xref: /dragonfly/crypto/libressl/ChangeLog (revision 8edacedf)
Because this project is maintained both in the OpenBSD tree using CVS and in
Git, it can be confusing to follow all of the changes.

Most of the libssl and libcrypto source code is here in OpenBSD CVS:

	http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/

Some of the libcrypto and OS-compatibility files for entropy and random number
generation are here:

	http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libcrypto/

A simplified TLS wrapper library is here:

	http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libtls/

The LibreSSL Portable project copies these portions of the OpenBSD tree, along
with relevant portions of the C library, to a Git repository. This makes it
easier to follow all of the relevant changes to the upstream project in a
single place:

	https://github.com/libressl-portable/openbsd

The portable bits of the project are largely maintained out-of-tree, and their
history is also available from Git.

	https://github.com/libressl-portable/portable

LibreSSL Portable Release Notes:

3.2.2 - Stable release

	* This is the first stable release with the new TLSv1.3
	  implementation enabled by default for both client and server. The
	  OpenSSL 1.1 TLSv1.3 API is not yet available and will be provided
	  in an upcoming release.

	* New X509 certificate chain validator that correctly handles
	  multiple paths through intermediate certificates. Loosely based on
	  Go's X509 validator.

	* New name constraints verification implementation which passes the
	  bettertls.com certificate validation check suite.

	* Improve the handling of BIO_read()/BIO_write() failures in the
	  TLSv1.3 stack.

	* Start replacing the existing TLSv1.2 record layer.

	* Define OPENSSL_NO_SSL_TRACE in opensslfeatures.h.

	* Make SSL_CTX_get_ciphers(NULL) return NULL rather than crash.

	* Send alert on ssl_get_prev_session() failure.

	* Zero out variable on the stack to avoid leaving garbage in the tail
	  of short session IDs.

	* Move state initialization from SSL_clear() to ssl3_clear() to ensure
	  that it gets correctly reinitialized across a SSL_set_ssl_method()
	  call.

	* Avoid an out-of-bounds write in BN_rand().

	* Fix numerous leaks in the UI_dup_* functions. Simplify and tidy up
	  the code in ui_lib.c.

	* Correctly track selected ALPN length to avoid a potential segmentation
	  fault with SSL_get0_alpn_selected() when alpn_selected is NULL.

	* Include machine/endian.h in gost2814789.c in order to pick up the
	  __STRICT_ALIGNMENT define.

	* Simplify SSL method lookups.

	* Clean up and simplify SSL_get_ciphers(), SSL_set_session(),
	  SSL_set_ssl_method() and several internal functions.

	* Correctly handle ssl_cert_dup() failure in SSL_set_SSL_CTX().

	* Refactor dtls1_new(), dtls1_hm_fragment_new(),
	  dtls1_drain_fragments(), dtls1_clear_queues().

	* Copy the session ID directly in ssl_get_prev_session() instead of
	  handing it through several functions for copying.

	* Clean up and refactor ssl_get_prev_session(); simplify
	  tls_decrypt_ticket() and tls1_process_ticket() exit paths.

	* Avoid memset() before memcpy() in CBS_add_bytes().

	* Rewrite X509_INFO_{new,free}() more idiomatically.

	* Remove unnecessary zeroing after recallocarray() in
	  ASN1_BIT_STRING_set_bit().

	* Convert openssl(1) ocsp new option handling.

	* Document SSL_set1_host(3), SSL_set_SSL_CTX(3).

	* Document return value from EC_KEY_get0_public_key(3).

	* Greatly expanded test coverage via the tlsfuzzer test scripts.

	* Expanded test coverage via the bettertls certificate test suite.

	* Test interoperability with the Botan TLS client.

	* Make pthread_mutex static initialisation work on Windows.

	* Get __STRICT_ALIGNMENT from machine/endian.h with portable build.
112
3.2.1 - Development release

	* Propagate alerts from the read half of the TLSv1.3 record layer to I/O
	  functions.

	* Send a record overflow alert for TLSv1.3 messages having overlong
	  plaintext or inner plaintext.

	* Send an illegal parameter alert if a client sends an invalid DH key
	  share.

	* Document PKCS7_final(3), PKCS7_add_attribute(3).

	* Collapse x509v3 directory into x509.

	* Improve TLSv1.3 client certificate selection to allow EC certificates
	  instead of only RSA certificates.

	* Fail on receiving an invalid NID in X509_ATTRIBUTE_create() instead
	  of constructing a broken object that may cause NULL pointer accesses.

	* Add support for additional GOST curves from RFC 7836 and
	  draft-deremin-rfc4491-bis.

	* Add OIDs for HMAC using the Streebog hash function.

	* Allow GOST R 34.11-2012 in PBE/PBKDF2/PKCS#5.

	* Enable GOST_SIG_FORMAT_RS_LE when verifying certificate signatures.

	* Handle GOST in ssl_cert_dup().

	* Stop sending GOST R 34.10-94 as a CertificateType.

	* Use IANA allocated GOST ClientCertificateTypes.

	* Add a custom copy handler for AES keywrap to fix a use-after-free.

	* Enforce in the TLSv1.3 server that ClientHello messages after
	  a HelloRetryRequest match the original ClientHello as per RFC 8446
	  section 4.1.2.

	* Document more PKCS7 attribute functions.

	* Document PKCS7_get_signer_info(3).

	* Document PEM_ASN1_read(3) and PEM_ASN1_read_bio(3).

	* Document PEM_def_callback(3).

	* Document EVP_read_pw_string_min(3).

	* Merge documentation of X509_get0_serialNumber from OpenSSL 1.1.1.

	* Document error handling of X509_PUBKEY_get0(3) and X509_PUBKEY_get(3).

	* Document X509_get0_pubkey_bitstr(3).

	* Fix an off-by-one in the CBC padding removal. From BoringSSL.
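
As an added illustration of the check this item concerns (editor's example, not LibreSSL's or BoringSSL's code), the function below validates TLS 1.2 CBC padding per RFC 5246 section 6.2.3.2. The boundary the off-by-one sits on is a record that consists only of padding: padding_length + 1 == len is valid, padding_length + 1 > len is not. The sample records are constructed inline; "content" stands in for content plus MAC.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constant-time comparison masks: all ones (SIZE_MAX) when the relation
 * holds, zero otherwise. Correct for operands below SIZE_MAX / 2, which
 * covers any TLS record length.
 */
static size_t ct_mask_lt(size_t a, size_t b)
{
	return (size_t)0 - ((a - b) >> (sizeof(size_t) * 8 - 1));
}

static size_t ct_mask_le(size_t a, size_t b)
{
	return ct_mask_lt(a, b + 1);
}

/*
 * Validate the padding of a decrypted TLS 1.2 CBC record
 * (content || MAC || padding || padding_length), RFC 5246 6.2.3.2.
 * Returns 1 and sets *content_len (content plus MAC) if the padding is
 * well formed, 0 otherwise. The scan covers a fixed window so that the
 * time taken does not depend on padding_length.
 */
int tls_cbc_padding_ok(const uint8_t *rec, size_t len, size_t *content_len)
{
	size_t padding_len, good, window, is_pad, i;
	uint8_t acc = 0;

	if (len == 0)
		return 0;		/* no padding_length byte at all */

	padding_len = rec[len - 1];

	/*
	 * The padding occupies padding_len + 1 bytes, counting the length
	 * byte itself. A record made entirely of padding (padding_len + 1
	 * == len) is valid; accepting padding_len == len would be the
	 * off-by-one.
	 */
	good = ct_mask_le(padding_len + 1, len);

	/* padding_len is at most 255, so at most 256 bytes ever matter */
	window = len < 256 ? len : 256;
	for (i = 1; i < window; i++) {
		/* is_pad is all ones when byte i from the end is padding */
		is_pad = ct_mask_le(i, padding_len);
		acc |= (uint8_t)((rec[len - 1 - i] ^ padding_len) & is_pad);
	}
	good &= ct_mask_lt(acc, 1);	/* every padding byte matched */

	*content_len = (len - padding_len - 1) & good;
	return (int)(good & 1);
}

/* Convenience wrapper: content length on success, -1 on bad padding. */
long tls_cbc_content_len(const uint8_t *rec, size_t len)
{
	size_t content_len;

	if (!tls_cbc_padding_ok(rec, len, &content_len))
		return -1;
	return (long)content_len;
}

int main(void)
{
	/* constructed sample records */
	const uint8_t ok[] = { 'h', 'i', 2, 2, 2 };	/* 2 bytes of content */
	const uint8_t all_pad[] = { 3, 3, 3, 3 };	/* boundary: 4 bytes of padding in 4 */
	const uint8_t too_long[] = { 3, 3, 3 };		/* claims 4 bytes of padding in 3 */
	const uint8_t mismatch[] = { 1, 2, 2 };		/* one padding byte differs */

	printf("ok: %ld\n", tls_cbc_content_len(ok, sizeof(ok)));
	printf("all_pad: %ld\n", tls_cbc_content_len(all_pad, sizeof(all_pad)));
	printf("too_long: %ld\n", tls_cbc_content_len(too_long, sizeof(too_long)));
	printf("mismatch: %ld\n", tls_cbc_content_len(mismatch, sizeof(mismatch)));
	return 0;
}
```

The padding check alone does not close the Lucky 13 class of timing leaks: the MAC check that follows must also run in time independent of padding_length, which is why the scan covers a fixed window instead of stopping early.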
172
173	* Enforce restrictions on extensions present in the ClientHello as per
174	  RFC 8446, section 9.2.
175
176	* Add new CMAC_Init(3) and ChaCha(3) manual pages.
177
178	* Fix SSL_shutdown behavior to match the legacy stack.  The previous
179	  behavior could cause a hang.
180
181	* Add initial support for openbsd/powerpc64.
182
183	* Make the message type available in the internal TLS extensions API
184	  functions.
185
186	* Enable TLSv1.3 for the generic TLS_method().
187
188	* Convert openssl(1) s_client option handling.
189
190	* Document openssl(1) certhash.
191
192	* Convert openssl(1) verify option handling.
193
194	* Fix a longstanding bug in PEM_X509_INFO_read_bio(3) that could cause
195	  use-after-free and double-free issues in calling programs.
196
197	* Document PEM_X509_INFO_read(3) and PEM_X509_INFO_read_bio(3).
198
199	* Handle SSL_MODE_AUTO_RETRY being changed during a TLSv1.3 session.
200
201	* Convert openssl(1) s_server option handling.
202
203	* Add minimal info callback support for TLSv1.3.
204
205	* Refactor, clean up and simplify some SSL3/DTLS1 record writing code.
206
207	* Correctly handle server requests for an OCSP response.
208
209	* Add the P-521 curve to the list of curves supported by default
210	  in the client.
211
212	* Convert openssl(1) req option handling.
213
214	* Avoid calling freezero with a negative size if a server sends a
215	  malformed plaintext of all zeroes.
216
217	* Send an unexpected message alert if no valid content type is found
218	  in a TLSv1.3 record.
219
3.2.0 - Development release

	* Enable TLS 1.3 server side in addition to client by default.
	  With this change TLS 1.3 is handled entirely on the new stack
	  and state machine, with fallback to the legacy stack and
	  state machine for older versions. Note that the OpenSSL TLS 1.3
	  API is not yet visible/available.

	* Improve length checks in the TLS 1.3 record layer and provide
	  appropriate alerts for violations of record layer limits.

	* Enforce that SNI hostnames received by the TLS server are correctly
	  formed as per RFC 5890 and RFC 6066, responding with illegal parameter
	  for a nonconformant host name.
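
An added example of what "correctly formed" means for an SNI HostName (editor's code, not LibreSSL's implementation): the checker below applies the editor's reading of RFC 5890 LDH label rules and RFC 6066 (no trailing dot, no IP literals). Whether a non-conformant name is answered with an illegal_parameter alert or tolerated is the caller's policy; the function only reports conformance. The sample names are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Returns 1 if name[0..len) is a well-formed DNS hostname suitable as an
 * SNI HostName, 0 otherwise. Rules applied (editor's reading of RFC 5890
 * and RFC 6066, not LibreSSL's code):
 *   - 1..255 octets, labels separated by single dots, no empty labels
 *   - each label 1..63 octets of ASCII letters, digits and hyphens,
 *     not starting or ending with a hyphen (A-labels such as xn--... pass)
 *   - no trailing dot
 *   - not a dotted-decimal IPv4 literal (every label all digits); IPv6
 *     literals fail the character rule because of the colons
 */
int sni_hostname_ok(const char *name, size_t len)
{
	size_t i, label_len = 0, labels = 0, numeric_labels = 0;
	int label_is_numeric = 1;

	if (len == 0 || len > 255)
		return 0;

	for (i = 0; i < len; i++) {
		unsigned char c = (unsigned char)name[i];

		if (c == '.') {
			if (label_len == 0)		/* leading dot or ".." */
				return 0;
			if (name[i - 1] == '-')		/* label ends with hyphen */
				return 0;
			if (label_is_numeric)
				numeric_labels++;
			labels++;
			label_len = 0;
			label_is_numeric = 1;
			continue;
		}
		if (c >= 0x80 || !(isalnum(c) || c == '-'))
			return 0;			/* not an LDH character */
		if (label_len == 0 && c == '-')
			return 0;			/* label starts with hyphen */
		if (!isdigit(c))
			label_is_numeric = 0;
		if (++label_len > 63)
			return 0;			/* RFC 1035 label limit */
	}
	if (label_len == 0)
		return 0;				/* trailing dot */
	if (name[len - 1] == '-')
		return 0;
	if (label_is_numeric)
		numeric_labels++;
	labels++;

	/* all-numeric labels: an IPv4 literal, not a host name */
	if (numeric_labels == labels)
		return 0;
	return 1;
}

int main(void)
{
	/* constructed sample names */
	const char *samples[] = {
		"www.openbsd.org", "xn--bcher-kva.example", "1example.com",
		"example.com.", "-bad.example", "bad-.example", "a..b",
		"192.0.2.1", "2001:db8::1", "",
	};
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-24s %s\n", samples[i],
		    sni_hostname_ok(samples[i], strlen(samples[i])) ?
		    "ok" : "reject");
	return 0;
}
```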
234
235	* Support SSL_MODE_AUTO_RETRY in TLS 1.3 to allow the automatic
236	  retry of handshake messages.
237
238	* Modify I/O behavior so that SSL_MODE_AUTO_RETRY is the default
239	  similar to new OpenSSL releases.
240
241	* Modify openssl(1) to clear SSL_MODE_AUTO_RETRY appropriately in
242	  various commands.
243
244	* Add tlsfuzzer based regression tests.
245
246	* Support sending certificate status requests from the TLS 1.3
247	  client to request OCSP staples for leaf certificates.
248
249	* Support sending certificate status replies from the TLS 1.3 server
250	  in order to send OCSP staples for leaf certificates.
251
252	* Send correct alerts when handling failed key share extensions
253	  on the TLS 1.3 server.
254
255	* Various compatibility fixes for TLS 1.3 to 1.2 fallback for
256	  switching from the new to legacy stacks.
257
258	* Support TLS 1.3 options in the openssl(1) command.
259
260	* Many alert cleanups in TLS 1.3 to provide expected alerts in failure
261	  conditions.
262
263	* Modify "openssl x509" to display invalid certificate times as
264	  invalid, and correctly deal with the failing return case from
265	  X509_cmp_time so that a certificate with an invalid NotAfter does
266	  not appear valid.
267
268	* Support sending dummy change_cipher_spec records for TLS 1.3 middlebox
269	  compatibility.
270
271	* Ensure only PSS signatures are used with RSA in TLS 1.3.
272
273	* Ensure that TLS 1.3 clients advertise exactly the "null" compression
274	  method in its legacy_compression_methods.
275
276	* Correct use of sockaddr_storage instead of sockaddr in openssl(1)
277	  s_client, which could lead to using 14 bytes of stack garbage instead
278 	  of an IPv6 address in DTLS mode.
279
280	* Use non-expired certificates first when building a certificate chain.
281
3.1.4 - Interoperability and bug fixes for the TLSv1.3 client:

	* Improve client certificate selection to allow EC certificates
	  instead of only RSA certificates.

	* Do not error out if a TLSv1.3 server requests an OCSP response as
	  part of a certificate request.

	* Fix SSL_shutdown behavior to match the legacy stack.  The previous
	  behaviour could cause a hang.

	* Fix a memory leak and add a missing error check in the handling of
	  the key update message.

	* Fix a memory leak in tls13_record_layer_set_traffic_key.

	* Avoid calling freezero with a negative size if a server sends a
	  malformed plaintext of all zeroes.

	* Ensure that only PSS may be used with RSA in TLSv1.3 in order
	  to avoid using PKCS1-based signatures.

	* Add the P-521 curve to the list of curves supported by default
	  in the client.

3.1.3 - Bug fix

	* libcrypto may fail to build a valid certificate chain due to
	  expired untrusted issuer certificates.

3.1.2 - Bug fix

	* A TLS client with peer verification disabled may crash when
	  contacting a server that sends an empty certificate list.

3.1.1 - Stable release

	* Improved cipher suite handling to automatically include TLSv1.3
	  cipher suites when they are not explicitly referred to in the
	  cipher string.

	* Improved handling of TLSv1.3 HelloRetryRequests, simplifying
	  state transitions and ensuring that the legacy session identifier
	  retains the same value across the handshake.

	* Provided TLSv1.3 cipher suite aliases to match the names used
	  in RFC 8446.

	* Improved TLSv1.3 client key share handling to allow the use of
	  any groups in our configured NID list.

	* Fixed printing the serialNumber with X509_print_ex(), falling back
	  to the colon-separated hex bytes when the value is larger than an int.

	* Fix to disallow setting the AES-GCM IV length to zero.

	* Added -groups option to openssl(1) s_server subcommand.

	* Fix to show TLSv1.3 extension types with openssl(1) -tlsextdebug.

	* Improved portable builds to support the use of static MSVC runtimes.

	* Fixed portable builds to avoid exporting a sleep() symbol.
345
3.1.0 - Development release

	* Completed initial TLS 1.3 implementation with a completely new state
	  machine and record layer. TLS 1.3 is now enabled by default for the
	  client side, with the server side to be enabled in a future release.
	  Note that the OpenSSL TLS 1.3 API is not yet visible/available.

	* Many more code cleanups, fixes, and improvements to memory handling
	  and protocol parsing.

	* Added RSA-PSS and RSA-OAEP methods from OpenSSL 1.1.1.

	* Ported Cryptographic Message Syntax (CMS) implementation from OpenSSL
	  1.1.1 and enabled by default.

	* Improved compatibility by backporting functionality and documentation
	  from OpenSSL 1.1.1.

	* Added many new additional crypto test vectors.

	* Adjusted EVP_chacha20()'s behavior to match OpenSSL's semantics.

	* Default CA bundle location is now configurable in portable builds.

	* Added cms subcommand to openssl(1).

	* Added -addext option to openssl(1) req subcommand.

3.0.2 - Stable release

	* Use a valid curve when constructing an EC_KEY that looks like X25519.
	  The recent EC group cofactor change results in stricter validation,
	  which causes the EC_GROUP_set_generator() call to fail.
	  Issue reported and fix tested by rsadowski@.

	* Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
	  (Note that the CMS code is currently disabled.)
	  Port of Edlinger's fix for CVE-2019-1563 from OpenSSL 1.1.1 (old license).

	* Avoid a path traversal bug in s_server on Windows when run with the -WWW
	  or -HTTP options, due to incomplete path check logic.
	  Issue reported and fix tested by Jobert Abma.

3.0.1 - Development release

	* Ported Billy Brumley's fix for CVE-2019-1547 in OpenSSL 1.1.1. If a NULL
	  or zero cofactor is passed to EC_GROUP_set_generator(), try to compute
	  it using Hasse's bound. This works as long as the cofactor is small
	  enough.

	* Fixed a memory leak in error paths for eckey_type2param().

	* Initial work on supporting Cryptographic Message Syntax (CMS) in
	  libcrypto (not enabled).

	* Various manual page improvements and additions.

	* Added a CMake check for an existing uninstall target, facilitating
	  embedding LibreSSL in larger CMake projects, from Matthew Albrecht.

3.0.0 - Development release

	* Completed the port of RSA_METHOD accessors from the OpenSSL 1.1 API.

	* Documented undescribed options and removed descriptions of
	  non-functional options in the openssl(1) manual.

	* A plethora of small fixes due to regular oss-fuzz testing.

	* Various side channels in DSA and ECDSA were addressed.  These are some of
	  the many issues found in an extensive systematic analysis of bignum usage
	  by Samuel Weiser, David Schrammel et al.

	* Enabled openssl(1) speed subcommand on Windows platform.

	* Enabled performance optimizations when building with Visual Studio on Windows.

	* Fixed incorrect carry operation in 512 addition for Streebog.

	* Fixed -modulus option with openssl(1) dsa subcommand.

	* Fixed PVK format output issue with openssl(1) dsa and rsa subcommand.
428
2.9.2 - Bug fixes

	* Fixed portable builds with older versions of MacOS,
	  Android targets < API 21, and Solaris 10.

	* Fixed SRTP profile advertisement for DTLS servers.

2.9.1 - Stable release

	* Added support for XChaCha20 and XChaCha20-Poly1305.

	* Added support for AES key wrap constructions via the EVP interface.

	* Partial port of the OpenSSL EC_KEY_METHOD API for use by OpenSSH.

	* Added pbkdf2 key derivation support to openssl(1).

	* Removed SHA224 based handshake signatures from consideration for use in a TLS 1.2 handshake.

	* Changed the default digest type of openssl(1) enc to sha256.

	* Changed the default digest type of openssl(1) dgst to sha256.

	* Changed the default digest type of openssl(1) x509 -fingerprint to sha256.

	* Changed the default digest type of openssl(1) crl -fingerprint to sha256.

	* Improved Windows, Android, and ARM compatibility, including assembly
	  optimizations on Mingw-w64 targets.

2.9.0 - Development release

	* Added the SM4 block cipher from the Chinese standard GB/T 32907-2016.

	* Fixed warnings about clock_gettime on Windows Visual Studio builds.

	* Fixed CMake builds on systems where getpagesize is defined as an
	  inline function.

	* CRYPTO_LOCK is now automatically initialized, with the legacy
	  callbacks stubbed for compatibility.

	* Added the SM3 hash function from the Chinese standard GB/T 32905-2016.

	* Added more OPENSSL_NO_* macros for compatibility with OpenSSL.

	* Added extensive interoperability tests between LibreSSL and OpenSSL
	  1.0 and 1.1.

	* Added additional Wycheproof tests and related bug fixes.

	* Simplified sigalgs option processing and handshake signing algorithm

	* Added the ability to use the RSA PSS algorithm for handshake
	  signatures.

	* Added bn_rand_interval() and use it in code needing ranges of random
	  bn values.

	* Added functionality to derive early, handshake, and application
	  secrets as per RFC8446.

	* Added handshake state machine from RFC8446.

	* Removed some ASN.1 related code from libcrypto that had not been used
	  since around 2000.

	* Unexported internal symbols and internalized more record layer structs.

	* Added support for assembly optimizations on 32-bit ARM ELF targets.

	* Improved protection against timing side channels in ECDSA signature
	  generation.

	* Coordinate blinding was added to some elliptic curves. This is the
	  last bit of the work by Brumley et al. to protect against the
	  Portsmash vulnerability.

	* Ensure transcript handshake is always freed with TLS 1.2.
508
2.8.2 - Stable release

	* Added Wycheproof support for ECDH and ECDSA Web Crypto test vectors,
	  along with test harness fixes.

	* Fixed memory leak in nc(1).

2.8.1 - Test and compatibility improvements

	* Added Wycheproof support for ECDH, RSASSA-PSS, AES-GCM,
	  AES-CMAC, AES-CCM, AES-CBC-PKCS5, DSA, ChaCha20-Poly1305, ECDSA, and
	  X25519 test vectors. Applied appropriate fixes for errors uncovered
	  by tests.

	* Simplified key exchange signature generation and verification.

	* Fixed a one-byte buffer overrun in callers of EVP_read_pw_string.

	* Converted more code paths to use CBB/CBS. All handshake messages are
	  now created by CBB.

	* Fixed various memory leaks found by Coverity.

	* Simplified session ticket parsing and handling, inspired by
	  BoringSSL.

	* Modified signature of CRYPTO_mem_leaks_* to return -1. This function
	  is a no-op in LibreSSL, so it returns an error rather than claiming
	  anything about the (non-)existence of memory leaks.

	* SSL_copy_session_id, PEM_Sign, EVP_EncodeUpdate, BIO_set_cipher,
	  X509_OBJECT_up_ref_count now return an int for error handling,
	  matching OpenSSL.

	* Converted a number of #defines into proper functions, matching
	  OpenSSL's ABI.

	* Added X509_get0_serialNumber from OpenSSL.

	* Removed EVP_PKEY2PKCS8_broken and PKCS8_set_broken, while adding
	  PKCS8_pkey_add1_attr_by_NID and PKCS8_pkey_get0_attrs, matching
	  OpenSSL.

	* Removed broken pkcs8 formats from openssl(1).

	* Converted more functions in public API to use const arguments.

	* Stopped handling AES-GCM in ssl_cipher_get_evp, since they use the
	  EVP_AEAD interface.

	* Stopped using composite EVP_CIPHER AEADs.

	* Added timing-safe compares for checking results of signature
	  verification. There are no known attacks; this is just inexpensive
	  prudence.
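
An added example of the kind of comparison this item refers to (editor's code, not LibreSSL's implementation): the leaky memcmp()-based check beside a timing-safe one that touches every byte regardless of where the first difference is. The digests are constructed sample values, and digest_matches() is a hypothetical stand-in for the final step of a signature check, where the digest recovered from the signature is compared with the digest computed over the message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Leaky comparison: memcmp() may stop at the first differing byte, so the
 * time it takes can reveal how long the matching prefix was.
 */
int leaky_equal(const uint8_t *a, const uint8_t *b, size_t len)
{
	return memcmp(a, b, len) == 0;
}

/*
 * Timing-safe comparison: always touches every byte and never branches on
 * the data. Returns 1 if equal, 0 otherwise. Same idea as
 * timingsafe_memcmp(3) and CRYPTO_memcmp().
 */
int timingsafe_equal(const uint8_t *a, const uint8_t *b, size_t len)
{
	uint8_t acc = 0;
	size_t i;

	for (i = 0; i < len; i++)
		acc |= a[i] ^ b[i];

	/* (acc | -acc) has its top bit set exactly when acc != 0 */
	return 1 - ((acc | (uint8_t)-acc) >> 7);
}

/*
 * Hypothetical last step of a signature verification: the digest recovered
 * from the signature must equal the digest computed over the message.
 */
int digest_matches(const uint8_t *recovered, const uint8_t *computed,
    size_t len)
{
	return timingsafe_equal(recovered, computed, len);
}

int main(void)
{
	/* constructed 8-byte "digests" standing in for real hash output */
	const uint8_t recovered[8] = { 0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04 };
	const uint8_t computed[8]  = { 0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04 };
	const uint8_t forged[8]    = { 0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x05 };

	printf("genuine: %d\n",
	    digest_matches(recovered, computed, sizeof(computed)));
	printf("forged:  %d\n",
	    digest_matches(recovered, forged, sizeof(forged)));
	return 0;
}
```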
564
565	* Correctly clear the current cipher state, when changing cipher state.
566	  This fixed an issue where renegotiation of cipher suites would fail
567	  when switched from AEAD to non-AEAD or vice-versa.
568	  Issue reported by Bernard Spil.
569
570	* Added more cipher tests to appstest.sh, including all TLSv1.2
571	  ciphers.
572
573	* Added RSA_meth_get_finish() RSA_meth_set1_name() from OpenSSL.
574
575	* Added new EVP_CIPHER_CTX_(get|set)_iv() API that allows the IV to be
576	  retrieved and set with appropriate validation.
577
2.8.0 - Bug fixes, security, and compatibility improvements

	* Extensive documentation updates and additional API history.

	* Fixed a pair of 20+ year-old bugs in X509_NAME_add_entry.

	* Tighten up checks for various X509_VERIFY_PARAM functions,
	  'poisoning' parameters so that an unverified certificate cannot be
	  used if it fails verification.

	* Fixed a potential memory leak on failure in ASN1_item_digest.

	* Fixed a potential memory alignment crash in asn1_item_combine_free.

	* Removed unused SSL3_FLAGS_DELAY_CLIENT_FINISHED and
	  SSL3_FLAGS_POP_BUFFER flags in write path, simplifying IO paths.

	* Removed SSL_OP_TLS_ROLLBACK_BUG buggy client workarounds.

	* Made ENGINE_finish and ENGINE_free succeed on NULL, simplifying
	  callers and matching OpenSSL behavior; rewrote ENGINE_* documentation.

	* Added const annotations to many existing APIs from OpenSSL, making
	  interoperability easier for downstream applications.

	* Fixed small timing side-channels in ecdsa_sign_setup and
	  dsa_sign_setup.

	* Documented security pitfalls with BN_FLG_CONSTTIME and constant-time
	  operation of BN_* functions.

	* Updated BN_clear to use explicit_bzero.

	* Added a missing bounds check in c2i_ASN1_BIT_STRING.

	* More CBS conversions, including simplifications to RSA key exchange,
	  and converted code to use dedicated buffers for secrets.

	* Removed three remaining single DES cipher suites.

	* Fixed a potential leak/incorrect return value in DSA signature
	  generation.

	* Added a blinding value when generating DSA and ECDSA signatures, in
	  order to reduce the possibility of a side-channel attack leaking the
	  private key.

	* Added ECC constant time scalar multiplication support.
	  From Billy Brumley and his team at Tampere University of Technology.

	* Revised the implementation of RSASSA-PKCS1-v1_5 to match the
	  specification in RFC 8017. Based on an OpenSSL commit by David
	  Benjamin.

	* Cleaned up BN_* implementations following changes made in OpenSSL by
	  Davide Galassi and others.
634
2.7.4 - Security fixes

	* Avoid a timing side-channel leak when generating DSA and ECDSA
	  signatures. This is caused by an attempt to do fast modular
	  arithmetic, which introduces branches that leak information
	  regarding secret values. Issue identified and reported by Keegan
	  Ryan of NCC Group.

	* Reject excessively large primes in DH key generation. Problem
	  reported by Guido Vranken to OpenSSL
	  (https://github.com/openssl/openssl/pull/6457) and based on his
	  diff.

2.7.3 - Bug fixes

	* Removed incorrect NULL checks in DH_set0_key(). Reported by Ondrej
	  Sury.

	* Fixed an issue normalizing CPU architecture in the configure script,
	  which disabled assembly optimizations on platforms that get detected
	  as 'amd64', as opposed to 'x86_64'.

	* Limited tls_config_clear_keys() to only clear private keys.
	  This was inadvertently clearing the keypair, which includes the OCSP
	  staple and pubkey hash - if an application called tls_configure()
	  followed by tls_config_clear_keys(), this would prevent OCSP staples
	  from working.

2.7.2 - Stable release

	* Updated and added extensive new HISTORY sections to API manuals.

	* Added support for shared library builds with CMake on all supported
	  platforms. Note that some of the CMake options have changed, consult
	  the README for details.

2.7.1 - Bug fixes

	* Fixed a bug in int_x509_param_set_hosts, calling strlen() if name
	  length provided is 0 to match the OpenSSL behaviour. Issue noticed
	  by Christian Heimes <christian@python.org>.

	* Fixed builds on macOS 10.11 and older.
678
2.7.0 - Bug fixes and improvements

	* Added support for many OpenSSL 1.0.2 and 1.1 APIs, based on
	  observations of real-world usage in applications. These are
	  implemented in parallel with existing OpenSSL 1.0.1 APIs - visibility
	  changes have not been made to existing structs, allowing code written
	  for older OpenSSL APIs to continue working.

	* Extensive corrections, improvements, and additions to the
	  API documentation, including new public APIs from OpenSSL that had
	  no pre-existing documentation.

	* Added support for automatic library initialization in libcrypto,
	  libssl, and libtls. Support for pthread_once or a compatible
	  equivalent is now required of the target operating system. As a
	  side-effect, minimum Windows support is Vista or higher.

	* Converted more packet handling methods to CBB, which improves
	  resiliency when generating TLS messages.

	* Completed TLS extension handling rewrite, improving consistency of
	  checks for malformed and duplicate extensions.

	* Rewrote ASN1_TYPE_{get,set}_octetstring() using templated ASN.1.
	  This removes the last remaining use of the old M_ASN1_* macros
	  (asn1_mac.h) from API that needs to continue to exist.

	* Added support for client-side session resumption in libtls.
	  A libtls client can specify a session file descriptor (a regular
	  file with appropriate ownership and permissions) and libtls will
	  manage reading and writing of session data across TLS handshakes.

	* Improved support for strict alignment on ARMv7 architectures,
	  conditionally enabling assembly in those cases.

	* Fixed a memory leak in libtls when reusing a tls_config.

	* Merged more DTLS support into the regular TLS code path, removing
	  duplicated code.

	* Many improvements to Windows Cmake-based builds and tests,
	  especially when targeting Visual Studio.

2.6.4 - Bug fixes

	* Make tls_config_parse_protocols() work correctly when passed a NULL
	  pointer for a protocol string. Issue found by semarie@, who also
	  provided the diff.

	* Correct TLS extensions handling when no extensions are present.
	  If no TLS extensions are present in a client hello or server hello,
	  omit the entire extensions block, rather than including it with a
	  length of zero. Thanks to Eric Elena <eric at voguemerry dot com> for
	  providing packet captures and testing the fix.

	* Fixed portable builds on older Android systems, and systems without
	  IPV6_TCLASS support.

2.6.3 - OpenBSD 6.2 Release

	* No core changes from LibreSSL 2.6.2.

	* Minor compatibility fixes in portable version.
742
2.6.2 - Bug fixes

	* Provide a useful error with libtls if there are no OCSP URLs in a
	  peer certificate.

	* Keep track of which keypair is in use by a TLS context, fixing a bug
	  where a TLS server with SNI would only return the OCSP staple for the
	  default keypair. Issue reported by William Graeber and confirmed by
	  Andreas Bartelt.

	* Fixed various issues in the OCSP extension parsing code.
	  The original code incorrectly passes the pointer allocated via
	  CBS_stow() (using malloc()) to a d2i_*() function and then calls
	  free() on the now incremented pointer, most likely resulting in a
	  crash. This issue was reported by Robert Swiecki who found the issue
	  using honggfuzz.

	* If tls_config_parse_protocols() is called with a NULL pointer,
	  return the default protocols instead of crashing - this makes the
	  behaviour more useful and mirrors what we already do in
	  tls_config_set_ciphers() et al.

2.6.1 - Code removal, rewrites

	* Added a "-T tlscompat" option to nc(1), which enables the use of all
	  TLS protocols and "compat" ciphers. This allows for TLS connections
	  to TLS servers that are using less than ideal cipher suites, without
	  having to resort to "-T tlsall" which enables all known cipher
	  suites.  Diff from Kyle J. McKay.

	* Added a new TLS extension handling framework, somewhat analogous to
	  BoringSSL, and converted all TLS extensions to use it. Added new TLS
	  extension regression tests.

	* Improved and added many new manpages. Updated *check_private_key
	  manpages with additional cautions regarding their use.

	* Cleaned up the EC key/curve configuration handling.

	* Added tls_config_set_ecdhecurves() to libtls, which allows the names
	  of the elliptic curves that may be used during client and server
	  key exchange to be specified.

	* Converted more code paths to use CBB/CBS.

	* Removed support for DSS/DSA, since we removed the cipher suites a
	  while back.

	* Removed NPN support. NPN was never standardised and the last draft
	  expired in October 2012. ALPN was standardised in July 2014 and has
	  been supported in LibreSSL since December 2014. NPN has also been
	  removed from Chromium in May 2016.

	* Removed SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken
	  CryptoPro clients.

	* Removed support for the TLS padding extension, which was added as a
	  workaround for an old bug in F5's TLS termination.

	* Worked around another bug in F5's TLS termination handling of the
	  elliptic curves extension. RFC 4492 only defines elliptic_curves
	  for ClientHello. However, F5 is sending it in ServerHello.  We need
	  to skip over it since our TLS extension parsing code is now more
	  strict. Thanks to Armin Wolfermann and WJ Liu for reporting.

	* Added ability to clamp notAfter values in certificates for systems
	  with 32-bit time_t. This is necessary to conform to RFC 5280
	  4.1.2.5.

	* Implemented the SSL_CTX_set_min_proto_version(3) API.

	* Removed the original (pre-IETF) chacha20-poly1305 cipher suites.

	* Reclassified ECDHE-RSA-DES-CBC3-SHA from HIGH to MEDIUM.
817
8182.6.0 - New APIs, bug fixes and improvements
819
820	* Added support for providing CRLs to libtls. Once a CRL is provided we
821	  enable CRL checking for the full certificate chain. Based on a diff
822	  from Jack Burton
823
824	* Allow non-compliant clients using IP literal addresses with SNI
825	  to connect to a server using libtls.
826
827	* Avoid a potential NULL pointer dereference in d2i_ECPrivateKey().
828	  Reported by Robert Swiecki, who found the issue using honggfuzz.
829
830	* Added definitions for three OIDs used in EV certificates.
831	  From Kyle J. McKay
832
833	* Added tls_peer_cert_chain_pem to libtls, useful in private
834	  certificate validation callbacks such as those in relayd.
835
836	* Converted explicit clear/free sequences to use freezero(3).
837
838	* Reworked TLS certificate name verification code to more strictly
839	  follow RFC 6125.
840
841	* Cleaned up and simplified server key exchange EC point handling.
842
843	* Added tls_keypair_clear_key for clearing key material.
844
845	* Removed inconsistent IPv6 handling from BIO_get_accept_socket,
846	  simplified BIO_get_host_ip and BIO_accept.
847
848	* Fixed the openssl(1) ca command so that it generates certificates
849	  with RFC 5280-conformant time. Problem noticed by Harald Dunkel.
850
851	* Added ASN1_TIME_set_tm to set an asn1 from a struct tm *
852
853	* Added SSL{,_CTX}_set_{min,max}_proto_version() functions.
854
855	* Added HKDF (the HMAC-based key derivation function of RFC 5869) from BoringSSL.
856
857	* Provided a tls_unload_file() function that frees the memory returned
858	  from a tls_load_file() call, ensuring that the contents become
859	  inaccessible. This is specifically needed on platforms where the
860	  library allocators may be different from the application allocator.
861
862	* Perform reference counting for tls_config. This allows
863	  tls_config_free() to be called as soon as it has been passed to the
864	  final tls_configure() call, simplifying lifetime tracking for the
865	  application.
866
867	* Moved internal state of SSL and other structures to be opaque.
868
869	* Dropped cipher suites with DSS authentication.
870
871	* nc(1) improvements, including:
872	   nc -W to terminate nc after receiving a number of packets
873	   nc -Z for saving the peer certificate and chain in a pem file
874
8752.5.5 - Bug fixes
876
877	* Distinguish between self-issued certificates and self-signed
878	  certificates. The certificate verification code has special cases
879	  for self-signed certificates and without this change, self-issued
880	  certificates (which it seems are common place with
881	  openvpn/easyrsa) were also being included in this category.
882
883	* Added getpagesize fallback, needed for Android bionic libc.
884
8852.5.4 - Security Updates
886
887	* Revert a previous change that forced consistency between return
888	  value and error code when specifying a certificate verification
889	  callback, since this breaks the documented API. When a user supplied
890	  callback always returns 1, and later code checks the error code to
891	  potentially abort post verification, this will result in incorrect
892	  successful certificate verification.
893
894	* Switched Linux getrandom() usage to non-blocking mode, continuing to
895	  use fallback mechanisms if unsuccessful. This works around a design
896	  flaw in Linux getrandom(2) where early boot usage in a library makes
897	  it impossible to recover if getrandom(2) is not yet initialized.
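
The control flow that entry describes, as an added Python example (not LibreSSL's C code; its real fallback chain lives in the portable compatibility layer, and /dev/urandom stands in for it here): ask getrandom(2) for bytes with GRND_NONBLOCK and, if the kernel answers EAGAIN because its pool is not yet initialised, use the fallback instead of blocking. The primary and fallback sources are injectable so the early-boot path can be exercised; simulated_eagain is a constructed stand-in for that state, and all function names are this example's own.

```python
from __future__ import annotations

import os
from typing import Callable


def getrandom_nonblocking(n: int) -> bytes:
    """Read n bytes via getrandom(2) with GRND_NONBLOCK. Before the kernel
    pool is initialised the syscall fails with EAGAIN, which Python raises as
    BlockingIOError instead of blocking the caller. Raises OSError where the
    syscall does not exist so the caller can fall back the same way."""
    if not hasattr(os, "getrandom"):
        raise OSError("getrandom(2) is not available on this platform")
    out = bytearray()
    while len(out) < n:
        chunk = os.getrandom(n - len(out), os.GRND_NONBLOCK)
        if not chunk:
            raise OSError("getrandom(2) returned no data")
        out += chunk
    return bytes(out)


def read_dev_urandom(n: int) -> bytes:
    """Fallback source: /dev/urandom never blocks once it exists."""
    out = bytearray()
    with open("/dev/urandom", "rb", buffering=0) as dev:
        while len(out) < n:
            chunk = dev.read(n - len(out))
            if not chunk:
                raise OSError("/dev/urandom short read")
            out += chunk
    return bytes(out)


def get_entropy(n: int,
                primary: Callable[[int], bytes] = getrandom_nonblocking,
                fallback: Callable[[int], bytes] = read_dev_urandom) -> tuple[bytes, str]:
    """Try the non-blocking syscall first; on EAGAIN (BlockingIOError) or any
    other OSError take the fallback rather than hanging. Returns the bytes and
    the name of the source that produced them."""
    try:
        return primary(n), "getrandom"
    except OSError:                     # BlockingIOError is a subclass of OSError
        data = fallback(n)
    if len(data) != n:
        raise OSError("fallback produced a short buffer")
    return data, "fallback"


def simulated_eagain(n: int) -> bytes:
    """Constructed stand-in for getrandom(2) on a system whose pool is not
    yet initialised: every call fails with EAGAIN."""
    raise BlockingIOError(11, "Resource temporarily unavailable")


if __name__ == "__main__":
    data, source = get_entropy(32)
    print(source, data.hex())
    data, source = get_entropy(32, primary=simulated_eagain)
    print(source, data.hex())
```

Because the whole point is to never block inside a library, the fallback must itself be non-blocking; a fallback that opens /dev/random would reintroduce the hang.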
898
899	* Fixed a bug caused by the return value being set early to signal
900	  successful DTLS cookie validation. This can mask a later failure and
901	  result in a positive return value being returned from
902	  ssl3_get_client_hello(), when it should return a negative value to
903	  propagate the error.
904
905	* Fixed a build error on non-x86/x86_64 systems running Solaris.
906
9072.5.3 - OpenBSD 6.1 Release
908
909	* Documentation updates
910
911	* Improved ocspcheck(1) error handling
912
9132.5.2 - Security features and bugfixes
914
915	* Added the recallocarray(3) memory allocation function, and converted
916	  various places in the library to use it, such as CBB and BUF_MEM_grow.
917	  recallocarray(3) is similar to reallocarray(3), except that newly
918	  allocated memory is zeroed as with calloc(3), and memory that becomes
919	  unallocated while shrinking or moving an existing allocation is
920	  explicitly discarded by unmapping it or clearing it to 0.
921
922	* Added new root CAs from SECOM Trust Systems / Security Communication
923	  of Japan.
924
925	* Added EVP interface for MD5+SHA1 hashes.
926
927	* Fixed DTLS client failures when the server sends a certificate
928	  request.
929
930	* Correct handling of padding when upgrading an SSLv2 challenge into
931	  an SSLv3/TLS connection.
932
933	* Allow protocols and ciphers to be set on a TLS config object in
934	  libtls.
935
936	* Improved nc(1) TLS handshake CPU usage and server-side error
937	  reporting.
938
9392.5.1 - Bug and security fixes, new features, documentation updates
940
941	* X509_cmp_time() now passes a malformed GeneralizedTime field as an
942	  error. Reported by Theofilos Petsios.
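
A worked example of the RFC 5280 4.1.2.5 time rules behind this entry and the notAfter clamping and openssl(1) ca fixes in the 2.6.x entries above (added here; not libcrypto's ASN1_TIME code): encode a validity time as UTCTime through 2049 and GeneralizedTime from 2050 on, clamp a notAfter that does not fit a 32-bit time_t, and parse strictly so that a malformed GeneralizedTime (missing Z, fractional seconds, a local offset, the wrong digit count, an impossible date, or GeneralizedTime used for a pre-2050 year) is rejected as an error rather than treated as a valid date. TIME_T_32_MAX and the function names are this example's own.

```python
from __future__ import annotations

import calendar
import re
from datetime import datetime, timezone

# Constructed constants (assumptions for this example).
TIME_T_32_MAX = 2**31 - 1                    # largest value a signed 32-bit time_t holds
NO_WELL_DEFINED_EXPIRY = "99991231235959Z"   # RFC 5280 4.1.2.5 sentinel for notAfter

_UTC_RE = re.compile(r"\A(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z\Z")
_GEN_RE = re.compile(r"\A(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z\Z")


def encode_validity_time(ts: int) -> tuple[str, str]:
    """Encode a POSIX timestamp as RFC 5280 4.1.2.5 requires for a validity
    field: UTCTime (YYMMDDHHMMSSZ) for dates through 2049, GeneralizedTime
    (YYYYMMDDHHMMSSZ) from 2050 on; always UTC ("Z"), always with seconds,
    never with fractional seconds or a local offset."""
    dt = datetime.fromtimestamp(ts, tz=timezone.utc)
    if dt.year < 2050:
        return "UTCTime", dt.strftime("%y%m%d%H%M%SZ")
    return "GeneralizedTime", dt.strftime("%Y%m%d%H%M%SZ")


def clamp_notafter(ts: int, time_t_max: int = TIME_T_32_MAX) -> int:
    """Clamp a notAfter timestamp to what the host's time_t can represent, so
    the 99991231235959Z sentinel cannot overflow into the past on a 32-bit host."""
    return min(ts, time_t_max)


def parse_validity_time(kind: str, value: str) -> int:
    """Strictly decode a UTCTime or GeneralizedTime validity field to a POSIX
    timestamp. Anything RFC 5280 forbids raises ValueError: a missing "Z", a
    local offset, fractional or omitted seconds, a wrong digit count, an
    impossible calendar date, or GeneralizedTime for a year before 2050."""
    if kind == "UTCTime":
        m = _UTC_RE.match(value)
        if m is None:
            raise ValueError(f"malformed UTCTime {value!r}")
        yy = int(m.group(1))
        year = 1900 + yy if yy >= 50 else 2000 + yy   # RFC 5280 two-digit year rule
        rest = [int(g) for g in m.groups()[1:]]
    elif kind == "GeneralizedTime":
        m = _GEN_RE.match(value)
        if m is None:
            raise ValueError(f"malformed GeneralizedTime {value!r}")
        year, *rest = (int(g) for g in m.groups())
        if year < 2050:
            raise ValueError("GeneralizedTime is only permitted for 2050 and later")
    else:
        raise ValueError(f"unknown time type {kind!r}")
    try:
        dt = datetime(year, *rest, tzinfo=timezone.utc)
    except ValueError as exc:                           # e.g. February 30
        raise ValueError(f"invalid date in {value!r}: {exc}") from exc
    return calendar.timegm(dt.timetuple())


def is_wellformed(kind: str, value: str) -> bool:
    """True when parse_validity_time accepts the field."""
    try:
        parse_validity_time(kind, value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(encode_validity_time(TIME_T_32_MAX))                  # UTCTime 380119031407Z
    print(clamp_notafter(parse_validity_time("GeneralizedTime", NO_WELL_DEFINED_EXPIRY)))
    print(is_wellformed("GeneralizedTime", "20500101000000.5Z"))  # False
```

The pre-2050 GeneralizedTime rejection is the CA-side encoding rule applied as a conformance check; deployed parsers differ in how lenient they are about it, which is why a validator that compares times should not assume either form without checking the digit count and the trailing "Z".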
943
944	* Detect zero-length encrypted session data early, instead of when
945	  malloc(0) fails or the HMAC check fails. Noted independently by
946	  jsing@ and Kurt Cancemi.
947
948	* Check for and handle failure of HMAC_{Update,Final} or
949	  EVP_DecryptUpdate().
950
951	* Massive update and normalization of manpages, conversion to
952	  mandoc format. Many pages were rewritten for clarity and accuracy.
953	  Portable doc links are up-to-date with a new conversion tool.
954
955	* Curve25519 Key Exchange support.
956
957	* Support for alternate chains for certificate verification.
958
959	* Code cleanups, CBS conversions, further unification of DTLS/SSL
960	  handshake code, further ASN1 macro expansion and removal.
961
962	* Private symbols are now hidden in libssl and libcrypto.
963
964	* Friendly certificate verification error messages in libtls, peer
965	  verification is now always enabled.
966
967	* Added OCSP stapling support to libtls and netcat.
968
969	* Added ocspcheck utility to validate a certificate against its OCSP
970	  responder and save the reply for stapling
971
972	* Enhanced regression tests and error handling for libtls.
973
974	* Added explicit constant and non-constant time BN functions,
975	  defaulting to constant time wherever possible.
976
977	* Moved many leaked implementation details in public structs behind
978	  opaque pointers.
979
980	* Added ticket support to libtls.
981
982	* Added support for setting the supported EC curves via
983	  SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
984	  SSL{_CTX}_set1_curves{_list} names. This also changes the default
985	  list of curves to be X25519, P-256 and P-384. All other curves must
986	  be manually enabled.
987
988	* Added -groups option to openssl(1) s_client for specifying the curves
989	  to be used in a colon-separated list.
990
991	* Merged client/server version negotiation code paths into one,
992	  reducing much duplicate code.
993
994	* Removed error function codes from libssl and libcrypto.
995
996	* Fixed an issue where a truncated packet could crash via an OOB read.
997
998	* Added SSL_OP_NO_CLIENT_RENEGOTIATION option that disallows
999	  client-initiated renegotiation. This is the default for libtls
1000	  servers.
1001
1002	* Avoid a side-channel cache-timing attack that can leak ECDSA
1003	  private keys when signing. This is due to BN_mod_inverse() being
1004	  used without the constant time flag being set. Reported by Cesar
1005	  Pereida Garcia and Billy Brumley (Tampere University of Technology).
1006	  The fix was developed by Cesar Pereida Garcia.
1007
1008	* iOS and MacOS compatibility updates from Simone Basso and Jacob
1009	  Berkman.
1010
1011
10122.5.0 - New APIs, bug fixes and improvements
1013
1014	* libtls now supports ALPN and SNI
1015
1016	* libtls adds a new callback interface for integrating custom IO
1017	  functions. Thanks to Tobias Pape.
1018
1019	* libtls now handles 4 cipher suite groups:
1020	    "secure" (TLSv1.2+AEAD+PFS)
1021	    "compat" (HIGH:!aNULL)
1022	    "legacy" (HIGH:MEDIUM:!aNULL)
1023	    "insecure" (ALL:!aNULL:!eNULL)
1024
1025	    This allows for flexibility and finer grained control, rather than
1026	    having two extremes (an issue raised by Marko Kreen some time ago).
1027
1028	* Tightened error handling for tls_config_set_ciphers().
1029
1030	* libtls now always loads CA, key and certificate files at the time the
1031	  configuration function is called. This simplifies code and results in
1032	  a single memory based code path being used to provide data to libssl.
1033
1034	* Add support for OCSP intermediate certificates.
1035
1036	* Added functions used by stunnel and exim from BoringSSL - this
1037	  brings in X509_check_host, X509_check_email, X509_check_ip, and
1038	  X509_check_ip_asc.
1039
1040	* Added initial support for iOS, thanks to Jacob Berkman.
1041
1042	* Improved behavior of arc4random on Windows when using memory leak
1043	  analysis software.
1044
1045	* Correctly handle an EOF that occurs prior to the TLS handshake
1046	  completing. Reported by Vasily Kolobkov, based on a diff from Marko
1047	  Kreen.
1048
1049	* Limit the support of the "backward compatible" ssl2 handshake to
1050	  only be used if TLS 1.0 is enabled.
1051
1052	* Fixed incorrect results from BN_mod_word() in certain cases on 64-bit
1053	  systems. BN_mod_word() can now return an error condition. Thanks to
1054	  Brian Smith.
1055
1056	* Added constant-time updates to address CVE-2016-0702
1057
1058	* Fixed undefined behavior in BN_GF2m_mod_arr()
1059
1060	* Removed unused Cryptographic Message Syntax (CMS) support.
1061
1062	* More conversions of long long idioms to time_t
1063
1064	* Improved compatibility by avoiding printing NULL strings with
1065	  printf.
1066
1067	* Reverted change that cleans up the EVP cipher context in
1068	  EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the
1069	  previous behaviour.
1070
1071	* Avoid unbounded memory growth in libssl, which can be triggered by a
1072	  TLS client repeatedly renegotiating and sending OCSP Status Request
1073	  TLS extensions.
1074
1075	* Avoid falling back to a weak digest for (EC)DH when using SNI with
1076	  libssl.
1077
10782.4.2 - Bug fixes and improvements
1079
1080	* Fixed loading default certificate locations with openssl s_client.
1081
1082	* Ensured OCSP only uses and compares GENERALIZEDTIME values as per
1083	  RFC6960. Also added fixes for OCSP to work with intermediate
1084	  certificates provided in responses.
1085
1086	* Improved behavior of arc4random on Windows to not appear to leak
1087	  memory in debug tools, reduced privileges of allocated memory.
1088
1089	* Fixed incorrect results from BN_mod_word() when the modulus is too
1090	  large, thanks to Brian Smith from BoringSSL.
1091
1092	* Correctly handle an EOF prior to completing the TLS handshake in
1093	  libtls.
1094
1095	* Improved libtls certificate loading and cipher string validation.
1096
1097	* Updated libtls cipher group suites into four categories:
1098	    "secure"   (TLSv1.2+AEAD+PFS)
1099	    "compat"   (HIGH:!aNULL)
1100	    "legacy"   (HIGH:MEDIUM:!aNULL)
1101	    "insecure" (ALL:!aNULL:!eNULL)
1102	  This allows for flexibility and finer grained control, rather than
1103	  having two extremes.
1104
1105	* Limited support for 'backward compatible' SSLv2 handshake packets to
1106	  when TLS 1.0 is enabled, providing more restricted compatibility
1107	  with TLS 1.0 clients.
1108
1109	* openssl(1) and other documentation improvements.
1110
1111	* Removed flags for disabling constant-time operations.
1112	  This removes support for DSA_FLAG_NO_EXP_CONSTTIME,
1113	  DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making
1114	  all of these operations unconditionally constant-time.
1115
1116
11172.4.1 - Security fix
1118
1119	* Correct a problem that prevents the DSA signing algorithm from
1120	  running in constant time even if the flag BN_FLG_CONSTTIME is set.
1121	  This issue was reported by Cesar Pereida (Aalto University), Billy
1122	  Brumley (Tampere University of Technology), and Yuval Yarom (The
1123	  University of Adelaide and NICTA). The fix was developed by Cesar
1124	  Pereida.
1125
11262.4.0 - Build improvements, new features
1127
1128	* Many improvements to the CMake build infrastructure, including
1129	  Solaris, mingw-w64, Cygwin, and HP-UX support. Thanks to Kinichiro
1130	  Inoguchi for this work.
1131
1132	* Added missing error handling around bn_wexpand() calls.
1133
1134	* Added explicit_bzero calls for freed ASN.1 objects.
1135
1136	* Fixed X509_*set_object functions to return 0 on allocation failure.
1137
1138	* Implemented the IETF ChaCha20-Poly1305 cipher suites.
1139
1140	* Changed EVP_aead_chacha20_poly1305() to use the IETF (RFC 7539)
1141	  construction by default.
1142
1143	* Fixed password prompts from openssl(1) to properly handle ^C.
1144
1145	* Reworked error handling in libtls so that configuration errors are
1146	  visible.
1147
1148	* Deprecated internal use of EVP_[Cipher|Encrypt|Decrypt]_Final.
1149
1150	* Manpage fixes and updates
1151
11522.3.5 - Reliability fix
1153
1154	* Fixed an error in libcrypto when parsing some ASN.1 elements > 16k.
1155
11562.3.4 - Security Update
1157
1158	* Fix multiple vulnerabilities in libcrypto relating to ASN.1 and encoding.
1159	  From OpenSSL.
1160
1161	* Minor build fixes
1162
11632.3.3 - OpenBSD 5.9 release branch tagged
1164
1165	* Reworked build scripts to better sync with OpenNTPD-portable
1166
1167	* Fixed broken manpage links
1168
1169	* Fixed an nginx compatibility issue by adding an 'install_sw' make alias
1170
1171	* Fixed HP-UX builds
1172
1173	* Changed the default configuration directory to c:\LibreSSL\ssl on Windows
1174	  binary builds
1175
1176	* cert.pem has been reorganized and synced with Mozilla's certificate store
1177
11782.3.2 - Compatibility and Reliability fixes
1179
1180	* Changed format of LIBRESSL_VERSION_NUMBER to match that of
1181	  OPENSSL_VERSION_NUMBER, see:
1182	  https://wiki.openssl.org/index.php/Manual:OPENSSL_VERSION_NUMBER(3)
1183
1184	* Added EVP_aead_chacha20_poly1305_ietf() which matches the AEAD
1185	  construction introduced in RFC 7539, which is different from that
1186	  already used in TLS with EVP_aead_chacha20_poly1305()
1187
1188	* Avoid a potential undefined C99+ behavior due to shift overflow in
1189	  AES_decrypt, reported by Pascal Cuoq <cuoq at trust-in-soft.com>
1190
1191	* More man pages converted from pod to mdoc format
1192
1193	* Added COMODO RSA Certification Authority and QuoVadis
1194	  root certificates to cert.pem
1195
1196	* Removed the "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification
1197	  Authority" (serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be) root
1198	  certificate from cert.pem
1199
1200	* Added support for building nc(1) on Solaris
1201
1202	* Fixed GCC 5.x+ preprocessor checks, reported by Ruslan Babayev
1203
1204	* Improved console handling with openssl(1) on Windows
1205
1206	* Ensure the network stack is enabled on Windows when running
1207	  tls_init()
1208
1209	* Fixed incorrect TLS certificate loading by nc(1)
1210
1211	* Added support for Solaris 11.3's getentropy(2) system call
1212
1213	* Enabled support for using NetBSD 7.0's arc4random(3) implementation
1214
1215	* Deprecated the SSL_OP_SINGLE_DH_USE flag by disabling its effect
1216
1217	* Fixes from OpenSSL 1.0.1q
1218	 - CVE-2015-3194 - NULL pointer dereference in client side certificate
1219	                   validation.
1220	 - CVE-2015-3195 - Memory leak in PKCS7 - not reachable from TLS/SSL
1221
1222	* The following OpenSSL CVEs did not apply to LibreSSL
1223	 - CVE-2015-3193 - Carry propagating bug in the x86_64 Montgomery
1224	                   squaring procedure.
1225	 - CVE-2015-3196 - Double free race condition of the identity hint
1226	                   data.
1227
1228	 See https://marc.info/?l=openbsd-announce&m=144925068504102
1229
12302.3.1 - ASN.1 and time handling cleanups
1231
1232	* ASN.1 cleanups and RFC5280 compliance fixes.
1233
1234	* Time representations switched from 'unsigned long' to 'time_t'. LibreSSL
1235	  now checks if the host OS supports 64-bit time_t.
1236
1237	* Fixed a leak in SSL_new in the error path.
1238
1239	* Support always extracting the peer cipher and version with libtls.
1240
1241	* Added ability to check certificate validity times with libtls,
1242	  tls_peer_cert_notbefore and tls_peer_cert_notafter.
1243
1244	* Changed tls_connect_servername to use the first address that resolves with
1245	  getaddrinfo().
1246
1247	* Remove broken conditional EVP_CHECK_DES_KEY code (non-functional since
1248	  initial commit in 2004).
1249
1250	* Fixed a memory leak and out-of-bounds access in OBJ_obj2txt, reported
1251	  by Qualys Security.
1252
1253	* Fixed an overflow of up to 7 bytes in RC4 when len is not a multiple of
1254	  sizeof(RC4_CHUNK), reported by Pascal Cuoq <cuoq at trust-in-soft.com>.
1255
1256	* Reject too small bits value in BN_generate_prime_ex(), so that it does
1257	  not risk becoming negative in probable_prime_dh_safe(), reported by
1258	  Franck Denis.
1259
1260	* Enable nc(1) builds on more platforms.
1261
12622.3.0 - SSLv3 removed, libtls API changes, portability improvements
1263
1264	* SSLv3 is now permanently removed from the tree.
1265
1266	* The libtls API is changed from the 2.2.x series.
1267
1268	  The read/write functions work correctly with external event
1269	  libraries.  See the tls_init man page for examples of using libtls
1270	  correctly in asynchronous mode.
1271
1272	  Client-side verification is now supported, with the client supplying
1273	  the certificate to the server.
1274
1275	  Also, when using tls_connect_fds, tls_connect_socket or
1276	  tls_accept_fds, libtls no longer implicitly closes the passed in
1277	  sockets. The caller is responsible for closing them in this case.
1278
1279	* When loading a DSA key from a raw (without DSA parameters) ASN.1
1280	  serialization, perform some consistency checks on its `p' and `q'
1281	  values, and return an error if the checks failed.
1282
1283	  Thanks to Georgi Guninski (guninski at guninski dot com) for
1284	  mentioning the possibility of a weak (non prime) q value and
1285	  providing a test case.
1286
1287	  See
1288	  https://cpunks.org/pipermail/cypherpunks/2015-September/009007.html
1289	  for a longer discussion.
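
The consistency checks that entry describes, as an added example (not the libcrypto implementation): after decoding DSA domain parameters, verify their sizes, that q and p are prime, that q divides p-1, and that g generates the order-q subgroup. A composite q is the weak case mentioned above, and the primality test is the check that catches it. The toy parameters used in the demo (p=23, q=11, g=2) are constructed for illustration and far below real minimum sizes, which the size checks flag at their defaults; all names here are this example's own.

```python
from __future__ import annotations

import secrets


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin with random bases after trial division by small primes.
    Never reports a prime as composite; a composite survives all rounds with
    probability at most 4**-rounds."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_dsa_params(p: int, q: int, g: int,
                     min_p_bits: int = 1024, min_q_bits: int = 160) -> list[str]:
    """Return the list of problems found with (p, q, g); an empty list means
    the parameters pass. Checks: minimum sizes, primality of q and p, q | p-1,
    and that g lies in (1, p) and has order exactly q (g**q == 1 mod p)."""
    problems: list[str] = []
    if p.bit_length() < min_p_bits:
        problems.append(f"p has {p.bit_length()} bits, need >= {min_p_bits}")
    if q.bit_length() < min_q_bits:
        problems.append(f"q has {q.bit_length()} bits, need >= {min_q_bits}")
    if not is_probable_prime(q):
        problems.append("q is not prime")
    if not is_probable_prime(p):
        problems.append("p is not prime")
    if (p - 1) % q != 0:
        problems.append("q does not divide p-1")
    if not 1 < g < p:
        problems.append("g out of range")
    elif pow(g, q, p) != 1:
        problems.append("g does not have order q")
    return problems


if __name__ == "__main__":
    # Constructed toy parameters: p=23, q=11 (prime, 11 | 22), g=2 (order 11).
    print(check_dsa_params(23, 11, 2, min_p_bits=0, min_q_bits=0))   # []
    # Same p but a composite q that still divides p-1: the weak case.
    print(check_dsa_params(23, 22, 2, min_p_bits=0, min_q_bits=0))   # ['q is not prime']
    # g=5 has order 22 mod 23, not 11.
    print(check_dsa_params(23, 11, 5, min_p_bits=0, min_q_bits=0))   # ['g does not have order q']
```

Run these checks once per parameter set at load time, before any signature is produced or verified with the key; the cost of a few Miller-Rabin rounds on a 1024- or 2048-bit p is negligible next to the signature itself.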
1290
1291	* Fixed a bug in ECDH_compute_key that can lead to silent truncation
1292	  of the result key without error. A coding error could cause software
1293	  to use much shorter keys than intended.
1294
1295	* Removed support for DTLS_BAD_VER. Pre-DTLSv1 implementations are no
1296	  longer supported.
1297	* The engine command and parameters are removed from openssl(1).
1298	* The engine command and parameters are removed from the openssl(1).
1299	  Previous releases removed dynamic and builtin engine support
1300	  already.
1301
1302	* SHA-0 is removed, which was withdrawn shortly after publication 20
1303	  years ago.
1304
1305	* Added Certplus CA root certificate to the default cert.pem file.
1306
1307	* New interface OPENSSL_cpu_caps is provided that does not allow
1308	  software to inadvertently modify cpu capability flags.
1309	  OPENSSL_ia32cap and OPENSSL_ia32cap_loc are removed.
1310
1311	* The out_len argument of AEAD changed from ssize_t to size_t.
1312
1313	* Deduplicated DTLS code, sharing bugfixes and improvements with
1314	  TLS.
1315
1316	* Converted 'nc' to use libtls for client and server operations; it is
1317	  included in the libressl-portable distribution as an example of how
1318	  to use the library.
1319
13202.2.3 - Bug fixes, build enhancements
1321
1322	* LibreSSL 2.2.2 incorrectly handles ClientHello messages that do not
1323	  include TLS extensions, resulting in such handshakes being aborted.
1324	  This release corrects the handling of such messages. Thanks to
1325	  Ligushka from github for reporting the issue.
1326
1327	* Added install target for cmake builds. Thanks to TheNietsnie from
1328	  github.
1329
1330	* Updated pkgconfig files to correctly report the release version
1331	  number, not the individual library ABI version numbers. Thanks to
1332	  Jan Engelhardt for reporting the issue.
1333
13342.2.2 - More TLS parser rework, bug fixes, expanded portable build support
1335
1336	* Switched 'openssl dhparam' default from 512 to 2048 bits
1337
1338	* Reworked openssl(1) option handling
1339
1340	* More CRYPTO ByteString (CBS) packet parsing conversions
1341
1342	* Fixed 'openssl pkeyutl -verify' to exit with status 0 on success
1343
1344	* Fixed dozens of Coverity issues including dead code, memory leaks,
1345	  logic errors and more.
1346
1347	* Ensure that openssl(1) restores terminal echo state after reading a
1348	  password.
1349
1350	* Incorporated fix for OpenSSL Issue #3683
1351
1352	* LibreSSL version define LIBRESSL_VERSION_NUMBER will now be bumped
1353	  for each portable release.
1354
1355	* Removed workarounds for TLS client padding bugs.
1356
1357	* No longer disable ECDHE-ECDSA on OS X
1358
1359	* Removed SSLv3 support from openssl(1)
1360
1361	* Removed IE 6 SSLv3 workarounds.
1362
1363	* Modified tls_write in libtls to allow partial writes, clarified with
1364	  examples in the documentation.
1365
1366	* Removed RSAX engine
1367
1368	* Tested SSLv3 removal with the OpenBSD ports tree and found several
1369	  applications that were not ready to build without SSLv3 yet. For
1370	  now, building a program that intentionally uses SSLv3 will result in
1371	  a linker warning.
1372
1373	* Added TLS_method, TLS_client_method and TLS_server_method as a
1374	  replacement for the SSLv23_*method calls.
1375
1376	* Added initial cmake build support, including support for building with
1377	  Visual Studio, currently tested with Visual Studio 2013 Community
1378	  Edition.
1379
1380	* --with-enginesdir is removed as a configuration parameter
1381
1382	* Default cert.pem, openssl.cnf, and x509v3.cnf files are now
1383	  installed under $sysconfdir/ssl or the directory specified by
1384	  --with-openssldir. Previous versions of LibreSSL left these empty.
1385
13862.2.1 - Build fixes, feature added, features removed
1387
1388	* Assorted build fixes for musl, HP-UX, Mingw, Solaris.
1389
1390	* Initial support for Windows Embedded 2009, Server 2003, XP
1391
1392	* Protocol parsing conversions to BoringSSL's CRYPTO ByteString (CBS) API
1393
1394	* Added EC_curve_nid2nist and EC_curve_nist2nid from OpenSSL
1395
1396	* Removed Dynamic Engine support
1397
1398	* Removed unused and obsolete MDC-2DES cipher
1399
1400	* Removed workarounds for obsolete SSL implementations
1401
14022.2.0 - Build cleanups and new OS support, Security Updates
1403
1404	* AIX Support - thanks to Michael Felt
1405
1406	* Cygwin Support - thanks to Corinna Vinschen
1407
1408	* Refactored build macros, support packaging libtls independently.
1409	  There are more pieces required to support building and using OpenSSL
1410	  with libtls, but this is an initial start at providing an
1411	  independent package for people to start hacking on.
1412
1413	* Removal of OPENSSL_issetugid and all library getenv calls.
1414	  Applications can and should no longer rely on environment variables
1415	  for changing library behavior. OPENSSL_CONF/SSLEAY_CONF is still
1416	  supported with the openssl(1) command.
1417
1418	* libtls API and documentation additions
1419
1420	* Various bug fixes and simplifications to libssl and libcrypto
1421
1422	* Fixes for the following issues are integrated into LibreSSL 2.2.0:
1423	 - CVE-2015-1788 - Malformed ECParameters causes infinite loop
1424	 - CVE-2015-1789 - Exploitable out-of-bounds read in X509_cmp_time
1425	 - CVE-2015-1792 - CMS verify infinite loop with unknown hash function
1426
1427	* The following CVEs did not apply to LibreSSL or were fixed in
1428	  earlier releases:
1429	 - CVE-2015-4000 - DHE man-in-the-middle protection (Logjam)
1430	 - CVE-2015-1790 - PKCS7 crash with missing EnvelopedContent
1431	 - CVE-2014-8176 - Invalid free in DTLS
1432
1433	* Fixes for the following CVEs are still in review for LibreSSL
1434	 - CVE-2015-1791 - Race condition handling NewSessionTicket
1435
14362.1.6 - Security update
1437
1438	* Fixes for the following issues are integrated into LibreSSL 2.1.6:
1439	  - CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
1440	  - CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
1441	  - CVE-2015-0287 - ASN.1 structure reuse memory corruption
1442	  - CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref
1443	  - CVE-2015-0289 - PKCS7 NULL pointer dereferences
1444
1445	* The fix for CVE-2015-0207 - Segmentation fault in DTLSv1_listen
1446	  is integrated for safety, but LibreSSL is not vulnerable.
1447
1448	* Libtls is now built by default. The --enable-libtls
1449	  configuration option is no longer required.
1450	  The libtls API is now stable for the 2.1.x series.
1451
14522.1.5 - Bug fixes and a security update
1453	* Fix incorrect comparison function in openssl(1) certhash command.
1454	  Thanks to Christian Neukirchen / Void Linux.
1455
1456	* Windows port improvements and bug fixes.
1457	  - Removed a dependency on libgcc in 32-bit dynamic libraries.
1458	  - Correct a hang in openssl(1) reading from stdin on a connection.
1459	  - Initialize winsock in openssl(1) earlier, allow 'openssl ocsp' and
1460	    any other network-related commands to function properly.
1461
1462	* Reject all server DH keys smaller than 1024 bits.
1463
14642.1.4 - Security and feature updates
1465	* Improvements to libtls:
1466	  - a new API for loading CA chains directly from memory instead of a
1467	    file, allowing verification with privilege separation in a chroot
1468	    without direct access to CA certificate files.
1469
1470	  - Ciphers default to TLSv1.2 with AEAD and PFS.
1471
1472	  - Improved error handling and message generation
1473
1474	  - New APIs and improved documentation
1475
1476	* Added X509_STORE_load_mem API for loading certificates from memory.
1477	  This facilitates accessing certificates from a chrooted environment.
1478
1479	* New AEAD "MAC alias" allows configuring TLSv1.2 AEAD ciphers by
1480	  using 'TLSv1.2+AEAD' as the cipher selection string.
1481
1482	* Dead and disabled code removal including MD5, Netscape workarounds,
1483	  non-POSIX IO, SCTP, RFC 3779 support, many #if 0 sections, and more.
1484
1485	* ASN1 macro maze expanded to aid reading and searching the code.
1486
1487	* NULL pointer asserts removed in favor of letting the OS/signal
1488	  handler catch them.
1489
1490	* Refactored argument handling in openssl(1) for consistency and
1491	  maintainability.
1492
1493	* New openssl(1) command 'certhash' replaces the c_rehash script.
1494
1495	* Support for building with OPENSSL_NO_DEPRECATED
1496
1497	* Server-side support for TLS_FALLBACK_SCSV for compatibility with
1498	  various auditor and vulnerability scanners.
1499
1500	* Dozens of issues found with the Coverity scanner fixed.
1501
1502	* Security Updates:
1503
1504	  - Fix a minor information leak that was introduced in t1_lib.c
1505	    r1.71, whereby an additional 28 bytes of .rodata (or .data) is
1506	    provided to the network. In most cases this is a non-issue since
1507	    the memory content is already public. Issue found and reported by
1508	    Felix Groebert of the Google Security Team.
1509
1510	  - Fixes for the following low-severity issues were integrated into
1511	    LibreSSL from OpenSSL 1.0.1k:
1512
1513	     CVE-2015-0205 - DH client certificates accepted without
1514	                     verification
1515	     CVE-2014-3570 - Bignum squaring may produce incorrect results
1516	     CVE-2014-8275 - Certificate fingerprints can be modified
1517	     CVE-2014-3572 - ECDHE silently downgrades to ECDH [Client]
1518	     Reported by Karthikeyan Bhargavan of the PROSECCO team at INRIA.
1519
1520	    The following CVEs were fixed in earlier LibreSSL releases:
1521	     CVE-2015-0206 - Memory leak handling repeated DTLS records
1522	     CVE-2014-3510 - Flaw handling DTLS anonymous EC(DH) ciphersuites.
1523
1524	    The following CVEs did not apply to LibreSSL:
1525	     CVE-2014-3571 - DTLS segmentation fault in dtls1_get_record
1526	     CVE-2014-3569 - no-ssl3 configuration sets method to NULL
1527	     CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA
1528
15292.1.3 - Security update and OS support improvements
1530	* Fixed various memory leaks in DTLS, including fixes for
1531	  CVE-2015-0206.
1532
1533	* Added Application-Layer Protocol Negotiation (ALPN) support.
1534
1535	* Removed GOST R 34.10-94 signature authentication.
1536
1537	* Removed nonfunctional Netscape browser-hang workaround code.
1538
1539	* Simplified and refactored SSL/DTLS handshake code.
1540
1541	* Added SHA256 Camellia cipher suites for TLS 1.2 from RFC 5932.
1542
1543	* Hide timing info about padding errors during handshakes.
1544
1545	* Improved libtls support for non-blocking sockets, added randomized
1546	  session ID contexts. Work is ongoing with this library - feedback
1547	  and potential use-cases are welcome.
1548
1549	* Support building Windows DLLs.
1550	  Thanks to Jan Engelhard.
1551
1552	* Packaged config wrapper for better compatibility with OpenSSL-based
1553	  build systems.
1554	  Thanks to @technion from github
1555
1556	* Ensure the stack is marked non-executable for assembly sections.
1557	  Thanks to Anthony G. Bastile.
1558
1559	* Enable extra compiler hardening flags by default, where applicable.
1560	  The default set of hardening features can vary by OS to OS, so
1561	  feedback is welcome on this. To disable the default hardening flags,
1562	  specify '--disable-hardening' during configure.
1563	  Thanks to Jim Barlow
1564
1565	* Initial HP-UX support, tested with HP-UX 11.31 ia64
1566	  Thanks to Kinichiro Inoguchi
1567
1568	* Initial NetBSD support, tested with NetBSD 6.1.5 x86_64
1569	  Imported from OpenNTPD, thanks to @gitisihara from github
1570
15712.1.2 - Many new features and improvements
1572	* Added reworked GOST cipher suite support
1573	   thanks to Dmitry Eremin-Solenikov
1574
1575	* Enabled Camellia ciphers due to improved patent situation
1576
1577	* Use builtin arc4random implementation on OS X and FreeBSD
1578	   this addresses some deficiencies in the native implementations of
1579	   these operating systems, see commit logs for more information
1580
1581	* Added initial Windows mingw-w64 support (32 and 64-bit)
1582	   thanks to Song Dongsheng and others for code and feedback
1583
1584	* Enabled assembly optimizations on x86_64 CPUs
1585	   supports Linux, *BSD, Solaris and OS X operating systems
1586	   thanks to Wouter Clarie for the initial implementation
1587
1588	* Added no_ssl3/no_tls1_1/no_tls1_2 options to openssl(1)
1589
1590	* Improved build infrastructure, 'make distcheck' now passes
1591	   this simplifies and speeds developer efficiency
1592	   thanks to Dmitry Eremin-Solenikov and Wouter Clarie
1593
1594	* Allow conditional building of the libtls library
1595	   expect the API and ABI of the library to change
1596	   feedback is welcome
1597
1598	* Fixes for more memory leaks, cleanups, etc.
1599
16002.1.1 - Security update
1601	* Address POODLE attack by disabling SSLv3 by default
1602
1603	* Fix Elliptic Curve cipher selection bug
1604	  (https://github.com/libressl-portable/portable/issues/35)
1605
16062.1.0 - First release from the OpenBSD 5.7 tree
1607	* Added support for automatic ephemeral EC keys
1608
1609	* Fixes for many memory leaks and overflows in error handlers
1610
1611	* The TLS padding extension (that works around bugs in F5 terminators) is
1612	  off by default
1613
1614	* support for getrandom(2) on Linux 3.17
1615
1616	* the NO_ASM macro is no longer being set, providing the first bits toward
1617	  enabling other assembly offloads.
1618
16192.0.5 - Fixes for CVEs from OpenSSL 1.0.1i
1620	* CVE-2014-3506
1621	* CVE-2014-3507
1622	* CVE-2014-3508 (partially vulnerable)
1623	* CVE-2014-3509
1624	* CVE-2014-3510
1625	* CVE-2014-3511
1626	* Synced LibreSSL Portable with the release version of OpenBSD 5.6
1627
16282.0.4 - Portability fixes, deleted unused SRP code
1629
16302.0.3 - Portability fixes, improvements to fork detection
1631
16322.0.2 - Address arc4random fork PID wraparound issues with pthread_atfork
1633
16342.0.1 - Portability fixes:
1635	* Removed -Werror and other non-portable compiler flags
1636
1637	* Allow setting OPENSSLDIR and ENGINESDIR
1638
16392.0.0 - First release from the OpenBSD 5.6 tree
1640	* Removal of many obsolete features and coding conventions from the OpenSSL
1641	  1.0.1h source
1642