1Because this project is maintained both in the OpenBSD tree using CVS and in 2Git, it can be confusing following all of the changes. 3 4Most of the libssl and libcrypto source code is is here in OpenBSD CVS: 5 6 http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/ 7 8Some of the libcrypto and OS-compatibility files for entropy and random number 9generation are here: 10 11 http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libcrypto/ 12 13A simplified TLS wrapper library is here: 14 15 http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libtls/ 16 17The LibreSSL Portable project copies these portions of the OpenBSD tree, along 18with relevant portions of the C library, to a Git repository. This makes it 19easier to follow all of the relevant changes to the upstream project in a 20single place: 21 22 https://github.com/libressl-portable/openbsd 23 24The portable bits of the project are largely maintained out-of-tree, and their 25history is also available from Git. 26 27 https://github.com/libressl-portable/portable 28 29LibreSSL Portable Release Notes: 30 312.4.3 - Bug fixes and reliability improvements 32 33 * Reverted change that cleans up the EVP cipher context in 34 EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the 35 previous behaviour. 36 37 * Avoid unbounded memory growth in libssl, which can be triggered by a 38 TLS client repeatedly renegotiating and sending OCSP Status Request 39 TLS extensions. 40 41 * Avoid falling back to a weak digest for (EC)DH when using SNI with 42 libssl. 43 442.4.2 - Bug fixes and improvements 45 46 * Fixed loading default certificate locations with openssl s_client. 47 48 * Ensured OSCP only uses and compares GENERALIZEDTIME values as per 49 RFC6960. Also added fixes for OCSP to work with intermediate 50 certificates provided in responses. 51 52 * Improved behavior of arc4random on Windows to not appear to leak 53 memory in debug tools, reduced privileges of allocated memory. 54 55 * Fixed incorrect results from BN_mod_word() when the modulus is too 56 large, thanks to Brian Smith from BoringSSL. 57 58 * Correctly handle an EOF prior to completing the TLS handshake in 59 libtls. 60 61 * Improved libtls ceritificate loading and cipher string validation. 62 63 * Updated libtls cipher group suites into four categories: 64 "secure" (TLSv1.2+AEAD+PFS) 65 "compat" (HIGH:!aNULL) 66 "legacy" (HIGH:MEDIUM:!aNULL) 67 "insecure" (ALL:!aNULL:!eNULL) 68 This allows for flexibility and finer grained control, rather than 69 having two extremes. 70 71 * Limited support for 'backward compatible' SSLv2 handshake packets to 72 when TLS 1.0 is enabled, providing more restricted compatibility 73 with TLS 1.0 clients. 74 75 * openssl(1) and other documentation improvements. 76 77 * Removed flags for disabling constant-time operations. 78 This removes support for DSA_FLAG_NO_EXP_CONSTTIME, 79 DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making 80 all of these operations unconditionally constant-time. 81 82 832.4.1 - Security fix 84 85 * Correct a problem that prevents the DSA signing algorithm from 86 running in constant time even if the flag BN_FLG_CONSTTIME is set. 87 This issue was reported by Cesar Pereida (Aalto University), Billy 88 Brumley (Tampere University of Technology), and Yuval Yarom (The 89 University of Adelaide and NICTA). The fix was developed by Cesar 90 Pereida. 91 922.4.0 - Build improvements, new features 93 94 * Many improvements to the CMake build infrastructure, including 95 Solaris, mingw-w64, Cygwin, and HP-UX support. Thanks to Kinichiro 96 Inoguchi for this work. 97 98 * Added missing error handling around bn_wexpand() calls. 99 100 * Added explicit_bzero calls for freed ASN.1 objects. 101 102 * Fixed X509_*set_object functions to return 0 on allocation failure. 103 104 * Implemented the IETF ChaCha20-Poly1305 cipher suites. 105 106 * Changed default EVP_aead_chacha20_poly1305() implementation to the 107 IETF version, which is now the default. 108 109 * Fixed password prompts from openssl(1) to properly handle ^C. 110 111 * Reworked error handling in libtls so that configuration errors are 112 visible. 113 114 * Deprecated internal use of EVP_[Cipher|Encrypt|Decrypt]_Final. 115 116 * Manpage fixes and updates 117 1182.3.5 - Reliability fix 119 120 * Fixed an error in libcrypto when parsing some ASN.1 elements > 16k. 121 1222.3.4 - Security Update 123 124 * Fix multiple vulnerabilities in libcrypto relating to ASN.1 and encoding. 125 From OpenSSL. 126 127 * Minor build fixes 128 1292.3.3 - OpenBSD 5.9 release branch tagged 130 131 * Reworked build scripts to better sync with OpenNTPD-portable 132 133 * Fixed broken manpage links 134 135 * Fixed an nginx compatibility issue by adding an 'install_sw' make alias 136 137 * Fixed HP-UX builds 138 139 * Changed the default configuration directory to c:\LibreSSL\ssl on Windows 140 binary builds 141 142 * cert.pem has been reorganized and synced with Mozilla's certificate store 143 1442.3.2 - Compatibility and Reliability fixes 145 146 * Changed format of LIBRESSL_VERSION_NUMBER to match that of 147 OPENSSL_VERSION_NUMBER, see: 148 https://wiki.openssl.org/index.php/Manual:OPENSSL_VERSION_NUMBER(3) 149 150 * Added EVP_aead_chacha20_poly1305_ietf() which matches the AEAD 151 construction introduced in RFC 7539, which is different than that 152 already used in TLS with EVP_aead_chacha20_poly1305() 153 154 * Avoid a potential undefined C99+ behavior due to shift overflow in 155 AES_decrypt, reported by Pascal Cuoq <cuoq at trust-in-soft.com> 156 157 * More man pages converted from pod to mdoc format 158 159 * Added COMODO RSA Certification Authority and QuoVadis 160 root certificates to cert.pem 161 162 * Removed Remove "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification 163 Authority" (serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be) root 164 certificate from cert.pem 165 166 * Added support for building nc(1) on Solaris 167 168 * Fixed GCC 5.x+ preprocessor checks, reported by Ruslan Babayev 169 170 * Improved console handling with openssl(1) on Windows 171 172 * Ensure the network stack is enabled on Windows when running 173 tls_init() 174 175 * Fixed incorrect TLS certificate loading by nc(1) 176 177 * Added support for Solaris 11.3's getentropy(2) system call 178 179 * Enabled support for using NetBSD 7.0's arc4random(3) implementation 180 181 * Deprecated the SSL_OP_SINGLE_DH_USE flag by disabling its effect 182 183 * Fixes from OpenSSL 1.0.1q 184 - CVE-2015-3194 - NULL pointer dereference in client side certificate 185 validation. 186 - CVE-2015-3195 - Memory leak in PKCS7 - not reachable from TLS/SSL 187 188 * The following OpenSSL CVEs did not apply to LibreSSL 189 - CVE-2015-3193 - Carry propagating bug in the x86_64 Montgomery 190 squaring procedure. 191 - CVE-2015-3196 - Double free race condition of the identify hint 192 data. 193 194 See https://marc.info/?l=openbsd-announce&m=144925068504102 195 1962.3.1 - ASN.1 and time handling cleanups 197 198 * ASN.1 cleanups and RFC5280 compliance fixes. 199 200 * Time representations switched from 'unsigned long' to 'time_t'. LibreSSL 201 now checks if the host OS supports 64-bit time_t. 202 203 * Fixed a leak in SSL_new in the error path. 204 205 * Support always extracting the peer cipher and version with libtls. 206 207 * Added ability to check certificate validity times with libtls, 208 tls_peer_cert_notbefore and tls_peer_cert_notafter. 209 210 * Changed tls_connect_servername to use the first address that resolves with 211 getaddrinfo(). 212 213 * Remove broken conditional EVP_CHECK_DES_KEY code (non-functional since 214 initial commit in 2004). 215 216 * Fixed a memory leak and out-of-bounds access in OBJ_obj2txt, reported 217 by Qualys Security. 218 219 * Fixed an up-to 7 byte overflow in RC4 when len is not a multiple of 220 sizeof(RC4_CHUNK), reported by Pascal Cuoq <cuoq at trust-in-soft.com>. 221 222 * Reject too small bits value in BN_generate_prime_ex(), so that it does 223 not risk becoming negative in probable_prime_dh_safe(), reported by 224 Franck Denis. 225 226 * Enable nc(1) builds on more platforms. 227 2282.3.0 - SSLv3 removed, libtls API changes, portability improvements 229 230 * SSLv3 is now permanently removed from the tree. 231 232 * The libtls API is changed from the 2.2.x series. 233 234 The read/write functions work correctly with external event 235 libraries. See the tls_init man page for examples of using libtls 236 correctly in asynchronous mode. 237 238 Client-side verification is now supported, with the client supplying 239 the certificate to the server. 240 241 Also, when using tls_connect_fds, tls_connect_socket or 242 tls_accept_fds, libtls no longer implicitly closes the passed in 243 sockets. The caller is responsible for closing them in this case. 244 245 * When loading a DSA key from an raw (without DH parameters) ASN.1 246 serialization, perform some consistency checks on its `p' and `q' 247 values, and return an error if the checks failed. 248 249 Thanks for Georgi Guninski (guninski at guninski dot com) for 250 mentioning the possibility of a weak (non prime) q value and 251 providing a test case. 252 253 See 254 https://cpunks.org/pipermail/cypherpunks/2015-September/009007.html 255 for a longer discussion. 256 257 * Fixed a bug in ECDH_compute_key that can lead to silent truncation 258 of the result key without error. A coding error could cause software 259 to use much shorter keys than intended. 260 261 * Removed support for DTLS_BAD_VER. Pre-DTLSv1 implementations are no 262 longer supported. 263 264 * The engine command and parameters are removed from the openssl(1). 265 Previous releases removed dynamic and builtin engine support 266 already. 267 268 * SHA-0 is removed, which was withdrawn shortly after publication 20 269 years ago. 270 271 * Added Certplus CA root certificate to the default cert.pem file. 272 273 * New interface OPENSSL_cpu_caps is provided that does not allow 274 software to inadvertently modify cpu capability flags. 275 OPENSSL_ia32cap and OPENSSL_ia32cap_loc are removed. 276 277 * The out_len argument of AEAD changed from ssize_t to size_t. 278 279 * Deduplicated DTLS code, sharing bugfixes and improvements with 280 TLS. 281 282 * Converted 'nc' to use libtls for client and server operations; it is 283 included in the libressl-portable distribution as an example of how 284 to use the library. 285 2862.2.3 - Bug fixes, build enhancements 287 288 * LibreSSL 2.2.2 incorrectly handles ClientHello messages that do not 289 include TLS extensions, resulting in such handshakes being aborted. 290 This release corrects the handling of such messages. Thanks to 291 Ligushka from github for reporting the issue. 292 293 * Added install target for cmake builds. Thanks to TheNietsnie from 294 github. 295 296 * Updated pkgconfig files to correctly report the release version 297 number, not the individual library ABI version numbers. Thanks to 298 Jan Engelhardt for reporting the issue. 299 3002.2.2 - More TLS parser rework, bug fixes, expanded portable build support 301 302 * Switched 'openssl dhparam' default from 512 to 2048 bits 303 304 * Reworked openssl(1) option handling 305 306 * More CRYPTO ByteString (CBC) packet parsing conversions 307 308 * Fixed 'openssl pkeyutl -verify' to exit with a 0 on success 309 310 * Fixed dozens of Coverity issues including dead code, memory leaks, 311 logic errors and more. 312 313 * Ensure that openssl(1) restores terminal echo state after reading a 314 password. 315 316 * Incorporated fix for OpenSSL Issue #3683 317 318 * LibreSSL version define LIBRESSL_VERSION_NUMBER will now be bumped 319 for each portable release. 320 321 * Removed workarounds for TLS client padding bugs. 322 323 * No longer disable ECDHE-ECDSA on OS X 324 325 * Removed SSLv3 support from openssl(1) 326 327 * Removed IE 6 SSLv3 workarounds. 328 329 * Modified tls_write in libtls to allow partial writes, clarified with 330 examples in the documentation. 331 332 * Removed RSAX engine 333 334 * Tested SSLv3 removal with the OpenBSD ports tree and found several 335 applications that were not ready to build without SSLv3 yet. For 336 now, building a program that intentionally uses SSLv3 will result in 337 a linker warning. 338 339 * Added TLS_method, TLS_client_method and TLS_server_method as a 340 replacement for the SSLv23_*method calls. 341 342 * Added initial cmake build support, including support for building with 343 Visual Studio, currently tested with Visual Studio 2013 Community 344 Edition. 345 346 * --with-enginesdir is removed as a configuration parameter 347 348 * Default cert.pem, openssl.cnf, and x509v3.cnf files are now 349 installed under $sysconfdir/ssl or the directory specified by 350 --with-openssldir. Previous versions of LibreSSL left these empty. 351 3522.2.1 - Build fixes, feature added, features removed 353 354 * Assorted build fixes for musl, HP-UX, Mingw, Solaris. 355 356 * Initial support for Windows Embedded 2009, Server 2003, XP 357 358 * Protocol parsing conversions to BoringSSL's CRYPTO ByteString (CBS) API 359 360 * Added EC_curve_nid2nist and EC_curve_nist2nid from OpenSSL 361 362 * Removed Dynamic Engine support 363 364 * Removed unused and obsolete MDC-2DES cipher 365 366 * Removed workarounds for obsolete SSL implementations 367 3682.2.0 - Build cleanups and new OS support, Security Updates 369 370 * AIX Support - thanks to Michael Felt 371 372 * Cygwin Support - thanks to Corinna Vinschen 373 374 * Refactored build macros, support packaging libtls independently. 375 There are more pieces required to support building and using OpenSSL 376 with libtls, but this is an initial start at providing an 377 independent package for people to start hacking on. 378 379 * Removal of OPENSSL_issetugid and all library getenv calls. 380 Applications can and should no longer rely on environment variables 381 for changing library behavior. OPENSSL_CONF/SSLEAY_CONF is still 382 supported with the openssl(1) command. 383 384 * libtls API and documentation additions 385 386 * Various bug fixes and simplifications to libssl and libcrypto 387 388 * Fixes for the following issues are integrated into LibreSSL 2.2.0: 389 - CVE-2015-1788 - Malformed ECParameters causes infinite loop 390 - CVE-2015-1789 - Exploitable out-of-bounds read in X509_cmp_time 391 - CVE-2015-1792 - CMS verify infinite loop with unknown hash function 392 393 * The following CVEs did not apply to LibreSSL or were fixed in 394 earlier releases: 395 - CVE-2015-4000 - DHE man-in-the-middle protection (Logjam) 396 - CVE-2015-1790 - PKCS7 crash with missing EnvelopedContent 397 - CVE-2014-8176 - Invalid free in DTLS 398 399 * Fixes for the following CVEs are still in review for LibreSSL 400 - CVE-2015-1791 - Race condition handling NewSessionTicket 401 4022.1.6 - Security update 403 404 * Fixes for the following issues are integrated into LibreSSL 2.1.6: 405 - CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error 406 - CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp 407 - CVE-2015-0287 - ASN.1 structure reuse memory corruption 408 - CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref 409 - CVE-2015-0289 - PKCS7 NULL pointer dereferences 410 411 * The fix for CVE-2015-0207 - Segmentation fault in DTLSv1_listen 412 is integrated for safety, but LibreSSL is not vulnerable. 413 414 * Libtls is now built by default. The --enable-libtls 415 configuration option is no longer required. 416 The libtls API is now stable for the 2.1.x series. 417 4182.1.5 - Bug fixes and a security update 419 * Fix incorrect comparison function in openssl(1) certhash command. 420 Thanks to Christian Neukirchen / Void Linux. 421 422 * Windows port improvements and bug fixes. 423 - Removed a dependency on libgcc in 32-bit dynamic libraries. 424 - Correct a hang in openssl(1) reading from stdin on an connection. 425 - Initialize winsock in openssl(1) earlier, allow 'openssl ocsp' and 426 any other network-related commands to function properly. 427 428 * Reject all server DH keys smaller than 1024 bits. 429 4302.1.4 - Security and feature updates 431 * Improvements to libtls: 432 - a new API for loading CA chains directly from memory instead of a 433 file, allowing verification with privilege separation in a chroot 434 without direct access to CA certificate files. 435 436 - Ciphers default to TLSv1.2 with AEAD and PFS. 437 438 - Improved error handling and message generation 439 440 - New APIs and improved documentation 441 442 * Added X509_STORE_load_mem API for loading certificates from memory. 443 This facilitates accessing certificates from a chrooted environment. 444 445 * New AEAD "MAC alias" allows configuring TLSv1.2 AEAD ciphers by 446 using 'TLSv1.2+AEAD' as the cipher selection string. 447 448 * Dead and disabled code removal including MD5, Netscape workarounds, 449 non-POSIX IO, SCTP, RFC 3779 support, many #if 0 sections, and more. 450 451 * ASN1 macro maze expanded to aid reading and searching the code. 452 453 * NULL pointer asserts removed in favor of letting the OS/signal 454 handler catch them. 455 456 * Refactored argument handling in openssl(1) for consistency and 457 maintainability. 458 459 * New openssl(1) command 'certhash' replaces the c_rehash script. 460 461 * Support for building with OPENSSL_NO_DEPRECATED 462 463 * Server-side support for TLS_FALLBACK_SCSV for compatibility with 464 various auditor and vulnerability scanners. 465 466 * Dozens of issues found with the Coverity scanner fixed. 467 468 * Security Updates: 469 470 - Fix a minor information leak that was introduced in t1_lib.c 471 r1.71, whereby an additional 28 bytes of .rodata (or .data) is 472 provided to the network. In most cases this is a non-issue since 473 the memory content is already public. Issue found and reported by 474 Felix Groebert of the Google Security Team. 475 476 - Fixes for the following low-severity issues were integrated into 477 LibreSSL from OpenSSL 1.0.1k: 478 479 CVE-2015-0205 - DH client certificates accepted without 480 verification 481 CVE-2014-3570 - Bignum squaring may produce incorrect results 482 CVE-2014-8275 - Certificate fingerprints can be modified 483 CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client] 484 Reported by Karthikeyan Bhargavan of the PROSECCO team at INRIA. 485 486 The following CVEs were fixed in earlier LibreSSL releases: 487 CVE-2015-0206 - Memory leak handling repeated DLTS records 488 CVE-2014-3510 - Flaw handling DTLS anonymous EC(DH) ciphersuites. 489 490 The following CVEs did not apply to LibreSSL: 491 CVE-2014-3571 - DTLS segmentation fault in dtls1_get_record 492 CVE-2014-3569 - no-ssl3 configuration sets method to NULL 493 CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA 494 4952.1.3 - Security update and OS support improvements 496 * Fixed various memory leaks in DTLS, including fixes for 497 CVE-2015-0206. 498 499 * Added Application-Layer Protocol Negotiation (ALPN) support. 500 501 * Removed GOST R 34.10-94 signature authentication. 502 503 * Removed nonfunctional Netscape browser-hang workaround code. 504 505 * Simplfied and refactored SSL/DTLS handshake code. 506 507 * Added SHA256 Camellia cipher suites for TLS 1.2 from RFC 5932. 508 509 * Hide timing info about padding errors during handshakes. 510 511 * Improved libtls support for non-blocking sockets, added randomized 512 session ID contexts. Work is ongoing with this library - feedback 513 and potential use-cases are welcome. 514 515 * Support building Windows DLLs. 516 Thanks to Jan Engelhard. 517 518 * Packaged config wrapper for better compatibility with OpenSSL-based 519 build systems. 520 Thanks to @technion from github 521 522 * Ensure the stack is marked non-executable for assembly sections. 523 Thanks to Anthony G. Bastile. 524 525 * Enable extra compiler hardening flags by default, where applicable. 526 The default set of hardening features can vary by OS to OS, so 527 feedback is welcome on this. To disable the default hardening flags, 528 specify '--disable-hardening' during configure. 529 Thanks to Jim Barlow 530 531 * Initial HP-UX support, tested with HP-UX 11.31 ia64 532 Thanks to Kinichiro Inoguchi 533 534 * Initial NetBSD support, tested with NetBSD 6.1.5 x86_64 535 Imported from OpenNTPD, thanks to @gitisihara from github 536 5372.1.2 - Many new features and improvements 538 * Added reworked GOST cipher suite support 539 thanks to Dmitry Eremin-Solenikov 540 541 * Enabled Camellia ciphers due to improved patent situation 542 543 * Use builtin arc4random implementation on OS X and FreeBSD 544 this addresses some deficiencies in the native implementations of 545 these operating systems, see commit logs for more information 546 547 * Added initial Windows mingw-w64 support (32 and 64-bit) 548 thanks to Song Dongsheng and others for code and feedback 549 550 * Enabled assembly optimizations on x86_64 CPUs 551 supports Linux, *BSD, Solaris and OS X operating systems 552 thanks to Wouter Clarie for the initial implementation 553 554 * Added no_ssl3/no_tls1_1/no_tls1_2 options to openssl(1) 555 556 * Improved build infrastructure, 'make distcheck' now passes 557 this simplifies and speeds developer efficiency 558 thanks to Dmitry Eremin-Solenikov and Wouter Clarie 559 560 * Allow conditional building of the libtls library 561 expect the API and ABI of the library to change 562 feedback is welcome 563 564 * Fixes for more memory leaks, cleanups, etc. 565 5662.1.1 - Security update 567 * Address POODLE attack by disabling SSLv3 by default 568 569 * Fix Eliptical Curve cipher selection bug 570 (https://github.com/libressl-portable/portable/issues/35) 571 5722.1.0 - First release from the OpenBSD 5.7 tree 573 * Added support for automatic ephemeral EC keys 574 575 * Fixes for many memory leaks and overflows in error handlers 576 577 * The TLS padding extension (that works around bugs in F5 terminators) is 578 off by default 579 580 * support for getrandom(2) on Linux 3.17 581 582 * the NO_ASM macro is no longer being set, providing the first bits toward 583 enabling other assembly offloads. 584 5852.0.5 - Fixes for CVEs from OpenSSL 1.0.1i 586 * CVE-2014-3506 587 * CVE-2014-3507 588 * CVE-2014-3508 (partially vulnerable)he 589 * CVE-2014-3509 590 * CVE-2014-3510 591 * CVE-2014-3511 592 * Synced LibreSSL Portable with the release version of OpenBSD 5.6 593 5942.0.4 - Portability fixes, deleted unused SRP code 595 5962.0.3 - Portability fixes, improvements to fork detection 597 5982.0.2 - Address arc4random fork PID wraparound issues with pthread_atfork 599 6002.0.1 - Portability fixes: 601 * Removed -Werror and and other non-portable compiler flags 602 603 * Allow setting OPENSSLDIR and ENGINSDIR 604 6052.0.0 - First release from the OpenBSD 5.6 tree 606 * Removal of many obsolete features and coding conventions from the OpenSSL 607 1.0.1h source 608