Because this project is maintained both in the OpenBSD tree using CVS and in Git, it can be confusing following all of the changes.

Most of the libssl and libcrypto source code is here in OpenBSD CVS:

    http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/

Some of the libcrypto and OS-compatibility files for entropy and random number generation are here:

    http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libcrypto/

A simplified TLS wrapper library is here:

    http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libtls/

The LibreSSL Portable project copies these portions of the OpenBSD tree, along with relevant portions of the C library, to a Git repository. This makes it easier to follow all of the relevant changes to the upstream project in a single place:

    https://github.com/libressl-portable/openbsd

The portable bits of the project are largely maintained out-of-tree, and their history is also available from Git:

    https://github.com/libressl-portable/portable

LibreSSL Portable Release Notes:

2.4.2 - Bug fixes and improvements

    * Fixed loading default certificate locations with openssl s_client.

    * Ensured OCSP only uses and compares GENERALIZEDTIME values as per RFC 6960. Also added fixes for OCSP to work with intermediate certificates provided in responses.

    * Improved behavior of arc4random on Windows to not appear to leak memory in debug tools, and reduced the privileges of allocated memory.

    * Fixed incorrect results from BN_mod_word() when the modulus is too large, thanks to Brian Smith from BoringSSL.

    * Correctly handle an EOF prior to completing the TLS handshake in libtls.

    * Improved libtls certificate loading and cipher string validation.

    * Updated libtls cipher group suites into four categories:
        "secure"   (TLSv1.2+AEAD+PFS)
        "compat"   (HIGH:!aNULL)
        "legacy"   (HIGH:MEDIUM:!aNULL)
        "insecure" (ALL:!aNULL:!eNULL)
      This allows for flexibility and finer-grained control, rather than having two extremes.

    * Limited support for 'backward compatible' SSLv2 handshake packets to when TLS 1.0 is enabled, providing more restricted compatibility with TLS 1.0 clients.

    * openssl(1) and other documentation improvements.

    * Removed flags for disabling constant-time operations. This removes support for the DSA_FLAG_NO_EXP_CONSTTIME, DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making all of these operations unconditionally constant-time.

2.4.1 - Security fix

    * Correct a problem that prevents the DSA signing algorithm from running in constant time even if the flag BN_FLG_CONSTTIME is set. This issue was reported by Cesar Pereida (Aalto University), Billy Brumley (Tampere University of Technology), and Yuval Yarom (The University of Adelaide and NICTA). The fix was developed by Cesar Pereida.

2.4.0 - Build improvements, new features

    * Many improvements to the CMake build infrastructure, including Solaris, mingw-w64, Cygwin, and HP-UX support. Thanks to Kinichiro Inoguchi for this work.

    * Added missing error handling around bn_wexpand() calls.

    * Added explicit_bzero calls for freed ASN.1 objects.

    * Fixed X509_*set_object functions to return 0 on allocation failure.

    * Implemented the IETF ChaCha20-Poly1305 cipher suites.

    * Changed the default EVP_aead_chacha20_poly1305() implementation to the IETF version.

    * Fixed password prompts from openssl(1) to properly handle ^C.

    * Reworked error handling in libtls so that configuration errors are visible.

    * Deprecated internal use of EVP_[Cipher|Encrypt|Decrypt]_Final.

    * Manpage fixes and updates.

2.3.5 - Reliability fix

    * Fixed an error in libcrypto when parsing some ASN.1 elements > 16k.

2.3.4 - Security Update

    * Fix multiple vulnerabilities in libcrypto relating to ASN.1 and encoding. From OpenSSL.

    * Minor build fixes.

2.3.3 - OpenBSD 5.9 release branch tagged

    * Reworked build scripts to better sync with OpenNTPD-portable.

    * Fixed broken manpage links.

    * Fixed an nginx compatibility issue by adding an 'install_sw' make alias.

    * Fixed HP-UX builds.

    * Changed the default configuration directory to c:\LibreSSL\ssl on Windows binary builds.

    * cert.pem has been reorganized and synced with Mozilla's certificate store.

2.3.2 - Compatibility and Reliability fixes

    * Changed format of LIBRESSL_VERSION_NUMBER to match that of OPENSSL_VERSION_NUMBER, see:
      https://wiki.openssl.org/index.php/Manual:OPENSSL_VERSION_NUMBER(3)

    * Added EVP_aead_chacha20_poly1305_ietf(), which matches the AEAD construction introduced in RFC 7539 and differs from the one already used in TLS with EVP_aead_chacha20_poly1305().

    * Avoid potential undefined C99+ behavior due to shift overflow in AES_decrypt, reported by Pascal Cuoq <cuoq at trust-in-soft.com>.

    * More man pages converted from pod to mdoc format.

    * Added COMODO RSA Certification Authority and QuoVadis root certificates to cert.pem.

    * Removed the "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority" (serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be) root certificate from cert.pem.

    * Added support for building nc(1) on Solaris.

    * Fixed GCC 5.x+ preprocessor checks, reported by Ruslan Babayev.

    * Improved console handling with openssl(1) on Windows.

    * Ensure the network stack is enabled on Windows when running tls_init().

    * Fixed incorrect TLS certificate loading by nc(1).

    * Added support for Solaris 11.3's getentropy(2) system call.

    * Enabled support for using NetBSD 7.0's arc4random(3) implementation.

    * Deprecated the SSL_OP_SINGLE_DH_USE flag by disabling its effect.

    * Fixes from OpenSSL 1.0.1q:
        - CVE-2015-3194 - NULL pointer dereference in client side certificate validation.
        - CVE-2015-3195 - Memory leak in PKCS7 - not reachable from TLS/SSL.

    * The following OpenSSL CVEs did not apply to LibreSSL:
        - CVE-2015-3193 - Carry propagating bug in the x86_64 Montgomery squaring procedure.
        - CVE-2015-3196 - Double free race condition of the identity hint data.

      See https://marc.info/?l=openbsd-announce&m=144925068504102

2.3.1 - ASN.1 and time handling cleanups

    * ASN.1 cleanups and RFC 5280 compliance fixes.

    * Time representations switched from 'unsigned long' to 'time_t'. LibreSSL now checks if the host OS supports 64-bit time_t.

    * Fixed a leak in SSL_new in the error path.

    * Support always extracting the peer cipher and version with libtls.

    * Added ability to check certificate validity times with libtls, tls_peer_cert_notbefore and tls_peer_cert_notafter.

    * Changed tls_connect_servername to use the first address that resolves with getaddrinfo().

    * Remove broken conditional EVP_CHECK_DES_KEY code (non-functional since initial commit in 2004).

    * Fixed a memory leak and out-of-bounds access in OBJ_obj2txt, reported by Qualys Security.

    * Fixed an up-to-7-byte overflow in RC4 when len is not a multiple of sizeof(RC4_CHUNK), reported by Pascal Cuoq <cuoq at trust-in-soft.com>.

    * Reject too small bits value in BN_generate_prime_ex(), so that it does not risk becoming negative in probable_prime_dh_safe(), reported by Franck Denis.

    * Enable nc(1) builds on more platforms.

2.3.0 - SSLv3 removed, libtls API changes, portability improvements

    * SSLv3 is now permanently removed from the tree.

    * The libtls API is changed from the 2.2.x series.

      The read/write functions work correctly with external event libraries. See the tls_init man page for examples of using libtls correctly in asynchronous mode.

      Client-side verification is now supported, with the client supplying the certificate to the server.

      Also, when using tls_connect_fds, tls_connect_socket or tls_accept_fds, libtls no longer implicitly closes the passed-in sockets. The caller is responsible for closing them in this case.

    * When loading a DSA key from a raw (without DH parameters) ASN.1 serialization, perform some consistency checks on its `p' and `q' values, and return an error if the checks fail.

      Thanks to Georgi Guninski (guninski at guninski dot com) for mentioning the possibility of a weak (non-prime) q value and providing a test case.

      See https://cpunks.org/pipermail/cypherpunks/2015-September/009007.html for a longer discussion.

    * Fixed a bug in ECDH_compute_key that can lead to silent truncation of the result key without error. A coding error could cause software to use much shorter keys than intended.

    * Removed support for DTLS_BAD_VER. Pre-DTLSv1 implementations are no longer supported.

    * The engine command and parameters are removed from openssl(1). Previous releases removed dynamic and builtin engine support already.

    * SHA-0 is removed; it was withdrawn shortly after publication 20 years ago.

    * Added Certplus CA root certificate to the default cert.pem file.

    * New interface OPENSSL_cpu_caps is provided that does not allow software to inadvertently modify cpu capability flags. OPENSSL_ia32cap and OPENSSL_ia32cap_loc are removed.

    * The out_len argument of AEAD changed from ssize_t to size_t.

    * Deduplicated DTLS code, sharing bugfixes and improvements with TLS.

    * Converted 'nc' to use libtls for client and server operations; it is included in the libressl-portable distribution as an example of how to use the library.

2.2.3 - Bug fixes, build enhancements

    * LibreSSL 2.2.2 incorrectly handles ClientHello messages that do not include TLS extensions, resulting in such handshakes being aborted. This release corrects the handling of such messages. Thanks to Ligushka from github for reporting the issue.

    * Added install target for cmake builds. Thanks to TheNietsnie from github.

    * Updated pkgconfig files to correctly report the release version number, not the individual library ABI version numbers. Thanks to Jan Engelhardt for reporting the issue.

2.2.2 - More TLS parser rework, bug fixes, expanded portable build support

    * Switched 'openssl dhparam' default from 512 to 2048 bits.

    * Reworked openssl(1) option handling.

    * More CRYPTO ByteString (CBS) packet parsing conversions.

    * Fixed 'openssl pkeyutl -verify' to exit with a 0 on success.

    * Fixed dozens of Coverity issues including dead code, memory leaks, logic errors and more.

    * Ensure that openssl(1) restores terminal echo state after reading a password.

    * Incorporated fix for OpenSSL Issue #3683.

    * LibreSSL version define LIBRESSL_VERSION_NUMBER will now be bumped for each portable release.

    * Removed workarounds for TLS client padding bugs.

    * No longer disable ECDHE-ECDSA on OS X.

    * Removed SSLv3 support from openssl(1).

    * Removed IE 6 SSLv3 workarounds.

    * Modified tls_write in libtls to allow partial writes, clarified with examples in the documentation.

    * Removed RSAX engine.

    * Tested SSLv3 removal with the OpenBSD ports tree and found several applications that were not ready to build without SSLv3 yet. For now, building a program that intentionally uses SSLv3 will result in a linker warning.

    * Added TLS_method, TLS_client_method and TLS_server_method as a replacement for the SSLv23_*method calls.

    * Added initial cmake build support, including support for building with Visual Studio, currently tested with Visual Studio 2013 Community Edition.

    * --with-enginesdir is removed as a configuration parameter.

    * Default cert.pem, openssl.cnf, and x509v3.cnf files are now installed under $sysconfdir/ssl or the directory specified by --with-openssldir. Previous versions of LibreSSL left these empty.

2.2.1 - Build fixes, feature added, features removed

    * Assorted build fixes for musl, HP-UX, Mingw, Solaris.

    * Initial support for Windows Embedded 2009, Server 2003, XP.

    * Protocol parsing conversions to BoringSSL's CRYPTO ByteString (CBS) API.

    * Added EC_curve_nid2nist and EC_curve_nist2nid from OpenSSL.

    * Removed Dynamic Engine support.

    * Removed unused and obsolete MDC-2DES cipher.

    * Removed workarounds for obsolete SSL implementations.

2.2.0 - Build cleanups and new OS support, Security Updates

    * AIX Support - thanks to Michael Felt.

    * Cygwin Support - thanks to Corinna Vinschen.

    * Refactored build macros, support packaging libtls independently. There are more pieces required to support building and using OpenSSL with libtls, but this is an initial start at providing an independent package for people to start hacking on.

    * Removal of OPENSSL_issetugid and all library getenv calls. Applications can and should no longer rely on environment variables for changing library behavior. OPENSSL_CONF/SSLEAY_CONF is still supported with the openssl(1) command.

    * libtls API and documentation additions.

    * Various bug fixes and simplifications to libssl and libcrypto.

    * Fixes for the following issues are integrated into LibreSSL 2.2.0:
        - CVE-2015-1788 - Malformed ECParameters causes infinite loop
        - CVE-2015-1789 - Exploitable out-of-bounds read in X509_cmp_time
        - CVE-2015-1792 - CMS verify infinite loop with unknown hash function

    * The following CVEs did not apply to LibreSSL or were fixed in earlier releases:
        - CVE-2015-4000 - DHE man-in-the-middle protection (Logjam)
        - CVE-2015-1790 - PKCS7 crash with missing EnvelopedContent
        - CVE-2014-8176 - Invalid free in DTLS

    * Fixes for the following CVEs are still in review for LibreSSL:
        - CVE-2015-1791 - Race condition handling NewSessionTicket

2.1.6 - Security update

    * Fixes for the following issues are integrated into LibreSSL 2.1.6:
        - CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
        - CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
        - CVE-2015-0287 - ASN.1 structure reuse memory corruption
        - CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref
        - CVE-2015-0289 - PKCS7 NULL pointer dereferences

    * The fix for CVE-2015-0207 - Segmentation fault in DTLSv1_listen is integrated for safety, but LibreSSL is not vulnerable.

    * Libtls is now built by default. The --enable-libtls configuration option is no longer required. The libtls API is now stable for the 2.1.x series.

2.1.5 - Bug fixes and a security update

    * Fix incorrect comparison function in openssl(1) certhash command. Thanks to Christian Neukirchen / Void Linux.

    * Windows port improvements and bug fixes.
        - Removed a dependency on libgcc in 32-bit dynamic libraries.
        - Correct a hang in openssl(1) reading from stdin on a connection.
        - Initialize winsock in openssl(1) earlier, allow 'openssl ocsp' and any other network-related commands to function properly.

    * Reject all server DH keys smaller than 1024 bits.

2.1.4 - Security and feature updates

    * Improvements to libtls:
        - a new API for loading CA chains directly from memory instead of a file, allowing verification with privilege separation in a chroot without direct access to CA certificate files.
        - Ciphers default to TLSv1.2 with AEAD and PFS.
        - Improved error handling and message generation.
        - New APIs and improved documentation.

    * Added X509_STORE_load_mem API for loading certificates from memory. This facilitates accessing certificates from a chrooted environment.

    * New AEAD "MAC alias" allows configuring TLSv1.2 AEAD ciphers by using 'TLSv1.2+AEAD' as the cipher selection string.

    * Dead and disabled code removal including MD5, Netscape workarounds, non-POSIX IO, SCTP, RFC 3779 support, many #if 0 sections, and more.

    * ASN1 macro maze expanded to aid reading and searching the code.

    * NULL pointer asserts removed in favor of letting the OS/signal handler catch them.

    * Refactored argument handling in openssl(1) for consistency and maintainability.

    * New openssl(1) command 'certhash' replaces the c_rehash script.

    * Support for building with OPENSSL_NO_DEPRECATED.

    * Server-side support for TLS_FALLBACK_SCSV for compatibility with various auditor and vulnerability scanners.

    * Dozens of issues found with the Coverity scanner fixed.

    * Security Updates:

        - Fix a minor information leak that was introduced in t1_lib.c r1.71, whereby an additional 28 bytes of .rodata (or .data) is provided to the network. In most cases this is a non-issue since the memory content is already public. Issue found and reported by Felix Groebert of the Google Security Team.

        - Fixes for the following low-severity issues were integrated into LibreSSL from OpenSSL 1.0.1k:

            CVE-2015-0205 - DH client certificates accepted without verification
            CVE-2014-3570 - Bignum squaring may produce incorrect results
            CVE-2014-8275 - Certificate fingerprints can be modified
            CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client]
          Reported by Karthikeyan Bhargavan of the PROSECCO team at INRIA.

          The following CVEs were fixed in earlier LibreSSL releases:
            CVE-2015-0206 - Memory leak handling repeated DTLS records
            CVE-2014-3510 - Flaw handling DTLS anonymous EC(DH) ciphersuites.

          The following CVEs did not apply to LibreSSL:
            CVE-2014-3571 - DTLS segmentation fault in dtls1_get_record
            CVE-2014-3569 - no-ssl3 configuration sets method to NULL
            CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA

2.1.3 - Security update and OS support improvements

    * Fixed various memory leaks in DTLS, including fixes for CVE-2015-0206.

    * Added Application-Layer Protocol Negotiation (ALPN) support.

    * Removed GOST R 34.10-94 signature authentication.

    * Removed nonfunctional Netscape browser-hang workaround code.

    * Simplified and refactored SSL/DTLS handshake code.

    * Added SHA256 Camellia cipher suites for TLS 1.2 from RFC 5932.

    * Hide timing info about padding errors during handshakes.

    * Improved libtls support for non-blocking sockets, added randomized session ID contexts. Work is ongoing with this library - feedback and potential use-cases are welcome.

    * Support building Windows DLLs. Thanks to Jan Engelhardt.

    * Packaged config wrapper for better compatibility with OpenSSL-based build systems. Thanks to @technion from github.

    * Ensure the stack is marked non-executable for assembly sections. Thanks to Anthony G. Basile.

    * Enable extra compiler hardening flags by default, where applicable. The default set of hardening features can vary from OS to OS, so feedback is welcome on this. To disable the default hardening flags, specify '--disable-hardening' during configure. Thanks to Jim Barlow.

    * Initial HP-UX support, tested with HP-UX 11.31 ia64. Thanks to Kinichiro Inoguchi.

    * Initial NetBSD support, tested with NetBSD 6.1.5 x86_64. Imported from OpenNTPD, thanks to @gitisihara from github.

2.1.2 - Many new features and improvements

    * Added reworked GOST cipher suite support, thanks to Dmitry Eremin-Solenikov.

    * Enabled Camellia ciphers due to improved patent situation.

    * Use builtin arc4random implementation on OS X and FreeBSD. This addresses some deficiencies in the native implementations of these operating systems; see commit logs for more information.

    * Added initial Windows mingw-w64 support (32 and 64-bit), thanks to Song Dongsheng and others for code and feedback.

    * Enabled assembly optimizations on x86_64 CPUs. Supports Linux, *BSD, Solaris and OS X operating systems; thanks to Wouter Clarie for the initial implementation.

    * Added no_ssl3/no_tls1_1/no_tls1_2 options to openssl(1).

    * Improved build infrastructure, 'make distcheck' now passes. This simplifies development and speeds up the developer workflow; thanks to Dmitry Eremin-Solenikov and Wouter Clarie.

    * Allow conditional building of the libtls library. Expect the API and ABI of the library to change; feedback is welcome.

    * Fixes for more memory leaks, cleanups, etc.

2.1.1 - Security update

    * Address POODLE attack by disabling SSLv3 by default.

    * Fix Elliptic Curve cipher selection bug (https://github.com/libressl-portable/portable/issues/35).

2.1.0 - First release from the OpenBSD 5.7 tree

    * Added support for automatic ephemeral EC keys.

    * Fixes for many memory leaks and overflows in error handlers.

    * The TLS padding extension (that works around bugs in F5 terminators) is off by default.

    * Support for getrandom(2) on Linux 3.17.

    * The NO_ASM macro is no longer being set, providing the first bits toward enabling other assembly offloads.

2.0.5 - Fixes for CVEs from OpenSSL 1.0.1i

    * CVE-2014-3506
    * CVE-2014-3507
    * CVE-2014-3508 (partially vulnerable)
    * CVE-2014-3509
    * CVE-2014-3510
    * CVE-2014-3511
    * Synced LibreSSL Portable with the release version of OpenBSD 5.6

2.0.4 - Portability fixes, deleted unused SRP code

2.0.3 - Portability fixes, improvements to fork detection

2.0.2 - Address arc4random fork PID wraparound issues with pthread_atfork

2.0.1 - Portability fixes:

    * Removed -Werror and other non-portable compiler flags

    * Allow setting OPENSSLDIR and ENGINSDIR

2.0.0 - First release from the OpenBSD 5.6 tree

    * Removal of many obsolete features and coding conventions from the OpenSSL 1.0.1h source
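The 2.3.2 entry above notes that LIBRESSL_VERSION_NUMBER now follows the OPENSSL_VERSION_NUMBER layout (0xMNNFFPPS), and 2.2.2 notes that it is bumped for every portable release, which is what lets a build decide whether a given fix from these notes is present. The decoder and comparison below are an added example, not LibreSSL code; the sample version values are constructed for illustration.

```c
#include <stdio.h>

/*
 * Fields of a version number in the OPENSSL_VERSION_NUMBER layout
 * 0xMNNFFPPS, which LIBRESSL_VERSION_NUMBER follows from 2.3.2 on:
 *   M  (4 bits)  major
 *   NN (8 bits)  minor
 *   FF (8 bits)  fix
 *   PP (8 bits)  patch level (OpenSSL's patch letter; 0 when unused)
 *   S  (4 bits)  status: 0 = development, 1..14 = beta, 15 = release
 */
struct ssl_version {
    unsigned major, minor, fix, patch, status;
};

/* Split a packed version number into its fields. */
struct ssl_version decode_version(unsigned long v)
{
    struct ssl_version r;

    r.major  = (unsigned)((v >> 28) & 0x0f);
    r.minor  = (unsigned)((v >> 20) & 0xff);
    r.fix    = (unsigned)((v >> 12) & 0xff);
    r.patch  = (unsigned)((v >>  4) & 0xff);
    r.status = (unsigned)( v        & 0x0f);
    return r;
}

/* Pack fields back into a version number; inverse of decode_version(). */
unsigned long encode_version(unsigned major, unsigned minor, unsigned fix,
    unsigned patch, unsigned status)
{
    return ((unsigned long)(major  & 0x0f) << 28) |
           ((unsigned long)(minor  & 0xff) << 20) |
           ((unsigned long)(fix    & 0xff) << 12) |
           ((unsigned long)(patch  & 0xff) <<  4) |
            (unsigned long)(status & 0x0f);
}

/*
 * Return 1 if v is at least release major.minor.fix, ignoring the patch
 * and status fields; this is the comparison a build would make to check
 * that a fix listed under a given release in these notes is present.
 */
int version_at_least(unsigned long v, unsigned major, unsigned minor,
    unsigned fix)
{
    return (v & ~0xfffUL) >= encode_version(major, minor, fix, 0, 0);
}

int main(void)
{
    /* Constructed sample value for illustration: a 2.4.2 release. */
    unsigned long sample = 0x2040200fUL;
    struct ssl_version ver = decode_version(sample);

    printf("0x%08lx -> %u.%u.%u patch %u status %u\n", sample,
        ver.major, ver.minor, ver.fix, ver.patch, ver.status);
    printf("at least 2.3.5: %d\n", version_at_least(sample, 2, 3, 5));
    return 0;
}
```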