1Because this project is maintained both in the OpenBSD tree using CVS and in 2Git, it can be confusing following all of the changes. 3 4Most of the libssl and libcrypto source code is is here in OpenBSD CVS: 5 6 http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/ 7 8Some of the libcrypto and OS-compatibility files for entropy and random number 9generation are here: 10 11 http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libcrypto/ 12 13A simplified TLS wrapper library is here: 14 15 http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libtls/ 16 17The LibreSSL Portable project copies these portions of the OpenBSD tree, along 18with relevant portions of the C library, to a Git repository. This makes it 19easier to follow all of the relevant changes to the upstream project in a 20single place: 21 22 https://github.com/libressl-portable/openbsd 23 24The portable bits of the project are largely maintained out-of-tree, and their 25history is also available from Git. 26 27 https://github.com/libressl-portable/portable 28 29LibreSSL Portable Release Notes: 30 312.9.1 - Stable release 32 33 * Added support for XChaCha20 and XChaCha20-Poly1305. 34 35 * Added support for AES key wrap constructions via the EVP interface. 36 37 * Partial port of the OpenSSL EC_KEY_METHOD API for use by OpenSSH. 38 39 * Added pbkdf2 key derivation support to openssl(1) 40 41 * Removed SHA224 based handshake signatures from consideration for use in a TLS 1.2 handshake. 42 43 * Changed the default digest type of openssl(1) enc to to sha256. 44 45 * Changed the default digest type of openssl(1) dgst to sha256. 46 47 * Changed the default digest type of openssl(1) x509 -fingerprint to sha256. 48 49 * Changed the default digest type of openssl(1) crl -fingerprint to sha256. 50 51 * Improved Windows, Android, and ARM compatibility, including assembly 52 optimizations on Mingw-w64 targets. 53 542.9.0 - Development release 55 56 * Added the SM4 block cipher from the Chinese standard GB/T 32907-2016. 57 58 * Fixed warnings about clock_gettime on Windows Visual Studio builds. 59 60 * Fixed CMake builds on systems where getpagesize is defined as an 61 inline function. 62 63 * CRYPTO_LOCK is now automatically initialized, with the legacy 64 callbacks stubbed for compatibility. 65 66 * Added the SM3 hash function from the Chinese standard GB/T 32905-2016. 67 68 * Added more OPENSSL_NO_* macros for compatibility with OpenSSL. 69 70 * Added extensive interoperability tests between LibreSSL and OpenSSL 71 1.0 and 1.1. 72 73 * Added additional Wycheproof tests and related bug fixes. 74 75 * Simplified sigalgs option processing and handshake signing algorithm 76 77 * Added the ability to use the RSA PSS algorithm for handshake 78 signatures. 79 80 * Added bn_rand_interval() and use it in code needing ranges of random 81 bn values. 82 83 * Added functionality to derive early, handshake, and application 84 secrets as per RFC8446. 85 86 * Added handshake state machine from RFC8446. 87 88 * Removed some ASN.1 related code from libcrypto that had not been used 89 since around 2000. 90 91 * Unexported internal symbols and internalized more record layer structs. 92 93 * Added support for assembly optimizations on 32-bit ARM ELF targets. 94 95 * Improved protection against timing side channels in ECDSA signature 96 generation. 97 98 * Coordinate blinding was added to some elliptic curves. This is the 99 last bit of the work by Brumley et al. to protect against the 100 Portsmash vulnerability. 101 102 * Ensure transcript handshake is always freed with TLS 1.2. 103 1042.8.2 - Stable release 105 106 * Added Wycheproof support for ECDH and ECDSA Web Crypto test vectors, 107 along with test harness fixes. 108 109 * Fixed memory leak in nc(1) 110 1112.8.1 - Test and compatibility improvements 112 113 * Added Wycheproof support for ECDH, RSASSA-PSS, AES-GCM, 114 AES-CMAC, AES-CCM, AES-CBC-PKCS5, DSA, ChaCha20-Poly1305, ECDSA, and 115 X25519 test vectors. Applied appropriate fixes for errors uncovered 116 by tests. 117 118 * Simplified key exchange signature generation and verification. 119 120 * Fixed a one-byte buffer overrun in callers of EVP_read_pw_string 121 122 * Converted more code paths to use CBB/CBS. All handshake messages are 123 now created by CBB. 124 125 * Fixed various memory leaks found by Coverity. 126 127 * Simplified session ticket parsing and handling, inspired by 128 BoringSSL. 129 130 * Modified signature of CRYPTO_mem_leaks_* to return -1. This function 131 is a no-op in LibreSSL, so this function returns an error to not 132 indicate the (non-)existence of memory leaks. 133 134 * SSL_copy_session_id, PEM_Sign, EVP_EncodeUpdate, BIO_set_cipher, 135 X509_OBJECT_up_ref_count now return an int for error handling, 136 matching OpenSSL. 137 138 * Converted a number of #defines into proper functions, matching 139 OpenSSL's ABI. 140 141 * Added X509_get0_serialNumber from OpenSSL. 142 143 * Removed EVP_PKEY2PKCS8_broken and PKCS8_set_broken, while adding 144 PKCS8_pkey_add1_attr_by_NID and PKCS8_pkey_get0_attrs, matching 145 OpenSSL. 146 147 * Removed broken pkcs8 formats from openssl(1). 148 149 * Converted more functions in public API to use const arguments. 150 151 * Stopped handing AES-GCM in ssl_cipher_get_evp, since they use the 152 EVP_AEAD interface. 153 154 * Stopped using composite EVP_CIPHER AEADs. 155 156 * Added timing-safe compares for checking results of signature 157 verification. There are no known attacks, this is just inexpensive 158 prudence. 159 160 * Correctly clear the current cipher state, when changing cipher state. 161 This fixed an issue where renegotiation of cipher suites would fail 162 when switched from AEAD to non-AEAD or vice-versa. 163 Issue reported by Bernard Spil. 164 165 * Added more cipher tests to appstest.sh, including all TLSv1.2 166 ciphers. 167 168 * Added RSA_meth_get_finish() RSA_meth_set1_name() from OpenSSL. 169 170 * Added new EVP_CIPHER_CTX_(get|set)_iv() API that allows the IV to be 171 retrieved and set with appropriate validation. 172 1732.8.0 - Bug fixes, security, and compatibility improvements 174 175 * Extensive documentation updates and additional API history. 176 177 * Fixed a pair of 20+ year-old bugs in X509_NAME_add_entry 178 179 * Tighten up checks for various X509_VERIFY_PARAM functions, 180 'poisoning' parameters so that an unverified certificate cannot be 181 used if it fails verification. 182 183 * Fixed a potential memory leak on failure in ASN1_item_digest 184 185 * Fixed a potential memory alignment crash in asn1_item_combine_free 186 187 * Removed unused SSL3_FLAGS_DELAY_CLIENT_FINISHED and 188 SSL3_FLAGS_POP_BUFFER flags in write path, simplifying IO paths. 189 190 * Removed SSL_OP_TLS_ROLLBACK_BUG buggy client workarounds. 191 192 * Made ENGINE_finish and ENGINE_free succeed on NULL and simplify callers 193 and matching OpenSSL behavior, rewrote ENGINE_* documentation. 194 195 * Added const annotations to many existing APIs from OpenSSL, making 196 interoperability easier for downstream applications. 197 198 * Fixed small timing side-channels in ecdsa_sign_setup and 199 dsa_sign_setup. 200 201 * Documented security pitfalls with BN_FLG_CONSTTIME and constant-time 202 operation of BN_* functions. 203 204 * Updated BN_clear to use explicit_bzero. 205 206 * Added a missing bounds check in c2i_ASN1_BIT_STRING. 207 208 * More CBS conversions, including simplifications to RSA key exchange, 209 and converted code to use dedicated buffers for secrets. 210 211 * Removed three remaining single DES cipher suites. 212 213 * Fixed a potential leak/incorrect return value in DSA signature 214 generation. 215 216 * Added a blinding value when generating DSA and ECDSA signatures, in 217 order to reduce the possibility of a side-channel attack leaking the 218 private key. 219 220 * Added ECC constant time scalar multiplication support. 221 From Billy Brumley and his team at Tampere University of Technology. 222 223 * Revised the implementation of RSASSA-PKCS1-v1_5 to match the 224 specification in RFC 8017. Based on an OpenSSL commit by David 225 Benjamin. 226 227 * Cleaned up BN_* implementations following changes made in OpenSSL by 228 Davide Galassi and others. 229 2302.7.4 - Security fixes 231 232 * Avoid a timing side-channel leak when generating DSA and ECDSA 233 signatures. This is caused by an attempt to do fast modular 234 arithmetic, which introduces branches that leak information 235 regarding secret values. Issue identified and reported by Keegan 236 Ryan of NCC Group. 237 238 * Reject excessively large primes in DH key generation. Problem 239 reported by Guido Vranken to OpenSSL 240 (https://github.com/openssl/openssl/pull/6457) and based on his 241 diff. 242 2432.7.3 - Bug fixes 244 245 * Removed incorrect NULL checks in DH_set0_key(). Reported by Ondrej 246 Sury 247 248 * Fixed an issue normalizing CPU architecture in the configure script, 249 which disabled assembly optimizations on platforms that get detected 250 as 'amd64', opposed to 'x86_64' 251 252 * Limited tls_config_clear_keys() to only clear private keys. 253 This was inadvertently clearing the keypair, which includes the OCSP 254 staple and pubkey hash - if an application called tls_configure() 255 followed by tls_config_clear_keys(), this would prevent OCSP staples 256 from working. 257 2582.7.2 - Stable release 259 260 * Updated and added extensive new HISTORY sections to API manuals. 261 262 * Added support for shared library builds with CMake on all supported 263 platforms. Note that some of the CMake options have changed, consult 264 the README for details. 265 2662.7.1 - Bug fixes 267 268 * Fixed a bug in int_x509_param_set_hosts, calling strlen() if name 269 length provided is 0 to match the OpenSSL behaviour. Issue noticed 270 by Christian Heimes <christian@python.org>. 271 272 * Fixed builds macOS 10.11 and older. 273 2742.7.0 - Bug fixes and improvements 275 276 * Added support for many OpenSSL 1.0.2 and 1.1 APIs, based on 277 observations of real-world usage in applications. These are 278 implemented in parallel with existing OpenSSL 1.0.1 APIs - visibility 279 changes have not been made to existing structs, allowing code written 280 for older OpenSSL APIs to continue working. 281 282 * Extensive corrections, improvements, and additions to the 283 API documentation, including new public APIs from OpenSSL that had 284 no pre-existing documentation. 285 286 * Added support for automatic library initialization in libcrypto, 287 libssl, and libtls. Support for pthread_once or a compatible 288 equivalent is now required of the target operating system. As a 289 side-effect, minimum Windows support is Vista or higher. 290 291 * Converted more packet handling methods to CBB, which improves 292 resiliency when generating TLS messages. 293 294 * Completed TLS extension handling rewrite, improving consistency of 295 checks for malformed and duplicate extensions. 296 297 * Rewrote ASN1_TYPE_{get,set}_octetstring() using templated ASN.1. 298 This removes the last remaining use of the old M_ASN1_* macros 299 (asn1_mac.h) from API that needs to continue to exist. 300 301 * Added support for client-side session resumption in libtls. 302 A libtls client can specify a session file descriptor (a regular 303 file with appropriate ownership and permissions) and libtls will 304 manage reading and writing of session data across TLS handshakes. 305 306 * Improved support for strict alignment on ARMv7 architectures, 307 conditionally enabling assembly in those cases. 308 309 * Fixed a memory leak in libtls when reusing a tls_config. 310 311 * Merged more DTLS support into the regular TLS code path, removing 312 duplicated code. 313 314 * Many improvements to Windows Cmake-based builds and tests, 315 especially when targeting Visual Studio. 316 3172.6.4 - Bug fixes 318 319 * Make tls_config_parse_protocols() work correctly when passed a NULL 320 pointer for a protocol string. Issue found by semarie@, who also 321 provided the diff. 322 323 * Correct TLS extensions handling when no extensions are present. 324 If no TLS extensions are present in a client hello or server hello, 325 omit the entire extensions block, rather than including it with a 326 length of zero. Thanks to Eric Elena <eric at voguemerry dot com> for 327 providing packet captures and testing the fix. 328 329 * Fixed portable builds on older Android systems, and systems with out 330 IPV6_TCLASS support. 331 3322.6.3 - OpenBSD 6.2 Release 333 334 * No core changes from LibreSSL 2.6.2 335 336 * Minor compatibility fixes in portable version. 337 3382.6.2 - Bug fixes 339 340 * Provide a useful error with libtls if there are no OCSP URLs in a 341 peer certificate. 342 343 * Keep track of which keypair is in use by a TLS context, fixing a bug 344 where a TLS server with SNI would only return the OCSP staple for the 345 default keypair. Issue reported by William Graeber and confirmed by 346 Andreas Bartelt. 347 348 * Fixed various issues in the OCSP extension parsing code. 349 The original code incorrectly passes the pointer allocated via 350 CBS_stow() (using malloc()) to a d2i_*() function and then calls 351 free() on the now incremented pointer, most likely resulting in a 352 crash. This issue was reported by Robert Swiecki who found the issue 353 using honggfuzz. 354 355 * If tls_config_parse_protocols() is called with a NULL pointer, 356 return the default protocols instead of crashing - this makes the 357 behaviour more useful and mirrors what we already do in 358 tls_config_set_ciphers() et al. 359 3602.6.1 - Code removal, rewrites 361 362 * Added a "-T tlscompat" option to nc(1), which enables the use of all 363 TLS protocols and "compat" ciphers. This allows for TLS connections 364 to TLS servers that are using less than ideal cipher suites, without 365 having to resort to "-T tlsall" which enables all known cipher 366 suites. Diff from Kyle J. McKay. 367 368 * Added a new TLS extension handling framework, somewhat analogous to 369 BoringSSL, and converted all TLS extensions to use it. Added new TLS 370 extension regression tests. 371 372 * Improved and added many new manpages. Updated *check_private_key 373 manpages with additional cautions regarding their use. 374 375 * Cleaned up the EC key/curve configuration handling. 376 377 * Added tls_config_set_ecdhecurves() to libtls, which allows the names 378 of the eliptical curves that may be used during client and server 379 key exchange to be specified. 380 381 * Converted more code paths to use CBB/CBS. 382 383 * Removed support for DSS/DSA, since we removed the cipher suites a 384 while back. 385 386 * Removed NPN support. NPN was never standardised and the last draft 387 expired in October 2012. ALPN was standardised in July 2014 and has 388 been supported in LibreSSL since December 2014. NPN has also been 389 removed from Chromium in May 2016. 390 391 * Removed SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken 392 CryptoPro clients. 393 394 * Removed support for the TLS padding extension, which was added as a 395 workaround for an old bug in F5's TLS termination. 396 397 * Worked around another bug in F5's TLS termination handling of the 398 elliptical curves extension. RFC 4492 only defines elliptic_curves 399 for ClientHello. However, F5 is sending it in ServerHello. We need 400 to skip over it since our TLS extension parsing code is now more 401 strict. Thanks to Armin Wolfermann and WJ Liu for reporting. 402 403 * Added ability to clamp notafter valies in certificates for systems 404 with 32-bit time_t. This is necessary to conform to RFC 5280 405 4.1.2.5. 406 407 * Implemented the SSL_CTX_set_min_proto_version(3) API. 408 409 * Removed the original (pre-IETF) chacha20-poly1305 cipher suites. 410 411 * Reclassified ECDHE-RSA-DES-CBC3-SHA from HIGH to MEDIUM. 412 4132.6.0 - New APIs, bug fixes and improvements 414 415 * Added support for providing CRLs to libtls. Once a CRL is provided we 416 enable CRL checking for the full certificate chain. Based on a diff 417 from Jack Burton 418 419 * Allow non-compliant clients using IP literal addresses with SNI 420 to connect to a server using libtls. 421 422 * Avoid a potential NULL pointer dereference in d2i_ECPrivateKey(). 423 Reported by Robert Swiecki, who found the issue using honggfuzz. 424 425 * Added definitions for three OIDs used in EV certificates. 426 From Kyle J. McKay 427 428 * Added tls_peer_cert_chain_pem to libtls, useful in private 429 certificate validation callbacks such as those in relayd. 430 431 * Converted explicit clear/free sequences to use freezero(3). 432 433 * Reworked TLS certificate name verification code to more strictly 434 follow RFC 6125. 435 436 * Cleaned up and simplified server key exchange EC point handling. 437 438 * Added tls_keypair_clear_key for clearing key material. 439 440 * Removed inconsistent IPv6 handling from BIO_get_accept_socket, 441 simplified BIO_get_host_ip and BIO_accept. 442 443 * Fixed the openssl(1) ca command so that is generates certificates 444 with RFC 5280-conformant time. Problem noticed by Harald Dunkel. 445 446 * Added ASN1_TIME_set_tm to set an asn1 from a struct tm * 447 448 * Added SSL{,_CTX}_set_{min,max}_proto_version() functions. 449 450 * Added HKDF (HMAC Key Derivation Function) from BoringSSL 451 452 * Provided a tls_unload_file() function that frees the memory returned 453 from a tls_load_file() call, ensuring that it the contents become 454 inaccessible. This is specifically needed on platforms where the 455 library allocators may be different from the application allocator. 456 457 * Perform reference counting for tls_config. This allows 458 tls_config_free() to be called as soon as it has been passed to the 459 final tls_configure() call, simplifying lifetime tracking for the 460 application. 461 462 * Moved internal state of SSL and other structures to be opaque. 463 464 * Dropped cipher suites with DSS authentication. 465 466 * nc(1) improvements, including: 467 nc -W to terminate nc after receiving a number of packets 468 nc -Z for saving the peer certificate and chain in a pem file 469 4702.5.5 - Bug fixes 471 472 * Distinguish between self-issued certificates and self-signed 473 certificates. The certificate verification code has special cases 474 for self-signed certificates and without this change, self-issued 475 certificates (which it seems are common place with 476 openvpn/easyrsa) were also being included in this category. 477 478 * Added getpagesize fallback, needed for Android bionic libc. 479 4802.5.4 - Security Updates 481 482 * Revert a previous change that forced consistency between return 483 value and error code when specifing a certificate verification 484 callback, since this breaks the documented API. When a user supplied 485 callback always returns 1, and later code checks the error code to 486 potentially abort post verification, this will result in incorrect 487 successul certificate verification. 488 489 * Switched Linux getrandom() usage to non-blocking mode, continuing to 490 use fallback mechanims if unsuccessful. This works around a design 491 flaw in Linux getrandom(2) where early boot usage in a library makes 492 it impossible to recover if getrandom(2) is not yet initialized. 493 494 * Fixed a bug caused by the return value being set early to signal 495 successful DTLS cookie validation. This can mask a later failure and 496 result in a positive return value being returned from 497 ssl3_get_client_hello(), when it should return a negative value to 498 propagate the error. 499 500 * Fixed a build error on non-x86/x86_64 systems running Solaris. 501 5022.5.3 - OpenBSD 6.1 Release 503 504 * Documentation updates 505 506 * Improved ocspcheck(1) error handling 507 5082.5.2 - Security features and bugfixes 509 510 * Added the recallocarray(3) memory allocation function, and converted 511 various places in the library to use it, such as CBB and BUF_MEM_grow. 512 recallocarray(3) is similar to reallocarray. Newly allocated memory 513 is cleared similar to calloc(3). Memory that becomes unallocated 514 while shrinking or moving existing allocations is explicitly 515 discarded by unmapping or clearing to 0 516 517 * Added new root CAs from SECOM Trust Systems / Security Communication 518 of Japan. 519 520 * Added EVP interface for MD5+SHA1 hashes. 521 522 * Fixed DTLS client failures when the server sends a certificate 523 request. 524 525 * Correct handling of padding when upgrading an SSLv2 challenge into 526 an SSLv3/TLS connection. 527 528 * Allow protocols and ciphers to be set on a TLS config object in 529 libtls. 530 531 * Improved nc(1) TLS handshake CPU usage and server-side error 532 reporting. 533 5342.5.1 - Bug and security fixes, new features, documentation updates 535 536 * X509_cmp_time() now passes a malformed GeneralizedTime field as an 537 error. Reported by Theofilos Petsios. 538 539 * Detect zero-length encrypted session data early, instead of when 540 malloc(0) fails or the HMAC check fails. Noted independently by 541 jsing@ and Kurt Cancemi. 542 543 * Check for and handle failure of HMAC_{Update,Final} or 544 EVP_DecryptUpdate(). 545 546 * Massive update and normalization of manpages, conversion to 547 mandoc format. Many pages were rewritten for clarity and accuracy. 548 Portable doc links are up-to-date with a new conversion tool. 549 550 * Curve25519 Key Exchange support. 551 552 * Support for alternate chains for certificate verification. 553 554 * Code cleanups, CBS conversions, further unification of DTLS/SSL 555 handshake code, further ASN1 macro expansion and removal. 556 557 * Private symbol are now hidden in libssl and libcryto. 558 559 * Friendly certificate verification error messages in libtls, peer 560 verification is now always enabled. 561 562 * Added OCSP stapling support to libtls and netcat. 563 564 * Added ocspcheck utility to validate a certificate against its OCSP 565 responder and save the reply for stapling 566 567 * Enhanced regression tests and error handling for libtls. 568 569 * Added explicit constant and non-constant time BN functions, 570 defaulting to constant time wherever possible. 571 572 * Moved many leaked implementation details in public structs behind 573 opaque pointers. 574 575 * Added ticket support to libtls. 576 577 * Added support for setting the supported EC curves via 578 SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous 579 SSL{_CTX}_set1_curves{_list} names. This also changes the default 580 list of curves to be X25519, P-256 and P-384. All other curves must 581 be manually enabled. 582 583 * Added -groups option to openssl(1) s_client for specifying the curves 584 to be used in a colon-separated list. 585 586 * Merged client/server version negotiation code paths into one, 587 reducing much duplicate code. 588 589 * Removed error function codes from libssl and libcrypto. 590 591 * Fixed an issue where a truncated packet could crash via an OOB read. 592 593 * Added SSL_OP_NO_CLIENT_RENEGOTIATION option that disallows 594 client-initiated renegotiation. This is the default for libtls 595 servers. 596 597 * Avoid a side-channel cache-timing attack that can leak the ECDSA 598 private keys when signing. This is due to BN_mod_inverse() being 599 used without the constant time flag being set. Reported by Cesar 600 Pereida Garcia and Billy Brumley (Tampere University of Technology). 601 The fix was developed by Cesar Pereida Garcia. 602 603 * iOS and MacOS compatibility updates from Simone Basso and Jacob 604 Berkman. 605 606 6072.5.0 - New APIs, bug fixes and improvements 608 609 * libtls now supports ALPN and SNI 610 611 * libtls adds a new callback interface for integrating custom IO 612 functions. Thanks to Tobias Pape. 613 614 * libtls now handles 4 cipher suite groups: 615 "secure" (TLSv1.2+AEAD+PFS) 616 "compat" (HIGH:!aNULL) 617 "legacy" (HIGH:MEDIUM:!aNULL) 618 "insecure" (ALL:!aNULL:!eNULL) 619 620 This allows for flexibility and finer grained control, rather than 621 having two extremes (an issue raised by Marko Kreen some time ago). 622 623 * Tightened error handling for tls_config_set_ciphers(). 624 625 * libtls now always loads CA, key and certificate files at the time the 626 configuration function is called. This simplifies code and results in 627 a single memory based code path being used to provide data to libssl. 628 629 * Add support for OCSP intermediate certificates. 630 631 * Added functions used by stunnel and exim from BoringSSL - this 632 brings in X509_check_host, X509_check_email, X509_check_ip, and 633 X509_check_ip_asc. 634 635 * Added initial support for iOS, thanks to Jacob Berkman. 636 637 * Improved behavior of arc4random on Windows when using memory leak 638 analysis software. 639 640 * Correctly handle an EOF that occurs prior to the TLS handshake 641 completing. Reported by Vasily Kolobkov, based on a diff from Marko 642 Kreen. 643 644 * Limit the support of the "backward compatible" ssl2 handshake to 645 only be used if TLS 1.0 is enabled. 646 647 * Fix incorrect results in certain cases on 64-bit systems when 648 BN_mod_word() can return incorrect results. BN_mod_word() now can 649 return an error condition. Thanks to Brian Smith. 650 651 * Added constant-time updates to address CVE-2016-0702 652 653 * Fixed undefined behavior in BN_GF2m_mod_arr() 654 655 * Removed unused Cryptographic Message Support (CMS) 656 657 * More conversions of long long idioms to time_t 658 659 * Improved compatibility by avoiding printing NULL strings with 660 printf. 661 662 * Reverted change that cleans up the EVP cipher context in 663 EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the 664 previous behaviour. 665 666 * Avoid unbounded memory growth in libssl, which can be triggered by a 667 TLS client repeatedly renegotiating and sending OCSP Status Request 668 TLS extensions. 669 670 * Avoid falling back to a weak digest for (EC)DH when using SNI with 671 libssl. 672 6732.4.2 - Bug fixes and improvements 674 675 * Fixed loading default certificate locations with openssl s_client. 676 677 * Ensured OCSP only uses and compares GENERALIZEDTIME values as per 678 RFC6960. Also added fixes for OCSP to work with intermediate 679 certificates provided in responses. 680 681 * Improved behavior of arc4random on Windows to not appear to leak 682 memory in debug tools, reduced privileges of allocated memory. 683 684 * Fixed incorrect results from BN_mod_word() when the modulus is too 685 large, thanks to Brian Smith from BoringSSL. 686 687 * Correctly handle an EOF prior to completing the TLS handshake in 688 libtls. 689 690 * Improved libtls ceritificate loading and cipher string validation. 691 692 * Updated libtls cipher group suites into four categories: 693 "secure" (TLSv1.2+AEAD+PFS) 694 "compat" (HIGH:!aNULL) 695 "legacy" (HIGH:MEDIUM:!aNULL) 696 "insecure" (ALL:!aNULL:!eNULL) 697 This allows for flexibility and finer grained control, rather than 698 having two extremes. 699 700 * Limited support for 'backward compatible' SSLv2 handshake packets to 701 when TLS 1.0 is enabled, providing more restricted compatibility 702 with TLS 1.0 clients. 703 704 * openssl(1) and other documentation improvements. 705 706 * Removed flags for disabling constant-time operations. 707 This removes support for DSA_FLAG_NO_EXP_CONSTTIME, 708 DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making 709 all of these operations unconditionally constant-time. 710 711 7122.4.1 - Security fix 713 714 * Correct a problem that prevents the DSA signing algorithm from 715 running in constant time even if the flag BN_FLG_CONSTTIME is set. 716 This issue was reported by Cesar Pereida (Aalto University), Billy 717 Brumley (Tampere University of Technology), and Yuval Yarom (The 718 University of Adelaide and NICTA). The fix was developed by Cesar 719 Pereida. 720 7212.4.0 - Build improvements, new features 722 723 * Many improvements to the CMake build infrastructure, including 724 Solaris, mingw-w64, Cygwin, and HP-UX support. Thanks to Kinichiro 725 Inoguchi for this work. 726 727 * Added missing error handling around bn_wexpand() calls. 728 729 * Added explicit_bzero calls for freed ASN.1 objects. 730 731 * Fixed X509_*set_object functions to return 0 on allocation failure. 732 733 * Implemented the IETF ChaCha20-Poly1305 cipher suites. 734 735 * Changed default EVP_aead_chacha20_poly1305() implementation to the 736 IETF version, which is now the default. 737 738 * Fixed password prompts from openssl(1) to properly handle ^C. 739 740 * Reworked error handling in libtls so that configuration errors are 741 visible. 742 743 * Deprecated internal use of EVP_[Cipher|Encrypt|Decrypt]_Final. 744 745 * Manpage fixes and updates 746 7472.3.5 - Reliability fix 748 749 * Fixed an error in libcrypto when parsing some ASN.1 elements > 16k. 750 7512.3.4 - Security Update 752 753 * Fix multiple vulnerabilities in libcrypto relating to ASN.1 and encoding. 754 From OpenSSL. 755 756 * Minor build fixes 757 7582.3.3 - OpenBSD 5.9 release branch tagged 759 760 * Reworked build scripts to better sync with OpenNTPD-portable 761 762 * Fixed broken manpage links 763 764 * Fixed an nginx compatibility issue by adding an 'install_sw' make alias 765 766 * Fixed HP-UX builds 767 768 * Changed the default configuration directory to c:\LibreSSL\ssl on Windows 769 binary builds 770 771 * cert.pem has been reorganized and synced with Mozilla's certificate store 772 7732.3.2 - Compatibility and Reliability fixes 774 775 * Changed format of LIBRESSL_VERSION_NUMBER to match that of 776 OPENSSL_VERSION_NUMBER, see: 777 https://wiki.openssl.org/index.php/Manual:OPENSSL_VERSION_NUMBER(3) 778 779 * Added EVP_aead_chacha20_poly1305_ietf() which matches the AEAD 780 construction introduced in RFC 7539, which is different than that 781 already used in TLS with EVP_aead_chacha20_poly1305() 782 783 * Avoid a potential undefined C99+ behavior due to shift overflow in 784 AES_decrypt, reported by Pascal Cuoq <cuoq at trust-in-soft.com> 785 786 * More man pages converted from pod to mdoc format 787 788 * Added COMODO RSA Certification Authority and QuoVadis 789 root certificates to cert.pem 790 791 * Removed Remove "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification 792 Authority" (serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be) root 793 certificate from cert.pem 794 795 * Added support for building nc(1) on Solaris 796 797 * Fixed GCC 5.x+ preprocessor checks, reported by Ruslan Babayev 798 799 * Improved console handling with openssl(1) on Windows 800 801 * Ensure the network stack is enabled on Windows when running 802 tls_init() 803 804 * Fixed incorrect TLS certificate loading by nc(1) 805 806 * Added support for Solaris 11.3's getentropy(2) system call 807 808 * Enabled support for using NetBSD 7.0's arc4random(3) implementation 809 810 * Deprecated the SSL_OP_SINGLE_DH_USE flag by disabling its effect 811 812 * Fixes from OpenSSL 1.0.1q 813 - CVE-2015-3194 - NULL pointer dereference in client side certificate 814 validation. 815 - CVE-2015-3195 - Memory leak in PKCS7 - not reachable from TLS/SSL 816 817 * The following OpenSSL CVEs did not apply to LibreSSL 818 - CVE-2015-3193 - Carry propagating bug in the x86_64 Montgomery 819 squaring procedure. 820 - CVE-2015-3196 - Double free race condition of the identify hint 821 data. 822 823 See https://marc.info/?l=openbsd-announce&m=144925068504102 824 8252.3.1 - ASN.1 and time handling cleanups 826 827 * ASN.1 cleanups and RFC5280 compliance fixes. 828 829 * Time representations switched from 'unsigned long' to 'time_t'. LibreSSL 830 now checks if the host OS supports 64-bit time_t. 831 832 * Fixed a leak in SSL_new in the error path. 833 834 * Support always extracting the peer cipher and version with libtls. 835 836 * Added ability to check certificate validity times with libtls, 837 tls_peer_cert_notbefore and tls_peer_cert_notafter. 838 839 * Changed tls_connect_servername to use the first address that resolves with 840 getaddrinfo(). 841 842 * Remove broken conditional EVP_CHECK_DES_KEY code (non-functional since 843 initial commit in 2004). 844 845 * Fixed a memory leak and out-of-bounds access in OBJ_obj2txt, reported 846 by Qualys Security. 847 848 * Fixed an up-to 7 byte overflow in RC4 when len is not a multiple of 849 sizeof(RC4_CHUNK), reported by Pascal Cuoq <cuoq at trust-in-soft.com>. 850 851 * Reject too small bits value in BN_generate_prime_ex(), so that it does 852 not risk becoming negative in probable_prime_dh_safe(), reported by 853 Franck Denis. 854 855 * Enable nc(1) builds on more platforms. 856 8572.3.0 - SSLv3 removed, libtls API changes, portability improvements 858 859 * SSLv3 is now permanently removed from the tree. 860 861 * The libtls API is changed from the 2.2.x series. 862 863 The read/write functions work correctly with external event 864 libraries. See the tls_init man page for examples of using libtls 865 correctly in asynchronous mode. 866 867 Client-side verification is now supported, with the client supplying 868 the certificate to the server. 869 870 Also, when using tls_connect_fds, tls_connect_socket or 871 tls_accept_fds, libtls no longer implicitly closes the passed in 872 sockets. The caller is responsible for closing them in this case. 873 874 * When loading a DSA key from an raw (without DH parameters) ASN.1 875 serialization, perform some consistency checks on its `p' and `q' 876 values, and return an error if the checks failed. 877 878 Thanks for Georgi Guninski (guninski at guninski dot com) for 879 mentioning the possibility of a weak (non prime) q value and 880 providing a test case. 881 882 See 883 https://cpunks.org/pipermail/cypherpunks/2015-September/009007.html 884 for a longer discussion. 885 886 * Fixed a bug in ECDH_compute_key that can lead to silent truncation 887 of the result key without error. A coding error could cause software 888 to use much shorter keys than intended. 889 890 * Removed support for DTLS_BAD_VER. Pre-DTLSv1 implementations are no 891 longer supported. 892 893 * The engine command and parameters are removed from the openssl(1). 894 Previous releases removed dynamic and builtin engine support 895 already. 896 897 * SHA-0 is removed, which was withdrawn shortly after publication 20 898 years ago. 899 900 * Added Certplus CA root certificate to the default cert.pem file. 901 902 * New interface OPENSSL_cpu_caps is provided that does not allow 903 software to inadvertently modify cpu capability flags. 904 OPENSSL_ia32cap and OPENSSL_ia32cap_loc are removed. 905 906 * The out_len argument of AEAD changed from ssize_t to size_t. 907 908 * Deduplicated DTLS code, sharing bugfixes and improvements with 909 TLS. 910 911 * Converted 'nc' to use libtls for client and server operations; it is 912 included in the libressl-portable distribution as an example of how 913 to use the library. 914 9152.2.3 - Bug fixes, build enhancements 916 917 * LibreSSL 2.2.2 incorrectly handles ClientHello messages that do not 918 include TLS extensions, resulting in such handshakes being aborted. 919 This release corrects the handling of such messages. Thanks to 920 Ligushka from github for reporting the issue. 921 922 * Added install target for cmake builds. Thanks to TheNietsnie from 923 github. 924 925 * Updated pkgconfig files to correctly report the release version 926 number, not the individual library ABI version numbers. Thanks to 927 Jan Engelhardt for reporting the issue. 928 9292.2.2 - More TLS parser rework, bug fixes, expanded portable build support 930 931 * Switched 'openssl dhparam' default from 512 to 2048 bits 932 933 * Reworked openssl(1) option handling 934 935 * More CRYPTO ByteString (CBC) packet parsing conversions 936 937 * Fixed 'openssl pkeyutl -verify' to exit with a 0 on success 938 939 * Fixed dozens of Coverity issues including dead code, memory leaks, 940 logic errors and more. 941 942 * Ensure that openssl(1) restores terminal echo state after reading a 943 password. 944 945 * Incorporated fix for OpenSSL Issue #3683 946 947 * LibreSSL version define LIBRESSL_VERSION_NUMBER will now be bumped 948 for each portable release. 949 950 * Removed workarounds for TLS client padding bugs. 951 952 * No longer disable ECDHE-ECDSA on OS X 953 954 * Removed SSLv3 support from openssl(1) 955 956 * Removed IE 6 SSLv3 workarounds. 957 958 * Modified tls_write in libtls to allow partial writes, clarified with 959 examples in the documentation. 960 961 * Removed RSAX engine 962 963 * Tested SSLv3 removal with the OpenBSD ports tree and found several 964 applications that were not ready to build without SSLv3 yet. For 965 now, building a program that intentionally uses SSLv3 will result in 966 a linker warning. 967 968 * Added TLS_method, TLS_client_method and TLS_server_method as a 969 replacement for the SSLv23_*method calls. 970 971 * Added initial cmake build support, including support for building with 972 Visual Studio, currently tested with Visual Studio 2013 Community 973 Edition. 974 975 * --with-enginesdir is removed as a configuration parameter 976 977 * Default cert.pem, openssl.cnf, and x509v3.cnf files are now 978 installed under $sysconfdir/ssl or the directory specified by 979 --with-openssldir. Previous versions of LibreSSL left these empty. 980 9812.2.1 - Build fixes, feature added, features removed 982 983 * Assorted build fixes for musl, HP-UX, Mingw, Solaris. 984 985 * Initial support for Windows Embedded 2009, Server 2003, XP 986 987 * Protocol parsing conversions to BoringSSL's CRYPTO ByteString (CBS) API 988 989 * Added EC_curve_nid2nist and EC_curve_nist2nid from OpenSSL 990 991 * Removed Dynamic Engine support 992 993 * Removed unused and obsolete MDC-2DES cipher 994 995 * Removed workarounds for obsolete SSL implementations 996 9972.2.0 - Build cleanups and new OS support, Security Updates 998 999 * AIX Support - thanks to Michael Felt 1000 1001 * Cygwin Support - thanks to Corinna Vinschen 1002 1003 * Refactored build macros, support packaging libtls independently. 1004 There are more pieces required to support building and using OpenSSL 1005 with libtls, but this is an initial start at providing an 1006 independent package for people to start hacking on. 1007 1008 * Removal of OPENSSL_issetugid and all library getenv calls. 1009 Applications can and should no longer rely on environment variables 1010 for changing library behavior. OPENSSL_CONF/SSLEAY_CONF is still 1011 supported with the openssl(1) command. 1012 1013 * libtls API and documentation additions 1014 1015 * Various bug fixes and simplifications to libssl and libcrypto 1016 1017 * Fixes for the following issues are integrated into LibreSSL 2.2.0: 1018 - CVE-2015-1788 - Malformed ECParameters causes infinite loop 1019 - CVE-2015-1789 - Exploitable out-of-bounds read in X509_cmp_time 1020 - CVE-2015-1792 - CMS verify infinite loop with unknown hash function 1021 1022 * The following CVEs did not apply to LibreSSL or were fixed in 1023 earlier releases: 1024 - CVE-2015-4000 - DHE man-in-the-middle protection (Logjam) 1025 - CVE-2015-1790 - PKCS7 crash with missing EnvelopedContent 1026 - CVE-2014-8176 - Invalid free in DTLS 1027 1028 * Fixes for the following CVEs are still in review for LibreSSL 1029 - CVE-2015-1791 - Race condition handling NewSessionTicket 1030 10312.1.6 - Security update 1032 1033 * Fixes for the following issues are integrated into LibreSSL 2.1.6: 1034 - CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error 1035 - CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp 1036 - CVE-2015-0287 - ASN.1 structure reuse memory corruption 1037 - CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref 1038 - CVE-2015-0289 - PKCS7 NULL pointer dereferences 1039 1040 * The fix for CVE-2015-0207 - Segmentation fault in DTLSv1_listen 1041 is integrated for safety, but LibreSSL is not vulnerable. 1042 1043 * Libtls is now built by default. The --enable-libtls 1044 configuration option is no longer required. 1045 The libtls API is now stable for the 2.1.x series. 1046 10472.1.5 - Bug fixes and a security update 1048 * Fix incorrect comparison function in openssl(1) certhash command. 1049 Thanks to Christian Neukirchen / Void Linux. 1050 1051 * Windows port improvements and bug fixes. 1052 - Removed a dependency on libgcc in 32-bit dynamic libraries. 1053 - Correct a hang in openssl(1) reading from stdin on an connection. 1054 - Initialize winsock in openssl(1) earlier, allow 'openssl ocsp' and 1055 any other network-related commands to function properly. 1056 1057 * Reject all server DH keys smaller than 1024 bits. 1058 10592.1.4 - Security and feature updates 1060 * Improvements to libtls: 1061 - a new API for loading CA chains directly from memory instead of a 1062 file, allowing verification with privilege separation in a chroot 1063 without direct access to CA certificate files. 1064 1065 - Ciphers default to TLSv1.2 with AEAD and PFS. 1066 1067 - Improved error handling and message generation 1068 1069 - New APIs and improved documentation 1070 1071 * Added X509_STORE_load_mem API for loading certificates from memory. 1072 This facilitates accessing certificates from a chrooted environment. 1073 1074 * New AEAD "MAC alias" allows configuring TLSv1.2 AEAD ciphers by 1075 using 'TLSv1.2+AEAD' as the cipher selection string. 1076 1077 * Dead and disabled code removal including MD5, Netscape workarounds, 1078 non-POSIX IO, SCTP, RFC 3779 support, many #if 0 sections, and more. 1079 1080 * ASN1 macro maze expanded to aid reading and searching the code. 1081 1082 * NULL pointer asserts removed in favor of letting the OS/signal 1083 handler catch them. 1084 1085 * Refactored argument handling in openssl(1) for consistency and 1086 maintainability. 1087 1088 * New openssl(1) command 'certhash' replaces the c_rehash script. 1089 1090 * Support for building with OPENSSL_NO_DEPRECATED 1091 1092 * Server-side support for TLS_FALLBACK_SCSV for compatibility with 1093 various auditor and vulnerability scanners. 1094 1095 * Dozens of issues found with the Coverity scanner fixed. 1096 1097 * Security Updates: 1098 1099 - Fix a minor information leak that was introduced in t1_lib.c 1100 r1.71, whereby an additional 28 bytes of .rodata (or .data) is 1101 provided to the network. In most cases this is a non-issue since 1102 the memory content is already public. Issue found and reported by 1103 Felix Groebert of the Google Security Team. 1104 1105 - Fixes for the following low-severity issues were integrated into 1106 LibreSSL from OpenSSL 1.0.1k: 1107 1108 CVE-2015-0205 - DH client certificates accepted without 1109 verification 1110 CVE-2014-3570 - Bignum squaring may produce incorrect results 1111 CVE-2014-8275 - Certificate fingerprints can be modified 1112 CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client] 1113 Reported by Karthikeyan Bhargavan of the PROSECCO team at INRIA. 1114 1115 The following CVEs were fixed in earlier LibreSSL releases: 1116 CVE-2015-0206 - Memory leak handling repeated DLTS records 1117 CVE-2014-3510 - Flaw handling DTLS anonymous EC(DH) ciphersuites. 1118 1119 The following CVEs did not apply to LibreSSL: 1120 CVE-2014-3571 - DTLS segmentation fault in dtls1_get_record 1121 CVE-2014-3569 - no-ssl3 configuration sets method to NULL 1122 CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA 1123 11242.1.3 - Security update and OS support improvements 1125 * Fixed various memory leaks in DTLS, including fixes for 1126 CVE-2015-0206. 1127 1128 * Added Application-Layer Protocol Negotiation (ALPN) support. 1129 1130 * Removed GOST R 34.10-94 signature authentication. 1131 1132 * Removed nonfunctional Netscape browser-hang workaround code. 1133 1134 * Simplified and refactored SSL/DTLS handshake code. 1135 1136 * Added SHA256 Camellia cipher suites for TLS 1.2 from RFC 5932. 1137 1138 * Hide timing info about padding errors during handshakes. 1139 1140 * Improved libtls support for non-blocking sockets, added randomized 1141 session ID contexts. Work is ongoing with this library - feedback 1142 and potential use-cases are welcome. 1143 1144 * Support building Windows DLLs. 1145 Thanks to Jan Engelhard. 1146 1147 * Packaged config wrapper for better compatibility with OpenSSL-based 1148 build systems. 1149 Thanks to @technion from github 1150 1151 * Ensure the stack is marked non-executable for assembly sections. 1152 Thanks to Anthony G. Bastile. 1153 1154 * Enable extra compiler hardening flags by default, where applicable. 1155 The default set of hardening features can vary by OS to OS, so 1156 feedback is welcome on this. To disable the default hardening flags, 1157 specify '--disable-hardening' during configure. 1158 Thanks to Jim Barlow 1159 1160 * Initial HP-UX support, tested with HP-UX 11.31 ia64 1161 Thanks to Kinichiro Inoguchi 1162 1163 * Initial NetBSD support, tested with NetBSD 6.1.5 x86_64 1164 Imported from OpenNTPD, thanks to @gitisihara from github 1165 11662.1.2 - Many new features and improvements 1167 * Added reworked GOST cipher suite support 1168 thanks to Dmitry Eremin-Solenikov 1169 1170 * Enabled Camellia ciphers due to improved patent situation 1171 1172 * Use builtin arc4random implementation on OS X and FreeBSD 1173 this addresses some deficiencies in the native implementations of 1174 these operating systems, see commit logs for more information 1175 1176 * Added initial Windows mingw-w64 support (32 and 64-bit) 1177 thanks to Song Dongsheng and others for code and feedback 1178 1179 * Enabled assembly optimizations on x86_64 CPUs 1180 supports Linux, *BSD, Solaris and OS X operating systems 1181 thanks to Wouter Clarie for the initial implementation 1182 1183 * Added no_ssl3/no_tls1_1/no_tls1_2 options to openssl(1) 1184 1185 * Improved build infrastructure, 'make distcheck' now passes 1186 this simplifies and speeds developer efficiency 1187 thanks to Dmitry Eremin-Solenikov and Wouter Clarie 1188 1189 * Allow conditional building of the libtls library 1190 expect the API and ABI of the library to change 1191 feedback is welcome 1192 1193 * Fixes for more memory leaks, cleanups, etc. 1194 11952.1.1 - Security update 1196 * Address POODLE attack by disabling SSLv3 by default 1197 1198 * Fix Eliptical Curve cipher selection bug 1199 (https://github.com/libressl-portable/portable/issues/35) 1200 12012.1.0 - First release from the OpenBSD 5.7 tree 1202 * Added support for automatic ephemeral EC keys 1203 1204 * Fixes for many memory leaks and overflows in error handlers 1205 1206 * The TLS padding extension (that works around bugs in F5 terminators) is 1207 off by default 1208 1209 * support for getrandom(2) on Linux 3.17 1210 1211 * the NO_ASM macro is no longer being set, providing the first bits toward 1212 enabling other assembly offloads. 1213 12142.0.5 - Fixes for CVEs from OpenSSL 1.0.1i 1215 * CVE-2014-3506 1216 * CVE-2014-3507 1217 * CVE-2014-3508 (partially vulnerable)he 1218 * CVE-2014-3509 1219 * CVE-2014-3510 1220 * CVE-2014-3511 1221 * Synced LibreSSL Portable with the release version of OpenBSD 5.6 1222 12232.0.4 - Portability fixes, deleted unused SRP code 1224 12252.0.3 - Portability fixes, improvements to fork detection 1226 12272.0.2 - Address arc4random fork PID wraparound issues with pthread_atfork 1228 12292.0.1 - Portability fixes: 1230 * Removed -Werror and and other non-portable compiler flags 1231 1232 * Allow setting OPENSSLDIR and ENGINSDIR 1233 12342.0.0 - First release from the OpenBSD 5.6 tree 1235 * Removal of many obsolete features and coding conventions from the OpenSSL 1236 1.0.1h source 1237