_id
       OCSP_resp_get0_produced_at OCSP_resp_get0_respdata
       OCSP_resp_get0_signature OCSP_resp_get0_signer
       OCSP_resp_get0_tbs_sigalg PEM_write_bio_PrivateKey_traditional
       RSA_get0_d RSA_get0_dmp1 RSA_get0_dmq1 RSA_get0_e RSA_get0_iqmp
       RSA_get0_n RSA_get0_p RSA_get0_pss_params RSA_get0_q
       SCT_LIST_free SCT_LIST_print SCT_LIST_validate SCT_free
       SCT_get0_extensions SCT_get0_log_id SCT_get0_signature
       SCT_get_log_entry_type SCT_get_signature_nid SCT_get_source
       SCT_get_timestamp SCT_get_validation_status SCT_get_version
       SCT_new SCT_new_from_base64 SCT_print SCT_set0_extensions
       SCT_set0_log_id SCT_set0_signature SCT_set1_extensions
       SCT_set1_log_id SCT_set1_signature SCT_set_log_entry_type
       SCT_set_signature_nid SCT_set_source SCT_set_timestamp
       SCT_set_version SCT_validate SCT_validation_status_string
       X509_OBJECT_free X509_OBJECT_new X509_REQ_get0_pubkey
       X509_SIG_get0 X509_SIG_getm X509_STORE_CTX_get_by_subject
       X509_STORE_CTX_get_num_untrusted
       X509_STORE_CTX_get_obj_by_subject X509_STORE_CTX_get_verify
       X509_STORE_CTX_get_verify_cb X509_STORE_CTX_set0_verified_chain
       X509_STORE_CTX_set_current_cert X509_STORE_CTX_set_error_depth
       X509_STORE_CTX_set_verify X509_STORE_get_verify
       X509_STORE_get_verify_cb X509_STORE_set_verify
       X509_get_X509_PUBKEY X509_get_extended_key_usage
       X509_get_extension_flags X509_get_key_usage
       X509v3_addr_add_inherit X509v3_addr_add_prefix
       X509v3_addr_add_range X509v3_addr_canonize X509v3_addr_get_afi
       X509v3_addr_get_range X509v3_addr_inherits
       X509v3_addr_is_canonical X509v3_addr_subset
       X509v3_addr_validate_path X509v3_addr_validate_resource_set
       X509v3_asid_add_id_or_range X509v3_asid_add_inherit
       X509v3_asid_canonize X509v3_asid_inherits
       X509v3_asid_is_canonical X509v3_asid_subset
       X509v3_asid_validate_path X509v3_asid_validate_resource_set
       d2i_ASIdOrRange d2i_ASIdentifierChoice d2i_ASIdentifiers
       d2i_ASRange d2i_IPAddressChoice d2i_IPAddressFamily
       d2i_IPAddressOrRange d2i_IPAddressRange d2i_SCT_LIST
       i2d_ASIdOrRange i2d_ASIdentifierChoice i2d_ASIdentifiers
       i2d_ASRange i2d_IPAddressChoice i2d_IPAddressFamily
       i2d_IPAddressOrRange i2d_IPAddressRange i2d_SCT_LIST
       i2d_re_X509_CRL_tbs i2d_re_X509_REQ_tbs i2d_re_X509_tbs i2o_SCT
       i2o_SCT_LIST o2i_SCT o2i_SCT_LIST
     removed API:
       ASN1_check_infinite_end ASN1_const_check_infinite_end EVP_dss
       EVP_dss1 EVP_ecdsa HMAC_CTX_cleanup HMAC_CTX_init
       NETSCAPE_ENCRYPTED_PKEY_free NETSCAPE_ENCRYPTED_PKEY_new
       NETSCAPE_PKEY_free NETSCAPE_PKEY_new NETSCAPE_X509_free
       NETSCAPE_X509_new OBJ_bsearch_ex_ PEM_SealFinal PEM_SealInit
       PEM_SealUpdate PEM_read_X509_CERT_PAIR
       PEM_read_bio_X509_CERT_PAIR PEM_write_X509_CERT_PAIR
       PEM_write_bio_X509_CERT_PAIR X509_CERT_PAIR_free
       X509_CERT_PAIR_new X509_OBJECT_free_contents asn1_do_adb
       asn1_do_lock asn1_enc_free asn1_enc_init asn1_enc_restore
       asn1_enc_save asn1_ex_c2i asn1_get_choice_selector
       asn1_get_field_ptr asn1_set_choice_selector check_defer
       d2i_ASN1_BOOLEAN d2i_NETSCAPE_ENCRYPTED_PKEY d2i_NETSCAPE_PKEY
       d2i_NETSCAPE_X509 d2i_Netscape_RSA d2i_RSA_NET
       d2i_X509_CERT_PAIR i2d_ASN1_BOOLEAN i2d_NETSCAPE_ENCRYPTED_PKEY
       i2d_NETSCAPE_PKEY i2d_NETSCAPE_X509 i2d_Netscape_RSA i2d_RSA_NET
       i2d_X509_CERT_PAIR name_cmp obj_cleanup_defer

3.4.1 - Stable release

 * New Features
   - Added support for OpenSSL 1.1.1 TLSv1.3 APIs.
   - Enabled the new X.509 validator to allow verification of
     modern certificate chains.
 * Portable Improvements
   - Ported continuous integration and test infrastructure to GitHub
     Actions.
   - Added Universal Windows Platform (UWP) build support.
   - Fixed mingw-w64 builds on newer versions with missing SSP support.
   - Added non-executable stack annotations for CMake builds.
 * API and Documentation Enhancements
   - Added the following APIs from OpenSSL:
       BN_bn2binpad BN_bn2lebinpad BN_lebin2bn EC_GROUP_get_curve
       EC_GROUP_order_bits EC_GROUP_set_curve
       EC_POINT_get_affine_coordinates
       EC_POINT_set_affine_coordinates
       EC_POINT_set_compressed_coordinates EVP_DigestSign
       EVP_DigestVerify SSL_CIPHER_find SSL_CTX_get0_privatekey
       SSL_CTX_get_max_early_data SSL_CTX_get_ssl_method
       SSL_CTX_set_ciphersuites SSL_CTX_set_max_early_data
       SSL_CTX_set_post_handshake_auth SSL_SESSION_get0_cipher
       SSL_SESSION_get_max_early_data SSL_SESSION_is_resumable
       SSL_SESSION_set_max_early_data SSL_get_early_data_status
       SSL_get_max_early_data SSL_read_early_data SSL_set0_rbio
       SSL_set_ciphersuites SSL_set_max_early_data
       SSL_set_post_handshake_auth
       SSL_set_psk_use_session_callback
       SSL_verify_client_post_handshake SSL_write_early_data
   - Added AES-GCM constants from RFC 7714 for SRTP.
 * Compatibility Changes
   - Implement flushing behavior for TLSv1.3 handshakes, needed for Apache.
   - Call the info callback on connect/accept exit in TLSv1.3,
     needed for p5-Net-SSLeay.
   - Default to using named curve parameter encoding from
     pre-OpenSSL 1.1.0, adding OPENSSL_EC_EXPLICIT_CURVE.
   - Do not ignore SSL_TLSEXT_ERR_FATAL from the ALPN callback.
 * Testing and Proactive Security
   - Added additional state machine test coverage.
   - Improved integration test support with ruby/openssl tests.
   - Error codes and callback support in the new X.509 validator made
     compatible with p5-Net-SSLeay tests.
 * Internal Improvements
   - Numerous fixes and improvements to the new X.509 validator to
     ensure error codes and callback support compatible with the
     legacy OpenSSL validator.

3.4.0 - Development release

 * Add support for OpenSSL 1.1.1 TLSv1.3 APIs.

 * Enable the new X.509 validator.

 * More details to come, testing is appreciated.

3.3.5 - Security fix

 * A stack overread could occur when checking X.509 name constraints.
   From GoldBinocle on GitHub.

 * Enable X509_V_FLAG_TRUSTED_FIRST by default in the legacy verifier.
   This compensates for the expiry of the DST Root X3 certificate.

3.3.4 - Security fix

 * In LibreSSL, printing a certificate can result in a crash in
   X509_CERT_AUX_print().
   From Ingo Schwarze.

 * Ensure GNU-stack is set on ELF platforms when building with CMake to
   enable non-executable stack annotations for the GNU toolchain.
   From Tobias Heider.

3.3.3 - Stable release

 * This is the first stable release from the 3.3.x series.
   There are no changes from 3.3.2.

3.3.2 - Development release

 * This release adds support for DTLSv1.2 and continues the rewrite
   of the record layer for the legacy stack. Numerous bugs and
   interoperability issues were fixed in the new verifier. A few bugs
   and incompatibilities remain, so this release uses the old verifier
   by default. The OpenSSL 1.1 TLSv1.3 API is not yet available.

 * Switch finish{,_peer}_md_len from an int to a size_t.

 * Make SSL_get{,_peer}_finished() work when used with TLSv1.3.

 * Use EVP_MD_MAX_MD_SIZE instead of 2 * EVP_MD_MAX_MD_SIZE as the size
   for cert_verify_md[], finish_md[] and peer_finish_md[]. The factor 2
   was a historical artefact.

 * Correct the return value type from ERR_peek_error() to a long.

 * Avoid use of an uninitialized value in ASN1_time_parse(), which could
   happen when parsing UTCTime if the caller did not initialise the
   passed struct tm.

 * Destroy the mutex in a tls_config object on tls_config_free().

 * Free alert_data and phh_data in tls13_record_layer_free();
   these could leak if SSL_shutdown() or tls_close() were called
   after closing the underlying socket.

 * Free struct members in tls13_record_layer_free() in their natural
   order for reviewability.

 * Gracefully handle root certificates being both trusted and
   untrusted.

 * Handle X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE in the new
   verifier.

 * Use the legacy verifier when building auto chains for TLS.

 * Use consistent names in tls13_{client,server}_finished_{recv,send}().

 * Add tls13_secret_{init,cleanup}() and use them throughout the
   TLSv1.3 code base.

 * Move the read MAC key into the TLSv1.2 record layer.

 * Make tls12_record_layer_free() NULL safe.

 * Search the intermediates only after searching the root certs in the
   new verifier to avoid problems with the legacy callback.

 * Bail out early after finding a single chain in the new verifier, if
   we have been called via the legacy verifier API.

 * Set (invalid and likely incomplete) chain on the xsc on chain build
   failure prior to calling the callback. This is required by various
   callers, including auto chain.

 * Align SSL_get_shared_ciphers() with OpenSSL. This takes into account
   that it never returned server ciphers, so now it will fail when
   called from the client side.

 * Add support for SSL_get_shared_ciphers() with TLSv1.3.

 * Split the record protection from the TLSv1.2 record layer.

 * Clean up sequence number handling in the new TLSv1.2 record layer.

 * Clean up sequence number handling in DTLS.

 * Clean up dtls1_reset_seq_numbers().

 * Factor out code for explicit IV length, block size and MAC length
   from tls12_record_layer_open_record_protected_cipher().

 * Provide record layer overhead for DTLS.

 * Provide functions to determine if TLSv1.2 record protection is
   engaged.

 * Add code to handle change of cipher state in the new TLSv1.2 record
   layer.

 * Mop up the now unused dtls1_build_sequence_numbers() function.

 * Allow setting a keypair on a tls context without specifying the
   private key, and fake it internally in libtls. This removes the
   need for privsep engines like relayd to use bogus keys.

 * Skip the private key check for fake private keys.

 * Move the private key setup from tls_configure_ssl_keypair() to a
   helper function with proper error checking.

 * Change the internal tls_configure_ssl_keypair() function to
   return -1 instead of 1 on failure.

 * Move sequence numbers into the new TLSv1.2 record layer.

 * Move AEAD handling into the new TLSv1.2 record layer.

 * Remove direct assignment of aead_ctx to avoid a leak.

 * Add a number of RPKI OIDs from RFC 6482, 6484, 6493, 8182, 8360,
   draft-ietf-sidrops-rpki-rta, and draft-ietf-opsawg-finding-geofeeds.

 * Fail early in the legacy exporter if the master secret is not
   available, to avoid a segfault if it is called when the handshake
   is not completed.

 * Factor out legacy stack version checks.

 * Correct handshake MAC/PRF for various TLSv1.2 cipher suites which
   were originally added with the default handshake MAC and PRF rather
   than the SHA256 handshake MAC and PRF.

 * Absorb ssl3_get_algorithm2() into ssl_get_handshake_evp_md().

 * Use dtls1_record_retrieve_buffered_record() to load buffered
   application data.

 * Enforce read ahead with DTLS.

 * Remove bogus DTLS checks that disabled ECC and OCSP.

 * Sync cert.pem with Mozilla NSS root CAs except "GeoTrust Global CA".

 * Only print the certificate file once on verification failure.

 * Pull in fix for EVP_CipherUpdate() overflow from OpenSSL.

 * Clean up and simplify dtls1_get_cipher().

 * Group HelloVerifyRequest decoding and add missing check for trailing
   data.

 * Revise HelloVerifyRequest handling for DTLSv1.2.

 * Handle DTLS1_2_VERSION in various places.

 * Add DTLSv1.2 methods.

 * Make SSL{_CTX,}_get_{min,max}_proto_version() return a version of
   zero if the minimum or maximum has been set to zero to match
   OpenSSL's behavior.

 * Rename the "truncated" label to "decode_err" and the "f_err"
   label to "fatal_err".

 * Factor out and change some of the legacy client version code.

 * Simplify version checks in the TLSv1.3 client. Ensure that the
   server announced TLSv1.3 and nothing higher and check that the
   legacy_version is set to TLSv1.2 as required by RFC 8446.

 * Fix an off-by-one in x509_verify_set_xsc_chain() to make sure that
   the new validator checks for EXFLAG_CRITICAL in
   x509_vfy_check_chain_extension() for all untrusted certs in the
   chain. Take into account that the root is not necessarily trusted.

 * Avoid passing last and depth to x509_verify_cert_error() on ENOMEM.

 * Rename depth to num_untrusted.
  * Only use TLS versions internally rather than both TLS and DTLS
    versions since the latter are the one's complement of the human
    readable version numbers, which means that newer versions decrease
    in value.

  * Fix two bugs in the legacy verifier that resulted from refactoring
    of X509_verify_cert() for the new verifier: a return value was
    incorrectly treated as boolean, making it insufficient to decide
    whether validation should carry on or not.

  * Identify DTLS based on the version major value.

  * Move handling of cipher/hash based cipher suites into the new record
    layer.

  * Add tls12_record_protection_unused() and call it from CCS functions.

  * Move key/IV length checks closer to usage sites. Also add explicit
    checks against EVP_CIPHER_{iv,key}_length().

  * Replace two hand-rolled instances of tls12_record_protection_engaged().

  * Improve internal version handling: add handshake fields for our
    minimum version, our maximum version and the TLS version negotiated
    during the handshake. Convert most of the internal code to use these
    version fields.

  * Guard against future internal use of TLS1_get_{client,}_version()
    macros.

  * Remove the internal ssl_downgrade_max_version() function which is no
    longer needed.

  * Fix checks for memory caps of constraints names. There are internal
    caps on the number of name constraints and other names that the new
    name constraints code allocates per cert chain. These limits were
    checked too late, making them only partially effective.

  * Use EXFLAG_INVALID to handle out of memory and parse errors in
    x509v3_cache_extensions().

  * Add support for DTLSv1.2 version handling.

  * Enable DTLSv1.2 support.

  * Add DTLSv1.2 support to openssl s_client/s_server.

  * Remove no longer needed read ahead workarounds in the s_client and
    s_server.
  * Fix a copy-paste error - skid was confused with an akid when
    checking for EXFLAG_INVALID. This broke OCSP validation with
    certain mirrors.

  * Make supported protocols and options for DHE params more prominent
    in tls_config_set_protocols.3.

  * Avoid a use-after-scope in tls13_cert_add().

  * Split TLSv1.3 record protection from record layer.

  * Move the TLSv1.3 handshake struct inside the shared handshake
    struct.

  * Fully initialize rrec in tls12_record_layer_open_record_protected()
    to avoid confusing some static analyzers.

  * Use tls_set_errorx() on OCSP_basic_verify() failure since the latter
    does not set errno.

  * Convert openssl(1) x509 to new option handling and do the usual
    clean up that goes along with it.

  * Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.

  * Rename new_cipher to cipher to align naming with keyblock or other
    parts of the handshake data.

  * Avoid mangled output in BIO_debug_callback().

  * Fix client initiated renegotiation by replacing use of s->internal->type
    with s->server.

  * Move the TLSv1.2 record number increment into the new record layer.

  * Move finished and peer finished into the handshake struct.

  * Avoid transcript initialization when sending a TLS HelloRequest,
    fixing server initiated renegotiation.

  * Remove pointless assignment in SSL_get0_alpn_selected().

  * Provide EVP_PKEY_new_CMAC_key(3).

  * Add missing prototype for d2i_DSAPrivateKey_fp(3) to x509.h.

  * Add DTLSv1.2 to openssl(1) s_server and s_client protocol message
    logging.

  * Avoid leaking param->name in x509_verify_param_zero().

  * Avoid a leak in an error path in openssl(1) x509.

  * Add some error checking to openssl(1) x509.

  * When sending an alert in TLSv1.3, only set its error code when no
    other error was set previously.
    Certain clients rely on specific SSL_R_ error codes to identify
    that they are dealing with a self signed cert.

  * Switch to the legacy verifier for the stable release.

  * Provide SSL_use_certificate_chain_file(3).

  * Provide SSL_set_hostflags(3) and SSL_get0_peername(3).

  * Provide various DTLSv1.2 specific functions and defines.

  * Document meaning of '*' in the genrsa output.

  * Updated documentation for SSL_get_shared_ciphers(3).

  * Add documentation for SSL_get_finished(3).

  * Document EVP_PKEY_new_CMAC_key(3).

  * Document SSL_use_certificate_chain_file(3).

  * Document SSL_set_hostflags(3) and SSL_get0_peername(3).

  * Update SSL_get_version.3 manual for DTLSv1.2 support.

  * Added '--enable-libtls-only' build option, which builds and installs a
    statically-linked libtls, skipping libcrypto and libssl. This is useful
    for systems that ship with OpenSSL but wish to also package libtls.

3.3.1 - Security fix

  * Malformed ASN.1 in a certificate revocation list or a timestamp
    response token can lead to a NULL pointer dereference.

  Bug fixes

  * Move point-on-curve check to set_affine_coordinates to avoid
    verifying ECDSA signatures with unchecked public keys.

  * Fix SSL_is_server() to behave as documented by re-introducing the
    client-specific methods.

  * Avoid undefined behavior due to memcpy(NULL, NULL, 0).

  * Mark a few more internal static tables const.

3.3.0 - Development release

  * Make openssl(1) s_server ignore -4 and -6 for compatibility with
    OpenSSL.

  * Further cleanup of the DTLS record handling.

  * Continue the replacement of the TLSv1.2 record layer by
    reimplementing the read side of the TLSv1.2 record handling.

  * Replace DTLSv1_enc_data() with TLSv1_1_enc_data().

  * Merge d1_{clnt,srvr}.c into ssl_{clnt,srvr}.c.
  * When switching from the TLSv1.3 stack to the legacy stack include
    a TLS record header. This is necessary if there is more than one
    handshake message in the TLS plaintext record.

  * Set SO_REUSEADDR on the server socket in the openssl(1) ocsp
    command.

  * Fix resource handling on error in OCSP_request_add0_id().

  * Add const to ssl_ciphers and tls1[23]_sigalgs* to push them into
    .data.rel.ro and .rodata, respectively.

  * Add a const qualifier to srtp_known_profiles.

  * Simplify TLS method by removing the client and server specific
    methods internally.

  * Avoid casting away const in ssl_ctx_make_profiles().

  * Make sure there is enough room for stashing the handshake message
    when switching to the legacy TLS stack.

  * Avoid explicitly conditioning an assert on DTLS1_VERSION to make
    the assert work for newer DTLS versions.

  * Merge SSL_ENC_METHOD into SSL_METHOD_INTERNAL.

  * Send a host header with OCSP queries to make openssl(1) ocsp
    work with some widely used OCSP responders.

  * Fix a memory leak in the openssl(1) s_client.

  * Add a flag to mark DTLS methods as DTLS to have an easy way to
    recognize DTLS methods that avoids inspecting the version number.

  * Implement SSL_is_dtls() and use it internally in place of the
    SSL_IS_DTLS macro.

  * Unbreak DTLS retransmissions for flights that include a CCS.

  * Add ability to ocspcheck(8) to parse a port in the specified
    OCSP URL.

  * Refactor and clean up ocspcheck(8) and add regression tests.

  * If x509_verify() fails, ensure that the error is set on both
    the x509_verify_ctx() and its store context to make some failures
    visible from SSL_get_verify_result().

  * Use the X509_STORE_CTX get_issuer() callback from the new X.509
    verifier to fix hashed certificate directories.
  * Only check BIO_should_read() on read and BIO_should_write() on
    write. Previously, BIO_should_write() was also checked after read
    and BIO_should_read() after write which could cause stalls in
    software that uses the same BIO for read and write.

  * In openssl(1) verify, also check for error on the store context
    since the return value of X509_verify_cert() is unreliable in
    presence of a callback that returns 1 too often.

  * Update getentropy on Windows to use Cryptography Next Generation
    (CNG). wincrypt is deprecated and no longer works with newer Windows
    environments, such as in Windows Store apps.

  * Implement auto chain for the TLSv1.3 server since some software
    relies on this.

  * Handle additional certificate error cases in the new X.509 verifier.
    Keep track of the errors encountered if a verify callback tells the
    verifier to continue and report them back via the error on the store
    context. This mimics the behavior of the old verifier that would
    persist the first error encountered while building the chain.

  * Report specific failures for "self signed certificates" in a way
    compatible with the old verifier since software relies on the
    error code.

  * Implement key exporter for TLSv1.3.

  * Plug a large memory leak in the new verifier caused by calling
    X509_policy_check() repeatedly.

  * Avoid leaking memory in x509_verify_chain_dup().

  * Various documentation improvements, particularly around TLS methods.

3.2.3 - Security fix

  * Malformed ASN.1 in a certificate revocation list or a timestamp
    response token can lead to a NULL pointer dereference.

3.2.2 - Stable release

  * This is the first stable release with the new TLSv1.3
    implementation enabled by default for both client and server. The
    OpenSSL 1.1 TLSv1.3 API is not yet available and will be provided
    in an upcoming release.
  * New X509 certificate chain validator that correctly handles
    multiple paths through intermediate certificates. Loosely based on
    Go's X509 validator.

  * New name constraints verification implementation which passes the
    bettertls.com certificate validation check suite.

  * Improve the handling of BIO_read()/BIO_write() failures in the
    TLSv1.3 stack.

  * Start replacing the existing TLSv1.2 record layer.

  * Define OPENSSL_NO_SSL_TRACE in opensslfeatures.h.

  * Make SSL_CTX_get_ciphers(NULL) return NULL rather than crash.

  * Send alert on ssl_get_prev_session() failure.

  * Zero out variable on the stack to avoid leaving garbage in the tail
    of short session IDs.

  * Move state initialization from SSL_clear() to ssl3_clear() to ensure
    that it gets correctly reinitialized across a SSL_set_ssl_method()
    call.

  * Avoid an out-of-bounds write in BN_rand().

  * Fix numerous leaks in the UI_dup_* functions. Simplify and tidy up
    the code in ui_lib.c.

  * Correctly track selected ALPN length to avoid a potential segmentation
    fault with SSL_get0_alpn_selected() when alpn_selected is NULL.

  * Include machine/endian.h in gost2814789.c in order to pick up the
    __STRICT_ALIGNMENT define.

  * Simplify SSL method lookups.

  * Clean up and simplify SSL_get_ciphers(), SSL_set_session(),
    SSL_set_ssl_method() and several internal functions.

  * Correctly handle ssl_cert_dup() failure in SSL_set_SSL_CTX().

  * Refactor dtls1_new(), dtls1_hm_fragment_new(),
    dtls1_drain_fragments(), dtls1_clear_queues().

  * Copy the session ID directly in ssl_get_prev_session() instead of
    handing it through several functions for copying.

  * Clean up and refactor ssl_get_prev_session(); simplify
    tls_decrypt_ticket() and tls1_process_ticket() exit paths.
  * Avoid memset() before memcpy() in CBS_add_bytes().

  * Rewrite X509_INFO_{new,free}() more idiomatically.

  * Remove unnecessary zeroing after recallocarray() in
    ASN1_BIT_STRING_set_bit().

  * Convert openssl(1) ocsp to new option handling.

  * Document SSL_set1_host(3), SSL_set_SSL_CTX(3).

  * Document return value from EC_KEY_get0_public_key(3).

  * Greatly expanded test coverage via the tlsfuzzer test scripts.

  * Expanded test coverage via the bettertls certificate test suite.

  * Test interoperability with the Botan TLS client.

  * Make pthread_mutex static initialisation work on Windows.

  * Get __STRICT_ALIGNMENT from machine/endian.h with portable build.

3.2.1 - Development release

  * Propagate alerts from the read half of the TLSv1.3 record layer to I/O
    functions.

  * Send a record overflow alert for TLSv1.3 messages having overlong
    plaintext or inner plaintext.

  * Send an illegal parameter alert if a client sends an invalid DH key
    share.

  * Document PKCS7_final(3), PKCS7_add_attribute(3).

  * Collapse x509v3 directory into x509.

  * Improve TLSv1.3 client certificate selection to allow EC certificates
    instead of only RSA certificates.

  * Fail on receiving an invalid NID in X509_ATTRIBUTE_create() instead
    of constructing a broken object that may cause NULL pointer accesses.

  * Add support for additional GOST curves from RFC 7836 and
    draft-deremin-rfc4491-bis.

  * Add OIDs for HMAC using the Streebog hash function.

  * Allow GOST R 34.11-2012 in PBE/PBKDF2/PKCS#5.

  * Enable GOST_SIG_FORMAT_RS_LE when verifying certificate signatures.

  * Handle GOST in ssl_cert_dup().

  * Stop sending GOST R 34.10-94 as a CertificateType.

  * Use IANA allocated GOST ClientCertificateTypes.
  * Add a custom copy handler for AES keywrap to fix a use-after-free.

  * Enforce in the TLSv1.3 server that ClientHello messages after
    a HelloRetryRequest match the original ClientHello as per RFC 8446
    section 4.1.2.

  * Document more PKCS7 attribute functions.

  * Document PKCS7_get_signer_info(3).

  * Document PEM_ASN1_read(3) and PEM_ASN1_read_bio(3).

  * Document PEM_def_callback(3).

  * Document EVP_read_pw_string_min(3).

  * Merge documentation of X509_get0_serialNumber from OpenSSL 1.1.1.

  * Document error handling of X509_PUBKEY_get0(3) and X509_PUBKEY_get(3).

  * Document X509_get0_pubkey_bitstr(3).

  * Fix an off-by-one in the CBC padding removal. From BoringSSL.

  * Enforce restrictions on extensions present in the ClientHello as per
    RFC 8446, section 9.2.

  * Add new CMAC_Init(3) and ChaCha(3) manual pages.

  * Fix SSL_shutdown behavior to match the legacy stack. The previous
    behavior could cause a hang.

  * Add initial support for openbsd/powerpc64.

  * Make the message type available in the internal TLS extensions API
    functions.

  * Enable TLSv1.3 for the generic TLS_method().

  * Convert openssl(1) s_client option handling.

  * Document openssl(1) certhash.

  * Convert openssl(1) verify option handling.

  * Fix a longstanding bug in PEM_X509_INFO_read_bio(3) that could cause
    use-after-free and double-free issues in calling programs.

  * Document PEM_X509_INFO_read(3) and PEM_X509_INFO_read_bio(3).

  * Handle SSL_MODE_AUTO_RETRY being changed during a TLSv1.3 session.

  * Convert openssl(1) s_server option handling.

  * Add minimal info callback support for TLSv1.3.

  * Refactor, clean up and simplify some SSL3/DTLS1 record writing code.

  * Correctly handle server requests for an OCSP response.
  * Add the P-521 curve to the list of curves supported by default
    in the client.

  * Convert openssl(1) req option handling.

  * Avoid calling freezero with a negative size if a server sends a
    malformed plaintext of all zeroes.

  * Send an unexpected message alert if no valid content type is found
    in a TLSv1.3 record.

3.2.0 - Development release

  * Enable TLS 1.3 server side in addition to client by default.
    With this change TLS 1.3 is handled entirely on the new stack
    and state machine, with fallback to the legacy stack and
    state machine for older versions. Note that the OpenSSL TLS 1.3
    API is not yet visible/available.

  * Improve length checks in the TLS 1.3 record layer and provide
    appropriate alerts for violations of record layer limits.

  * Enforce that SNI hostnames received by the TLS server are correctly
    formed as per RFC 5890 and RFC 6066, responding with illegal parameter
    for a nonconformant host name.

  * Support SSL_MODE_AUTO_RETRY in TLS 1.3 to allow the automatic
    retry of handshake messages.

  * Modify I/O behavior so that SSL_MODE_AUTO_RETRY is the default
    similar to new OpenSSL releases.

  * Modify openssl(1) to clear SSL_MODE_AUTO_RETRY appropriately in
    various commands.

  * Add tlsfuzzer based regression tests.

  * Support sending certificate status requests from the TLS 1.3
    client to request OCSP staples for leaf certificates.

  * Support sending certificate status replies from the TLS 1.3 server
    in order to send OCSP staples for leaf certificates.

  * Send correct alerts when handling failed key share extensions
    on the TLS 1.3 server.

  * Various compatibility fixes for TLS 1.3 to 1.2 fallback for
    switching from the new to legacy stacks.

  * Support TLS 1.3 options in the openssl(1) command.
  * Many alert cleanups in TLS 1.3 to provide expected alerts in failure
    conditions.

  * Modify "openssl x509" to display invalid certificate times as
    invalid, and correctly deal with the failing return case from
    X509_cmp_time so that a certificate with an invalid NotAfter does
    not appear valid.

  * Support sending dummy change_cipher_spec records for TLS 1.3 middlebox
    compatibility.

  * Ensure only PSS signatures are used with RSA in TLS 1.3.

  * Ensure that TLS 1.3 clients advertise exactly the "null" compression
    method in their legacy_compression_methods.

  * Correct use of sockaddr_storage instead of sockaddr in openssl(1)
    s_client, which could lead to using 14 bytes of stack garbage instead
    of an IPv6 address in DTLS mode.

  * Use non-expired certificates first when building a certificate chain.

3.1.5 - Security fix

  * Malformed ASN.1 in a certificate revocation list or a timestamp
    response token can lead to a NULL pointer dereference.

3.1.4 - Interoperability and bug fixes for the TLSv1.3 client:

  * Improve client certificate selection to allow EC certificates
    instead of only RSA certificates.

  * Do not error out if a TLSv1.3 server requests an OCSP response as
    part of a certificate request.

  * Fix SSL_shutdown behavior to match the legacy stack. The previous
    behaviour could cause a hang.

  * Fix a memory leak and add a missing error check in the handling of
    the key update message.

  * Fix a memory leak in tls13_record_layer_set_traffic_key.

  * Avoid calling freezero with a negative size if a server sends a
    malformed plaintext of all zeroes.

  * Ensure that only PSS may be used with RSA in TLSv1.3 in order
    to avoid using PKCS1-based signatures.

  * Add the P-521 curve to the list of curves supported by default
    in the client.
3.1.3 - Bug fix

  * libcrypto may fail to build a valid certificate chain due to
    expired untrusted issuer certificates.

3.1.2 - Bug fix

  * A TLS client with peer verification disabled may crash when
    contacting a server that sends an empty certificate list.

3.1.1 - Stable release

  * Improved cipher suite handling to automatically include TLSv1.3
    cipher suites when they are not explicitly referred to in the
    cipher string.

  * Improved handling of TLSv1.3 HelloRetryRequests, simplifying
    state transitions and ensuring that the legacy session identifier
    retains the same value across the handshake.

  * Provided TLSv1.3 cipher suite aliases to match the names used
    in RFC 8446.

  * Improved TLSv1.3 client key share handling to allow the use of
    any groups in our configured NID list.

  * Fixed printing the serialNumber with X509_print_ex(): fall back to
    the colon separated hex bytes if the value is larger than an int.

  * Fix to disallow setting the AES-GCM IV length to zero.

  * Added -groups option to openssl(1) s_server subcommand.

  * Fix to show TLSv1.3 extension types with openssl(1) -tlsextdebug.

  * Improved portable builds to support the use of static MSVC runtimes.

  * Fixed portable builds to avoid exporting a sleep() symbol.

3.1.0 - Development release

  * Completed initial TLS 1.3 implementation with a completely new state
    machine and record layer. TLS 1.3 is now enabled by default for the
    client side, with the server side to be enabled in a future release.
    Note that the OpenSSL TLS 1.3 API is not yet visible/available.

  * Many more code cleanups, fixes, and improvements to memory handling
    and protocol parsing.

  * Added RSA-PSS and RSA-OAEP methods from OpenSSL 1.1.1.
  * Ported Cryptographic Message Syntax (CMS) implementation from OpenSSL
    1.1.1 and enabled by default.

  * Improved compatibility by backporting functionality and documentation
    from OpenSSL 1.1.1.

  * Added many new additional crypto test vectors.

  * Adjusted EVP_chacha20()'s behavior to match OpenSSL's semantics.

  * Default CA bundle location is now configurable in portable builds.

  * Added cms subcommand to openssl(1).

  * Added -addext option to openssl(1) req subcommand.

3.0.2 - Stable release

  * Use a valid curve when constructing an EC_KEY that looks like X25519.
    The recent EC group cofactor change results in stricter validation,
    which causes the EC_GROUP_set_generator() call to fail.
    Issue reported and fix tested by rsadowski@.

  * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
    (Note that the CMS code is currently disabled.)
    Port of Edlinger's fix for CVE-2019-1563 from OpenSSL 1.1.1 (old license).

  * Avoid a path traversal bug in s_server on Windows when run with the -WWW
    or -HTTP options, due to incomplete path check logic.
    Issue reported and fix tested by Jobert Abma.

3.0.1 - Development release

  * Ported Billy Brumley's fix for CVE-2019-1547 in OpenSSL 1.1.1. If a NULL
    or zero cofactor is passed to EC_GROUP_set_generator(), try to compute
    it using Hasse's bound. This works as long as the cofactor is small
    enough.

  * Fixed a memory leak in error paths for eckey_type2param().

  * Initial work on supporting Cryptographic Message Syntax (CMS) in
    libcrypto (not enabled).

  * Various manual page improvements and additions.

  * Added a CMake check for an existing uninstall target, facilitating
    embedding LibreSSL in larger CMake projects, from Matthew Albrecht.
3.0.0 - Development release

  * Completed the port of RSA_METHOD accessors from the OpenSSL 1.1 API.

  * Documented undescribed options and removed descriptions of
    non-functional options in the openssl(1) manual.

  * A plethora of small fixes due to regular oss-fuzz testing.

  * Various side channels in DSA and ECDSA were addressed. These are some of
    the many issues found in an extensive systematic analysis of bignum usage
    by Samuel Weiser, David Schrammel et al.

  * Enabled openssl(1) speed subcommand on Windows platform.

  * Enabled performance optimizations when building with Visual Studio on
    Windows.

  * Fixed incorrect carry operation in 512 addition for Streebog.

  * Fixed -modulus option with openssl(1) dsa subcommand.

  * Fixed PVK format output issue with openssl(1) dsa and rsa subcommand.

2.9.2 - Bug fixes

  * Fixed portable builds with older versions of MacOS,
    Android targets < API 21, and Solaris 10.

  * Fixed SRTP profile advertisement for DTLS servers.

2.9.1 - Stable release

  * Added support for XChaCha20 and XChaCha20-Poly1305.

  * Added support for AES key wrap constructions via the EVP interface.

  * Partial port of the OpenSSL EC_KEY_METHOD API for use by OpenSSH.

  * Added pbkdf2 key derivation support to openssl(1).

  * Removed SHA224 based handshake signatures from consideration for use
    in a TLS 1.2 handshake.

  * Changed the default digest type of openssl(1) enc to sha256.

  * Changed the default digest type of openssl(1) dgst to sha256.

  * Changed the default digest type of openssl(1) x509 -fingerprint to
    sha256.

  * Changed the default digest type of openssl(1) crl -fingerprint to
    sha256.

  * Improved Windows, Android, and ARM compatibility, including assembly
    optimizations on Mingw-w64 targets.
2.9.0 - Development release

  * Added the SM4 block cipher from the Chinese standard GB/T 32907-2016.

  * Fixed warnings about clock_gettime on Windows Visual Studio builds.

  * Fixed CMake builds on systems where getpagesize is defined as an
    inline function.

  * CRYPTO_LOCK is now automatically initialized, with the legacy
    callbacks stubbed for compatibility.

  * Added the SM3 hash function from the Chinese standard GB/T 32905-2016.

  * Added more OPENSSL_NO_* macros for compatibility with OpenSSL.

  * Added extensive interoperability tests between LibreSSL and OpenSSL
    1.0 and 1.1.

  * Added additional Wycheproof tests and related bug fixes.

  * Simplified sigalgs option processing and handshake signing algorithm.

  * Added the ability to use the RSA PSS algorithm for handshake
    signatures.

  * Added bn_rand_interval() and use it in code needing ranges of random
    bn values.

  * Added functionality to derive early, handshake, and application
    secrets as per RFC8446.

  * Added handshake state machine from RFC8446.

  * Removed some ASN.1 related code from libcrypto that had not been used
    since around 2000.

  * Unexported internal symbols and internalized more record layer structs.

  * Added support for assembly optimizations on 32-bit ARM ELF targets.

  * Improved protection against timing side channels in ECDSA signature
    generation.

  * Coordinate blinding was added to some elliptic curves. This is the
    last bit of the work by Brumley et al. to protect against the
    Portsmash vulnerability.

  * Ensure transcript handshake is always freed with TLS 1.2.

2.8.2 - Stable release

  * Added Wycheproof support for ECDH and ECDSA Web Crypto test vectors,
    along with test harness fixes.
  * Fixed memory leak in nc(1).

2.8.1 - Test and compatibility improvements

  * Added Wycheproof support for ECDH, RSASSA-PSS, AES-GCM,
    AES-CMAC, AES-CCM, AES-CBC-PKCS5, DSA, ChaCha20-Poly1305, ECDSA, and
    X25519 test vectors. Applied appropriate fixes for errors uncovered
    by tests.

  * Simplified key exchange signature generation and verification.

  * Fixed a one-byte buffer overrun in callers of EVP_read_pw_string.

  * Converted more code paths to use CBB/CBS. All handshake messages are
    now created by CBB.

  * Fixed various memory leaks found by Coverity.

  * Simplified session ticket parsing and handling, inspired by
    BoringSSL.

  * Modified signature of CRYPTO_mem_leaks_* to return -1. This function
    is a no-op in LibreSSL, so it returns an error rather than indicating
    the (non-)existence of memory leaks.

  * SSL_copy_session_id, PEM_Sign, EVP_EncodeUpdate, BIO_set_cipher,
    X509_OBJECT_up_ref_count now return an int for error handling,
    matching OpenSSL.

  * Converted a number of #defines into proper functions, matching
    OpenSSL's ABI.

  * Added X509_get0_serialNumber from OpenSSL.

  * Removed EVP_PKEY2PKCS8_broken and PKCS8_set_broken, while adding
    PKCS8_pkey_add1_attr_by_NID and PKCS8_pkey_get0_attrs, matching
    OpenSSL.

  * Removed broken pkcs8 formats from openssl(1).

  * Converted more functions in public API to use const arguments.

  * Stopped handling AES-GCM in ssl_cipher_get_evp, since these ciphers
    use the EVP_AEAD interface.

  * Stopped using composite EVP_CIPHER AEADs.

  * Added timing-safe compares for checking results of signature
    verification. There are no known attacks, this is just inexpensive
    prudence.

  * Correctly clear the current cipher state when changing cipher state.
    This fixed an issue where renegotiation of cipher suites would fail
    when switched from AEAD to non-AEAD or vice-versa.
    Issue reported by Bernard Spil.

  * Added more cipher tests to appstest.sh, including all TLSv1.2
    ciphers.

  * Added RSA_meth_get_finish() and RSA_meth_set1_name() from OpenSSL.

  * Added new EVP_CIPHER_CTX_(get|set)_iv() API that allows the IV to be
    retrieved and set with appropriate validation.

2.8.0 - Bug fixes, security, and compatibility improvements

  * Extensive documentation updates and additional API history.

  * Fixed a pair of 20+ year-old bugs in X509_NAME_add_entry.

  * Tighten up checks for various X509_VERIFY_PARAM functions,
    'poisoning' parameters so that an unverified certificate cannot be
    used if it fails verification.

  * Fixed a potential memory leak on failure in ASN1_item_digest.

  * Fixed a potential memory alignment crash in asn1_item_combine_free.

  * Removed unused SSL3_FLAGS_DELAY_CLIENT_FINISHED and
    SSL3_FLAGS_POP_BUFFER flags in write path, simplifying IO paths.

  * Removed SSL_OP_TLS_ROLLBACK_BUG buggy client workarounds.

  * Made ENGINE_finish and ENGINE_free succeed on NULL, simplifying
    callers and matching OpenSSL behavior; rewrote ENGINE_* documentation.

  * Added const annotations to many existing APIs from OpenSSL, making
    interoperability easier for downstream applications.

  * Fixed small timing side-channels in ecdsa_sign_setup and
    dsa_sign_setup.

  * Documented security pitfalls with BN_FLG_CONSTTIME and constant-time
    operation of BN_* functions.

  * Updated BN_clear to use explicit_bzero.

  * Added a missing bounds check in c2i_ASN1_BIT_STRING.

  * More CBS conversions, including simplifications to RSA key exchange,
    and converted code to use dedicated buffers for secrets.
  * Removed three remaining single DES cipher suites.

  * Fixed a potential leak/incorrect return value in DSA signature
    generation.

  * Added a blinding value when generating DSA and ECDSA signatures, in
    order to reduce the possibility of a side-channel attack leaking the
    private key.

  * Added ECC constant time scalar multiplication support.
    From Billy Brumley and his team at Tampere University of Technology.

  * Revised the implementation of RSASSA-PKCS1-v1_5 to match the
    specification in RFC 8017. Based on an OpenSSL commit by David
    Benjamin.

  * Cleaned up BN_* implementations following changes made in OpenSSL by
    Davide Galassi and others.

2.7.4 - Security fixes

  * Avoid a timing side-channel leak when generating DSA and ECDSA
    signatures. This is caused by an attempt to do fast modular
    arithmetic, which introduces branches that leak information
    regarding secret values. Issue identified and reported by Keegan
    Ryan of NCC Group.

  * Reject excessively large primes in DH key generation. Problem
    reported by Guido Vranken to OpenSSL
    (https://github.com/openssl/openssl/pull/6457) and based on his
    diff.

2.7.3 - Bug fixes

  * Removed incorrect NULL checks in DH_set0_key(). Reported by Ondrej
    Sury.

  * Fixed an issue normalizing CPU architecture in the configure script,
    which disabled assembly optimizations on platforms that get detected
    as 'amd64', as opposed to 'x86_64'.

  * Limited tls_config_clear_keys() to only clear private keys.
    This was inadvertently clearing the keypair, which includes the OCSP
    staple and pubkey hash - if an application called tls_configure()
    followed by tls_config_clear_keys(), this would prevent OCSP staples
    from working.

2.7.2 - Stable release

  * Updated and added extensive new HISTORY sections to API manuals.
1622 1623 * Added support for shared library builds with CMake on all supported 1624 platforms. Note that some of the CMake options have changed, consult 1625 the README for details. 1626 16272.7.1 - Bug fixes 1628 1629 * Fixed a bug in int_x509_param_set_hosts, calling strlen() if name 1630 length provided is 0 to match the OpenSSL behaviour. Issue noticed 1631 by Christian Heimes <christian@python.org>. 1632 1633 * Fixed builds macOS 10.11 and older. 1634 16352.7.0 - Bug fixes and improvements 1636 1637 * Added support for many OpenSSL 1.0.2 and 1.1 APIs, based on 1638 observations of real-world usage in applications. These are 1639 implemented in parallel with existing OpenSSL 1.0.1 APIs - visibility 1640 changes have not been made to existing structs, allowing code written 1641 for older OpenSSL APIs to continue working. 1642 1643 * Extensive corrections, improvements, and additions to the 1644 API documentation, including new public APIs from OpenSSL that had 1645 no pre-existing documentation. 1646 1647 * Added support for automatic library initialization in libcrypto, 1648 libssl, and libtls. Support for pthread_once or a compatible 1649 equivalent is now required of the target operating system. As a 1650 side-effect, minimum Windows support is Vista or higher. 1651 1652 * Converted more packet handling methods to CBB, which improves 1653 resiliency when generating TLS messages. 1654 1655 * Completed TLS extension handling rewrite, improving consistency of 1656 checks for malformed and duplicate extensions. 1657 1658 * Rewrote ASN1_TYPE_{get,set}_octetstring() using templated ASN.1. 1659 This removes the last remaining use of the old M_ASN1_* macros 1660 (asn1_mac.h) from API that needs to continue to exist. 1661 1662 * Added support for client-side session resumption in libtls. 
1663 A libtls client can specify a session file descriptor (a regular 1664 file with appropriate ownership and permissions) and libtls will 1665 manage reading and writing of session data across TLS handshakes. 1666 1667 * Improved support for strict alignment on ARMv7 architectures, 1668 conditionally enabling assembly in those cases. 1669 1670 * Fixed a memory leak in libtls when reusing a tls_config. 1671 1672 * Merged more DTLS support into the regular TLS code path, removing 1673 duplicated code. 1674 1675 * Many improvements to Windows Cmake-based builds and tests, 1676 especially when targeting Visual Studio. 1677 16782.6.4 - Bug fixes 1679 1680 * Make tls_config_parse_protocols() work correctly when passed a NULL 1681 pointer for a protocol string. Issue found by semarie@, who also 1682 provided the diff. 1683 1684 * Correct TLS extensions handling when no extensions are present. 1685 If no TLS extensions are present in a client hello or server hello, 1686 omit the entire extensions block, rather than including it with a 1687 length of zero. Thanks to Eric Elena <eric at voguemerry dot com> for 1688 providing packet captures and testing the fix. 1689 1690 * Fixed portable builds on older Android systems, and systems with out 1691 IPV6_TCLASS support. 1692 16932.6.3 - OpenBSD 6.2 Release 1694 1695 * No core changes from LibreSSL 2.6.2 1696 1697 * Minor compatibility fixes in portable version. 1698 16992.6.2 - Bug fixes 1700 1701 * Provide a useful error with libtls if there are no OCSP URLs in a 1702 peer certificate. 1703 1704 * Keep track of which keypair is in use by a TLS context, fixing a bug 1705 where a TLS server with SNI would only return the OCSP staple for the 1706 default keypair. Issue reported by William Graeber and confirmed by 1707 Andreas Bartelt. 1708 1709 * Fixed various issues in the OCSP extension parsing code. 
1710 The original code incorrectly passes the pointer allocated via 1711 CBS_stow() (using malloc()) to a d2i_*() function and then calls 1712 free() on the now incremented pointer, most likely resulting in a 1713 crash. This issue was reported by Robert Swiecki who found the issue 1714 using honggfuzz. 1715 1716 * If tls_config_parse_protocols() is called with a NULL pointer, 1717 return the default protocols instead of crashing - this makes the 1718 behaviour more useful and mirrors what we already do in 1719 tls_config_set_ciphers() et al. 1720 17212.6.1 - Code removal, rewrites 1722 1723 * Added a "-T tlscompat" option to nc(1), which enables the use of all 1724 TLS protocols and "compat" ciphers. This allows for TLS connections 1725 to TLS servers that are using less than ideal cipher suites, without 1726 having to resort to "-T tlsall" which enables all known cipher 1727 suites. Diff from Kyle J. McKay. 1728 1729 * Added a new TLS extension handling framework, somewhat analogous to 1730 BoringSSL, and converted all TLS extensions to use it. Added new TLS 1731 extension regression tests. 1732 1733 * Improved and added many new manpages. Updated *check_private_key 1734 manpages with additional cautions regarding their use. 1735 1736 * Cleaned up the EC key/curve configuration handling. 1737 1738 * Added tls_config_set_ecdhecurves() to libtls, which allows the names 1739 of the eliptical curves that may be used during client and server 1740 key exchange to be specified. 1741 1742 * Converted more code paths to use CBB/CBS. 1743 1744 * Removed support for DSS/DSA, since we removed the cipher suites a 1745 while back. 1746 1747 * Removed NPN support. NPN was never standardised and the last draft 1748 expired in October 2012. ALPN was standardised in July 2014 and has 1749 been supported in LibreSSL since December 2014. NPN has also been 1750 removed from Chromium in May 2016. 
1751 1752 * Removed SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken 1753 CryptoPro clients. 1754 1755 * Removed support for the TLS padding extension, which was added as a 1756 workaround for an old bug in F5's TLS termination. 1757 1758 * Worked around another bug in F5's TLS termination handling of the 1759 elliptical curves extension. RFC 4492 only defines elliptic_curves 1760 for ClientHello. However, F5 is sending it in ServerHello. We need 1761 to skip over it since our TLS extension parsing code is now more 1762 strict. Thanks to Armin Wolfermann and WJ Liu for reporting. 1763 1764 * Added ability to clamp notafter valies in certificates for systems 1765 with 32-bit time_t. This is necessary to conform to RFC 5280 1766 4.1.2.5. 1767 1768 * Implemented the SSL_CTX_set_min_proto_version(3) API. 1769 1770 * Removed the original (pre-IETF) chacha20-poly1305 cipher suites. 1771 1772 * Reclassified ECDHE-RSA-DES-CBC3-SHA from HIGH to MEDIUM. 1773 17742.6.0 - New APIs, bug fixes and improvements 1775 1776 * Added support for providing CRLs to libtls. Once a CRL is provided we 1777 enable CRL checking for the full certificate chain. Based on a diff 1778 from Jack Burton 1779 1780 * Allow non-compliant clients using IP literal addresses with SNI 1781 to connect to a server using libtls. 1782 1783 * Avoid a potential NULL pointer dereference in d2i_ECPrivateKey(). 1784 Reported by Robert Swiecki, who found the issue using honggfuzz. 1785 1786 * Added definitions for three OIDs used in EV certificates. 1787 From Kyle J. McKay 1788 1789 * Added tls_peer_cert_chain_pem to libtls, useful in private 1790 certificate validation callbacks such as those in relayd. 1791 1792 * Converted explicit clear/free sequences to use freezero(3). 1793 1794 * Reworked TLS certificate name verification code to more strictly 1795 follow RFC 6125. 1796 1797 * Cleaned up and simplified server key exchange EC point handling. 
1798 1799 * Added tls_keypair_clear_key for clearing key material. 1800 1801 * Removed inconsistent IPv6 handling from BIO_get_accept_socket, 1802 simplified BIO_get_host_ip and BIO_accept. 1803 1804 * Fixed the openssl(1) ca command so that is generates certificates 1805 with RFC 5280-conformant time. Problem noticed by Harald Dunkel. 1806 1807 * Added ASN1_TIME_set_tm to set an asn1 from a struct tm * 1808 1809 * Added SSL{,_CTX}_set_{min,max}_proto_version() functions. 1810 1811 * Added HKDF (HMAC Key Derivation Function) from BoringSSL 1812 1813 * Provided a tls_unload_file() function that frees the memory returned 1814 from a tls_load_file() call, ensuring that it the contents become 1815 inaccessible. This is specifically needed on platforms where the 1816 library allocators may be different from the application allocator. 1817 1818 * Perform reference counting for tls_config. This allows 1819 tls_config_free() to be called as soon as it has been passed to the 1820 final tls_configure() call, simplifying lifetime tracking for the 1821 application. 1822 1823 * Moved internal state of SSL and other structures to be opaque. 1824 1825 * Dropped cipher suites with DSS authentication. 1826 1827 * nc(1) improvements, including: 1828 nc -W to terminate nc after receiving a number of packets 1829 nc -Z for saving the peer certificate and chain in a pem file 1830 18312.5.5 - Bug fixes 1832 1833 * Distinguish between self-issued certificates and self-signed 1834 certificates. The certificate verification code has special cases 1835 for self-signed certificates and without this change, self-issued 1836 certificates (which it seems are common place with 1837 openvpn/easyrsa) were also being included in this category. 1838 1839 * Added getpagesize fallback, needed for Android bionic libc. 
1840 18412.5.4 - Security Updates 1842 1843 * Revert a previous change that forced consistency between return 1844 value and error code when specifing a certificate verification 1845 callback, since this breaks the documented API. When a user supplied 1846 callback always returns 1, and later code checks the error code to 1847 potentially abort post verification, this will result in incorrect 1848 successul certificate verification. 1849 1850 * Switched Linux getrandom() usage to non-blocking mode, continuing to 1851 use fallback mechanims if unsuccessful. This works around a design 1852 flaw in Linux getrandom(2) where early boot usage in a library makes 1853 it impossible to recover if getrandom(2) is not yet initialized. 1854 1855 * Fixed a bug caused by the return value being set early to signal 1856 successful DTLS cookie validation. This can mask a later failure and 1857 result in a positive return value being returned from 1858 ssl3_get_client_hello(), when it should return a negative value to 1859 propagate the error. 1860 1861 * Fixed a build error on non-x86/x86_64 systems running Solaris. 1862 18632.5.3 - OpenBSD 6.1 Release 1864 1865 * Documentation updates 1866 1867 * Improved ocspcheck(1) error handling 1868 18692.5.2 - Security features and bugfixes 1870 1871 * Added the recallocarray(3) memory allocation function, and converted 1872 various places in the library to use it, such as CBB and BUF_MEM_grow. 1873 recallocarray(3) is similar to reallocarray. Newly allocated memory 1874 is cleared similar to calloc(3). Memory that becomes unallocated 1875 while shrinking or moving existing allocations is explicitly 1876 discarded by unmapping or clearing to 0 1877 1878 * Added new root CAs from SECOM Trust Systems / Security Communication 1879 of Japan. 1880 1881 * Added EVP interface for MD5+SHA1 hashes. 1882 1883 * Fixed DTLS client failures when the server sends a certificate 1884 request. 
1885 1886 * Correct handling of padding when upgrading an SSLv2 challenge into 1887 an SSLv3/TLS connection. 1888 1889 * Allow protocols and ciphers to be set on a TLS config object in 1890 libtls. 1891 1892 * Improved nc(1) TLS handshake CPU usage and server-side error 1893 reporting. 1894 18952.5.1 - Bug and security fixes, new features, documentation updates 1896 1897 * X509_cmp_time() now passes a malformed GeneralizedTime field as an 1898 error. Reported by Theofilos Petsios. 1899 1900 * Detect zero-length encrypted session data early, instead of when 1901 malloc(0) fails or the HMAC check fails. Noted independently by 1902 jsing@ and Kurt Cancemi. 1903 1904 * Check for and handle failure of HMAC_{Update,Final} or 1905 EVP_DecryptUpdate(). 1906 1907 * Massive update and normalization of manpages, conversion to 1908 mandoc format. Many pages were rewritten for clarity and accuracy. 1909 Portable doc links are up-to-date with a new conversion tool. 1910 1911 * Curve25519 Key Exchange support. 1912 1913 * Support for alternate chains for certificate verification. 1914 1915 * Code cleanups, CBS conversions, further unification of DTLS/SSL 1916 handshake code, further ASN1 macro expansion and removal. 1917 1918 * Private symbol are now hidden in libssl and libcryto. 1919 1920 * Friendly certificate verification error messages in libtls, peer 1921 verification is now always enabled. 1922 1923 * Added OCSP stapling support to libtls and netcat. 1924 1925 * Added ocspcheck utility to validate a certificate against its OCSP 1926 responder and save the reply for stapling 1927 1928 * Enhanced regression tests and error handling for libtls. 1929 1930 * Added explicit constant and non-constant time BN functions, 1931 defaulting to constant time wherever possible. 1932 1933 * Moved many leaked implementation details in public structs behind 1934 opaque pointers. 1935 1936 * Added ticket support to libtls. 
1937 1938 * Added support for setting the supported EC curves via 1939 SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous 1940 SSL{_CTX}_set1_curves{_list} names. This also changes the default 1941 list of curves to be X25519, P-256 and P-384. All other curves must 1942 be manually enabled. 1943 1944 * Added -groups option to openssl(1) s_client for specifying the curves 1945 to be used in a colon-separated list. 1946 1947 * Merged client/server version negotiation code paths into one, 1948 reducing much duplicate code. 1949 1950 * Removed error function codes from libssl and libcrypto. 1951 1952 * Fixed an issue where a truncated packet could crash via an OOB read. 1953 1954 * Added SSL_OP_NO_CLIENT_RENEGOTIATION option that disallows 1955 client-initiated renegotiation. This is the default for libtls 1956 servers. 1957 1958 * Avoid a side-channel cache-timing attack that can leak the ECDSA 1959 private keys when signing. This is due to BN_mod_inverse() being 1960 used without the constant time flag being set. Reported by Cesar 1961 Pereida Garcia and Billy Brumley (Tampere University of Technology). 1962 The fix was developed by Cesar Pereida Garcia. 1963 1964 * iOS and MacOS compatibility updates from Simone Basso and Jacob 1965 Berkman. 1966 1967 19682.5.0 - New APIs, bug fixes and improvements 1969 1970 * libtls now supports ALPN and SNI 1971 1972 * libtls adds a new callback interface for integrating custom IO 1973 functions. Thanks to Tobias Pape. 1974 1975 * libtls now handles 4 cipher suite groups: 1976 "secure" (TLSv1.2+AEAD+PFS) 1977 "compat" (HIGH:!aNULL) 1978 "legacy" (HIGH:MEDIUM:!aNULL) 1979 "insecure" (ALL:!aNULL:!eNULL) 1980 1981 This allows for flexibility and finer grained control, rather than 1982 having two extremes (an issue raised by Marko Kreen some time ago). 1983 1984 * Tightened error handling for tls_config_set_ciphers(). 
1985 1986 * libtls now always loads CA, key and certificate files at the time the 1987 configuration function is called. This simplifies code and results in 1988 a single memory based code path being used to provide data to libssl. 1989 1990 * Add support for OCSP intermediate certificates. 1991 1992 * Added functions used by stunnel and exim from BoringSSL - this 1993 brings in X509_check_host, X509_check_email, X509_check_ip, and 1994 X509_check_ip_asc. 1995 1996 * Added initial support for iOS, thanks to Jacob Berkman. 1997 1998 * Improved behavior of arc4random on Windows when using memory leak 1999 analysis software. 2000 2001 * Correctly handle an EOF that occurs prior to the TLS handshake 2002 completing. Reported by Vasily Kolobkov, based on a diff from Marko 2003 Kreen. 2004 2005 * Limit the support of the "backward compatible" ssl2 handshake to 2006 only be used if TLS 1.0 is enabled. 2007 2008 * Fix incorrect results in certain cases on 64-bit systems when 2009 BN_mod_word() can return incorrect results. BN_mod_word() now can 2010 return an error condition. Thanks to Brian Smith. 2011 2012 * Added constant-time updates to address CVE-2016-0702 2013 2014 * Fixed undefined behavior in BN_GF2m_mod_arr() 2015 2016 * Removed unused Cryptographic Message Support (CMS) 2017 2018 * More conversions of long long idioms to time_t 2019 2020 * Improved compatibility by avoiding printing NULL strings with 2021 printf. 2022 2023 * Reverted change that cleans up the EVP cipher context in 2024 EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the 2025 previous behaviour. 2026 2027 * Avoid unbounded memory growth in libssl, which can be triggered by a 2028 TLS client repeatedly renegotiating and sending OCSP Status Request 2029 TLS extensions. 2030 2031 * Avoid falling back to a weak digest for (EC)DH when using SNI with 2032 libssl. 2033 20342.4.2 - Bug fixes and improvements 2035 2036 * Fixed loading default certificate locations with openssl s_client. 
2037 2038 * Ensured OCSP only uses and compares GENERALIZEDTIME values as per 2039 RFC6960. Also added fixes for OCSP to work with intermediate 2040 certificates provided in responses. 2041 2042 * Improved behavior of arc4random on Windows to not appear to leak 2043 memory in debug tools, reduced privileges of allocated memory. 2044 2045 * Fixed incorrect results from BN_mod_word() when the modulus is too 2046 large, thanks to Brian Smith from BoringSSL. 2047 2048 * Correctly handle an EOF prior to completing the TLS handshake in 2049 libtls. 2050 2051 * Improved libtls ceritificate loading and cipher string validation. 2052 2053 * Updated libtls cipher group suites into four categories: 2054 "secure" (TLSv1.2+AEAD+PFS) 2055 "compat" (HIGH:!aNULL) 2056 "legacy" (HIGH:MEDIUM:!aNULL) 2057 "insecure" (ALL:!aNULL:!eNULL) 2058 This allows for flexibility and finer grained control, rather than 2059 having two extremes. 2060 2061 * Limited support for 'backward compatible' SSLv2 handshake packets to 2062 when TLS 1.0 is enabled, providing more restricted compatibility 2063 with TLS 1.0 clients. 2064 2065 * openssl(1) and other documentation improvements. 2066 2067 * Removed flags for disabling constant-time operations. 2068 This removes support for DSA_FLAG_NO_EXP_CONSTTIME, 2069 DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making 2070 all of these operations unconditionally constant-time. 2071 2072 20732.4.1 - Security fix 2074 2075 * Correct a problem that prevents the DSA signing algorithm from 2076 running in constant time even if the flag BN_FLG_CONSTTIME is set. 2077 This issue was reported by Cesar Pereida (Aalto University), Billy 2078 Brumley (Tampere University of Technology), and Yuval Yarom (The 2079 University of Adelaide and NICTA). The fix was developed by Cesar 2080 Pereida. 
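The 2.4.1, 2.5.1 and 2.7.4 entries above all trace DSA/ECDSA nonce leakage to a modular inverse that ran in variable time, and the 2.8.0 entry adds a blinding value as the defence. As an added example that is not LibreSSL code, the pure-Python sketch below shows the shape of that defence: the nonce k and private key x never reach the inverse unmasked, yet the signature is identical to the unblinded one. The domain parameters, key and nonce values are constructed for illustration and the sizes are far too small for real use.

```python
"""Blinded DSA signing, modelled on the 2.8.0 entry.

Added example, not LibreSSL code; parameters and key values are constructed.
k*b is inverted for a random b instead of k itself, and x is multiplied
only after being masked by b, so the variable-time inverse sees no secret.
"""
import hashlib
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_params(qbits=96, kbits=64):
    """Constructed toy DSA domain parameters (far too small for real use):
    q prime, p = k*q + 1 prime, g of order q."""
    q = (1 << qbits) | 1
    while not is_probable_prime(q):
        q += 2
    k = 1 << kbits
    while not is_probable_prime(k * q + 1):
        k += 2
    p = k * q + 1
    g = pow(2, k, p)            # 2^((p-1)/q); has order q unless it is 1
    assert g != 1
    return p, q, g


def hash_mod_q(msg, q):
    """H(m) reduced into Z_q; SHA-256 stands in for the negotiated digest."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q


def inverse(a, q):
    """Stand-in for BN_mod_inverse(): treat it as variable-time, so nothing
    secret may reach it unblinded."""
    return pow(a, -1, q)


def sign_unblinded(params, x, msg, k):
    """Reference signature with k and x used directly (the pre-blinding shape)."""
    p, q, g = params
    r = pow(g, k, p) % q
    s = inverse(k, q) * (hash_mod_q(msg, q) + x * r) % q
    return r, s


def sign_blinded(params, x, msg, k=None, b=None):
    """Blinded signature; k and b are random unless supplied (tests only)."""
    p, q, g = params
    k = k if k is not None else secrets.randbelow(q - 1) + 1
    b = b if b is not None else secrets.randbelow(q - 1) + 1
    r = pow(g, k, p) % q
    # The value inverted is k*b: uniformly random and independent of k.
    kb_inv = inverse(k * b % q, q)          # = k^-1 * b^-1 mod q
    # Mask H and x with b before they meet r; the b^-1 inside kb_inv cancels it:
    # (k*b)^-1 * (b*H + (b*x)*r) = k^-1 * (H + x*r) mod q.
    s = kb_inv * (b * hash_mod_q(msg, q) + (b * x % q) * r) % q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, retry with a fresh k")
    return r, s


def verify(params, y, msg, sig):
    """Standard DSA verification against the public key y = g^x mod p."""
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = inverse(s, q)
    u1 = hash_mod_q(msg, q) * w % q
    u2 = r * w % q
    return (pow(g, u1, p) * pow(y, u2, p) % p) % q == r
```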
2081 20822.4.0 - Build improvements, new features 2083 2084 * Many improvements to the CMake build infrastructure, including 2085 Solaris, mingw-w64, Cygwin, and HP-UX support. Thanks to Kinichiro 2086 Inoguchi for this work. 2087 2088 * Added missing error handling around bn_wexpand() calls. 2089 2090 * Added explicit_bzero calls for freed ASN.1 objects. 2091 2092 * Fixed X509_*set_object functions to return 0 on allocation failure. 2093 2094 * Implemented the IETF ChaCha20-Poly1305 cipher suites. 2095 2096 * Changed default EVP_aead_chacha20_poly1305() implementation to the 2097 IETF version, which is now the default. 2098 2099 * Fixed password prompts from openssl(1) to properly handle ^C. 2100 2101 * Reworked error handling in libtls so that configuration errors are 2102 visible. 2103 2104 * Deprecated internal use of EVP_[Cipher|Encrypt|Decrypt]_Final. 2105 2106 * Manpage fixes and updates 2107 21082.3.5 - Reliability fix 2109 2110 * Fixed an error in libcrypto when parsing some ASN.1 elements > 16k. 2111 21122.3.4 - Security Update 2113 2114 * Fix multiple vulnerabilities in libcrypto relating to ASN.1 and encoding. 2115 From OpenSSL. 
2116 2117 * Minor build fixes 2118 21192.3.3 - OpenBSD 5.9 release branch tagged 2120 2121 * Reworked build scripts to better sync with OpenNTPD-portable 2122 2123 * Fixed broken manpage links 2124 2125 * Fixed an nginx compatibility issue by adding an 'install_sw' make alias 2126 2127 * Fixed HP-UX builds 2128 2129 * Changed the default configuration directory to c:\LibreSSL\ssl on Windows 2130 binary builds 2131 2132 * cert.pem has been reorganized and synced with Mozilla's certificate store 2133 21342.3.2 - Compatibility and Reliability fixes 2135 2136 * Changed format of LIBRESSL_VERSION_NUMBER to match that of 2137 OPENSSL_VERSION_NUMBER, see: 2138 https://wiki.openssl.org/index.php/Manual:OPENSSL_VERSION_NUMBER(3) 2139 2140 * Added EVP_aead_chacha20_poly1305_ietf() which matches the AEAD 2141 construction introduced in RFC 7539, which is different than that 2142 already used in TLS with EVP_aead_chacha20_poly1305() 2143 2144 * Avoid a potential undefined C99+ behavior due to shift overflow in 2145 AES_decrypt, reported by Pascal Cuoq <cuoq at trust-in-soft.com> 2146 2147 * More man pages converted from pod to mdoc format 2148 2149 * Added COMODO RSA Certification Authority and QuoVadis 2150 root certificates to cert.pem 2151 2152 * Removed Remove "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification 2153 Authority" (serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be) root 2154 certificate from cert.pem 2155 2156 * Added support for building nc(1) on Solaris 2157 2158 * Fixed GCC 5.x+ preprocessor checks, reported by Ruslan Babayev 2159 2160 * Improved console handling with openssl(1) on Windows 2161 2162 * Ensure the network stack is enabled on Windows when running 2163 tls_init() 2164 2165 * Fixed incorrect TLS certificate loading by nc(1) 2166 2167 * Added support for Solaris 11.3's getentropy(2) system call 2168 2169 * Enabled support for using NetBSD 7.0's arc4random(3) implementation 2170 2171 * Deprecated the SSL_OP_SINGLE_DH_USE flag by 
disabling its effect 2172 2173 * Fixes from OpenSSL 1.0.1q 2174 - CVE-2015-3194 - NULL pointer dereference in client side certificate 2175 validation. 2176 - CVE-2015-3195 - Memory leak in PKCS7 - not reachable from TLS/SSL 2177 2178 * The following OpenSSL CVEs did not apply to LibreSSL 2179 - CVE-2015-3193 - Carry propagating bug in the x86_64 Montgomery 2180 squaring procedure. 2181 - CVE-2015-3196 - Double free race condition of the identify hint 2182 data. 2183 2184 See https://marc.info/?l=openbsd-announce&m=144925068504102 2185 21862.3.1 - ASN.1 and time handling cleanups 2187 2188 * ASN.1 cleanups and RFC5280 compliance fixes. 2189 2190 * Time representations switched from 'unsigned long' to 'time_t'. LibreSSL 2191 now checks if the host OS supports 64-bit time_t. 2192 2193 * Fixed a leak in SSL_new in the error path. 2194 2195 * Support always extracting the peer cipher and version with libtls. 2196 2197 * Added ability to check certificate validity times with libtls, 2198 tls_peer_cert_notbefore and tls_peer_cert_notafter. 2199 2200 * Changed tls_connect_servername to use the first address that resolves with 2201 getaddrinfo(). 2202 2203 * Remove broken conditional EVP_CHECK_DES_KEY code (non-functional since 2204 initial commit in 2004). 2205 2206 * Fixed a memory leak and out-of-bounds access in OBJ_obj2txt, reported 2207 by Qualys Security. 2208 2209 * Fixed an up-to 7 byte overflow in RC4 when len is not a multiple of 2210 sizeof(RC4_CHUNK), reported by Pascal Cuoq <cuoq at trust-in-soft.com>. 2211 2212 * Reject too small bits value in BN_generate_prime_ex(), so that it does 2213 not risk becoming negative in probable_prime_dh_safe(), reported by 2214 Franck Denis. 2215 2216 * Enable nc(1) builds on more platforms. 2217 22182.3.0 - SSLv3 removed, libtls API changes, portability improvements 2219 2220 * SSLv3 is now permanently removed from the tree. 2221 2222 * The libtls API is changed from the 2.2.x series. 
2223 2224 The read/write functions work correctly with external event 2225 libraries. See the tls_init man page for examples of using libtls 2226 correctly in asynchronous mode. 2227 2228 Client-side verification is now supported, with the client supplying 2229 the certificate to the server. 2230 2231 Also, when using tls_connect_fds, tls_connect_socket or 2232 tls_accept_fds, libtls no longer implicitly closes the passed in 2233 sockets. The caller is responsible for closing them in this case. 2234 2235 * When loading a DSA key from an raw (without DH parameters) ASN.1 2236 serialization, perform some consistency checks on its `p' and `q' 2237 values, and return an error if the checks failed. 2238 2239 Thanks for Georgi Guninski (guninski at guninski dot com) for 2240 mentioning the possibility of a weak (non prime) q value and 2241 providing a test case. 2242 2243 See 2244 https://cpunks.org/pipermail/cypherpunks/2015-September/009007.html 2245 for a longer discussion. 2246 2247 * Fixed a bug in ECDH_compute_key that can lead to silent truncation 2248 of the result key without error. A coding error could cause software 2249 to use much shorter keys than intended. 2250 2251 * Removed support for DTLS_BAD_VER. Pre-DTLSv1 implementations are no 2252 longer supported. 2253 2254 * The engine command and parameters are removed from the openssl(1). 2255 Previous releases removed dynamic and builtin engine support 2256 already. 2257 2258 * SHA-0 is removed, which was withdrawn shortly after publication 20 2259 years ago. 2260 2261 * Added Certplus CA root certificate to the default cert.pem file. 2262 2263 * New interface OPENSSL_cpu_caps is provided that does not allow 2264 software to inadvertently modify cpu capability flags. 2265 OPENSSL_ia32cap and OPENSSL_ia32cap_loc are removed. 2266 2267 * The out_len argument of AEAD changed from ssize_t to size_t. 2268 2269 * Deduplicated DTLS code, sharing bugfixes and improvements with 2270 TLS. 
2271 2272 * Converted 'nc' to use libtls for client and server operations; it is 2273 included in the libressl-portable distribution as an example of how 2274 to use the library. 2275 22762.2.3 - Bug fixes, build enhancements 2277 2278 * LibreSSL 2.2.2 incorrectly handles ClientHello messages that do not 2279 include TLS extensions, resulting in such handshakes being aborted. 2280 This release corrects the handling of such messages. Thanks to 2281 Ligushka from github for reporting the issue. 2282 2283 * Added install target for cmake builds. Thanks to TheNietsnie from 2284 github. 2285 2286 * Updated pkgconfig files to correctly report the release version 2287 number, not the individual library ABI version numbers. Thanks to 2288 Jan Engelhardt for reporting the issue. 2289 22902.2.2 - More TLS parser rework, bug fixes, expanded portable build support 2291 2292 * Switched 'openssl dhparam' default from 512 to 2048 bits 2293 2294 * Reworked openssl(1) option handling 2295 2296 * More CRYPTO ByteString (CBC) packet parsing conversions 2297 2298 * Fixed 'openssl pkeyutl -verify' to exit with a 0 on success 2299 2300 * Fixed dozens of Coverity issues including dead code, memory leaks, 2301 logic errors and more. 2302 2303 * Ensure that openssl(1) restores terminal echo state after reading a 2304 password. 2305 2306 * Incorporated fix for OpenSSL Issue #3683 2307 2308 * LibreSSL version define LIBRESSL_VERSION_NUMBER will now be bumped 2309 for each portable release. 2310 2311 * Removed workarounds for TLS client padding bugs. 2312 2313 * No longer disable ECDHE-ECDSA on OS X 2314 2315 * Removed SSLv3 support from openssl(1) 2316 2317 * Removed IE 6 SSLv3 workarounds. 2318 2319 * Modified tls_write in libtls to allow partial writes, clarified with 2320 examples in the documentation. 2321 2322 * Removed RSAX engine 2323 2324 * Tested SSLv3 removal with the OpenBSD ports tree and found several 2325 applications that were not ready to build without SSLv3 yet. 
For 2326 now, building a program that intentionally uses SSLv3 will result in 2327 a linker warning. 2328 2329 * Added TLS_method, TLS_client_method and TLS_server_method as a 2330 replacement for the SSLv23_*method calls. 2331 2332 * Added initial cmake build support, including support for building with 2333 Visual Studio, currently tested with Visual Studio 2013 Community 2334 Edition. 2335 2336 * --with-enginesdir is removed as a configuration parameter 2337 2338 * Default cert.pem, openssl.cnf, and x509v3.cnf files are now 2339 installed under $sysconfdir/ssl or the directory specified by 2340 --with-openssldir. Previous versions of LibreSSL left these empty. 2341 23422.2.1 - Build fixes, feature added, features removed 2343 2344 * Assorted build fixes for musl, HP-UX, Mingw, Solaris. 2345 2346 * Initial support for Windows Embedded 2009, Server 2003, XP 2347 2348 * Protocol parsing conversions to BoringSSL's CRYPTO ByteString (CBS) API 2349 2350 * Added EC_curve_nid2nist and EC_curve_nist2nid from OpenSSL 2351 2352 * Removed Dynamic Engine support 2353 2354 * Removed unused and obsolete MDC-2DES cipher 2355 2356 * Removed workarounds for obsolete SSL implementations 2357 23582.2.0 - Build cleanups and new OS support, Security Updates 2359 2360 * AIX Support - thanks to Michael Felt 2361 2362 * Cygwin Support - thanks to Corinna Vinschen 2363 2364 * Refactored build macros, support packaging libtls independently. 2365 There are more pieces required to support building and using OpenSSL 2366 with libtls, but this is an initial start at providing an 2367 independent package for people to start hacking on. 2368 2369 * Removal of OPENSSL_issetugid and all library getenv calls. 2370 Applications can and should no longer rely on environment variables 2371 for changing library behavior. OPENSSL_CONF/SSLEAY_CONF is still 2372 supported with the openssl(1) command. 
2373 2374 * libtls API and documentation additions 2375 2376 * Various bug fixes and simplifications to libssl and libcrypto 2377 2378 * Fixes for the following issues are integrated into LibreSSL 2.2.0: 2379 - CVE-2015-1788 - Malformed ECParameters causes infinite loop 2380 - CVE-2015-1789 - Exploitable out-of-bounds read in X509_cmp_time 2381 - CVE-2015-1792 - CMS verify infinite loop with unknown hash function 2382 2383 * The following CVEs did not apply to LibreSSL or were fixed in 2384 earlier releases: 2385 - CVE-2015-4000 - DHE man-in-the-middle protection (Logjam) 2386 - CVE-2015-1790 - PKCS7 crash with missing EnvelopedContent 2387 - CVE-2014-8176 - Invalid free in DTLS 2388 2389 * Fixes for the following CVEs are still in review for LibreSSL 2390 - CVE-2015-1791 - Race condition handling NewSessionTicket 2391 23922.1.6 - Security update 2393 2394 * Fixes for the following issues are integrated into LibreSSL 2.1.6: 2395 - CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error 2396 - CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp 2397 - CVE-2015-0287 - ASN.1 structure reuse memory corruption 2398 - CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref 2399 - CVE-2015-0289 - PKCS7 NULL pointer dereferences 2400 2401 * The fix for CVE-2015-0207 - Segmentation fault in DTLSv1_listen 2402 is integrated for safety, but LibreSSL is not vulnerable. 2403 2404 * Libtls is now built by default. The --enable-libtls 2405 configuration option is no longer required. 2406 The libtls API is now stable for the 2.1.x series. 2407 24082.1.5 - Bug fixes and a security update 2409 * Fix incorrect comparison function in openssl(1) certhash command. 2410 Thanks to Christian Neukirchen / Void Linux. 2411 2412 * Windows port improvements and bug fixes. 2413 - Removed a dependency on libgcc in 32-bit dynamic libraries. 2414 - Correct a hang in openssl(1) reading from stdin on an connection. 
2415 - Initialize winsock in openssl(1) earlier, allow 'openssl ocsp' and 2416 any other network-related commands to function properly. 2417 2418 * Reject all server DH keys smaller than 1024 bits. 2419 24202.1.4 - Security and feature updates 2421 * Improvements to libtls: 2422 - a new API for loading CA chains directly from memory instead of a 2423 file, allowing verification with privilege separation in a chroot 2424 without direct access to CA certificate files. 2425 2426 - Ciphers default to TLSv1.2 with AEAD and PFS. 2427 2428 - Improved error handling and message generation 2429 2430 - New APIs and improved documentation 2431 2432 * Added X509_STORE_load_mem API for loading certificates from memory. 2433 This facilitates accessing certificates from a chrooted environment. 2434 2435 * New AEAD "MAC alias" allows configuring TLSv1.2 AEAD ciphers by 2436 using 'TLSv1.2+AEAD' as the cipher selection string. 2437 2438 * Dead and disabled code removal including MD5, Netscape workarounds, 2439 non-POSIX IO, SCTP, RFC 3779 support, many #if 0 sections, and more. 2440 2441 * ASN1 macro maze expanded to aid reading and searching the code. 2442 2443 * NULL pointer asserts removed in favor of letting the OS/signal 2444 handler catch them. 2445 2446 * Refactored argument handling in openssl(1) for consistency and 2447 maintainability. 2448 2449 * New openssl(1) command 'certhash' replaces the c_rehash script. 2450 2451 * Support for building with OPENSSL_NO_DEPRECATED 2452 2453 * Server-side support for TLS_FALLBACK_SCSV for compatibility with 2454 various auditor and vulnerability scanners. 2455 2456 * Dozens of issues found with the Coverity scanner fixed. 2457 2458 * Security Updates: 2459 2460 - Fix a minor information leak that was introduced in t1_lib.c 2461 r1.71, whereby an additional 28 bytes of .rodata (or .data) is 2462 provided to the network. In most cases this is a non-issue since 2463 the memory content is already public. 
      Issue found and reported by
      Felix Groebert of the Google Security Team.

    - Fixes for the following low-severity issues were integrated into
      LibreSSL from OpenSSL 1.0.1k:

      CVE-2015-0205 - DH client certificates accepted without
                      verification
      CVE-2014-3570 - Bignum squaring may produce incorrect results
      CVE-2014-8275 - Certificate fingerprints can be modified
      CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client]
                      Reported by Karthikeyan Bhargavan of the PROSECCO
                      team at INRIA.

      The following CVEs were fixed in earlier LibreSSL releases:
      CVE-2015-0206 - Memory leak handling repeated DTLS records
      CVE-2014-3510 - Flaw handling DTLS anonymous EC(DH) ciphersuites.

      The following CVEs did not apply to LibreSSL:
      CVE-2014-3571 - DTLS segmentation fault in dtls1_get_record
      CVE-2014-3569 - no-ssl3 configuration sets method to NULL
      CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA

2.1.3 - Security update and OS support improvements

  * Fixed various memory leaks in DTLS, including fixes for
    CVE-2015-0206.

  * Added Application-Layer Protocol Negotiation (ALPN) support.

  * Removed GOST R 34.10-94 signature authentication.

  * Removed nonfunctional Netscape browser-hang workaround code.

  * Simplified and refactored SSL/DTLS handshake code.

  * Added SHA256 Camellia cipher suites for TLS 1.2 from RFC 5932.

  * Hide timing info about padding errors during handshakes.

  * Improved libtls support for non-blocking sockets, added randomized
    session ID contexts. Work is ongoing with this library - feedback
    and potential use-cases are welcome.

  * Support building Windows DLLs.
    Thanks to Jan Engelhard.

  * Packaged config wrapper for better compatibility with OpenSSL-based
    build systems.
    Thanks to @technion from github

  * Ensure the stack is marked non-executable for assembly sections.
    Thanks to Anthony G. Bastile.

  * Enable extra compiler hardening flags by default, where applicable.
    The default set of hardening features can vary from OS to OS, so
    feedback is welcome on this. To disable the default hardening flags,
    specify '--disable-hardening' during configure.
    Thanks to Jim Barlow

  * Initial HP-UX support, tested with HP-UX 11.31 ia64
    Thanks to Kinichiro Inoguchi

  * Initial NetBSD support, tested with NetBSD 6.1.5 x86_64
    Imported from OpenNTPD, thanks to @gitisihara from github

2.1.2 - Many new features and improvements

  * Added reworked GOST cipher suite support
    thanks to Dmitry Eremin-Solenikov

  * Enabled Camellia ciphers due to improved patent situation

  * Use builtin arc4random implementation on OS X and FreeBSD
    this addresses some deficiencies in the native implementations of
    these operating systems, see commit logs for more information

  * Added initial Windows mingw-w64 support (32 and 64-bit)
    thanks to Song Dongsheng and others for code and feedback

  * Enabled assembly optimizations on x86_64 CPUs
    supports Linux, *BSD, Solaris and OS X operating systems
    thanks to Wouter Clarie for the initial implementation

  * Added no_ssl3/no_tls1_1/no_tls1_2 options to openssl(1)

  * Improved build infrastructure, 'make distcheck' now passes
    this simplifies and speeds up development
    thanks to Dmitry Eremin-Solenikov and Wouter Clarie

  * Allow conditional building of the libtls library
    expect the API and ABI of the library to change
    feedback is welcome

  * Fixes for more memory leaks, cleanups, etc.

2.1.1 - Security update

  * Address POODLE attack by disabling SSLv3 by default

  * Fix Elliptic Curve cipher selection bug
    (https://github.com/libressl-portable/portable/issues/35)

2.1.0 - First release from the OpenBSD 5.7 tree

  * Added support for automatic ephemeral EC keys

  * Fixes for many memory leaks and overflows in error handlers

  * The TLS padding extension (that works around bugs in F5 terminators) is
    off by default

  * Support for getrandom(2) on Linux 3.17

  * The NO_ASM macro is no longer being set, providing the first bits toward
    enabling other assembly offloads.

2.0.5 - Fixes for CVEs from OpenSSL 1.0.1i

  * CVE-2014-3506
  * CVE-2014-3507
  * CVE-2014-3508 (partially vulnerable)
  * CVE-2014-3509
  * CVE-2014-3510
  * CVE-2014-3511
  * Synced LibreSSL Portable with the release version of OpenBSD 5.6

2.0.4 - Portability fixes, deleted unused SRP code

2.0.3 - Portability fixes, improvements to fork detection

2.0.2 - Address arc4random fork PID wraparound issues with pthread_atfork

2.0.1 - Portability fixes:

  * Removed -Werror and other non-portable compiler flags

  * Allow setting OPENSSLDIR and ENGINSDIR

2.0.0 - First release from the OpenBSD 5.6 tree

  * Removal of many obsolete features and coding conventions from the OpenSSL
    1.0.1h source
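The 2.0.2 and 2.0.3 entries above concern a classic userspace-CSPRNG hazard: after fork(2) both processes hold the same generator state, and detecting the fork by comparing getpid() against a saved pid can be fooled by pid wraparound. The following is an added example, written for this page and not LibreSSL's arc4random code, showing the pthread_atfork() technique those entries name. The generator state (a splitmix64 step), the rs_* names and demo_fork_reseeds() are all constructed here for illustration; a real implementation would reseed from getentropy(2)/getrandom(2) rather than from the pid.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Toy generator state: NOT a CSPRNG, only a stand-in for arc4random's. */
static struct {
    uint64_t state;
    unsigned generation;    /* how many times the state has been (re)seeded */
    int initialized;
    int atfork_registered;
} rs;

/* Set in the child by the pthread_atfork() child handler, cleared on reseed. */
static volatile sig_atomic_t rs_forked;

static void
rs_atfork_child(void)
{
    rs_forked = 1;
}

/* Reseed. Real code reads kernel entropy here; this mixes in pid and an
 * address only so that parent and child visibly diverge. */
static void
rs_stir(void)
{
    rs.state ^= ((uint64_t)getpid() << 32) ^ (uint64_t)(uintptr_t)&rs;
    rs.state += 0x9E3779B97F4A7C15ULL * (uint64_t)(rs.generation + 1);
    rs.generation++;
    rs.initialized = 1;
    rs_forked = 0;
}

/* Fork detection. A saved-pid comparison misses this case: a process seeds,
 * forks a child that never touches the generator, then exits; after pid
 * wraparound a descendant forked by that child can land on the original pid
 * with the original state still in memory. The atfork child handler flags
 * every fork(2) regardless of which pid the child receives. */
static void
rs_forkdetect(void)
{
    if (!rs.atfork_registered) {
        (void)pthread_atfork(NULL, NULL, rs_atfork_child);
        rs.atfork_registered = 1;
    }
    if (!rs.initialized || rs_forked)
        rs_stir();
}

/* One output word: a splitmix64 step over the toy state. */
uint64_t
rs_next(void)
{
    uint64_t z;

    rs_forkdetect();
    z = (rs.state += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

unsigned
rs_generation(void)
{
    rs_forkdetect();
    return rs.generation;
}

/* Fork; parent and child each draw one word. Returns 1 when the child
 * reseeded exactly once while the parent did not and the words differ,
 * 0 if any of that failed, -1 on a system call error. */
int
demo_fork_reseeds(void)
{
    int fd[2];
    unsigned before;
    uint64_t parent_out, child_out = 0;
    unsigned char child_ok = 0;
    pid_t pid;

    before = rs_generation();           /* seeds on first use */
    if (pipe(fd) == -1 || (pid = fork()) == -1)
        return -1;
    if (pid == 0) {
        uint64_t v = rs_next();         /* rs_forked is set: this reseeds */
        unsigned char ok = (rs.generation == before + 1);
        if (write(fd[1], &ok, 1) != 1 ||
            write(fd[1], &v, sizeof(v)) != (ssize_t)sizeof(v))
            _exit(1);
        _exit(0);
    }
    close(fd[1]);
    parent_out = rs_next();             /* no fork seen here: no reseed */
    if (read(fd[0], &child_ok, 1) != 1 ||
        read(fd[0], &child_out, sizeof(child_out)) != (ssize_t)sizeof(child_out))
        child_ok = 0;
    close(fd[0]);
    waitpid(pid, NULL, 0);
    return child_ok == 1 && rs.generation == before && parent_out != child_out;
}

int
main(void)
{
    printf("child reseeded, parent kept its state: %s\n",
        demo_fork_reseeds() == 1 ? "yes" : "no");
    return 0;
}
```

On libcs older than glibc 2.34, pthread_atfork() lives in libpthread, so link with -lpthread. Handlers only run for fork(2) through the C library; a raw clone(2) bypasses them, which is why the flag complements rather than replaces other fork checks.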